so i've been working on a talk that i'm calling "claude is your insider threat now" and it initially began with anthropic's "china paper" they released last year surrounding the use of llms to do bad guy stuff. I ended up talking about it at great length with Tony from Versprite, and even ended up on his podcast about it - the big discovery there was "claude lying about running a tool, and claude lying about tool output"

turns out that shit is hardcoded

https://neuromatch.social/@jonny/116326861737478342

copilot is just for entertainment? Per the TOS...
Highlighting is my own. From that last boost.

https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse

Thomson Reuters’ data, which can include people’s addresses and details on their ethnicity, is linked to tools used by ICE.

https://www.404media.co/how-thomson-reuters-powers-ice-and-palantir/

How Thomson Reuters Powers ICE and Palantir

404 Media

Anthropic inadvertently made Claude Code open source. 

Chaofan Shou discovered that the published npm package for Claude Code included a .map file referencing the full, unobfuscated TypeScript source — downloadable as a zip from Anthropic's R2 storage bucket. 

https://github.com/nirholas/claude-code

The internet is furiously pulling it apart and analyzing it, at LLM speed.

An open-source project called Axios (not the website), which has over 100M downloads weekly, was briefly hijacked overnight to drop remote access malware into two releases, potentially affecting countless developers. Already called "one of the most impactful npm supply chain attacks on record." 👀

by the very excellent @carlypage: https://www.theregister.com/2026/03/31/axios_npm_backdoor_rat/

Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines

Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios

The Register

I teach cybersecurity. And I genuinely don't know what to tell my students after this one.

Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking.

They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it.

🔐 That's not a security review. That's a hostage negotiation.

Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts," often ex-military with minimal software engineering backgrounds, are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

Federal cyber experts called Microsoft's cloud a "pile of shit," approved it anyway

One Microsoft product was approved despite years of concerns about its security.

Ars Technica

Hey folks, Apple's finally giving in & letting me do depositions for the retaliation lawsuit, but they left me with only two weeks & it's going to be very expensive (at least ~$1k/each).

Want to see Employee Retaliations, Workplace Violence, or my crappy bosses deposed about Apple harassing, retaliating, suspending, & firing me?

Please consider donating:
https://www.ashleygjovik.com/donate.html

Donate

This page provides ways to donate and support Ashley during this David and Goliath battle.

Ashley Gjovik

STRICTLY CONFIDENTIAL: The 2025 Arduino Open Source Report

Qualcomm's first full year owning Arduino and every metric went down, but at least they remembered to leave "STRICTLY CONFIDENTIAL" in the PDF... 🔍📉

https://blog.adafruit.com/2026/03/29/strictly-confidential-the-2025-arduino-open-source-report/

@arduino

#nokings #sandiego #escondido

maybe 5k people in escondido?
massive compared to the last ones