23 Followers
182 Following
1.8K Posts

Mostly reading what’s going on and boosting information relating to the environment, security and some politics.

Oh. And biking

A popular Python library just became a backdoor to your entire machine

https://www.xda-developers.com/popular-python-library-backdoor-machine/

It's one of the most popular Python libraries for interacting with large language models [...] It has over 40,000 stars on GitHub, and it's an important dependency in a lot of AI tooling. It's also been compromised on PyPI, and the malicious versions are stealing everything they can find on your machine.

Sorry but... 🍿

Supply chain attacks feel like they're becoming more and more common.

XDA
If you have an iPhone, today is a good day to make sure you are running the latest software. https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
Someone has publicly leaked an exploit kit that can hack millions of iPhones | TechCrunch

Leaked "DarkSword" exploits published to GitHub allow hackers and cybercriminals to target iPhone users running old versions of iOS with spyware, according to cybersecurity researchers.

TechCrunch

My incompetence at this game is very consistent:

- I always overshoot onto short platforms
- I always undershoot when trying to get the 3rd perfect landing

https://100jumps.org

100 Jumps

Hold to charge, release to jump. Land on 100 platforms to win — but one miss and it's over. How many attempts will it take you?

Reality for women, by the way, also means that when we share a lot of posts about sexualised violence in order to get the topic the attention it needs, suddenly some dude you have never interacted with before slides into your DMs and, completely out of context, asks what you think of men, and when pressed says that your timeline is full of posts about sexualised violence etc., that he has to block so much, and anyway how could you assume he is a dude.

I don't owe anyone an explanation.

Signal Boost: If you are willing to fix any of the #Wayland related issues I describe in https://michael.stapelberg.ch/posts/2026-01-04-wayland-sway-in-2026/, I am willing to sponsor the hardware you need for it, e.g. high-res monitor, GPU, PC, etc. and/or pay a bounty for the fix itself.

See https://lobste.rs/s/5pkjai/wayland_set_linux_desktop_back_by_10_years#c_4cpf8q for details and reach out; thanks in advance.

My goal is that #Linux works better, but I can’t do it alone. Let’s improve it together!

Recently a police officer explained to me: data protection is perpetrator protection.

I wonder what he has to say about the fact that we were able to access the addresses of the students of the Akademie der Polizei Hamburg.

https://www.ccc.de/de/updates/2026/datenleck-im-campusnet

#disclosure #ccc #hochschule #CampusNet #datenschutz

CCC | Data leak in CampusNet

The Chaos Computer Club is a galactic community of life forms for freedom of information and technology assessment.

@rakhim more like

The third Gulf War is driving up the price of oil. But in the medium term, exactly that makes oil cheaper and less important.

Because high prices accelerate electrification.

A short THREAD about this energy irony 🧵

Static + dynamic analysis of Signal's APK. The good news first: Signal is genuinely exceptional.

Rust core (libsignal_jni.so), post-quantum hybrid Double Ratchet (Kyber-1024 + X25519), Direct ByteBuffers with immediate zeroing after PIN/username hashing, Intel SGX attestation for SVR — MREnclave verification means even a compromised Signal server can't extract your PIN hash.

But two things stood out:

1. Firebase is always there. Google receives IP + notification timestamps regardless of message content. If you need metadata privacy, Signal still leaks presence data to Google's infrastructure.

2. Certificate revocation endpoints hit http://g.symcd.com in plaintext. An ISP or state-level observer can fingerprint Signal usage from DNS queries and HTTP traffic to those CAs — without touching message content.

Conclusion: strongest crypto engineering in consumer messaging. The attack surface isn't the cryptography. It's the operational dependencies.

Soon the full analysis

#infosec #AndroidSecurity #Signal #privacy #ReverseEngineering #postquantum #mobileforensics