sudo rm -rf --no-preserve-root /

Working on what's next.

📌 w021d

PGP: 063E 966C 93AB 4356 492F E032 7C3B 4B4B 7725 111F
Personal Website: https://pcaversaccio.com
GitHub: https://github.com/pcaversaccio
X: https://x.com/pcaversaccio
Bluesky: https://bsky.app/profile/pcaversaccio.com
Farcaster: https://farcaster.xyz/pcaversaccio

i genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED.

so what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. the one example I share here executes a fake font that's actually heavily-obfuscated JS and will absolutely rek you.

all your fancy software that feels "convenient" makes tradeoffs. those tradeoffs are now being abused to silently rek your devices.

use Vim. and use Qubes. Thx.
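
What to check in a cloned repo before opening it, as an added example that is not part of the original post. The post does not name the hook, so this assumes VS Code's `runOptions.runOn: "folderOpen"` task setting in `.vscode/tasks.json`; the function names and the sample file are constructed here.

```python
import json
import re
from pathlib import Path

# Constructed sample (not from a real repo): one ordinary task, one auto-run task.
SAMPLE_TASKS_JSON = """{ // tasks.json is JSONC: comments and trailing commas allowed
  "tasks": [
    {"label": "docs", "command": "echo https://example.invalid/docs"},
    {"label": "fonts", "command": "node ./fonts/placeholder.woff2",
     "runOptions": {"runOn": "folderOpen"},},
  ]
}"""

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    """Blank out matches of pattern, but never inside a JSON string literal."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def strip_jsonc(text):
    """Turn the JSONC that VS Code accepts into strict JSON."""
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)  # line and block comments
    return _drop(r",(?=\s*[}\]])", text)       # trailing commas

def autorun_tasks(tasks_json_text):
    """Return the tasks that start by themselves when the folder is opened."""
    try:
        doc = json.loads(strip_jsonc(tasks_json_text))
    except json.JSONDecodeError:  # fail closed: read the file by hand
        return [{"label": None, "reason": "unparseable", "commands": []}]
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    findings = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            # Per-OS blocks can override the command, so report those too.
            scopes = [task] + [task.get(k) for k in ("windows", "osx", "linux")]
            cmds = [s["command"] for s in scopes if isinstance(s, dict) and "command" in s]
            findings.append({"label": task.get("label"), "reason": "runOn=folderOpen",
                             "commands": cmds})
    return findings

def scan_repo(repo_root):
    """Check a fresh clone from a terminal, before opening it in the editor."""
    path = Path(repo_root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return autorun_tasks(path.read_text(encoding="utf-8", errors="replace"))
```

An empty result from `scan_repo` only covers this one setting in this one file; any finding, including `unparseable`, means the file should be read by hand before the folder is trusted.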

RIP Internet

Let's be real, a ton of people (yes, even probably you reading this) store pws, 2FA backup codes, and other sensitive info in `.txt` files. Even the 2FA providers themselves often give you those backup codes as `.txt` downloads. It's shit, but it's common. Obviously don't use `.txt` files to store any sensitive data, but let's address the major issue now: on Windows, Notepad is getting Copilot integration (sounds cool for many, but it's fucked!). That means if you open one of those `.txt` credential files, you're potentially leaking sensitive data to Microsoft's servers (I know you already leaked your dick/feet pics via the cloud sync feature of images but you don't care about those that much). They claim it only happens if you actively use Copilot features; but dude, who actually trusts that lol?

If you run on Windows, disable this feature (and the spellchecking as well) - or even better, disable Copilot system-wide - and set something like Notepad++ as the default app for `.txt` files. It's lightweight, local, and not phoning home. Until you're using proper encryption or a pw manager, at least make sure your plaintext isn't being silently beamed to the cloud. And if you feel Cypherpunk enough use Qubes OS instead :)

An OS that goes all-in on simplicity. There's so much virtue in simplicity. What we need is more of less. https://duskos.org

I love how Xwitter cares about their security

"Make Ethereum Cypherpunk Again" isn't simply a slogan for me — it's a statement of intent. This isn't branding. It's resistance. This isn't about playing nice. It's about reclaiming Ethereum's soul!

Look it's very simple: Ethereum must provide privacy _unconditionally_. Today, it operates in a partial, opt-in model, forcing users to jump through hoops just to conceal their financial lives. That's not sovereignty — it's submission. Enough compromises. We need privacy by default.

Over the past weeks, I've written a potential path forward — a vision for Ethereum as a maximally private, self-sovereign financial system.

Read it. Challenge it. Improve it. Let's co-create it.

Make Ethereum Cypherpunk Again.

https://hackmd.io/@pcaversaccio/ethereum-privacy-the-road-to-self-sovereignty

guys, since people continue falling victim to attacks, here's another malware scheme that's been making the rounds recently: Scammers lure victims into a fake job interview using a fraudulent video conferencing application (tbh, that's nothing new). Now the application tricks users into thinking their camera isn't working, prompting (or being instructed) them to run a command shown in the first screenshot. Executing this command triggers a script that installs a Trojan on their device (as seen in the second screenshot). I obtained the malware for both ARM64 and x86_64 architectures and uploaded it to VirusTotal:
- ARM64 VT hash: 0a49f0a8d0b1e856b7d109229dfee79212c10881dcc4011b98fe69fc28100182
- x86_64 VT hash: c6774961e12c14b91f6673ad47ce44d489cdbdd193e031ded367a36f531b6ab9

This is again a warning - PLEASE DO NOT INVOKE RANDOM CODE SOME RANDOM DUDES/APPLICATIONS SHARE WITH YOU. It can completely wreck you.

Folks, the biggest security threat right now is people blindly running code, invoking obscure commands, or installing applications just because some random person or website told them to. Example: Fucking stop blindly running those _malicious_ PowerShell commands just because some fake Safeguard bot told you to. The number of RATed devices (many just normal users) in this space has never been higher.

Looks like there was a pretty ugly deanonymisation vulnerability present in Wasabi wallets until recently (specifically related to CoinJoins). Such disclosures always remind me how hard it is to implement true privacy into your applications. But it's definitely worth the battle.

https://github.com/GingerPrivacy/GingerWallet/discussions/116

gents, amidst the whirlwind of SEAL 911 tickets, I somehow managed (don't ask me how!) to add support for off-chain message hashes to my Safe transaction hashes Bash script over the past few days. The updated script now outputs the raw message, along with the domain, message, and Safe message hashes, making it easy for you to verify them against the values shown on your Ledger hardware wallet screen. This can be particularly useful for security councils using 1/1 multisigs to sign into governance tools or for logging into platforms like OpenSea with your multisig. Always remember: Don't trust, verify!

https://github.com/pcaversaccio/safe-tx-hashes-util/pull/10

On a side note, I've been asked a few times over the last weeks how people can support my open-source work. Everything I create is for the community, with the goal of strengthening our ecosystem's security/tooling suite (this includes snekmate, CreateX, xdeployer etc.). If you feel like showing your appreciation, you can find my donation address here https://github.com/pcaversaccio/snekmate/blob/main/FUNDING.json#L4
