Prof. Sam LawlerHAHAHAHA
Predatory journals do not know how to handle April Fool's Day papers (like this one https://arxiv.org/pdf/2603.29324) on the arxiv...
thepwnicorn
- 68 Followers
- 71 Following
- 708 Posts
Working in AppSec by day, posting on here by night. he/him
Em 
When you read about Bans of Social Media for Teens and Age Verification, you must remember what it truly means:
• Official identification of every adult using social media.
• Deanonymization of every account, endangering groups that often rely on pseudonymity for safety, such as victims of domestic violence, victims of stalkers, people of color, and LGBTQ+ people.
• Putting every adult at great danger of exploitation, fraud, and identity theft by forcing them to share their official ID with a for-profit third-party company with no incentive to protect it. Breaches have already happened.
• Constructing a system of mass surveillance to attach every comment on social media to a legal identity. Effectively allowing authoritarian governments to silence their critics and opposition.
• Potential for dystopian censorship and cutting off means of organization for groups of resistance to oppressive regime and organizations.
• Endangering children online by putting a clear identification beacon over every child or family with children online.
• Endangering the data of children who will inevitably try to pass as adults, and have their information collected by the third-party for-profit company.
• Diminishing the value of official identification due to the inevitable data breaches, eventually pushing the system to require even more intrusive identification techniques, such as iris scans and fingerprints.
• Installing a system of mass surveillance capable of attaching even more information to everyone's legal identity. With a potential to built list of people in certain groups, and scale-up state censorship and discrimination in unprecedented ways.
• The list goes on and on.
This isn't about protecting the children.
It never was.
Do not be duped by this excuse used to convince you to let go of your human rights. They are only trying to manipulate people lacking information.
Stay informed on the issues related to Age Verification, and push back for your rights to privacy and democracy.
The future depends on us.
#AgeVerification #Privacy #HumanRights #MassSurveillance #Authoritarianism
IFIN - The Independent Federated Intelligence NetworkLooks like we have a live one here. Weird Rust maintainer phishing campaign using crates[.]ws:
https://discourse.ifin.network/t/bizarre-crates-io-phishing-campaign/232
Bizarre crates.io phishing campaign
Observable: crates[.]ws Observable Type: Domain Details: Rust maintainer phishing email sending users to a bogus Crates website. Interestingly it looks like the .ws domain redirects to .io unless you provide it direct parameters. Unclear the intention though. Full URI in the email: https://crates[.]ws/settings/profile?action=verify&e=SOMENUMBER https://bsky.app/profile/nabijaczleweli.xyz/post/3miyodcruiuy2
Socket🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week.
Multiple high-impact maintainers have all confirmed they were targeted in the same coordinated social engineering campaign that compromised Axios.
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
🚨 Active supply chain attack on [email protected]. The latest version pulls in [email protected] -- a brand-new package that didn't exist before today.
We're still investigating. If you use axios, pin your version and audit your lockfile.
Supply Chain Attack on Axios Pulls Malicious Dependency from...
A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHu...
Neil BrownPerhaps I am some kind of dangerous computer radical these days, thinking that one should be able to buy or make a computer, install one's choice of OSs and software, create a local user account, and get on with one's affairs, privately and without interference.
Quiet enjoyment of one's computer.
* No age or ID verification
* No jumping through hoops to install software, or third parties restricting the software that one can run
* No third party accounts
So does anyone want to have a guess what project TeamPCP are going for next? It would have to have used the compromised Trivy version or action, be popular, and not have rotated their credentials fast enough. So far we got KICS and LiteLLM that we know of.
Max Maass 
#Trivy got compromised on thursday and released a backdoored new version, which was rolled back. We spent the entire friday in incident response mode. Now they got compromised again over the weekend.
I have a lot of sympathy for people under pressure during an incident, but for fucks sake, having a security tool get compromised three times within two months is just completely bonkers. We spent more time remediating security issues caused by our security tooling than any other cause. And the fact that there wasn't any official communication on friday means that we had to rely on third-party writeups, which were missing critical information like exact docker container digests and time ranges of the compromise. This made incident response completely miserable.
Anyway. Trivy 0.69.4, 0.69.5, 0.69.6 were all compromised with infostealer malware. Do what you have to do. There are several decent writeups:
- https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
- https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
- https://labs.boostsecurity.io/articles/20-days-later-trivy-compromise-act-ii/
And Trivy has an advisory on their GitHub that covers last thursday, but not the second compromise over the weekend: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
Trivy Compromised a Second Time - Malicious v0.69.4 Release, aquasecurity/setup-trivy, aquasecurity/trivy-action GitHub Actions Compromised - StepSecurity
On March 19, 2026, trivy — a widely used open source vulnerability scanner maintained by Aqua Security — experienced a second security incident. Three weeks after the hackerbot-claw incident on February 28 that resulted in a repository takeover, a new compromised release (v0.69.4) was published to the trivy repository. The original incident disclosure discussion (#10265) was also deleted during this period, and version tags on the aquasecurity/setup-trivy GitHub Action were removed. Trivy maintainers deleted the v0.69.4 tag and Homebrew downgraded to v0.69.3. The following is a factual account of what we observed through public GitHub data.
First they ask for your date of birth,
but later they claim it's not enough.
Then they ask for your full name and location,
but later they claim it's not enough.
Then they ask for a copy of your passport,
but later they claim it's not enough.
Then they ask for your facial scan,
but later they claim it's not enough.
Then they ask for your fingerprints,
but later they claim it's not enough.
Then they ask for your palm scan,
but later they claim it's not enough.
Then they ask for a scan of your iris,
but later they claim it's not enough.
Then they ask for ...
#MassSurveillance #Authoritarianism #AgeVerification #Privacy #Democracy #HumanRights
Stacey Cornelius 🇨🇦@cR0w I work in the culture sector. I see writers who have no problem using genAI to create images.
And I see people who loudly defend visual art who have no problem using LLMs to "help" with their writing.
IMHO generated artificial "intelligence" is the biggest marketing grift since big tobacco. Except the information about how the tools function and potential harms like deskilling is easily available. People just don't bother asking any questions.
We'll die on the hill of convenience.