βΌοΈπ¨ The Mini Shai-Hulud npm worm has hit again. Hundreds of antv packages compromised (Alibaba's data visualization suite) along with echarts-for-react, timeago.js, size-sensor, and canvas-nest.js.
It all started today with the compromise of npm account atool (i@hust.cc). In a 22-minute window between 01:39 and 02:06 UTC, the attacker published 631 malicious versions across 314 packages, all carrying the same payload.
Top affected packages by monthly downloads:
- size-sensor@1.1.4 - 4.2M dl/mo
- echarts-for-react@3.1.7 - 3.8M dl/mo
β’ antv/scale@0.6.2 - 2.2M dl/mo
- timeago.js@4.1.2 - 1.15M dl/mo
β’ antv/g@6.4.1 - 1.0M dl/mo
β’ antv/path-util@3.1.1 - 1.1M dl/mo
β’ antv/g-svg@2.2.1 - 975K dl/mo
β’ antv/g-lite@2.8.0 - 883K dl/mo
β’ antv/vendor@1.1.11 - 751K dl/mo
What the payload does (498KB obfuscated Bun script, runs via preinstall hook):
- Harvests 20+ secret types: GitHub PATs, npm tokens, AWS keys, GCP service accounts, Azure creds, DB connection strings, Stripe keys, Slack tokens, SSH keys, Docker auth, Kubernetes configs, Vault tokens
- Attempts Docker container escape if the host socket is reachable, spinning up a Privileged container with host filesystem bind mounts
- Pulls a secondary payload via optional dependency antv/setup from antvis/G2 commit 1916faa, which was pushed 19 minutes before the npm publishes started
Read:
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/
https://socket.dev/blog/antv-packages-compromised
https://aikido.dev/blog/mini-shai-hulud-antv-npm-supply-chain-attack
It all started today with the compromise of npm account atool (i@hust.cc). In a 22-minute window between 01:39 and 02:06 UTC, the attacker published 631 malicious versions across 314 packages, all carrying the same payload.
Top affected packages by monthly downloads:
- size-sensor@1.1.4 - 4.2M dl/mo
- echarts-for-react@3.1.7 - 3.8M dl/mo
β’ antv/scale@0.6.2 - 2.2M dl/mo
- timeago.js@4.1.2 - 1.15M dl/mo
β’ antv/g@6.4.1 - 1.0M dl/mo
β’ antv/path-util@3.1.1 - 1.1M dl/mo
β’ antv/g-svg@2.2.1 - 975K dl/mo
β’ antv/g-lite@2.8.0 - 883K dl/mo
β’ antv/vendor@1.1.11 - 751K dl/mo
What the payload does (498KB obfuscated Bun script, runs via preinstall hook):
- Harvests 20+ secret types: GitHub PATs, npm tokens, AWS keys, GCP service accounts, Azure creds, DB connection strings, Stripe keys, Slack tokens, SSH keys, Docker auth, Kubernetes configs, Vault tokens
- Attempts Docker container escape if the host socket is reachable, spinning up a Privileged container with host filesystem bind mounts
- Pulls a secondary payload via optional dependency antv/setup from antvis/G2 commit 1916faa, which was pushed 19 minutes before the npm publishes started
Read:
https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/
https://socket.dev/blog/antv-packages-compromised
https://aikido.dev/blog/mini-shai-hulud-antv-npm-supply-chain-attack
β€1π¨1
Germany has lost it.
Back in November 2024, a teen in Germany posted "olaf scholz du bastard was soll diese scheiΓe" ("olaf scholz you bastard what the hell is this shit") while staring at a Fortnite update sitting at 3%, downloading a 37.9 GB patch at roughly 173 KB/s. At that rate the install would have taken over 60 hours.
The post pulled exactly 503 views.
Three months later, on February 11, 2025, German police sent him a Schriftliche ΓuΓerung als Beschuldigter, the formal "written statement as the accused" notice. The charge: Β§188 StGB, insulting a person of political life.
A year on he posted the police letter with the caption "Happy anniversary to the funniest thing that ever happened to me." Per his own follow-ups, the matter ended without major consequences, though no formal outcome of the proceedings has been made public. The original tweet seems deleted.
Back in November 2024, a teen in Germany posted "olaf scholz du bastard was soll diese scheiΓe" ("olaf scholz you bastard what the hell is this shit") while staring at a Fortnite update sitting at 3%, downloading a 37.9 GB patch at roughly 173 KB/s. At that rate the install would have taken over 60 hours.
The post pulled exactly 503 views.
Three months later, on February 11, 2025, German police sent him a Schriftliche ΓuΓerung als Beschuldigter, the formal "written statement as the accused" notice. The charge: Β§188 StGB, insulting a person of political life.
A year on he posted the police letter with the caption "Happy anniversary to the funniest thing that ever happened to me." Per his own follow-ups, the matter ended without major consequences, though no formal outcome of the proceedings has been made public. The original tweet seems deleted.
π16π€£3β€1π1
Media is too big
VIEW IN TELEGRAM
βΌοΈπ©πͺ This is what German police actually do with their time now. Going door to door, seizing tablets and phones from pensioners over memes and tweets. The case of the Fortnite teen getting accused for cursing out Olaf Scholz is not an isolated one.
Prosecutors can now open cases on their own under "special public interest." The politician doesn't need to file anything. The result is a steady drip of cases that look insane from the outside and barely register inside the system.
Germany has a law problem.
The Β§188 StGB statute, "insulting a person of political life," got beefed up by the Bundestag in 2021.
This has led to the following absurd cases:
- Pimmelgate (2021): Hamburg interior senator Andy Grote got called a "Pimmel" (dick) on Twitter after he was caught violating his own COVID restrictions. Police raided the user's apartment at 6 a.m. with six officers. The Hamburg regional court later ruled the raid disproportionate. The term "Pimmelgate" became national shorthand for state overreach.
- The Schwachkopf-AffΓ€re (2024): Stefan Niehoff, a 64-year-old pensioner, reposted an edited meme putting Robert Habeck on a fake "Schwachkopf Professional" shampoo bottle (roughly: "Professional Moron"). Reported via a state-linked "trusted flagger" pipeline, police raided his home at dawn in November 2024 and seized his tablet while his wife and his daughter with Down syndrome were home. Habeck filed the complaint. The main insult charge was later dropped, but Niehoff was fined β¬825 on related counts. He died in early 2026. The case became the single most-cited symbol of the law's reach.
- The Merz "Pinocchio" probe (per Brussels Signal): a pensioner reportedly commented "Pinocchio is coming to HN" with a long-nose emoji on a police post about Chancellor Friedrich Merz visiting Heilbronn. Police flagged it during routine monitoring and opened a full Β§188 file, sending him a formal letter. Legal commentators have called the comment protected satirical speech.
- The David Bendels case: the right-wing journalist shared a photomontage mocking then-Interior Minister Nancy Faeser. He was initially given a 7-month suspended prison sentence. On appeal in 2026, he was acquitted. The court ruled the satire was protected political expression.
The pattern is the same every time. A low-engagement post or meme triggers a complaint. Prosecutors open a Β§188 file. Police execute a dawn raid or send a formal letter. Months or years later, a judge throws it out or dramatically narrows it.
By that point the damage is already done. Devices are seized. Names are on file. Pensioners are dragged through a criminal process for posting a shampoo joke.
This is what "wehrhafte Demokratie," aka militant democracy, looks like in 2026.
Prosecutors can now open cases on their own under "special public interest." The politician doesn't need to file anything. The result is a steady drip of cases that look insane from the outside and barely register inside the system.
Germany has a law problem.
The Β§188 StGB statute, "insulting a person of political life," got beefed up by the Bundestag in 2021.
This has led to the following absurd cases:
- Pimmelgate (2021): Hamburg interior senator Andy Grote got called a "Pimmel" (dick) on Twitter after he was caught violating his own COVID restrictions. Police raided the user's apartment at 6 a.m. with six officers. The Hamburg regional court later ruled the raid disproportionate. The term "Pimmelgate" became national shorthand for state overreach.
- The Schwachkopf-AffΓ€re (2024): Stefan Niehoff, a 64-year-old pensioner, reposted an edited meme putting Robert Habeck on a fake "Schwachkopf Professional" shampoo bottle (roughly: "Professional Moron"). Reported via a state-linked "trusted flagger" pipeline, police raided his home at dawn in November 2024 and seized his tablet while his wife and his daughter with Down syndrome were home. Habeck filed the complaint. The main insult charge was later dropped, but Niehoff was fined β¬825 on related counts. He died in early 2026. The case became the single most-cited symbol of the law's reach.
- The Merz "Pinocchio" probe (per Brussels Signal): a pensioner reportedly commented "Pinocchio is coming to HN" with a long-nose emoji on a police post about Chancellor Friedrich Merz visiting Heilbronn. Police flagged it during routine monitoring and opened a full Β§188 file, sending him a formal letter. Legal commentators have called the comment protected satirical speech.
- The David Bendels case: the right-wing journalist shared a photomontage mocking then-Interior Minister Nancy Faeser. He was initially given a 7-month suspended prison sentence. On appeal in 2026, he was acquitted. The court ruled the satire was protected political expression.
The pattern is the same every time. A low-engagement post or meme triggers a complaint. Prosecutors open a Β§188 file. Police execute a dawn raid or send a formal letter. Months or years later, a judge throws it out or dramatically narrows it.
By that point the damage is already done. Devices are seized. Names are on file. Pensioners are dragged through a criminal process for posting a shampoo joke.
This is what "wehrhafte Demokratie," aka militant democracy, looks like in 2026.
π€£11β€1π1π1
βΌοΈπ¨ BREAKING: The "British patriot" Facebook pages flooding UK feeds with anti-Muslim AI slop are not British. One of them is in fact a devout Muslim living in Pakistan who makes $1,500/month posting Islamophobic content.
They have monetised feeding hate against their own people.
A Sri Lankan operator claims $300K career earnings and runs a course with 2,500 graduates.
A 7-month Bureau of Investigative Journalism probe traced the operators.
Source: https://www.theguardian.com/commentisfree/2026/may/19/social-media-facebook-ai-slop-hateful-south-asia
They have monetised feeding hate against their own people.
A Sri Lankan operator claims $300K career earnings and runs a course with 2,500 graduates.
A 7-month Bureau of Investigative Journalism probe traced the operators.
Source: https://www.theguardian.com/commentisfree/2026/may/19/social-media-facebook-ai-slop-hateful-south-asia
π€£12π₯7π©3π1
βΌοΈπ¨ MAJOR IMPACT: The 18-year-old NGINX critical RCE vulnerability "NGINX Rift" (CVE-2026-42945) now WORKS with ASLR turned ON.
PoC code with the ASLR bypass has just been published on GitHub.
https://github.com/Hamid-K/nginx-rift-private-lab
PoC code with the ASLR bypass has just been published on GitHub.
https://github.com/Hamid-K/nginx-rift-private-lab
π3π2
βΌοΈπ¨ BREAKING: GitHub has been compromised by TeamPCP. GitHub has confirmed the internal breach. A poisoned VS Code extension on an employee device exfiltrated ~3,800 internal repositories.
TeamPCP is already selling the data on a cybercrime forum.
https://x.com/github/status/2056949168208552080
TeamPCP is already selling the data on a cybercrime forum.
https://x.com/github/status/2056949168208552080
π€―11π6π€3β€2π’2π2
βΌοΈ Meet the guy who allegedly stabbed Henry Nowak, a student who died at 18. He was stabbed five times, and bodycam footage shows police handcuffed the dying victim after the suspect claimed he had been racially abused and does not carry a knife. Yet we found a photo of him carrying his knife in public...
The suspect "Vickrum Digwa" can be seen wearing his "religious" Sikh knife, or "kirpan". Sikhs have a clear, statutory defence to possess and wear a kirpan in public in the UK. Two-tier policing, written into statute.
The suspect "Vickrum Digwa" can be seen wearing his "religious" Sikh knife, or "kirpan". Sikhs have a clear, statutory defence to possess and wear a kirpan in public in the UK. Two-tier policing, written into statute.
π©11π€―5β€1π1π’1
βΌοΈπ¨ Drupal CMS (which powers about 1 in 100 websites on the internet) has just released, not a 'critical' vuln patch, but a 'highly critical' patch to fix a SQL injection vuln.
This vulnerability only affects sites using PostgreSQL.
ID: CVE-2026-9082
This vulnerability only affects sites using PostgreSQL.
ID: CVE-2026-9082
βΌοΈ AI gooners be warned: the FBI and DOJ announced the arrests of Cornelius Shannon and Arturo Hernandez, both charged with violations of the TAKE IT DOWN Act, which prohibits nonconsensual publication of AI-generated deepfake pornography.
Shannon and Hernandez allegedly posted thousands of images and videos that appeared to depict real people nude and engaging in sexual acts. Victims included actresses, singers, elected officials, and private acquaintances of the defendants.
Shannon, 51, of New Jersey, ran 360 albums depicting ~90 female victims, viewed millions of times. Hernandez, 20, of Texas, posted 113 albums depicting ~50 victims, including non-public figures whose innocent photos were morphed into explicit content.
The DOJ is charging conduct from May 19, 2025 onward, the day President Trump signed the TAKE IT DOWN Act into law. Both men allegedly kept posting for a full year after that date, into the new federal statute.
Each defendant faces up to 2 years in federal prison.
Shannon and Hernandez allegedly posted thousands of images and videos that appeared to depict real people nude and engaging in sexual acts. Victims included actresses, singers, elected officials, and private acquaintances of the defendants.
Shannon, 51, of New Jersey, ran 360 albums depicting ~90 female victims, viewed millions of times. Hernandez, 20, of Texas, posted 113 albums depicting ~50 victims, including non-public figures whose innocent photos were morphed into explicit content.
The DOJ is charging conduct from May 19, 2025 onward, the day President Trump signed the TAKE IT DOWN Act into law. Both men allegedly kept posting for a full year after that date, into the new federal statute.
Each defendant faces up to 2 years in federal prison.
π€£9β€3
βΌοΈ Steam has listed a game in which you whip Black slaves to keep them working, called "Plantation Simulator".
It costs $0.83 USD. The developer, FzzyBzzy, describes the content on the Steam page like this:
"In this game, you will be whipping black people to keep your farm productive. If you whip your black person too much, they will die."
It costs $0.83 USD. The developer, FzzyBzzy, describes the content on the Steam page like this:
"In this game, you will be whipping black people to keep your farm productive. If you whip your black person too much, they will die."
π₯°11π₯7π€―4π€£3π2β€1π€¬1π1π1