βοΈπ¨ BREAKING: Security researchers are now handing Nightmare-Eclipse vulnerabilities for free, in what looks like both a show of support and a reaction to how Microsoft treats researchers. First up: "Bitskrieg," violates Secure Boot trust and fully bypasses BitLocker.
It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
β€26π₯6π₯°3
βοΈ Google wants to release up to 64 million male mosquitoes in Florida and California, infected with a bacteria that makes them mate with wild females and produce eggs that never hatch.
The plan comes from Verily's "Debug" project. The released males carry Wolbachia, a naturally occurring bacteria (not genetic engineering). Males don't bite, so the releases shouldn't add to the biting. But when they mate with wild females, the eggs fail to hatch, suppressing the population over time.
The scale: up to 16 million males per state each year, for two years. That's up to 64 million total across both states. The EPA is reviewing the experimental use permit and has flagged it as potentially of "regional and national significance," which is why it opened public comment.
The technique isn't new. Wolbachia-based control has been trialed for years, and the Florida Keys Mosquito Control District is already testing a similar approach.
Source: https://www.federalregister.gov/documents/2026/04/20/2026-07625/pesticide-experimental-use-permit-receipt-of-application-comment-request-february-2026
The plan comes from Verily's "Debug" project. The released males carry Wolbachia, a naturally occurring bacteria (not genetic engineering). Males don't bite, so the releases shouldn't add to the biting. But when they mate with wild females, the eggs fail to hatch, suppressing the population over time.
The scale: up to 16 million males per state each year, for two years. That's up to 64 million total across both states. The EPA is reviewing the experimental use permit and has flagged it as potentially of "regional and national significance," which is why it opened public comment.
The technique isn't new. Wolbachia-based control has been trialed for years, and the Florida Keys Mosquito Control District is already testing a similar approach.
Source: https://www.federalregister.gov/documents/2026/04/20/2026-07625/pesticide-experimental-use-permit-receipt-of-application-comment-request-february-2026
π€9π±5π2β€1π₯°1
A United Airlines Boeing 767 made an emergency return to Newark because a 16-year-old passenger had named his personal Bluetooth speaker "BOMB."
United Flight 236 was heading to Palma de Mallorca, Spain, and was nearly two hours into the transatlantic crossing when the discoverable speaker name popped up on nearby phones in the cabin. A passenger flagged it, the crew looped in United's operations center in Chicago, and announcements began ordering everyone to turn off Bluetooth or the plane would turn back. After repeated warnings and a final one-minute ultimatum, two devices were still showing. The jet squawked 7700 and returned to Newark.
The aircraft was taxied to a remote stand and met by airport police and federal agents. Passengers deplaned with only passports and phones, leaving belongings on board, and were bussed back through TSA rescreening. The teen reportedly admitted the speaker was his and was taken into custody.
The same 767 eventually flew the route as a replacement, departing around 2:30 AM, roughly nine hours behind schedule. It's the second name-based scare on United this month, after a Wi-Fi hotspot reading "Free Palestine, F Zionists" drew an FBI warning from a pilot.
See photos: https://www.reddit.com/r/unitedairlines/comments/1tsk81w/ua_236_the_bluetooth_flight/?rdt=55081
United Flight 236 was heading to Palma de Mallorca, Spain, and was nearly two hours into the transatlantic crossing when the discoverable speaker name popped up on nearby phones in the cabin. A passenger flagged it, the crew looped in United's operations center in Chicago, and announcements began ordering everyone to turn off Bluetooth or the plane would turn back. After repeated warnings and a final one-minute ultimatum, two devices were still showing. The jet squawked 7700 and returned to Newark.
The aircraft was taxied to a remote stand and met by airport police and federal agents. Passengers deplaned with only passports and phones, leaving belongings on board, and were bussed back through TSA rescreening. The teen reportedly admitted the speaker was his and was taken into custody.
The same 767 eventually flew the route as a replacement, departing around 2:30 AM, roughly nine hours behind schedule. It's the second name-based scare on United this month, after a Wi-Fi hotspot reading "Free Palestine, F Zionists" drew an FBI warning from a pilot.
See photos: https://www.reddit.com/r/unitedairlines/comments/1tsk81w/ua_236_the_bluetooth_flight/?rdt=55081
π€£24π3π€―2
Media is too big
VIEW IN TELEGRAM
βΌοΈπ¨ BREAKING: Meta's AI feature let attackers hijack Instagram accounts for days with nothing but a username. It was being A/B tested on a slice of users, and if you were in the test, you couldn't turn it off. Among the casualties: the official Obama White House account.
The method: get on a VPN near the target's region, ask the Meta AI support agent to send a verification code to any email you control, relay that code back to the agent, and it hands over a password reset link. Without ID or human review. From there, the account is yours.
The flaw lived in the AI's logic layer, which acted on recovery requests with no real identity checks. One researcher compared it to the Roblox AI assistant exploit from days earlier, where you needed a target's billing info. Instagram was easier: the username and a regional VPN were enough and victims reported sessions revoked and passwords changed with no email, text, or push alert at all.
By the time it went public, the method was common knowledge in blackhat Telegram circles and had been used to allegedly hijack 100+ high-value accounts.
Accounts hit:
- obamawhitehouse (the archived official Obama White House account, ~2.4M followers. Hackers posted an AI-generated image captioned "The White House is under Shiites' control," plus cryptic anti-Trump and pro-Iranian Stories. Meta confirmed the hack and scrubbed it.
- Premium short handles like hey and jowo, worth over $1M combined, stolen and flipped on Telegram.
- albert (owned by Albert Renshaw), whose owner publicly reported being locked out and unable to reach Meta support.
Meta has since patched it. There was no public acknowledgment.
The method: get on a VPN near the target's region, ask the Meta AI support agent to send a verification code to any email you control, relay that code back to the agent, and it hands over a password reset link. Without ID or human review. From there, the account is yours.
The flaw lived in the AI's logic layer, which acted on recovery requests with no real identity checks. One researcher compared it to the Roblox AI assistant exploit from days earlier, where you needed a target's billing info. Instagram was easier: the username and a regional VPN were enough and victims reported sessions revoked and passwords changed with no email, text, or push alert at all.
By the time it went public, the method was common knowledge in blackhat Telegram circles and had been used to allegedly hijack 100+ high-value accounts.
Accounts hit:
- obamawhitehouse (the archived official Obama White House account, ~2.4M followers. Hackers posted an AI-generated image captioned "The White House is under Shiites' control," plus cryptic anti-Trump and pro-Iranian Stories. Meta confirmed the hack and scrubbed it.
- Premium short handles like hey and jowo, worth over $1M combined, stolen and flipped on Telegram.
- albert (owned by Albert Renshaw), whose owner publicly reported being locked out and unable to reach Meta support.
Meta has since patched it. There was no public acknowledgment.
β€8π±6π2π₯1π©1
βΌοΈπ¨ BREAKING: Nvidia is entering the CPU market. At Computex, the company announced its RTX Spark chips, full Arm-based processors that run Windows and put Nvidia in direct competition with Intel, AMD, and Qualcomm.
This is the long-rumored "N1X" silicon. RTX Spark pairs a 20-core Grace Arm CPU (custom-built with MediaTek) and a Blackwell GPU with 6,144 CUDA cores, the same core count as a desktop RTX 5070, though the laptop version runs at far lower power (45-80W). The two are linked over NVLink-C2C and share up to 128GB of unified LPDDR5X memory accessible to both CPU and GPU, an approach similar to Apple's M-series but on a larger scale.
Nvidia is positioning it as an AI chip first. It claims RTX Spark can run agents like OpenClaw and Codex locally, render 90GB 3D scenes, edit 12K video on the built-in Blackwell encoder, and run 120-billion-parameter models on-device, up to 1 petaFLOP of FP4 AI performance.
But it games too. Nvidia demoed Forza Horizon 6 and 007: First Light, claiming 1440p at 100fps with ray tracing (with DLSS). That's a far stronger gaming profile than any prior Windows-on-Arm chip. Optimized versions of Photoshop and Premiere are coming later this year, reportedly up to twice as fast.
This makes Nvidia the second major Arm-for-Windows supplier after Qualcomm, whose Microsoft exclusivity has now lapsed. Microsoft is already in: the new Surface Laptop Ultra is built on RTX Spark from the silicon up. First laptops ship this fall from ASUS, Dell, Microsoft, MSI, and Lenovo. Nvidia says it'll ship new Windows chips every two years, with a Rubin-GPU version on the roadmap.
This is the long-rumored "N1X" silicon. RTX Spark pairs a 20-core Grace Arm CPU (custom-built with MediaTek) and a Blackwell GPU with 6,144 CUDA cores, the same core count as a desktop RTX 5070, though the laptop version runs at far lower power (45-80W). The two are linked over NVLink-C2C and share up to 128GB of unified LPDDR5X memory accessible to both CPU and GPU, an approach similar to Apple's M-series but on a larger scale.
Nvidia is positioning it as an AI chip first. It claims RTX Spark can run agents like OpenClaw and Codex locally, render 90GB 3D scenes, edit 12K video on the built-in Blackwell encoder, and run 120-billion-parameter models on-device, up to 1 petaFLOP of FP4 AI performance.
But it games too. Nvidia demoed Forza Horizon 6 and 007: First Light, claiming 1440p at 100fps with ray tracing (with DLSS). That's a far stronger gaming profile than any prior Windows-on-Arm chip. Optimized versions of Photoshop and Premiere are coming later this year, reportedly up to twice as fast.
This makes Nvidia the second major Arm-for-Windows supplier after Qualcomm, whose Microsoft exclusivity has now lapsed. Microsoft is already in: the new Surface Laptop Ultra is built on RTX Spark from the silicon up. First laptops ship this fall from ASUS, Dell, Microsoft, MSI, and Lenovo. Nvidia says it'll ship new Windows chips every two years, with a Rubin-GPU version on the roadmap.
π₯9β€2π₯°2
βοΈ Nvidia's next-gen Vera Rubin datacenter platform is now in full production. It pairs a CPU and GPU tightly linked over NVLink, and the CPU half means Nvidia is now coming for Intel and AMD's territory too.
The Rubin GPU (the Blackwell successor) delivers:
- up to 5x faster inference, 3.5x faster training
- 50 petaflops per system (vs 10 on Blackwell)
- inference cost cut to ~1/7
But the quieter big move is Vera, the new CPU half of the platform, now sold as a standalone server chip aimed directly at x86:
- "The CPU for Agents," claims 1.8x faster task completion than x86 on AI workloads
- 88 custom Arm cores, 176 threads, 227 billion transistors (Grace had 72 cores / 64B)
- 2x the memory bandwidth and 3x the bandwidth-per-core of x86 with DDR5
Early customers: Anthropic, OpenAI, xAI, ByteDance, CoreWeave, Oracle. Ships this fall.
The Rubin GPU (the Blackwell successor) delivers:
- up to 5x faster inference, 3.5x faster training
- 50 petaflops per system (vs 10 on Blackwell)
- inference cost cut to ~1/7
But the quieter big move is Vera, the new CPU half of the platform, now sold as a standalone server chip aimed directly at x86:
- "The CPU for Agents," claims 1.8x faster task completion than x86 on AI workloads
- 88 custom Arm cores, 176 threads, 227 billion transistors (Grace had 72 cores / 64B)
- 2x the memory bandwidth and 3x the bandwidth-per-core of x86 with DDR5
Early customers: Anthropic, OpenAI, xAI, ByteDance, CoreWeave, Oracle. Ships this fall.
π₯΄9π₯4β€2π1
βοΈ Over 30 official Red Hat npm packages were compromised. How they got in:
- A Red Hat employee's GitHub account was compromised.
- Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request.
- Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1.
- The commits added a workflow (ci.yaml) + script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.
Source: https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
- A Red Hat employee's GitHub account was compromised.
- Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request.
- Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1.
- The commits added a workflow (ci.yaml) + script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.
Source: https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
π15π€£2π¨2β€1
βΌοΈπ¨ BREAKING: Yet another Instagram exploit exists due to Meta's AI chatbot having no proper guardrails. Sellers are now using it to grab premium one-letter usernames, by tricking the AI with hidden characters, then talking it into applying the change. Monitor bots already show OG handles getting swapped.
β€14π1
βΌοΈπ¨ BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Sources:
https://reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/
https://blog.ammaraskar.com/github-token-stealing/
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Sources:
https://reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/
https://blog.ammaraskar.com/github-token-stealing/
π₯11β€2
βΌοΈπ¨ German police have been buying commercial location data, harvested from phone apps and resold by data brokers, to track phones without a warrant. An investigation confirmed at least two state criminal offices did it.
Experts call it likely unlawful; a data-protection authority is now investigating.
Source: https://netzpolitik.org/2026/daten-schwarzmarkt-deutsche-polizei-nutzt-offenbar-rechtswidrig-databroker/
Experts call it likely unlawful; a data-protection authority is now investigating.
Source: https://netzpolitik.org/2026/daten-schwarzmarkt-deutsche-polizei-nutzt-offenbar-rechtswidrig-databroker/
π±13π1
This media is not supported in your browser
VIEW IN TELEGRAM
π©οΈ This is so cool: A Redditor living under SFO's takeoff path built a ceiling projection that maps every plane flying over their house in real time, using ADS-B, the open radio signal aircraft broadcast on 1090 MHz. Same feed as FlightRadar24, picked up with a cheap SDR dongle and beamed onto the ceiling.
β€11π₯5
π¨π©πͺ Germany just fined a citizen up to a month's income for posting "LΓΌgenfritz" ("Lying Fritz") about Chancellor Friedrich Merz in a Facebook comment.
Politicians love to call themselves the guardians of democracy. But Germany has a special law that gives politicians MORE legal protection from insults than ordinary citizens get. The powerful, shielded from the powerless who criticize them.
Fining people for airing their opinion is how you take free speech away. It makes the government the editor of every sentence you publish.
π€‘ And here's the kicker: German MPs have "IndemnitΓ€t", near-total lifelong legal immunity for what they say in parliament.
https://www.welt.de/politik/deutschland/article6a1ee49d1f46a650bff5cf50/mehrere-verfahren-beleidigung-von-merz-unter-facebook-post-gericht-verhaengt-hohe-geldstrafe-fuer-luegenfritz.html
Politicians love to call themselves the guardians of democracy. But Germany has a special law that gives politicians MORE legal protection from insults than ordinary citizens get. The powerful, shielded from the powerless who criticize them.
Fining people for airing their opinion is how you take free speech away. It makes the government the editor of every sentence you publish.
π€‘ And here's the kicker: German MPs have "IndemnitΓ€t", near-total lifelong legal immunity for what they say in parliament.
https://www.welt.de/politik/deutschland/article6a1ee49d1f46a650bff5cf50/mehrere-verfahren-beleidigung-von-merz-unter-facebook-post-gericht-verhaengt-hohe-geldstrafe-fuer-luegenfritz.html
π©14π€¬8π€―2π1
βοΈ Peak slop achieved: Microsoft announced "Scout," an always-on AI agent that reads your email and chats and acts on your behalf unprompted. They call it an "Autopilot." It's the sloppification of work: AI slop now runs all day reading your inbox.
π©14π3π€¬2π€£2