‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Sources:
https://reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/
https://blog.ammaraskar.com/github-token-stealing/
‼️🚨 German police have been buying commercial location data, harvested from phone apps and resold by data brokers, to track phones without a warrant. An investigation confirmed at least two state criminal offices did it.
Experts call it likely unlawful; a data-protection authority is now investigating.
Source: https://netzpolitik.org/2026/daten-schwarzmarkt-deutsche-polizei-nutzt-offenbar-rechtswidrig-databroker/
🛩️ This is so cool: A Redditor living under SFO's takeoff path built a ceiling projection that maps every plane flying over their house in real time, using ADS-B, the open radio signal aircraft broadcast on 1090 MHz. Same feed as FlightRadar24, picked up with a cheap SDR dongle and beamed onto the ceiling.
🚨🇩🇪 Germany just fined a citizen up to a month's income for posting "Lügenfritz" ("Lying Fritz") about Chancellor Friedrich Merz in a Facebook comment.
Politicians love to call themselves the guardians of democracy. But Germany has a special law that gives politicians MORE legal protection from insults than ordinary citizens get. The powerful, shielded from the powerless who criticize them.
Fining people for airing their opinion is how you take free speech away. It makes the government the editor of every sentence you publish.
🤡 And here's the kicker: German MPs have "Indemnität", near-total lifelong legal immunity for what they say in parliament.
https://www.welt.de/politik/deutschland/article6a1ee49d1f46a650bff5cf50/mehrere-verfahren-beleidigung-von-merz-unter-facebook-post-gericht-verhaengt-hohe-geldstrafe-fuer-luegenfritz.html
⁉️ Peak slop achieved: Microsoft announced "Scout," an always-on AI agent that reads your email and chats and acts on your behalf unprompted. They call it an "Autopilot." It's the sloppification of work: AI slop now runs all day reading your inbox.
‼️🚨 A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar.
The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at .claude, .cursor, .gemini, and .vscode paths, a separate persistence and repo-poisoning angle.
Source: https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm
⁉️ Google employees are flooding an internal meme board with posts about how bad the company's AI is.
A source says dozens of anti-AI memes are posted weekly, spiking when models update or their internal coding tool Jetski breaks. One, with over 400 upvotes, showed Jetski admitting it fabricated report metrics.
Engineers say AI removed the code-gen bottleneck but jammed everything else: testing, build times, and human review now drowning in code nobody wrote.
CEO Pichai says 75% of new code is AI-generated, btw.
Via 404Media https://www.404media.co/google-employees-internally-share-memes-about-how-its-ai-sucks/?ref=daily-stories-newsletter
‼️ The alienation continues: more security researchers are sticking up the middle finger after feeling squeezed by Microsoft and GitHub. MSRC emailed Black Hat USA 2026 presenters asking which MSRC cases, VULN-IDs, or CVEs their talks would cover. GitHub told a researcher to delete his public PoC repos and flagged his accounts under ToS.
⁉️🚨 Zcash crashes nearly 50% after an AI-powered white-hat researcher, using Claude Opus, found a critical flaw in Zcash's privacy pool (Orchard) that could mint unlimited, undetectable counterfeit ZEC.
It went unnoticed for 4 years until the emergency patch on June 1...
⁉️🚨 An Israeli company has backdoored hundreds of millions of households through countless Smart TV apps, and they're quietly turning Samsung and LG TVs into exit nodes for AI web-scraping. Your TV is relaying strangers' web traffic from your home IP, your bandwidth, your address attached to whatever those scraping jobs touch.
Roku, Fire TV and Google TV banned the practice. Samsung and LG didn't. The culprit is Bright Data's proxy SDK, which rides inside Tizen and webOS apps, 200+ on webOS alone. Datacenter IPs get blocked, home IPs don't.
Include Security reverse-engineered the SDK and found its relay protocol has no message signing, authentication, or device attestation. Their words: less secure than typical malware command-and-control.
To make things worse, they found that on iOS the relay tunnel binds straight to the physical network interface, so it routes around any VPN the user is running.
Bright Data's config also ships per-country tiers. Devices in Uzbekistan and Oman are cleared to relay down to 1% battery, with data caps up to 60x the worldwide default.
Before the BaCkDoOrEd replies land: technically you agreed. In practice you were enrolled into a global proxy network you were never given the information to refuse. And these exit nodes drag down your IP's reputation, potentially leaving you with blocks from providers.
Read: https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/