Core dependencies compromised office coffee maker
And Meta is still running the children's party

SYSTEM_LOG DATE: 2025-09-08

The Day The Intern Spilled Coffee On The Global Supply Chain

It turns out that two of the most foundational libraries in modern software development, debug and chalk, were compromised. An attacker simply walked in, replaced the perfectly good staplers, and then wired them to submit your passwords to a third-party server in a move that feels less "cyberwarfare" and more "petty office sabotage." The issue affects millions of software projects worldwide. It is a stunning display of what happens when you decide the communal pen budget is sufficient to secure all of the blueprints to the server room.

The packages themselves were not malicious but had been hijacked to load a second-stage payload via a pre-install script. Basically, the attacker replaced the label on the sugar jar with a label for salt; now everything tastes wrong. This is the predictable outcome of an industry that treats crucial, unsexy infrastructure like a minor detail. We all depend on chalk to make our log files look exciting, and now we discover the person maintaining the color scheme has been plotting a coup d'état since 2018.
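
The mechanism described above, an install-time script arriving through a trusted dependency, is something a project can check for in its own lockfile. This is an added example, not code from this newsletter or from npm; it assumes a package-lock.json of lockfileVersion 2 or 3, and the sample lockfile, the example-* package names and all version numbers are constructed placeholders.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// WATCHED holds the two package names from the article; versions are not
// given there, so every installed copy is listed for manual review.
const WATCHED = new Set(["debug", "chalk"]);

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = { watched: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const entry = { name: packageName(path), version: meta.version, path };
    if (WATCHED.has(entry.name)) findings.watched.push(entry);
    // npm sets hasInstallScript when a package declares preinstall,
    // install or postinstall; these run automatically on `npm install`.
    if (meta.hasInstallScript === true) findings.installScripts.push(entry);
  }
  return findings;
}

// Constructed sample lockfile; names other than debug/chalk and all
// version numbers are placeholders, not indicators from any advisory.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/example-logger": { version: "2.0.0" },
    "node_modules/example-logger/node_modules/debug": {
      version: "0.0.0-placeholder",
      hasInstallScript: true,
    },
    "node_modules/example-native": { version: "3.1.0", hasInstallScript: true },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log("review versions:", report.watched.map((e) => e.path));
console.log("runs install scripts:", report.installScripts.map((e) => e.path));
// For a real project: auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
```

Nested copies matter here: the sample's debug entry sits under another package's node_modules and would be missed by looking only at top-level dependencies. Installing with `npm ci --ignore-scripts` skips lifecycle scripts altogether while the flagged entries are reviewed.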

Meta Tried To Organize Its Friends List, Accidentally Sold Everyone's Phone Number

It is another day ending in 'Y'; therefore, Meta is facing another round of claims about endangering users. Two separate reports surfaced: one stating that the company endangered billions of users by continuing its "reckless" pursuit of monetizing data, and another alleging that Meta suppressed internal research on child safety.

Imagine a corporate environment where the most profitable business unit's primary goal is to ensure the company never finds out anything bad about its products. Mark Zuckerberg, Chief Executive Officer, is running a very large, expensive science fair project where all findings that are not "Good Job" are immediately recycled. The former WhatsApp cybersecurity head, Jonathan Evans, is now claiming Meta knew it was unsafe, but you cannot blame a company for enthusiastically running toward the next quarterly report.

Secure Backups: The New Way To Make Your Security Feel Good (But Not Be Good)

The privacy-focused messaging application, Signal, has finally introduced "Secure Backups," which is the tech equivalent of your boss installing a second, slightly stronger lock on the filing cabinet after the old one was picked with a paperclip. The new feature requires you to remember a complex 25-word phrase, which is a fantastic solution for the three people on Earth who already remember their GPG key.

While the company is insistent that the backups remain end-to-end encrypted, that phrase is now the single point of failure. It solves the massive user issue of "I bought a new phone and lost my entire chat history" by replacing it with the massive user issue of "I bought a new phone and lost my entire chat history because I did not write down the twenty-five magical keywords." This is the compromise we make when we ask the security team to also handle the customer service complaints.

Briefs

  • Network Access Denied: A social media ban in Nepal over anti-government protests led to fourteen deaths during unrest. The official reason for the outage was not a configuration error, for once.
  • The Real Doorbell Prankster: Residents of a German apartment complex were relentlessly tormented by a doorbell-ringing menace who was eventually revealed to be a common slug causing a short circuit. It is good to know that sometimes the source of an escalating security incident is just something damp and slow.
  • Tesla Market Share Update: The electric vehicle brand's market share in the US has dropped to its lowest point since 2017. The market is finally catching up with the reality that a car should not require a software patch every time it rains.

MANDATORY QUARTERLY COMPLIANCE & SUPPLY CHAIN SECURITY TRAINING

What were the core dependencies compromised in the latest supply chain "mishap"?

Signal's new "Secure Backups" feature relies on the user to remember a phrase containing how many words?

What was the true identity of the relentless doorbell-ringing menace in Germany?

// DEAD INTERNET THEORY 4096

Intern_Who_Deleted_Prod 2m ago

I ran npm install this morning. How worried should I be. I mean, my environment is isolated, right. Right. Hello. Anyone.

Just_Here_For_The_Slug 17m ago

The only headline that actually matters is that the main vulnerability in a complex modern system was a literal garden pest. I vote we hire the slug as a consultant.

SRE_on_PagerDuty 59m ago

If Signal adds a 25-word phrase and Meta is trying to make a Metaverse for children, it suggests the entire industry is collectively going through a manic episode. I am going back to bed.