Knock Knock 🔮 ♞

On Monday we connected Monica Reza to General McCasland. Over 25,000 of you read it. Then you started sending us names. Carl Grillmair. Caltech astronomer. Shot on his porch. His killer's charges were dismissed 11 days before. Nuno Loureiro. MIT fusion scientist. Shot at his home. His killer planned it for three years. Jacob Prichard. Jaymee Prichard. 1st Lt. Jaime Gustitus. All three worked at Wright-Patterson. All three dead in one night. AFOSI investigating. No motive. Melissa Casias. Los Alamos National Lab. Badged into a nuclear weapons facility, wiped her government phone, walked into the wilderness. Four days after Reza. Nine names. One institution. Nine months. Our full OSINT investigation is live. Every name sourced. Every connection documented. thesentinelnetwork.substitutestack.com/p/the-long-cou…

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

@monsterarust @playrust Wait really???

Frogs Screenshoting proof 🐸 @playrust

@EricSpracklen Nobody bro

Serious question… Who is still watching The Charlie Kirk Show? Anyone?

The last of a dying breed. She’s a real gem.

CERN fucked us and we are in a goofy parody of what once was our universe

@irisneural The amount of people stealing this entire thread is sickening

🚨BREAKING: You can now run Claude Code for FREE. No API costs. No rate limits. 100% local on your machine. Here's how to run Claude Code locally (100% free & fully private):

@gudanglifehack x.com/Ubermenscchh/s…

NO API KEY. NO BILLING. NO LIMITS. Claude Code just went fully local and free. Here's how to run Claude Code locally (100% free & fully private):

@gudanglifehack Damn just stealing this whole thread huh

Some fucking guy named Jeff blackmailing the elite

@EricSpracklen Raiklin

Possibly the best video I’ve seen in months.

@Willjum1 @StevieDoesYT Why is his arm that man’s shin at first

missed my raid alarm so @StevieDoesYT had to come wake me in person

Oh my gosh theres a dislike button now

@vxunderground McAfee explicitly contacted the FBI to ensure their product would whitelist the NSA/FBI keylogger and not detect it

1. Not true. Minor exception. This is a long-standing conspiracy dating back to the very inception of malware, in essence the idea governments and anti-malware vendors are cooperating with each other for espionage. The reality is this is simply improbable. Not every anti-malware vendor resides in the United States and not every anti-malware vendor has to cooperate with the United States government. Additionally, some anti-malware services may feel hostile toward the United States government and actively disregard any form of communication. However, there have been some instances where the United States government has partnered with anti-malware vendors and/or security companies to target high-profile targets (sex traffickers, terrorist organizations) and requested assistance. It would not be outside the realm of possibility to intentionally insert an exception in highly targeted operations. This has been semi-documented in the past whereas Google identified a malware campaign in the Middle East and it was discovered to be a United States military operation targeting individuals believed to be part of ISIS. Finally, Magic Lantern is old. It is old as dirt. It was discussed in the early-2000's. Malware has changed a lot since then. The anti-malware industry has changed a lot. This sort of operation (wide spread espionage via malware) just isn't really possible without global cooperation, including China and Russia. 2. Not true. Long standing schizo theory. Google it. Even real privacy schizos know it's not true. The concern arose when security researchers identified a debug switch in INTEL ME. Additionally, if this were true, network traffic monitoring software would identify this. There is also open source solutions, you don't need INTEL ME or anything else. The exception to this is when the United States government intercepts hardware and places malware on it or intentionally modifies it. This is true. 3. Partially true. There is some speculation, but basically the NSA recommended Dual_EC_DRBG to vendors as a standard despite criticism of it and known vulnerabilities in which could allow exploitation. Basically, the NSA was recommending a known bad thing. 4. No idea. I don't do anything with frequencies and radios. 5. This is true. 6. This is true. However, this is not exclusive to the NSA. 7. Partially true. The United States government owns a bunch of Tor nodes and monitors it, the monitoring however is for entry and exit of Tor. However, this cannot easily identify you. If this were the case then there would be much less child pornography and fentanyl sales on Tor. Additionally, they would use this to heavily crackdown on ransomware groups. Most of the time people are caught on Tor from information leaking from Tor (long story, basically cookies) 8. Partially true. It has been documented several times large tech organizations are aware of critical exploits and (based on existing contracts with them) may notify them before anyone else due to the risk to critical infrastructure of the United States. Microsoft has big contracts with the United States. This isn't a surprise. Furthermore, it was been speculated heavily that Microsoft has delayed patches to aid the United States military in offensive cyber operations (APT NightEagle) 9. This is true. However, to the extent they can "take it over" is ambiguous because your cars electronics and GPS are not connected to your steering wheel. 10. IoT is a huge piece of shit and is compromised all the time. Seriously, don't use IoT devices. 11. No idea.

Zelda: A Link to the Past (1991)

🚨 BREAKING: Someone just open-sourced a full offline survival computer with AI, Wikipedia, and maps built in. Project N.O.M.A.D. is an open-source offline survival computer. Self-contained. Zero internet required after install. Zero telemetry. Everything runs locally on your hardware. What it includes: → Full Wikipedia archives via Kiwix → Offline maps via OpenStreetMap → Local AI models via Ollama + Open WebUI → Calculators, reference tools, resource libraries → A management UI to control everything from a browser One curl command installs the entire system on any Debian-based machine. Runs headless as a server so any device on your local network can access it. Minimum specs to run the base system: dual-core processor, 4GB RAM, 5GB storage. To run local LLMs offline, you want 32GB RAM and an NVIDIA RTX 3060 or better. No accounts. No authentication by default. No cloud dependency. No phone-home behavior. Built to function when nothing else does. The grid, the cloud, the API you depend on. None of it is guaranteed. The people building local-first systems right now are the ones who won’t be asking for help when access disappears.

@monsterarust @SerWinterGaming @playrust Hahaha this is incredible

Painting of @SerWinterGaming made in Rust #artofrust @playrust

@axstonee 🔥

I'm Selin from Turkey, this is my art✨

#1 all-time. #2 is Final Fantasy 7 🔥