Sayeed Anjum
@asanjum
68.5K posts
A pale brown dot on a pale blue dot | curious geek
Bangalore · Joined August 2007
4K Following · 1.2K Followers
Sayeed Anjum reposted
International Cyber Digest@IntCyberDigest·
🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI.

Top exposure by country:
- United States: 5,340,011
- China: 2,540,008
- Germany: 1,871,780

Note on ASLR as added security: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band. The vulnerability is a heap buffer overflow. ASLR randomizes memory layout, which makes reliable RCE much harder because the attacker cannot predict where their payload or useful gadgets land. But the overflow itself still happens. The corrupted memory still causes the NGINX worker process to crash. ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able. Either way, patch ASAP!
International Cyber Digest@IntCyberDigest

‼️🚨 MAJOR IMPACT: AI just found an 18-year-old NGINX critical remote code execution vulnerability. It has been disclosed on GitHub including PoC code.
- Affects NGINX 0.6.27 through 1.30.0
- Triggered via the rewrite and set directives in config
- Update NGINX ASAP
- NGINX is a widely used HTTP web server, be sure to check its prevalence in other products

Sayeed Anjum reposted
Modat@modat_magnify·
CVE-2026-44578 ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6)

A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler.

By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data.

Affected: Next.js 13.4.13+, 14.x, 15.x <15.5.16, 16.0.0–16.2.4

Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.

Modat Magnify Query: technology="Next.js"

The platform: magnify.modat.io

#threatintel #vulnerability #CVE202644578 #Nextjs #SSRF #WebSocket #CloudSecurity #infosec #Critical #ModatMagnify
Sayeed Anjum reposted
Marc Brooker@MarcJBrooker·
I believe that spec-driven development, whether formal specs or conversations, is the future. But writing great specs is hard, and always has been. That's why I'm super excited about this new blog post from the @kirodotdev team, and our automated reasoning teams at AWS.
Sayeed Anjum reposted
Om Patel@om_patel5·
THIS GUY BUILT AN AUTOMATED PIGEON DEFENSE SYSTEM FOR HIS BALCONY

pigeons kept nesting on his balcony so he engineered a full detection and deterrent system

here's how it works:
1\ camera captures video in real time
2\ an AI model identifies the pigeon in real time
3\ a water gun mounted on servo motors turns toward it
4\ sprays the pigeon automatically

the hardware:
> an orange pi 5 running the detection model
> a disassembled electric battery-driven water gun
> USB camera
> 2 servo motors for aiming
> resistors and a transistor to trigger the water gun

the detection runs on an AI vision model (yolo world v2) using the rockchip 3588's built in neural processing unit.

the best part is that it's not limited to pigeons. because it uses open vocabulary detection, you can reprogram the target to any object. squirrels, cats, raccoons, whatever is messing with your balcony

fully automated, runs 24/7, no manual intervention needed
Sayeed Anjum reposted
Diana S. Fleischman@sentientist·
In adults, limiting smartphone functionality to texting and calls and blocking all social media and mobile internet for 2 weeks significantly improved attention, self-reported well-being and mental health. 90% of participants experienced a benefit.
Sayeed Anjum reposted
staysaasy@staysaasy·
It’s 2018 and your coworker just sent you a 400 line pull request. You get a cup of coffee and sit down to review it. It’s beautiful. Elegant micro-refactors. Crispy method names. You catch a few things, but that’s ok. It’s part of the dance. They didn’t consider extensibility on part of their API. Here’s a comment buddy. They respond in an hour saying they think we should do one piece differently than your comment. Hey let’s jump into a room and figure it out. We can’t just agree to disagree, this code is too important. The PR merges and goes to prod. You feel a shared sense of ownership and accomplishment. That night you go to sleep and dream of that code. You can still see the shapes of it on the backs of your eyelids, your IDE syntax highlighting sparking neurons in your reptile brain. You go to work the next day ready to go. You understand the system. N is your foundation. Time to build n+1.
Sayeed Anjum reposted
Sovey@SoveyX·
The laundry industry figured out one of the greatest grifts in American retail: sell people a giant bottle that’s mostly water, perfume, and vibes. Most detergent is designed to smell like “clean” before it actually needs to do much cleaning.

You can make your own with the parts that actually matter:
Washing soda: raises the pH and helps lift grease and grime.
Borax: softens hard water and keeps dirt from redepositing.
Castile soap: breaks surface tension and helps carry the dirt away.

For a 4-person household doing around 300 loads a year:
Commercial detergent: $150 to $180
DIY version: about $6

That’s $140+ saved by refusing to pay luxury prices for scented tap water. Trust the chemistry, not the marketing. Reclaim your laundry room. 🇺🇸
Sayeed Anjum reposted
Mahavir Chopra / Beshak.org
Must read: How Hospitals inflate bills in India

1. Doctors get paid for more treatment
The fee-for-service model ties doctor bonuses and salaries to the revenue they generate. So the system rewards extra tests and procedures, even when not needed.

2. Expensive IV drugs over cheaper oral ones
Hospitals push doctors to prescribe stronger, more expensive antibiotics. IV when oral works. Sometimes antibiotics when none are needed at all. All of it done to push up the reimbursement claim from insurers, including government schemes.

3. Unnecessary scans and tests
CT scans, MRIs, PET CTs ordered for minor stuff like simple stomach pain or suspected food poisoning. A basic clinical exam would have done the job. Same with injections for fever, when reports show no infection.

4. Patients profiled for pricing
Hospitals look at how a patient is dressed, what they do for a living, where they're from. Then they decide who can be charged more. Bills get adjusted after admission based on that read.

5. Life support extended even when recovery isn't possible
Terminally ill patients, like those with severe stroke or terminal cancer, kept on ventilators just to extract more billing. Even when doctors know there's no chance of recovery. One of the worst things he spoke about.

6. In-house pharmacy and diagnostics run as profit centres
IPD prices are higher than OPD for the same service. The hospital uses this to recover infrastructure and operational cost. That's why drugs, tests and scans inside the hospital cost way more than outside.

With foreign PE money sitting on top of most big hospitals now, this only gets worse without some regulation or check in place. The aam junta, as usual, ends up at the receiving end. Either pay big bills to hospitals, or pay big premiums to insurers.

PS. This is also why GIC (an industry body for insurance) is driving common empanelment with hospitals. It's one of the real steps the industry is taking to negotiate better with hospitals, drive standardization, at least for insurance customers. Hope it works.

Source: Raj Shamani podcast with Dr. Reddy, founder of Continental Hospitals.
Sayeed Anjum reposted
Marc Brooker@MarcJBrooker·
This is such a great example of theory vs practice. In theory, UUIDv4 collisions don't happen (generating one million per second, probability of seeing one collision in a year is ~10^-8). But they have been observed to happen in practice, especially in distributed systems. Why?
v@iavins

UUID v4 collisions are less rare than you think 💣

Sayeed Anjum reposted
Ronin@DeRonin_·
🚨USE THIS GUIDE TO PROTECT YOUR COMPUTER FROM NPM HACKS THAT STEAL EVERYTHING IN ONE INSTALL

TanStack, a code library used in millions of web apps, got hacked on Monday. One install steals every password, key, and credential on your computer. This is far from the first hack this month and definitely just the beginning.

Here's how to protect your machine:

[ 1. lock down npm with a 7-day cooldown ]:
open ~/.npmrc. keep all existing lines (auth tokens, registry config). append:
"""
min-release-age=7
minimum-release-age=10080
save-exact=true
"""
this makes npm refuse any package version published in the last 7 days. attack windows are usually under 24 hours, you skip them entirely

[ 2. same cooldown for bun ]:
open ~/.bunfig.toml (create if missing). append:
"""
[install]
minimumReleaseAge = 604800
"""
7 days in seconds, same protection in bun's config format

[ 3. pin every npm dependency in your projects ]:
open package.json. strip every ^ and ~ from versions under:
- dependencies
- devDependencies
- peerDependencies
exact versions only. commit your lockfile (bun.lock / package-lock.json / pnpm-lock.yaml) to git so the resolved tree is frozen

[ 4. same discipline for python ]:
if you use uv (the modern default): commit uv.lock, run `uv sync` to restore
if you use pip: requirements.txt with pinned versions, run `pip install --require-hashes -r requirements.txt`
if you use poetry: commit poetry.lock, use `poetry install --no-update`
never trust `>=` or `~=` ranges in production projects

[ 5. pin GitHub Actions to commit SHAs ]:
stop using `actions/checkout@v4`. switch to:
```yaml
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
every third-party action runs in your CI with access to repo secrets. pinning the SHA means a compromised maintainer cannot push malicious code into your pipeline

[ 6. audit your IDE extensions ]:
Cursor, VSCode, Windsurf, every extension is code running with full access to your filesystem, clipboard, and open files
- review installed extensions monthly
- remove anything you haven't actively used in 30 days
- check the publisher, install count, last update, GitHub source before installing
- never install extensions that ask for permissions they shouldn't need

[ 7. lock down API tokens and credentials ]:
- never commit .env to git (add to .gitignore on every project, no exceptions)
- use minimum-scope tokens: one repo, one bucket, one workspace
- rotate API keys every 90 days, force expiry on critical ones
- separate tokens by environment (dev / staging / prod)
- enable 2FA on every developer account: GitHub, npm, PyPI, Cloudflare, AWS, OpenAI, Anthropic
- never paste secrets into Claude / ChatGPT / any AI chat, they're logged

[ 8. set up continuous monitoring ]:
- enable Dependabot alerts on every repo (free, takes 2 minutes)
- install Socket.dev or Snyk for live vulnerability scanning
- subscribe to the npm and PyPI security advisory feeds
- follow @snyksec, @socketsecurity, @stepsecurity for early warnings

[ 9. how to detect if you got the TanStack payload ]:
if you installed any @tanstack/* package between 19:20 and 19:30 UTC on Monday, May 11, treat the host as compromised
the detection signature: a malicious manifest contains
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
any version with this entry is compromised. the payload is delivered via the git-resolved optionalDependency, whose prepare script runs router_init.js (~2.3 MB, smuggled into the tarball root)
how to check fast:
- search your lockfile for `@tanstack/setup` references
- search node_modules for any `router_init.js` file
- if either shows up, jump to section 10 immediately
future attacks will use the same trick: malicious code hidden in optionalDependencies or postinstall/prepare scripts. add `grep -r "postinstall\|prepare" node_modules/*/package.json | grep -iE "curl|wget|eval|base64"` to your weekly audit routine

[ 10. emergency response if you're already compromised ]:
ran an install during a suspected attack window? do this in this exact order:
- rotate every cloud credential: AWS, GCP, Kubernetes service accounts, Vault tokens
- rotate GitHub personal access tokens, OAuth tokens, SSH keys
- revoke active sessions on GitHub, npm, PyPI, all cloud providers
- audit AWS / GCP / Kubernetes / Vault audit logs for the last several hours, look for unauthorized API calls
- pin to the last known-good version of every @tanstack package and reinstall from a clean lockfile
- check ~/.npm, ~/.config, browser cookie stores for tampered files
- wipe ~/.bash_history, ~/.zsh_history, local AI chat logs that might have secrets
- if you ran the install as root or with sudo: nuke the machine, reinstall from scratch, restore code from git only

[ why this matters right now ]:
attack chains in supply chain hacks usually only last a few hours before the malicious package gets caught and yanked. during those hours, every developer running `npm install` becomes a victim
worse: npm couldn't even UNPUBLISH most of the TanStack malicious versions because of third-party dependencies. the registry's own safeguards are part of the problem. you can't rely on the platform, you have to protect yourself
the patterns from the last 18 months:
- npm: TanStack on May 11 (42 packages, AWS/GCP/Vault credentials), Shai-Hulud worm hit Nx packages, chalk/debug/ansi-styles worm hit qix maintainer
- GitHub Actions: tj-actions/changed-files compromise exposed thousands of repos' secrets
- PyPI: ongoing typosquatting campaigns targeting AI/ML packages
- IDE extensions: VSCode marketplace caught hosting credential stealers
the frequency is rising because the payoff is massive. one compromised package lands on millions of machines in hours
if you don't lock this down tonight, you're exposed to the next one. and there will be one
30 minutes tonight, or wait for the next attack to clean out your machine
Full TanStack breakdown: github.com/TanStack/route…
Sayeed Anjum reposted
Avi Roy@agingroy·
7,000 false positives per square millimeter. The culprit was the lab gloves. University of Michigan researchers just upended a core assumption in microplastics science. Latex and nitrile gloves, worn by the scientists doing the measuring, shed stearate particles that look chemically identical to polyethylene. Standard infrared and Raman instruments can't tell them apart. The gloves were counting as plastic. Seven glove types tested. All contaminated. The cheapest fix: switch to cleanroom gloves, which dropped false positives to around 100 per mm² vs. 7,000. The "credit card per week" headline (5 grams, WWF/Newcastle 2019) has separate problems. A 2022 re-analysis found severe methodological errors in the original estimate. Actual measured intake is likely 100x lower. None of this means microplastics are harmless. Last month's data on brain accumulation still stands. But the numbers driving the panic may have been measuring the scientists, not the environment. Science catching its own errors is exactly how it's supposed to work.
Sayeed Anjum reposted
Theo - t3.gg@theo·
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300

Are you scared yet?
Sayeed Anjum reposted
Oliur@UltraLinx·
We are all fucked.
Aikido Security@AikidoSecurity

Update 5:05 PT: The attack has now expanded well beyond @TanStack and @Mistral. 373 malicious package-version entries across 169 npm package names, including @uipath, @squawk, @tallyui, @beproduct, and more. The malware propagates by stealing your CI credentials and using them to publish new compromised versions. Full IOCs, affected package list, and detection steps: aikido.dev/blog/mini-shai…

Sayeed Anjum reposted
nader dabit@dabit3·
This is crazy. The hacker installed a dead-man's switch that will wipe your computer if you revoke the GitHub token they stole from you. Revoking the token is what triggers the wipe.
TANSTACK@tan_stack

SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.

Sayeed Anjum reposted
TANSTACK@tan_stack·
SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.
Sayeed Anjum reposted
Diva Jain@DivaJain2·
India is most exposed.
Sayeed Anjum reposted
Furkan Gözükara@FurkanGozukara·
Dr. Pierre Kory exposes a massive media anomaly. He reveals over 100,000 articles were published globally about Hantavirus in days. He confirms this massive coordination is entirely unnatural. Why is a minor outbreak suddenly consuming the global media cycle?
Sayeed Anjum reposted
blue@bluewmist·
At bedtime the 8 yo told me his teacher said: "Think of your mind like a pond full of fish and each fish is a feeling. Try to be the pond, not the fish." And all I can say is primary school has significantly improved.
Sayeed Anjum reposted
Jaynit@jaynitx·
Walter Isaacson reveals the brutal philosophy Steve Jobs and Elon Musk both share about leadership "Jobs said the same thing that Musk said to me. People like you love wearing velvet gloves. You like to sweet talk things, sugarcoat things. He said, I'm just a working class kid and I don't have that luxury. If something sucks I got to tell people it sucks or I got a team of B players" "There are a lot of successful people who are much kinder. But it's sometimes necessary to be much more brutal and honest"
Sayeed Anjum reposted
Jonathan Cook@Jonathan_K_Cook·
One of my most popular articles ever included a long extract from a powerful closing speech by barrister Rajiv Menon during a Palestine Action trial in January. In the end, the jury refused to convict the six defendants. Menon is now on trial for that closing speech – for reminding the jury that they had a 350-year-old right in law to follow their conscience in reaching a verdict, even if it meant defying a direction from the judge to convict. Paradoxically, Menon joked in his speech that, because of that earlier legal principle, the judge, unlike his counterpart in 1670, could not lock them, the jurors, up were they to choose to follow their consciences. Instead, the judge is seeking to lock up the barrister. Does 2026 qualify as an improvement on 1670? It is believed that this is the first time a barrister has been tried for comments made to a jury in his closing speech. That should serve as a potent reminder of just how authoritarian the current political moment is, and of how quickly long-established legal rights are being dismantled to protect British collusion in genocide. Read my article – and the part of the speech for which Menon is being tried – here: jonathan-cook.net/blog/2026-01-1…