BlueT - Matthew Lien

@sciwork I can't attend but would love to support. Do you accept small donations to support this project? (maybe by adding one more ticket type without requiring to select food types, etc)

📣 scisprint Hsinchu in April is now open! Want to build projects or improve your skills but find it hard to start alone? Come code, focus, and meet people with similar interests 🙌 More info in the comments 👇

North Korean intelligence agents built an entire fake company to compromise one JavaScript developer. And it worked. UNC1069 didn't hack Axios. They befriended its maintainer. They cloned a real company founder's identity, built a branded Slack workspace with fake employee profiles and LinkedIn post channels, then scheduled a Microsoft Teams call with what appeared to be a full team. During the call, a fake error message said his system needed an update. He installed it. That update was the RAT. From one developer's laptop, they had everything: npm credentials, publishing access, the keys to a package installed in 80% of cloud environments. Axios gets 100 million downloads per week. The attackers published two poisoned versions at 12:21 AM UTC on a Sunday night, tagging both the latest and legacy branches within 39 minutes. The malicious dependency had been pre-staged 18 hours earlier with a clean decoy version to build registry history. Three separate RAT payloads were pre-built for macOS, Windows, and Linux. The malware self-deleted after execution to erase forensic evidence. The poisoned versions were live for about three hours before npm pulled them. Huntress observed 135 endpoints across all operating systems calling the attacker's command-and-control server during that window. Wiz found the malicious versions in roughly 3% of environments scanned. Every affected machine needs full credential rotation: npm tokens, AWS keys, SSH keys, CI/CD secrets, everything in .env files. The part that keeps getting worse: this isn't isolated. The same threat cluster compromised Trivy (a security scanner), KICS, LiteLLM, and multiple GitHub Actions in the two weeks before Axios. Google estimates hundreds of thousands of stolen secrets are now circulating from these combined attacks. The maintainer had 2FA enabled. He said himself: "I have 2FA/MFA on practically everything." The exact method of token compromise is still undetermined. One person. One fake Teams call. 100 million weekly downloads weaponized in under three hours. The npm ecosystem runs on mass trust in individual maintainers who volunteer their time, and North Korean intelligence now has a repeatable playbook for turning that trust into a delivery mechanism.

這幾天建議大家先別安裝、更新 js 模組 😂 Axios 中招，這波影響應該誇張大... 作者帳號被盜，模組被更新成塞了惡意程式碼的版本...

@pofeng 身分證字號算 PII ，如 @Kirin_Lin 所說，通常用加密或雜湊、代碼的方式取代敏感資料

請問一下各位專家，這裡的"假名化"，要怎樣改善比較好? eg: 只儲存身分證號，但沒有姓名，生日，依此條例，是否算假名化? 全民健康保險資料管理條例 第 3 條 四、假名化：指健保資料經處理或加工後，非透過其他資訊對照，不能識別其身分，且該其他資訊應分開存放，並採取技術上或組織上保護措施之程序

剛剛忘了附上鏈結 : huggingface.co/spaces/hugging…

跟著 au 前大臣的腳步，一人一 emoji，連署請 Hugging Face 提供 TAIDE-12b 的推論 API

@mrmoneyc 補個 Google Play link for Android : play.google.com/store/apps/det…

這好讚 XDDD AWS Card Clash apps.apple.com/tw/app/aws-car…

Check out our new #logo for this year's #UbuCon Asia 2026 @COSCUP! #FormosanBlackBear #UbuConAsia

这位外国小哥教你如何判断来电者是否是AI诈骗‼️ 只需问问他有没有纸杯蛋糕的食谱就行了！哈哈……

POV: You say 'I'm full-stack' thinking it's just React + Node.

Excited to announce Claude for Open Source ❤️ We're giving 6 months of free Claude Max 20x to open source maintainers and core contributors. If you maintain a popular project or contribute across open source, please apply! claude.com/contact-sales/…

It’s easier done than say.

@pofeng 我去年 10 月有接種 A 流疫苗，不巧仍中了 XD

@BlueT 保重，美國 CDC 建議 6 個月以上，所有人都要接種流感疫苗。

真誇張，今天 *全部* 都是B型流感。

@pofeng Interface is cheap, show me your PRD. PRD is cheap, show me your prompt. Prompt is cheap, show me your intent. x.com/i/status/19462…

Talk is cheap. Show me the code. Code is cheap now. Show me the ... interface ?

"Code is just a lossy projection of intent"

@charl_dot_dev @paramaggarwal @CloudflareDev still waiting in the waitlist 🥲

@paramaggarwal @CloudflareDev email.cloudflare.dev Soon™

We have been sleeping on these amazing websites by @CloudflareDev: agents.cloudflare.com sandbox.cloudflare.com containers.cloudflare.com

@alexocheema @exolabs @awnihannun Just got some Mac Studios and gonna try it, can't wait to see the benchmark results!

Running GLM-4.7-Flash on 4 x M4 Pro Mac Minis using @exolabs. Uses tensor parallelism with RDMA over Thunderbolt & MLX backend (h/t @awnihannun). Runs at 100 tok/sec. We're working on optimizing this at @exolabs. Aiming to hit ~200 tok/sec on this setup soon.

Beautiful things from the lovely seeds.