Hacker News Cybersecurity digest

Attackers hijacked an axios maintainer's npm account to publish malicious versions (1.14.1, 0.30.4) that install a hidden dependency, plain-crypto-js. This payload executes a cross-platform RAT dropper, contacts a C2 server, and self-cleans to evade detection. Compromised users are urged to rotate credentials immediately and downgrade to secure versions (1.14.0 or 0.30.3).

Little Snitch for Linux monitors network activity using eBPF technology. It offers a web-based UI to track traffic, manage connectivity rules, and utilize domain-based blocklists. Designed for transparency rather than high-security hardening, it provides visibility into application behavior. Advanced configurations are managed via TOML files, and the source code is hosted on GitHub.

A leaked source map for Anthropic’s Claude Code CLI revealed proprietary features, including anti-distillation tactics, hidden autonomous agent modes (KAIROS), and native client attestation (DRM). The incident, likely caused by a Bun runtime bug, exposes Anthropic's secret product roadmap and development practices, mirroring ongoing tensions regarding third-party API usage and competitive AI deployment.

The lead developer of VeraCrypt reports their Microsoft developer account was terminated without warning or explanation, preventing Windows driver and bootloader signing. Unable to reach a human at Microsoft for resolution, the developer can no longer release Windows updates, significantly impacting the project and their professional work.

Research shows that AI cybersecurity capabilities are 'jagged,' with performance not scaling smoothly with model size. Smaller, cheaper, open-weights models effectively identify vulnerabilities previously attributed only to large frontier models. The true 'moat' in AI security is not the individual model, but the expert-built system integration, validation, and maintenance pipeline.

A major supply chain attack compromised over 30 WordPress plugins from the 'Essential Plugin' library. After being sold on Flippa to a commercial buyer, the plugins were updated with a dormant backdoor that triggered months later, using blockchain-based command-and-control to inject spam. WordPress.org eventually closed the plugins, but users must manually clean their compromised wp-config.php files.

Backblaze has silently updated its software to exclude popular cloud storage folders like OneDrive and Dropbox, as well as .git directories, from its backup service. This major policy change was poorly communicated and undermines the core promise of providing comprehensive, unlimited personal data protection, leading to significant user mistrust and concerns regarding data loss.

Researchers discovered that the Bitwarden CLI npm package version 2026.4.0 was compromised through a malicious GitHub Action. The attack, linked to the broader Checkmarx supply chain campaign, harvests GitHub tokens, cloud credentials, and SSH keys. Affected users should rotate all credentials and audit CI/CD pipelines immediately for unauthorized modifications or secondary infections.

A privacy vulnerability in Firefox and Tor Browser allowed websites to track users by exploiting the non-deterministic order of IndexedDB database results. This process-scoped identifier leaked across origins, circumventing Private Browsing and Tor's isolation promises. Developers resolved this by canonicalizing result order to remove identifying entropy, ensuring API output remains stable and consistent rather than leaking internal process states.

Apple released a software update patching a bug that cached deleted messages within system notification databases on iPhones and iPads. This flaw allowed law enforcement to recover sensitive content even after messages had been deleted by apps like Signal. Apple has fixed this vulnerability, ensuring notifications are no longer retained after the original messages are removed.

Vercel has confirmed a security breach involving unauthorized access to internal systems. Threat actors claim to have stolen sensitive data, including API keys and source code. Vercel is investigating with experts, has notified authorities, and advises customers to rotate secrets and secure environment variables to mitigate potential risks.

The French government, led by DINUM, is accelerating its strategy for digital sovereignty by reducing dependence on non-European tech. Key initiatives include transitioning government workstations to Linux, adopting sovereign collaborative tools like Tchap and Visio, and migrating critical health data to trusted platforms, while fostering public-private coalitions to support the European digital industry.