Security

New IronWorm Malware Hits 36 Packages In npm Supply-Chain Attack (bleepingcomputer.com)

A new npm supply-chain attack has infected 36 packages with Rust-based infostealer malware called IronWorm. According to BleepingComputer, the malware "targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files." From the report: According to researchers at supply-chain and devops company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network. The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow. Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.

This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This opens the possibility that the new malware is an evolution of TeamPCP's payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure."

[...] The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts. At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.
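The report's first recommendation is to check whether any impacted package version is installed. The following audit script is an added example (not code from JFrog, BleepingComputer or any affected project) that walks an npm `package-lock.json` (lockfileVersion 2/3) and flags entries matching an advisory list; the impacted names and versions here are placeholders, since the page does not reproduce the real list, and the sample lockfile is constructed.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) against an advisory list.

Added example for the IronWorm story; not code from JFrog, BleepingComputer
or any affected project. IMPACTED is a PLACEHOLDER: paste in the package names
and trojanized versions from the vendor report before use.
"""
import json
import re

# PLACEHOLDER advisory data, constructed for this example.
IMPACTED = {
    "example-widget": {"2.4.1", "2.4.2"},
    "@example/ci-helper": {"0.9.7"},
}

# Lockfile keys look like 'node_modules/foo' or
# 'node_modules/foo/node_modules/@scope/bar' for nested (transitive) installs.
_NM = re.compile(r"(?:^|/)node_modules/")


def package_name(lock_key: str) -> str:
    """Derive the package name: everything after the last 'node_modules/' segment."""
    return _NM.split(lock_key)[-1]


def find_impacted(lockfile: dict) -> list[tuple[str, str, str]]:
    """Return (lockfile key, package name, version) for every impacted entry."""
    hits = []
    for key, meta in lockfile.get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = package_name(key)
        version = meta.get("version", "")
        if version in IMPACTED.get(name, ()):
            hits.append((key, name, version))
    return hits


# Constructed sample lockfile: one clean dependency, one trojanized direct
# dependency and one trojanized transitive (nested) dependency.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad-ish": {"version": "1.3.0"},
    "node_modules/example-widget": {"version": "2.4.2"},
    "node_modules/example-widget/node_modules/@example/ci-helper": {"version": "0.9.7"}
  }
}""")

if __name__ == "__main__":
    for key, name, version in find_impacted(SAMPLE_LOCK):
        print(f"IMPACTED: {name}@{version} ({key})")
```

A match in the lockfile means the version was installed somewhere the lockfile was used, so the report's other steps (rotate the secrets the malware targets, enable 2FA) apply to that environment, not just an upgrade.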

The Military

Thanks To Robots, Ukraine Is Now Talking About Winning, Not Just Surviving (defenseone.com)

fjo3 shares a report from Defense One: A small but growing number of European officials and analysts are saying what four years ago was unthinkable: Ukraine isn't just surviving its grueling war with Russia, it is in some ways thriving and may even be on a path to victory. This isn't yet captured in headlines -- for example, about last weekend's barrage of Russian drones and missiles around Ukraine -- but in the details, like how some 90 percent were intercepted. Several long-term trends have shifted in Ukraine's favor, and the core reason is its fierce focus on AI and robotics.

In the crucible of war, Ukraine has developed drones and ground robots that can hold territory -- even take it back. Some are fully controlled by humans, like supply robots and medical-evacuation vehicles. But an increasing number are controlled in at least some aspects by dozens of AI products, from guidance packages on aerial drones to decision aids at the highest levels. [...] Just as important as the tech are the new tactics. Given unusual latitude to experiment, Ukrainian fighters began to develop robot-forward infantry concepts, like combined-arms attacks by airborne and ground systems, "more than a year ago. Right now, we're massively starting to implement this," said Davyd Aloian, deputy secretary of the National Security and Defence Council of Ukraine, the coordinating body on domestic and international security, in an interview.

Ukraine and its partners are also steaming ahead on new concepts for highly autonomous defenses against Russian drones, combining ISR sensors and AI to detect and identify enemy drones in less time and with more certainty. "All of the systems are being linked with each other and with people" to create a distributed network with interceptor drones at various locations to be activated when needed, Aloian said. "One day we will have only like 10 guys who are just going to be responsible for approving interception. And it will automatically go direct to the target." The human operators will be dispersed as well. "Everything can be controlled from Kyiv, Lviv, from cities in other countries," he said.

"It's not what happened to Ukraine" (referencing Russia's barrage of Shahed drones) that "should scare us in Europe," said Swarmer CEO Serhii Kupriienko. It's how quickly Ukraine's "middling" military evolved to counter Russia's invasion.

"We are behind by literally 10 years or 20 years" in some defense-technology areas, such as satellite imagery, Kupriienko said, and yet his country has climbed a capability curve that just two years ago seemed insurmountable. So could others, he said. "The answer is always AI solutions and integrating the AI into even the daily routine work within the bureaucracy," he said.

"We have evolved since 2022, the industry has and our defense has as well. Right now we are able to provide not only [large quantities of drone] assets but everything what is needed to build out the ecosystem," including parts and production, training, modification, etc. Aloian said.

Earth

Trump Administration to Dismantle Ocean Monitoring System

The Trump administration is moving to dismantle the National Science Foundation's $368 million Ocean Observatories Initiative, a network of more than 900 deep-sea instruments used to monitor ocean currents, marine ecosystems, carbon absorption, heat waves, fisheries, coastal flooding, and climate change. The NSF said it would send ships in June to begin the removal of the instruments anchored off Oregon, Washington, Alaska, North Carolina, and an area between Greenland and Iceland known as the Irminger Sea. The New York Times reports: The ocean observation system began operating in 2016 and was expected to continue for 25 years. Jim Edson, a marine meteorologist who led the Ocean Observatories Initiative, called it "the world's most advanced continuously operating ocean observing systems." When it was first proposed, the science foundation said it was important to have a long-term presence at scientifically important sites in the Atlantic and Pacific oceans. Removing the instruments could take 15 months. Seismic instruments positioned around an active underwater volcano off Oregon will continue operating until 2028.

Each observation station consists of several moorings that secure long arrays of devices connected to wires. The devices measure ocean currents as well as chemical and biological conditions from the water's surface down thousands of feet. The instruments were hardened to resist the pressure of the deep ocean, corrosive seawater as well as marine plants and animals that can foul electronics. Remotely controlled robotic vehicles and gliders around the moorings collect and transmit data to research laboratories.

It cost $48 million annually to operate the network. The Trump administration repeatedly tried to shutter it, proposing to cut its funding by 80 percent in both 2025 and 2026. Congress pushed back, restoring the money. To try to reduce costs, managers turned off some of the instruments and collected less data, according to a December 2025 presentation about the observatories at the annual meeting of the American Geophysical Union, a nonprofit organization of scientists. Still, the science foundation moved ahead to decommission the observatory network.

Botnet

Botnet of More Than 17 Million Devices Dismantled (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and was managed by 200 servers, in a joint operation by the police and the National Cyber Security Center. The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands. "The police then seized several botnet servers from a hosting provider for investigation," the NCSC said. "The botnet was taken offline by the provider because it was used for criminal purposes."

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content. [...] It's unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way.

Science

New Desalination System Turns Seawater Into Drinking Water and Useful Salts - Including Lithium (rochester.edu)

"Scientists have developed a solar desalination system that turns seawater into drinking water without creating environmentally damaging brine," reports ScienceDaily.

"Special laser-textured metal panels use sunlight to evaporate water while automatically moving salt deposits away from the working surface, preventing clogging. The process was successfully tested with water from three oceans and can recover nearly all salts as solids. Those leftover materials could even become a source of valuable lithium for batteries." (The research team was led by University of Rochester professor Chunlei Guo and published their results in the journal Light: Science & Applications.)

The University of Rochester has made an announcement: The technology uses solar panels made of black metal etched with femtosecond lasers to make the surface super light-absorbing and superwicking — or extremely attractive to water. The panels have a laser-treated active region that pulls a thin layer of water across the surface, absorbs nearly all solar radiation, distills the water, and deposits the leftover salts and minerals into the panel's untreated sides or "passive" region so that the salt does not clog the active region and disrupt continuous desalination... Guo's team precisely etched the black metal's grooves so the various salts and minerals in ocean water would simply slough off... [I]t extracts nearly 100 percent of the salts in solid form.

This could not only produce an abundant supply of table salt, but it could also be used to extract more precious minerals, including lithium, which is used in the lithium-ion batteries that power electric vehicles and other electronics. In a related paper in the Journal of Materials Chemistry A, Guo and his colleagues show how they can use the same superwicking solar panels to separate lithium from the other salts in desalination. Embedding nanoparticles made of hydrogen titanate in the tiny grooves of the black metal surface isolates the lithium from other salts and minerals... Using water samples from Great Salt Lake, the researchers extracted about 50 percent of the lithium from the salts left behind by the desalination process. Guo says now that the superwicking desalination technology has been demonstrated in proofs of concept on small-scale devices, he sees the technology as inherently scalable, capable of improving global access to drinking water and building more sustainable supply chains for precious minerals.

"The National Science Foundation, the Bill & Melinda Gates Foundation, and Worldwide Universities Network supported this research."

Operating Systems

'Virtual OS Museum' Lets You Try 570 Extinct Operating Systems (virtualosmuseum.org)

You can try 570 extinct operating systems at a new "virtual museum," according to a new article by ZDNet. Their reporter downloaded the ancient OS NeXTSTEP, and was "shocked" by how easy it was to run it, "and by the sheer number of operating systems to choose from." Essentially, what you do is download a zipped file, unzip it, change into the newly created directory, and run the executable. VirtualBox then opens to a Debian Linux instance, where you can select from a very long list of operating systems to run... You can run operating systems like Amiga, Apple I/II/III, Atari, Avigo, Commodore 64, Cray, DEC Alpha, Einstein, Game Boy Advance, GE 200, HP 3000, IBM 1130, iPod touch, Jupiter Ace, Lisa, Macintosh, MIPS-based SBCs, Neo, Newton, NeXT, NORC, Palm, and so many more. You can test the earliest mainframes, later mainframes and minicomputers, workstations and Unix variants, home computers, personal computer operating systems, mobile and embedded OSes, and research-based and obscure systems. As far as Linux is concerned, you can run early Debian and its derivatives, Red Hat and its derivatives, early Slackware, and more...

There are two editions of the Virtual OS Museum: full and lite. The full edition is currently 174GB and includes everything you need to run these old-school operating systems. The full version does not require a network connection to run. The Lite version is only 14GB and requires an internet connection because it downloads the full OS image you want to use.

Gizmodo notes "this project is all the more remarkable for being the work of one man: Andrew Wartenkin, who has been collecting OS images for over two decades." Of course, Wartenkin didn't write all the emulation software himself, and he maintains a list of credits to give credit where it's due... The Museum itself runs in a virtual machine, which seems kinda fitting — it opens in a virtualized Linux installation and presents you with the full list of available operating systems.

Did you know someone has written a GUI for the Commodore 64? Neither did I! There are simulations of ancient mainframes, like the IBM 1130 (yours for the low, low price of $32,280 — or $41,230 with a disk drive — back in 1965).

There's also a YouTube channel.

Thanks to long-time Slashdot reader Z00L00K for sharing the news.

AI

Zig Bans AI Code Contributions Because They're 'Invariably Garbage' (businessinsider.com)

The Zig programming language wants to be a modern alternative to C (including better memory safety features). It's maintained as an open-source project by a 501(c)(3) nonprofit and a network of contributors.

But Business Insider notes that Zig bans the submission of AI-assisted code: On the JetBrains podcast, Zig President Andrew Kelley called AI-assisted contributions "invariably garbage."

"People are sending us contributions that have no value whatsoever," Kelley said. "They have negative value, because they take review time away from the team...." There are more pull requests than reviewers. At the time of the recording, Kelley said that Zig had 200 open pull requests. Those AI-generated "slop contributions" slow the whole team down even more, Kelley said. "We've wasted everybody's time...."

Big Tech companies have projected lofty goals for the percentage of code that should be — and already is — written with AI. Zig doesn't have a mandate to be maximally efficient like these public companies. Instead, "mentorship" is part of its core mission, Kelley said, making AI contributions counterproductive. "We're all trying to get better at programming," Kelley said. "People who are sending AI pull requests, those people are not helping this goal."

Medicine

Ozempic May Be Reshaping the Brain, Scientists Say (yahoo.com)

A research team found "extensive changes" on brain scans of 13 young women taking GLP-1 drugs, reports the Washington Post: Within only a few months, the brain connections in the salience network, which helps target attention, had multiplied... ["We didn't expect to see this effect, and we really don't know what it means," said an assistant professor assisting the research.] Ozempic and other GLP-1 drugs were initially understood as a metabolism breakthrough: medicines that act like hormones to control hunger, blood sugar and weight. But as researchers probe deeper into how the drugs work, early evidence suggests that GLP-1s may also be reshaping parts of the brain.

Tens of millions of people are now taking the medications worldwide, turning what began as an obesity and diabetes treatment into what could be modern medicine's largest unplanned neuroscience experiment... Long before Oprah Winfrey and social media influencers helped popularize GLP-1 drugs, physician-scientist Lorenzo Leggio was studying them as a possible addiction treatment... Several major studies examining GLP-1 drugs on nicotine dependence, opioid- and cocaine-use disorders, gambling addiction and binge eating are also underway. "It's very exciting times, but we don't fully understand how it works," Leggio said...

As evidence has grown that inflammation, metabolism and mental health may be far more connected than scientists once believed, researchers have become intrigued by patients who say GLP-1 drugs appear to ease anxiety, compulsive thinking and emotional distress. Daniel Drucker, a University of Toronto researcher and GLP-1 drug pioneer who receives funding from several drugmakers, said researchers are investigating the medications across a variety of psychiatric and neurological conditions, though none are approved for them. "We have so many anecdotal reports: They were treated for blood sugar and then they felt much happier. Or they took one dose of the drug and their brain fog cleared," he said.

The article suggests social media complaints "raise deeper questions about what, exactly, these drugs are changing.

"If GLP-1s alter the brain systems involved in reward, craving and motivation, researchers wonder, where is the line between quieting a person's destructive impulses and reshaping personality itself?"

Data Storage

Websites Have a New Way To Spy On Visitors: Analyzing Their SSD Activity (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices. The technique, laid out in a research paper (PDF), exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs -- even on other browsers -- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site hosting the attack. [...] Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS (origin private file system), an allocated storage space that's reserved for a specific site to run code needed to complete a given task. Websites can create one with no interaction required by the visitor.

While each file system is sandboxed, meaning it's isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network -- a system that uses deep learning to analyze text, audio, and images -- the attacker can deduce various apps and websites open on the device. "The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."

The Internet

Internet Starts Coming Back In Iran After Months-Long Blackout (bbc.com)

An anonymous reader quotes a report from the BBC: Internet access has started to be restored in Iran after being cut off almost three months ago, the country's first vice-president has said. "The first step toward free and regulated access to cyberspace has been taken," Mohammad Reza Aref wrote on X on Tuesday. Internet monitoring groups Netblocks and Kentik reported "partial" restoration around 13:00 GMT, though the latter warned most networks were still down.

The Iranian government cut internet access following the launch of US and Israeli attacks on February 28. Officials suggested the aim was to prevent surveillance, espionage and cyber-attacks. It is one of the longest-running national internet shutdowns ever recorded worldwide. A content creator from Tehran told the BBC that he had been able to connect to the internet using his home WiFi on Tuesday. "The main point is, some of my income will come back," he said.

Netblocks said it was unclear whether the internet return would be sustained, and told the BBC it was consistent with what it had seen when previous blackouts were lifted -- where restoration could take hours. "Access is not universally back to its original state, with some regional variation," said the global internet tracker's research director Isik Mater on Tuesday. She added that there were signs of "more extensive filtering" than prior to January -- when a similar blackout was imposed during the regime's deadly crackdown on anti-government protests -- "including additional restrictions to messaging apps like WhatsApp."

Space

SpaceX Launches 29 Starlink Satellites on Memorial Day (spaceflightnow.com)

"The expansion of SpaceX's Starlink network of internet relay satellites continued Monday with a Memorial Day launch from Cape Canaveral Space Force Station," reports Spaceflight Now. The mission added another 29 Starlink satellites to more than 10,000 already in low Earth orbit: This was SpaceX's 60th orbital flight of the year, consisting of 59 Falcon 9 rockets and one Falcon Heavy rocket...

Nearly 8.5 minutes after liftoff, [Falcon 9 first stage] B1078 landed on the drone ship, 'A Shortfall of Gravitas,' positioned in the Atlantic Ocean off the coast of South Carolina. This was the 151st landing for this vessel and the 614th booster landing to date for SpaceX.

Meanwhile, the second stage shut down eight minutes and 39 seconds into flight and entered a coast phase, before a short second burn at T+52 minutes. The stack of Starlink satellites deployed 61 minutes and 26 seconds after launch.

On X.com SpaceX shared footage of the booster rocket landing, and a longer video showing Starship's 12th test flight Friday.

The Internet

'Underminr' CDN Vulnerability Hides Malicious Traffic Behind Trusted Domains (securityweek.com)

Slashdot reader wiredmikey writes: Threat actors are exploiting a vulnerability in shared content delivery network (CDN) infrastructure to hide connections to malicious domains. Researchers say the vulnerability could impact roughly 88 million domains and can bypass DNS filtering and protective DNS controls, potentially enabling stealthy command-and-control communications and other evasive attacks.

Dubbed "Underminr," the exploit "presents the SNI and HTTP Host of a domain," writes SecurityWeek, "while forcing a request to the IP address of another tenant on the same shared edge." The mismatch, ADAMnetworks reports, has been exploited in attacks targeting large-scale hosting providers, including those that have implemented mitigations against domain fronting...

Threat actors' increased reliance on AI is expected to lead to a surge in attacks. "Once Underminr becomes parametric information for AI-generated malware, we could expect to see it in every attack that needs to evade protective DNS as part of the attack chain," ADAMnetworks CEO David Redekop says.
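The detectable artifact of the technique described above is a TLS connection whose SNI (and Host) belong to a trusted domain while the destination IP is one that domain never resolved to. The script below is an added example (not ADAMnetworks' or SecurityWeek's code) that triages constructed connection records against a constructed resolver snapshot and flags that mismatch, noting when the unexpected IP still sits on the same shared edge prefix; the `/24` edge heuristic and all names and addresses are assumptions for the example.

```python
"""Flag TLS connections whose SNI does not resolve to the destination IP.

Added example for the Underminr story; not ADAMnetworks' or SecurityWeek's
code. DNS_SNAPSHOT and SAMPLE_CONNS are CONSTRUCTED; in practice the
snapshot would come from passive DNS or the organization's protective DNS logs.
"""
import ipaddress
from dataclasses import dataclass

# Constructed resolver snapshot: what each SNI name resolved to at the time.
# Both names sit on the same shared edge prefix, as on a multi-tenant CDN.
DNS_SNAPSHOT = {
    "cdn.trusted-example.test": {"203.0.113.10", "203.0.113.11"},
    "docs.other-tenant.test": {"203.0.113.20"},
}


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    sni: str
    host: str  # HTTP Host header, if TLS was inspected; "" when unknown


def classify(conn: Conn, snapshot: dict[str, set[str]]) -> str:
    """Return 'ok', 'sni-ip-mismatch', 'host-sni-mismatch' or 'unknown-name'."""
    if conn.host and conn.host.lower() != conn.sni.lower():
        return "host-sni-mismatch"  # classic domain-fronting shape
    answers = snapshot.get(conn.sni.lower())
    if answers is None:
        return "unknown-name"  # our resolver never answered for this name
    if conn.dst_ip in answers:
        return "ok"
    return "sni-ip-mismatch"


def same_edge(ip_a: str, ip_b: str, prefix_len: int = 24) -> bool:
    """True when two addresses share an edge prefix (assumed /24 heuristic)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def triage(conns, snapshot=DNS_SNAPSHOT):
    """Return [(conn, verdict, detail)] for every connection that is not 'ok'."""
    findings = []
    for c in conns:
        verdict = classify(c, snapshot)
        if verdict == "ok":
            continue
        detail = ""
        if verdict == "sni-ip-mismatch":
            # Underminr shape: trusted SNI/Host, request forced to another
            # tenant's address on the same shared edge.
            expected = sorted(snapshot[c.sni.lower()])
            shared = any(same_edge(e, c.dst_ip) for e in expected)
            detail = f"expected {expected}; same shared edge: {shared}"
        findings.append((c, verdict, detail))
    return findings


# Constructed connection records: one normal, one Underminr-shaped, one to a
# name the resolver never saw.
SAMPLE_CONNS = [
    Conn("10.0.0.5", "203.0.113.10", "cdn.trusted-example.test", "cdn.trusted-example.test"),
    Conn("10.0.0.5", "203.0.113.20", "cdn.trusted-example.test", "cdn.trusted-example.test"),
    Conn("10.0.0.7", "198.51.100.9", "never-resolved.test", ""),
]

if __name__ == "__main__":
    for c, v, d in triage(SAMPLE_CONNS):
        print(f"{v}: {c.src_ip} -> {c.dst_ip} sni={c.sni} {d}")
```

CDN names legitimately rotate through many edge addresses, so the resolver snapshot must cover the full answer set seen over the relevant window, or the check will raise false positives.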

GNU is Not Unix

Free Software Foundation's Call for 'LibreLocals' Answered on Six Continents - With More Coming (fsf.org)

The Free Software Foundation announced this week that "its global call for free software supporters to organize LibreLocals this May resulted in free software supporters organizing forty-six LibreLocal events on six continents thus far." (And new dates and locations are being added daily.) The FSF invited free software supporters to organize in-person community meetups in their area during May 2026, or LibreLocal month, to bring people together to swap ideas, learn from each other, and celebrate free software. People were encouraged to organize events grounded in freedom to help spread the free software philosophy.... "The success of these LibreLocals speaks to how many people globally are interested in free software and ready to build community, and it demonstrates the strength of our movement" [said FSF executive director Zoë Kooyman]. "People getting together like this also proves how computer freedom and digital rights are on people's minds. When we reject freedom-restricting software and promote software that respects user rights, it helps further so many other basic rights...."

The FSF has financially supported some of the events, but notes organizers are going above and beyond to create noteworthy events by any measure, and is impressed with the global network taking shape. "The energy we feel from all organizers is extremely motivating and we look forward to seeing LibreLocal events spread even wider over the next years! We want to support these initiatives even more, so we'll be looking to build a network of sponsors for future iterations as we work towards May 2027," says Heshan de Silva-Weeramuni, FSF program manager... William Goodspeed, the organizer behind the Beijing LibreLocal, reported that their meetup was double the size of last year's, and a number of very rich collaborative projects have emerged among the attendees.

Discussing the value of connecting people, de Silva-Weeramuni notes: "Free software supporters know that connecting with each other leads them to learn, experiment, and create great things that protect our individual and shared rights. The extraordinary contributions that free software has made to the world were born through such collaborations between like-minded people towards a freer society. This same global spirit of collectively building a better future is one of the inspiring things that we have once again seen unfold through this year's many LibreLocals."

Cellphones

Trump Mobile Exposed Customers' Personal Data, Including Phone Numbers and Home Addresses (techcrunch.com)

Trump Mobile confirmed that a third-party platform exposed customers' personal data to the open internet. The data included names, email addresses, mailing addresses, phone numbers, and order IDs. TechCrunch reports: Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial information spilled online. The company said there was no breach of Trump Mobile's network, systems, or infrastructure. Walker said that the exposure was linked to a third-party platform provider that supports "certain Trump Mobile operations." He did not name the provider.

[...] On Wednesday, two YouTubers who ordered Trump Mobile's phone said a researcher alerted them that their personal information was exposed online. The YouTubers Coffeezilla and penguinz0 said they tried to alert Trump Mobile of the exposure after the researcher also tried but to no avail. Walker said Trump Mobile is evaluating whether it needs to notify customers of the exposure of their personal data.
Further reading: Trump Phones Start Shipping - But Were There Really 600,000 Preorders?

AT&T

AT&T Sues California In Bid To Stop Offering Traditional Phone Service (reuters.com)

An anonymous reader quotes a report from Reuters: AT&T on Wednesday filed suit (PDF) against California officials seeking a court order declaring it does not have to continue offering traditional copper wire phone service to new customers as it vowed to spend $19 billion on modern telecom services. California requires the U.S. wireless carrier to spend $1 billion annually to maintain a century-old telephone network that few use, AT&T said, saying the network now serves just 3% of households in AT&T's California territory.

AT&T's suit named the California Public Utilities Commission and the state attorney general. AT&T said it is committing to investing $19 billion in California as it works to connect more than 4 million additional households and businesses across California by 2030 and added IP-based networks are far more reliable and efficient. AT&T also Wednesday asked the Federal Communications Commission for permission to discontinue traditional phone service in parts of California where it has faster, more reliable service available. It also filed a petition with the FCC to declare that California's rules that effectively require AT&T to power, repair and sell traditional phone service, even after the FCC has authorized the service to be phased out, are preempted by federal standards.

AT&T added that transitioning from copper will save an estimated 300 million kilowatt-hours annually by 2030 or the equivalent of eliminating emissions from 17 million gallons of gasoline. The company added that California has already suffered about 2,000 outages from copper thefts this year and it struggles to find replacement parts. The federal government and virtually all states where AT&T historically offered copper-wire service "have now eliminated outdated regulatory obstacles" allowing AT&T to begin powering down its old network and increasing its investments in modern communication technologies, the company said in its lawsuit filed in U.S. District Court in southern California.

United States

Thousands of Zillow Listings In Chicago Have Vanished

Thousands of Chicago-area Zillow and Trulia listings disappeared after Midwest Real Estate Data cut off Zillow's access to its feed, "in the latest escalation of a legal battle with Lisle-based Midwest Real Estate Data (MRED)," reports the Chicago Sun-Times. "The fight is over MRED's private listing network, where homes for sale are shared among real estate professionals. And MRED followed through on a threat to cut Zillow's access to its listing data feed." From the report: There were nearly 5,000 Chicago homes listed on Zillow Tuesday, but as of Wednesday afternoon, that number plummeted to about 1,700. Meanwhile, other listing sites like Redfin and Realtor.com show about 5,000 to 8,000 listings in Chicago. MRED manages listings -- submitted by brokers -- throughout Illinois, as well as parts of Wisconsin and Indiana. The regional multiple listing service has more than 43,000 members and processed more than 264,000 listings worth $43 billion in 2025. The loss of listings on Zillow's websites has made a behind-the-scenes real estate industry fight public. And it now hinders some consumers in their search to buy a home, while also limiting the marketing opportunity for sellers. The legal fight is basically over who gets to control how home listings are marketed and displayed online.

Zillow recently adopted a rule saying that if a home is marketed privately, such as behind a paywall, login, or private listing network, it should not also appear on Zillow. The policy, the real estate marketplace says, is meant to discourage "pocket listings," preserve transparency, and make sure buyers can see the full market.

MRED sees it differently. It expanded its private listing network and partnered with Compass, which wants to give sellers more control over whether their homes are broadly publicized or marketed privately first. MRED argues that Zillow is violating MLS rules and licensing agreements by refusing to display certain listings, including private Compass listings. Consumers are now caught in the middle...

Chromium

Google Publishes Exploit Code Threatening Millions of Chromium Users (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visit malicious sites, provide anonymous proxy browsing by others, enable proxied DDoS attacks, and monitor user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices.

"The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out," said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022 in an interview. He said using the exploit code Google prematurely published would be "pretty easy," although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane's disclosure to Google, two developers said in separate responses that it was a "serious vulnerability." Its severity was rated S1, the second-highest classification.

Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, he learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code. Google representatives didn't immediately respond to an email asking how and why it published the vulnerability and if or when a fix would become available.

The exploit works by abusing Chromium's Browser Fetch API to open a service worker that remains persistently active. A malicious website can trigger it through JavaScript, creating a connection that can be used "for monitoring some aspects of a user's browser usage and as a proxy for viewing sites and launching denial-of-service attacks," reports Ars.

Depending on the browser, those connections "either reopen or remain open even after it or the device running it has rebooted," effectively turning the device into part of a "limited botnet."
United States

FBI Wants to Buy Nationwide Access to License Plate Readers (404media.co) 101

The FBI is seeking up to $36 million for nationwide access to automated license plate reader (ALPR) data, which could let it query vehicle movements across the U.S. and its territories through a commercial database. 404 Media reports: "The FBI has a crucial need for accessible LPRs to provide a diverse and reliable range of collections across the United States. This data should be available across major highways and in an array of locations for maximum usefulness to law enforcement," a statement of work, which describes what data the FBI is seeking access to, reads. ALPR cameras generally work by constantly scanning the color, brand, model, and license plate of vehicles that drive by. This creates a timestamped record of where a particular vehicle was at a specific time that law enforcement can then query, effectively letting them see exactly where someone drove across time. The technology has existed for decades, but has become more pervasive in recent years.

The FBI says it is looking for a vendor that will let it log into a Software-as-a-Service system and then query the collected ALPR data with license plate information, a description of the vehicle, a time or date, and geolocation information. The FBI says it is looking for ALPR coverage in the following areas: Eastern 48 (East of the Mississippi River); Western 48 (West of the Mississippi River); Hawaii; Puerto Rico; Alaska; and outlying areas such as Guam, the U.S. Virgin Islands, or Tribal Territories. In effect, the FBI is looking for ALPR data nationwide and even beyond. An attached price template indicates the FBI is willing to pay $6 million for each of those broad areas, bringing the total to $36 million.

The FBI says it intends to award the contract to a single vendor, but if any such vendor is unable to fulfill all of the requirements, the agency may award the contract to up to two vendors. The contract is specifically for the FBI's Directorate of Intelligence, which oversees the agency's intelligence mission. The FBI is not only a law enforcement agency, but also part of the Intelligence Community.

The report notes that the contract appears aimed at vendors like Flock or Motorola Solutions, since they're some of the only companies able to provide the sort of data the FBI is seeking.

Further reading: Small Town Fights Over Flock's AI-Enhanced Network of License Plate-Reading Cameras
Facebook

Meta Layoffs Stress Harsh AI Reality Inside Zuckerberg's Company (cnbc.com) 46

Meta is expected to begin cutting about 8,000 jobs this week as it pours more money into AI infrastructure and looks to "offset" other investments, with additional layoffs reportedly possible later this year. According to CNBC, morale has worsened inside the company. "Internally, there's an emerging sense of dread across wide swaths of the company," the report says, citing current and former Meta employees. "That's in part because more cuts are expected this year, including a potential round of layoffs in August, followed by another round later in the year, some of the sources said." From the report: [...] Whatever anxiety investors are experiencing, the feelings inside the company are more intense, with some longtime staffers questioning Meta's AI pursuits under AI chief Alexandr Wang, while also weighing if now is the time to leave for opportunities at other companies in the AI race, according to current and former employees. Data aggregated by Blind, an anonymous professional network that requires users to verify their employment with a work email address, reveals some of the internal malaise. Meta's overall rating by employees on Blind has declined 25% from a peak in the second quarter of 2024 to the current period, with a 39% drop in its culture rating. In every category other than compensation, Meta has seen a ratings decline and dramatically underperforms rivals Amazon, Google and Netflix, the Blind data reveals.

The company's full-court press with AI included the recent debut of an employee tracking tool intended to collect data from staffers' actions, such as mouse movements and keystrokes on their work computers. The Model Capability Initiative, or MCI, as it's called, is part of Meta's efforts to train AI models to power digital agents that can perform various coding and white-collar tasks. Employees have characterized the data tracking tool as "dystopian," according to messages viewed by CNBC, with some workers expressing fear that personal information could be leaked. Some Meta workers have noted that their workplace computers appear slower since the company initiated the project, adding to their frustration, sources said.

Meta workers responded by creating an online petition that urges Zuckerberg and leadership to shutter the project. "Collecting and repurposing this kind of data raises serious concerns around privacy, consent, and trust in the workplace," the petition says. "It should not be the norm that companies of any size are permitted to exploit their employees by nonconsensually extracting their data for the purposes of AI training."

Further reading: NYT: 'Meta's Embrace of AI Is Making Its Employees Miserable'
Medicine

WHO Declares Ebola Outbreak a Global Health Emergency 160

An anonymous reader quotes a report from the New York Times: The World Health Organization declared on Saturday that the spread of the Ebola virus in the Democratic Republic of Congo and Uganda was a global health emergency. The announcement was made a day after Africa's leading public health authority reported that an outbreak in a province in the northeast of the country was linked to dozens of suspected deaths. By Saturday, cases had also been confirmed in Kampala, the capital of Uganda, the W.H.O. said.

In Congo's Ituri province, where the outbreak was first identified, 246 suspected cases and 80 deaths attributed to the virus had been reported, although only eight cases had been definitively linked to the virus through laboratory testing. There is no approved vaccine and no therapeutics for the Bundibugyo species of Ebola behind the outbreak, according to the W.H.O. The scale of the outbreak could be far larger than has been detected and reported, the W.H.O. said in declaring a "public health emergency of international concern." It added that there were "significant uncertainties" about the precise number of people infected and the "geographic spread."

The W.H.O.'s declaration signals a public health risk requiring a coordinated international response, and is intended to prompt member countries to prepare for the virus to spread and to share vaccines, treatments and other resources needed to contain the outbreak. [...] The risk of the outbreak spreading is exacerbated by a humanitarian crisis, high population mobility and a large network of informal health care facilities in the area, the agency said. Containing an Ebola outbreak depends on the speed and scale of the public health response. The virus is transmitted through direct contact with the bodily fluids of an infected person, putting family members and caregivers at particular risk. Tracing people who may have come into contact with sufferers, isolating and treating victims promptly and safely, and burying the dead properly are all viewed as critical steps.