TechLetters ☕️ Supply-chain worm goes ~exponential? Moscow runs false-flag theatre. Your SSD fingerprints you. The Vatican enters the AI debate.
Security
Another wave of supply chain attacks hit npm. The worm republishes itself using stolen npm tokens – the blast radius grows automatically with each new victim. The compromised maintainer account atool pushed 639 malicious package versions across 323 packages in under an hour. The payload steals whatever it finds. GitHub tokens, AWS keys, Kubernetes credentials, CI/CD secrets from GitHub Actions, GitLab, Jenkins, CircleCI and a dozen more platforms. If it finds a GitHub token, it creates repositories under the victim’s account and commits stolen data there. If it finds an npm token, it republishes more infected packages. The campaign has now hit 1,055 package versions. https://socket.dev/blog/antv-packages-compromised
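A defender-side check that follows from the publishing pattern described above (hundreds of versions pushed in under an hour): flag locked dependencies whose package shows a burst of releases inside a short window, or whose pinned version is younger than a cooldown period. This is an added example, not code from the Socket write-up or from npm. The `time` map mirrors the shape of the npm registry packument, but the package names, versions and timestamps below are constructed, and the thresholds are assumptions a team would tune.

```python
"""Flag npm dependencies that look like worm output: a burst of versions
published within a short window, or a version too young to trust.

Added example; the `time` map has the shape of the npm registry's packument
(`GET https://registry.npmjs.org/<name>`), but every package name, version
and timestamp below is constructed, not real registry data."""
from datetime import datetime, timedelta, timezone

# Constructed registry `time` metadata for two hypothetical packages.
SAMPLE_REGISTRY = {
    "example-hypothetical-lib": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2026-05-28T10:52:00.000Z",
        "1.0.0": "2024-01-10T12:00:00.000Z",
        "1.0.1": "2024-06-02T09:30:00.000Z",
        "1.1.0": "2025-02-14T16:45:00.000Z",
        # five releases in 49 minutes: the kind of burst a self-republishing worm produces
        "1.1.1": "2026-05-28T10:03:00.000Z",
        "1.1.2": "2026-05-28T10:09:00.000Z",
        "1.1.3": "2026-05-28T10:17:00.000Z",
        "1.1.4": "2026-05-28T10:31:00.000Z",
        "1.1.5": "2026-05-28T10:52:00.000Z",
    },
    "example-hypothetical-util": {
        "created": "2023-03-01T08:00:00.000Z",
        "modified": "2025-11-20T08:00:00.000Z",
        "2.0.0": "2023-03-01T08:00:00.000Z",
        "2.1.0": "2025-11-20T08:00:00.000Z",
    },
}

# Constructed excerpt of a package-lock.json (lockfileVersion 2/3) "packages" section.
SAMPLE_LOCK_PACKAGES = {
    "node_modules/example-hypothetical-lib": {"version": "1.1.5"},
    "node_modules/example-hypothetical-util": {"version": "2.1.0"},
}

NOW = datetime(2026, 5, 29, 9, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_ts(ts):
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_events(time_map):
    """Sorted (timestamp, version) pairs, skipping the non-version keys."""
    return sorted((parse_ts(ts), v) for v, ts in time_map.items()
                  if v not in ("created", "modified"))


def max_burst(time_map, window=timedelta(hours=1)):
    """Largest number of versions published inside any sliding `window`.
    Returns (count, first_version, last_version) of that densest window."""
    events = version_events(time_map)
    best, start = (0, None, None), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, events[start][1], events[end][1])
    return best


def too_fresh(time_map, version, now=NOW, cooldown=timedelta(days=7)):
    """True if `version` has been on the registry for less than `cooldown`."""
    return now - parse_ts(time_map[version]) < cooldown


def audit_lockfile(lock_packages, registry, now=NOW,
                   burst_threshold=5, cooldown=timedelta(days=7)):
    """Return {name: [reasons]} for locked versions that deserve a human look."""
    findings = {}
    for path, entry in lock_packages.items():
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        time_map = registry.get(name)
        if time_map is None:
            continue
        reasons = []
        count, first, last = max_burst(time_map)
        if count >= burst_threshold:
            reasons.append(f"{count} versions published within an hour ({first}..{last})")
        if too_fresh(time_map, entry["version"], now, cooldown):
            reasons.append(f"{entry['version']} is younger than {cooldown.days} days")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_lockfile(SAMPLE_LOCK_PACKAGES, SAMPLE_REGISTRY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

In practice the `time` maps would come from the registry for each name in the lockfile; the burst heuristic catches the self-republishing pattern, while the cooldown buys time for the registry or researchers to pull a bad version before it reaches a build.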
Russian cyber operators hijacked hundreds of Bluesky accounts - journalists, academics, filmmakers - and used them in information operations to post propaganda. Bluesky insists its systems weren’t breached - old leaked credentials did the work. Avg post views: 50. https://www.france24.com/en/live-news/20260529-bluesky-accounts-hijacked-in-pro-russia-propaganda-campaign
Russia’s Social Design Agency runs online influence and propaganda operations. But it also runs offline operations, staged for cameras and the media. Pig heads marked “Macron” were left outside Paris mosques. Green paint hit synagogues and the Shoah Memorial. Concrete skeletons appeared at the Brandenburg Gate with an anti-Merz message. Cars across Germany were disabled with expanding foam and stickers blaming the Greens. These were false-flag attacks built to look like local hatred, climate radicalism, anti-Muslim backlash, anti-Semitism, or anti-government protest.
The leaked details show a senior Russian Presidential Administration official tracking budgets, field operations and approvals. Serbia appears repeatedly as a logistics and recruitment hub because of cheap disposable operatives: cash payments, rented vehicles, burner phones, fast exits. One internal goal was candid enough: help Russia “maintain the image of a superpower.”
The files also describe outreach to Western retired generals, including one French and one American, to launder pro-Kremlin positions as independent expert opinion. For 2026, SDA plans include AI-generated content farms, fake think tanks, opinion-leader trackers and “Mitteleuropa”, a geopolitical project aimed at pulling Austria, Hungary and Slovakia into a Moscow-friendlier Central European bloc. Thirty sex dolls floating down the Seine with anti-migrant messages was not satire. It was an agenda item.
The previous SDA leak was in 2024. It changed nothing. Moscow just moved from fake websites to fake reality.
https://www.occrp.org/en/investigation/leaked-documents-reveal-russian-cognitive-strikes-against-the-west-including-islamophobic-pig-head-attacks-in-paris
Privacy
Using the Origin Private File System browser mechanism to track and fingerprint users via solid state disk (SSD) noise, from inside a regular browser tab, with no permissions and no native code. Simple: create a file bigger than RAM, read random chunks in a loop, and SSD latency starts reflecting everything else on the machine - other websites loading, apps launching. 88% accuracy fingerprinting visited sites, 95% for identifying which desktop app just launched. Covert channel capacity: 660 b/s. Chromium, Apple, and Mozilla mostly ignored it. https://tugraz.elsevierpure.com/ws/portalfiles/portal/109750638/main.pdf
Technology Policy
Other
The first encyclical of Pope Leo XIV is a major intervention on AI, human dignity, truth, war, and technological power. It is a warning that technology is never neutral when it is shaped by money, control, secrecy, and force. It rejects surrendering human judgment to AI.
The encyclical treats cyberattacks as part of a wider transformation of conflict. Cyber conflict creates instability before formal war starts. War is no longer limited to tanks and missiles. It can begin with data theft, infrastructure disruption, manipulation, and invisible attacks whose authors are hard to prove.
The encyclical also considers information operations and cognitive warfare. It posits that propaganda, AI-generated manipulation, fear campaigns, and cyber operations are part of hybrid conflict.
The battlefield includes imagination, trust, identity, and social cohesion. This is the cognitive dimension.
The encyclical addresses lethal autonomous weapons systems, and AI-assisted targeting. Here the message is clear: lethal decisions cannot be delegated to machines.
Pope Leo XIV’s first encyclical therefore cannot be reduced to AI only. It is about the kind of civilization being built around AI. https://www.vatican.va/content/leo-xiv/en/encyclicals/documents/20260515-magnifica-humanitas.html