
This week I think I’d like a refund on my optimism.
The Doxxer Gets Doxxed
Someone in Spain leaked the personal details of police, prosecutors, and cyber officials across multiple platforms. They got arrested in Granada last week. The poetic justice of doxxing the very people tasked with preventing doxxing is absolutely chef’s kiss.
When Your Dependencies Turn Feral
Toshiba, Muji, and Samsung all got bitten by the same polyfill.io code this week. The domain expired, someone else bought it, and suddenly legitimate websites were serving login prompts to steal credentials. Two years of technical debt made manifest. This is what happens when you treat third-party libraries like someone else’s problem until they become everyone’s problem.
The Worm That Heckled Its Audience
TeamPCP hacked a security scanner, stole npm credentials, and turned 60+ packages into a self-spreading worm in 24 hours. The audacity is almost impressive. They left taunting comments for the researcher watching them do it. Part of me is disgusted. Part of me cannot help but admire the sheer professionalism of the craft, even when it’s being used to burn down the commons.
Chrome’s Invisible Cargo
Chrome silently downloaded 4GB of AI weights to machines with no consent prompt, won’t let you delete it permanently, and the visible “AI Mode” button doesn’t even use it. Dark patterns as infrastructure. This is Google treating your hard drive like a self-storage unit they rent without asking. The worst part? Most people will never know it happened.
Data That Couldn’t Save a Man
A man spent a month in jail despite Flock data showing he was five miles from the crime scene. Police had the evidence. They just chose not to read it. The system worked exactly as designed, which is the most damning thing you can say about it.
That’s it for this week. Reply to this email if you’ve got a story I missed or just want to commiserate.
Stay cynical.
