Chris Adams
Software developer at a big library
"Like any school kid, I studied Ancient Rome," said local shopkeeper Annalisa Molisano. "But it never came to life for me the way it did when I understood how it all fits together."
https://www.bbc.com/travel/article/20260408-a-150-metro-ticket-to-ancient-rome
“The crew also received a special message that Apollo 8 and Apollo 13 astronaut Jim Lovell recorded for the mission before his passing in 2025.
‘Hello, Artemis II! This is Apollo astronaut Jim Lovell. Welcome to my old neighborhood!’”
https://www.nasa.gov/blogs/missions/2026/04/06/artemis-ii-flight-day-6-crew-ready-for-lunar-flyby/
That problem about #Git mishandling diffs in commit messages which was circulating last month led to some improvements by the Git maintainers:
The NPM Axios package maintainer suffered an account takeover:
Even if you’re unaffected now, it’s a great time to set a dependency cooldown period for everything you use.
If you use #NodeJS, enable minimum package age in NPM/PNPM/Bun/Yarn.
If you use #Python, enable exclude-newer in uv, minimum age in pip, or help the Poetry maintainers finish the open PR: https://github.com/python-poetry/poetry/pull/10763
Anyone who thinks hash pinning is a solution for supply chain attacks should look at what happened to #AquaSecurity’s #Trivy: pinning the hash was arguably key to the attack succeeding by making the payload blend in, with a hefty assist from the design flaw in #GitHub allowing commits to be referenced through a repo which doesn’t contain them.
Immutable tags are becoming table stakes.
https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
If anyone you know uses #Trivy, it's time to rotate all of the credentials it had access to if you ran the 0.69.4 container or GitHub release (Homebrew users avoided this thanks to building from source). Probably a good idea to think about other defense-in-depth measures, too…
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
I continue to be satisfied with blocking telnet on managed networks around the turn of the century:
“Thankfully, twenty years later, somebody thought to check the server end for the same vulnerability.”
“AI is eating and breaking the internet and social media. We are moving from a many-to-many publishing environment that created untold millions of jobs and businesses towards a system where AI tools can easily overwhelm human-created websites, businesses, art, writing, videos, and human activity on the internet. What’s happening may be too chaotic, messy, and unpleasant for AI companies to want to reckon with, but to ignore it entirely is malpractice.”
https://www.404media.co/ai-job-loss-research-ignores-how-ai-is-utterly-destroying-the-internet/
“A Resume.org survey of 1,000 hiring managers found that 59% say they emphasize AI’s role in layoffs because it “is viewed more favorably by stakeholders than saying layoffs or hiring freezes are driven by financial constraints.” Only 9% said AI had fully replaced any roles. This is not a technology story; it’s a management honesty story that happens to involve technology.”
https://www.bloomberg.com/opinion/articles/2026-03-13/the-ai-washing-of-job-cuts-is-corrosive-and-confusing
Feels like we should talk more about how brittle modern security practices make systems:
“Another poster on Reddit wrote that "many colleagues phones have been wiped," and they were instructed to remove "intune, company portal, teams, VPN" from their personal devices. The author of the post indicated that they were unable to log into many of their accounts because they used their phone to provide two-factor authentication codes to log into those accounts.”
https://www.zetter-zeroday.com/iranian-hacktivists-strike-medical-device-maker-stryker-in-severe-attack-that-wiped-systems/
“The reels of film were old and battered and no one knew what was on them.
They were from before World War I and had been shuttled around from basements to barns to garages and had just been dropped off at the Library. There were about 10 of them and they were rusted. Some were misshapen. The nitrate film stock had crumbled to bits on some; other strips were stuck together.
The librarians peeled them apart and gently looked them over, frame by frame…”
https://blogs.loc.gov/loc/2026/02/lost-19th-century-film-by-melies-discovered-at-the-library/