The Samsung Galaxy Book6 Pro is a laptop in the ultrabook class, featuring a sublime design that keeps bulk to a minimum.

I was immediately struck by the svelteness of the unit. The clean lines and rounded corners only add to its minimalist chic, as does the steely grey colorway.

Google released emergency updates to fix another Chrome zero-day vulnerability exploited in attacks, marking the fourth such security flaw patched since the start of the year.

“Google is aware that an exploit for CVE-2026-5281 exists in the wild,” Google said in a security advisory issued on Tuesday.

As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project.

Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior.

While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the company noted.

​Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux users (146.0.7680.177). While Google says that this out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates today.

If you don’t want to update the browser manually, you can also have it check for updates at the next launch and install them automatically.

This is the fourth actively exploited Chrome zero-day patched since the start of the year. The first (CVE-2026-2441) was an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome’s implementation of CSS font feature values), which Google addressed in mid-February.

Google patched two other Chrome zero-day bugs exploited in attacks earlier this month: the first is an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and the second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).

In 2025, Google fixed a total of eight zero-days exploited in the wild, many of which were discovered and reported by Google’s Threat Analysis Group (TAG), which is known for tracking and identifying zero-day exploits used in spyware attacks.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Advertisement

Get Your Copy Now

As if endless scrolling wasn’t bad enough already, TikTok has now quietly added a hidden emoji game inside DMs. The mini-game is live right now and works in both one-on-one messages and group chats. It means the app now has one more little trick to keep users hanging around even when they are technically done watching videos.

And honestly, it is exactly the kind of feature you would expect from a platform that has mastered years of mastering the art of making “just five more minutes” turn into an hour.

What’s the game, and why you should be wary

The game kicks off when you send a single emoji in a chat. If you tap on this emoji, your chosen emoji becomes part of the game itself, floating across the screen to give you a speed boost as you try to bounce upward across a stack of alligators.

The goal is to climb as high as possible while avoiding skeleton alligators, with some of these disappearing after one landing. So it’s all about quick reactions and enough chaos to make you give it another try. TikTok also shows both your score and your opponent’s high score in the top-right corner. So this basically turns it into a lightweight little competition instead of just a throwaway gimmick.

It is very on-brand

TikTok told TechCrunch that it launched the Easter egg to make messaging more fun and add a playful competitive element to DMs. This isn’t the first time we’re seeing something like this. Instagram added its own hidden emoji DM game two years ago, and Meta has also been experimenting with games inside Threads chats.

On paper, this is just a harmless little DM mini-game. But in practice, it is one more engagement hook dropped into a platform that was already very good at monopolizing attention.

Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a cross-platform remote access trojan. The malicious releases target macOS, Windows, and Linux. They were live on the npm registry for roughly three hours before removal.

Axios gets more than 100 million downloads per week. Wiz reports it sits in approximately 80% of cloud and code environments, touching everything from React front-ends to CI/CD pipelines to serverless functions. Huntress detected the first infections 89 seconds after the malicious package went live and confirmed at least 135 compromised systems among its customers during the exposure window.

This is the third major npm supply chain compromise in seven months. Every one exploited maintainer credentials. This time, the target had adopted every defense the security community recommended.

One credential, two branches, 39 minutes

The attacker took over the npm account of @jasonsaayman, a lead axios maintainer, changed the account email to an anonymous ProtonMail address, and published the poisoned packages through npm’s command-line interface. That bypassed the project’s GitHub Actions CI/CD pipeline entirely.

The attacker never touched the Axios source code. Instead, both release branches received a single new dependency: plain-crypto-js@4.2.1. No part of the codebase imports it. The package exists solely to run a postinstall script that drops a cross-platform RAT onto the developer’s machine.

The staging was precise. Eighteen hours before the axios releases, the attacker published a clean version of plain-crypto-js under a separate npm account to build publishing history and dodge new-package scanner alerts. Then came the weaponized 4.2.1. Both release branches hit within 39 minutes. Three platform-specific payloads were pre-built. The malware erases itself after execution and swaps in a clean package.json to frustrate forensic inspection.

StepSecurity, which identified the compromise alongside Socket, called it among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.

The defense that existed on paper

Axios did the right things. Legitimate 1.x releases shipped through GitHub Actions using npm‘s OIDC Trusted Publisher mechanism, which cryptographically ties every publish to a verified CI/CD workflow. The project carried SLSA provenance attestations. By every modern measure, the security stack looked solid.

None of it mattered. Huntress dug into the publish workflow and found the gap. The project still passed NPM_TOKEN as an environment variable right alongside the OIDC credentials. When both are present, npm defaults to the token. The long-lived classic token was the real authentication method for every publish, regardless of how OIDC was configured. The attacker never had to defeat OIDC. They walked around it. A legacy token sat there as a parallel auth path, and npm‘s own hierarchy silently preferred it.

“From my experience at AWS, it’s very common for old auth mechanisms to linger,” said Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, in an exclusive interview with VentureBeat. “Modern controls get deployed, but if legacy tokens or keys aren’t retired, the system quietly favors them. Just like we saw with SolarWinds, where legacy scripts bypassed newer monitoring.”

The maintainer posted on GitHub after discovering the compromise: “I’m trying to get support to understand how this even happened. I have 2FA / MFA on practically everything I interact with.”

Endor Labs documented the forensic difference. Legitimate axios@1.14.0 showed OIDC provenance, a trusted publisher record, and a gitHead linking to a specific commit. Malicious axios@1.14.1 had none. Any tool checking provenance would have flagged the gap instantly. But provenance verification is opt-in. No registry gate rejected the package.

Three attacks, seven months, same root cause

Three npm supply chain compromises in seven months. Every one started with a stolen maintainer credential.

The Shai-Hulud worm hit in September 2025. A single phished maintainer account gave attackers a foothold that self-replicated across more than 500 packages, harvesting npm tokens, cloud credentials, and GitHub secrets as it spread. CISA issued an advisory. GitHub overhauled npm’s entire authentication model in response.

Then in January 2026, Koi Security’s PackageGate research dropped six zero-day vulnerabilities across npm, pnpm, vlt, and Bun that punched through the very defenses the ecosystem adopted after Shai-Hulud. Lockfile integrity and script-blocking both failed under specific conditions. Three of the four package managers patched within weeks. npm closed the report.

Now axios. A stolen long-lived token published a RAT through both release branches despite OIDC, SLSA, and every post-Shai-Hulud hardening measure in place.

npm shipped real reforms after Shai-Hulud. Creation of new classic tokens got deprecated, though pre-existing ones survived until a hard revocation deadline. FIDO 2FA became mandatory, granular access tokens were capped at seven days for publishing, and trusted publishing via OIDC gave projects a cryptographic alternative to stored credentials. Taken together, those changes hardened everything downstream of the maintainer account. What they didn’t change was the account itself. The credential remained the single point of failure.

“Credential compromise is the recurring theme across npm breaches,” Baer said. “This isn’t just a weak password problem. It’s structural. Without ephemeral credentials, enforced MFA, or isolated build and signing environments, maintainer access remains the weak link.”

What npm shipped vs. what this attack walked past

What to do now at your enterprise

SOC leaders whose organizations run Node.js should treat this as an active incident until they confirm clean systems. The three-hour exposure window fell during peak development hours across Asia-Pacific time zones, and any CI/CD pipeline that ran npm install overnight could have pulled the compromised version automatically.

“The first priority is impact assessment: which builds and downstream consumers ingested the compromised package?” Baer said. “Then containment, patching, and finally, transparent reporting to leadership. What happened, what’s exposed, and what controls will prevent a repeat. Lessons from log4j and event-stream show speed and clarity matter as much as the fix itself.”

• Check exposure. Search lockfiles and CI logs for axios@1.14.1, axios@0.30.4, or plain-crypto-js. Pin to axios@1.14.0 or axios@0.30.3.

• Assume compromise if hit. Rebuild affected machines from a known-good state. Rotate every accessible credential: npm tokens, AWS keys, SSH keys, cloud credentials, CI/CD secrets, .env values.

• Block the C2. Add sfrclak.com and 142.11.206.73 to DNS blocklists and firewall rules.

• Check for RAT artifacts. /Library/Caches/com.apple.act.mond on macOS. %PROGRAMDATA%\wt.exe on Windows. /tmp/ld.py on Linux. If found, preform a full rebuild.

• Harden going forward. Enforce npm ci --ignore-scripts in CI/CD. Require lockfile-only installs. Reject packages missing provenance from projects that previously had it. Audit whether legacy tokens coexist with OIDC in your own publishing workflows.

The credential gap nobody closed

Three attacks in seven months. Each different in execution, identical in root cause. npm’s security model still treats individual maintainer accounts as the ultimate trust anchor. Those accounts remain vulnerable to credential hijacking, no matter how many layers get added downstream.

“AI spots risky packages, audits legacy auth, and speeds SOC response,” Baer said. “But humans still control maintainer credentials. We mitigate risk. We don’t eliminate it.”

Mandatory provenance attestation, where manual CLI publishing is disabled entirely, would have caught this attack before it reached the registry. So would mandatory multi-party signing, where no single maintainer can push a release alone. Neither is enforced today. npm has signaled that disabling tokens by default when trusted publishing is enabled is on the roadmap. Until it ships, every project running OIDC alongside a legacy token has the same blind spot axios had.

The axios maintainer did what the community asked. A legacy token nobody realized was still active and undermined all of it.

‘By supporting the emergence of Bull, we are choosing strategic independence,’ said France’s minister delegate for artificial intelligence and digital affairs.

France has completed its acquisition of 100pc of the capital of supercomputer maker Bull from Atos Group, in a deal that marks a “major step forward for French and European technological sovereignty”.

The acquisition, the completion of which was announced yesterday (31 March), is expected to boost France and Europe’s tech sovereignty particularly in the areas of high‑performance computing, AI and quantum technologies, according to the French state and Bull. The French state is now the sole shareholder of Bull.

“The revival of Bull as an independent company supported by the French state marks a decisive step in our history,” said Emmanuel Le Roux, CEO of Bull. “With a long‑term strategic shareholder, we are strengthening our position as a trusted industrial partner across the entire value chain of high‑performance computing, quantum computing and artificial intelligence.”

The deal to acquire Bull from Atos Group was first agreed in July of last year, when France agreed to pay an enterprise value of up to €404m for the company.

Bull, which is headquartered in Bezons, France, designs and manufactures supercomputers and high‑performance servers, as well as enterprise servers, software solutions, AI use cases and innovations in quantum computing.

“The supercomputers produced there meet the most demanding needs of national defence, industry and fundamental research, and are also essential for training and deploying artificial intelligence models,” read yesterday’s announcement. “They are recognised for their performance and energy efficiency – two decisive criteria for training large AI models.”

The computing company has been in operation for nearly a century, having been founded in 1931. The company was acquired by Atos Group in 2014, when it became the organisation’s advanced computing business.

Europe’s sovereignty push

The completion of France’s purchase of Bull comes amid a wider push for tech sovereignty in Europe in recent times – particularly in the wake of recent transatlantic tensions with the current US administration.

France, along with Germany, have been prominent figureheads in the push for European digital sovereignty, with both countries taking centre stage at last November’s Summit on European Digital Sovereignty to propose a number of initiatives – including the launch of a joint taskforce on European digital sovereignty led by the two nations.

Sovereignty efforts have seen milestones achieved in Europe’s supercomputing space in particular.

Last September, Jupiter, the first computer system in Europe to achieve exascale threshold – one that performs more than one quintillion operations per second – was inaugurated at the Jülich Supercomputing Centre in Germany.

Jupiter joined existing supercomputers in the EuroHPC network – namely, MareNostrum in Spain, Leonardo in Italy, Lumi in Finland, Discoverer in Bulgaria, MeluXina in Luxembourg, Vega in Slovenia, Karolina in Czechia and Deucalion in Portugal – together conducting billions of calculations per second.

A month later, the European High Performance Computing Joint Undertaking (EuroHPC JU) signed a procurement contract with Eviden for the delivery of Alice Recoque, a new European exascale supercomputer (named after the late pioneering French computer scientist) to be located in France.

“The state’s entry into Bull’s share capital marks a decisive step for our digital sovereignty,” said Anne Le Hénanff, France’s minister delegate for artificial intelligence and digital affairs. “At a time when artificial intelligence and quantum technologies are profoundly reshaping technological balances, France is equipping itself with a leading industrial player in high‑performance computing.

“By supporting the emergence of Bull, we are choosing strategic independence. It is a strong signal: that of a country that invests, that protects its expertise, and that is determined to remain sovereign in the technologies that will shape the world of tomorrow.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.