In short: Every time you visit LinkedIn in a Chrome-based browser, a hidden JavaScript routine silently probes your browser for more than 6,000 installed extensions, collects 48 hardware and software characteristics about your device, encrypts the resulting fingerprint, and attaches it to every API request you make during your session. The practice, labelled “BrowserGate” by researchers, is not disclosed in LinkedIn’s privacy policy. LinkedIn says it is a security measure; critics say it is covert surveillance of a billion users’ browsing behaviour at industrial scale.

There is a routine that runs on your computer every time you open LinkedIn. You cannot see it, you were not told about it, and it is not described in the company’s privacy policy. According to an investigation published in early April 2026 by Fairlinked e.V., a European association of commercial LinkedIn users, the platform injects a 2.7-megabyte JavaScript bundle into its website that silently scans visitors’ browsers for the presence of more than 6,000 specific Chrome extensions, assembles a detailed fingerprint of their hardware, encrypts it, and transmits the result to LinkedIn’s servers, where it is attached to every subsequent action taken during the session.

The investigation, independently confirmed by BleepingComputer, which verified the scanning behaviour through its own testing, has been dubbed “BrowserGate.” LinkedIn disputes many of the report’s characterisations. The technical facts are not in dispute.

What the script does

LinkedIn calls its scanning system “Spectroscopy.” When a user loads the LinkedIn website, the script fires off up to 6,222 simultaneous requests, each one probing for a specific browser extension by attempting to access files associated with that extension’s ID. The presence or absence of a file in the response indicates whether the extension is installed. The entire operation runs silently in the background, without a visible prompt or notification of any kind.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Beyond extensions, the script collects 48 distinct characteristics of the user’s device: CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio hardware information, and storage capacity, among others. Individually, these attributes are unremarkable. Combined, they form a device fingerprint specific enough to identify a user even after cookies are cleared.

Once compiled, the data is serialised to JSON and encrypted using an RSA public key, LinkedIn’s internal identifier for the key is “apfcDfPK”,  before being transmitted to telemetry endpoints including li/track and /platform-telemetry/li/apfcDf. The fingerprint is then permanently injected as an HTTP header into every API request made during the session, meaning LinkedIn receives it with every search, every profile view, every message sent.

What it is looking for

The question of which extensions LinkedIn is scanning for makes the surveillance more sensitive than simple fraud detection would require. According to the BrowserGate report, LinkedIn’s list includes more than 200 products that compete directly with its own sales tools, among them Apollo, Lusha, and ZoomInfo. Because LinkedIn knows the employer of each registered user, systematically scanning for the presence of a competitor’s tool gives the platform visibility into which companies are evaluating or deploying rival products.

The list also reportedly includes tools associated with neurodivergent conditions, religious practice, political interests, and job-hunting activity, categories that, in the European Union, qualify as sensitive personal data subject to heightened protection under the General Data Protection Regulation. Knowing that a user is running a job-search extension, for instance, is a meaningful inference about their employment intentions, drawn without consent.

The scale of the operation has grown substantially over time. LinkedIn began scanning for 38 specific extensions in 2017. By 2024, that number had grown to 461. By February 2026, the list had reached 6,167, a 1,252% increase in two years. BleepingComputer’s testing confirmed the scanning was active as of early April 2026.

LinkedIn’s defence and the source of the report

LinkedIn’s response to BleepingComputer was pointed. “The claims made on the website linked here are plain wrong,” a spokesperson said. “The person behind them is subject to an account restriction for scraping and other violations of LinkedIn’s Terms of Service. To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.” The company added that it does not use the data to “infer sensitive information about members.”

The platform’s characterisation of the source matters. Fairlinked e.V. is connected to Teamfluence Signal Systems OÜ, an Estonian company whose managing directors include Steven Morell and Jan Liebling. Teamfluence makes a Chrome extension, also called Teamfluence, that LinkedIn restricted for alleged terms of service violations. The company subsequently filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich, alleging violations of the Digital Markets Act, EU competition law, and German data protection rules. In January 2026, the Munich court denied the injunction, finding that LinkedIn’s actions did not constitute unlawful obstruction or discrimination.

The financial dispute between the parties does not change the technical findings, which were verified independently. It does mean the framing of those findings is contested, and readers should weigh both the substance of the claim and its provenance.

The regulatory backdrop

This is not LinkedIn’s first serious encounter with European data protection enforcement. In October 2024, the Irish Data Protection Commission, which regulates LinkedIn in the EU through its Irish subsidiary, fined the company €310 million, approximately $334 million , for processing users’ personal data for targeted advertising without a valid legal basis. The decision found that LinkedIn’s consent mechanisms did not meet GDPR’s requirement that consent be “freely given.” LinkedIn was ordered to bring its data processing into compliance.

The BrowserGate investigation drops into that context. The legal question of whether scanning for 6,000 browser extensions constitutes processing of special-category personal data, and whether users’ lack of awareness of the practice renders any implied consent invalid,  is exactly the kind of question the Irish Data Protection Commission has already shown it is willing to adjoin in court. Europe’s evolving digital regulation framework has been moving steadily toward requiring explicit disclosure of all significant data collection, and a scanning operation of this scale, conducted without any mention in a privacy policy, appears difficult to square with that direction of travel.

LinkedIn is a Microsoft subsidiary, acquired in 2016 for $26.2 billion. Microsoft has been aggressively expanding its AI capabilities in 2026, with LinkedIn’s vast dataset of professional identity and employment history forming a significant part of the data infrastructure on which those capabilities rest. The relationship between LinkedIn’s data collection practices and Microsoft’s broader AI ambitions is not addressed in LinkedIn’s privacy policy either.

What this means for users

LinkedIn has more than one billion registered users. The majority access the platform through Chrome-based browsers, meaning the Spectroscopy scan runs routinely on the devices of a significant fraction of the global professional workforce, collecting a fingerprint that is precise enough to persist across cookie resets and potentially across devices.

Short of using a non-Chromium browser such as Firefox, which would limit but not necessarily eliminate LinkedIn’s fingerprinting capabilities, there is no user-facing setting that prevents the scanning. The platform does not offer an opt-out, because it does not disclose the practice in the first place. The 2026 push for governed and transparent AI and data practices is built on precisely the premise that invisible data collection of this kind should not be the default.

Whether regulators move quickly enough to change that default at LinkedIn’s scale remains to be seen. Security firms increasingly built to detect exactly this kind of covert data harvesting are becoming a growth sector in their own right, a market indicator that the gap between what platforms collect and what users understand is still very wide. The year 2025 normalised AI-powered data collection at a pace that regulation has yet to match. BrowserGate is a case study in what that lag looks like from the inside of a browser.

In short: AI-powered “vibe coding” tools have driven an 84% jump in new app submissions to Apple’s App Store in a single quarter, according to reporting by The Information, the largest surge in a decade. The flood is straining Apple’s review infrastructure, with approval times ballooning from 24 hours to as many as 30 days. Apple has responded by pulling apps that violate its self-containment rules, triggering a standoff with the platforms fuelling the boom.

Apple’s App Store is receiving more new apps than at any point in the past ten years. The cause is not a wave of professional developers: it is a term that Collins English Dictionary named its word of the year for 2025, coined by Andrej Karpathy, a co-founder of OpenAI and former AI lead at Tesla, in a single social media post in February of that year. Vibe coding ,the practice of building software by describing what you want in plain language and letting a large language model write the code, has lowered the barrier to app development so dramatically that it is now overwhelming the infrastructure Apple built to gatekeep its platform.

According to reporting by The Information, the number of new apps submitted to the App Store rose 84% in a single quarter as vibe coding went mainstream. The figure corroborates broader data from Sensor Tower, which tracked a 56% year-on-year spike in iOS app launches in December 2025 and a 54.8% rise in January 2026, the highest growth rates in four years. Apple’s full-year 2025 total reached 557,000 new app submissions, the largest annual wave since 2016.

The tools behind the flood

The surge is attributable to a small cluster of platforms that have turned natural language into deployable software. Cursor, made by Anysphere and used by seven million developers, surpassed $2 billion in annualised revenue in March 2026 and was valued at $29.3 billion after a $2.3 billion funding round co-led by Accel and Coatue in November 2025. Lovable, which targets non-technical builders, reached $200 million in annualised revenue in late 2025, a fiftyfold increase in a single year, and raised $330 million in a Series B at a $6.6 billion valuation in December 2025. Replit generated $240 million in revenue during 2025, serves more than 150,000 paying customers, and is targeting $1 billion in revenue for 2026. Bolt.new has become a popular entry point for rapid idea-to-prototype work.

The commercial argument for these platforms is straightforward: anyone with an idea and an internet connection can now build and submit an app. The problem for Apple is that the same dynamic that makes vibe coding commercially compelling is structurally incompatible with how the App Store review process works.

Why Apple has a structural problem

Vibe coding’s power lies in generating and executing new code on demand,  in response to user prompts, in real time, without a fixed codebase. Apple’s App Store review process was designed for a different model: a developer submits a static build, Apple reviews it, and the approved build is what users receive. Guideline 2.5.2 of Apple’s App Review Guidelines states explicitly that apps “may not download, install, or execute code which introduces or changes features or functionality of the app.” Vibe coding apps, almost by definition, do exactly that.

The volume consequences are already visible in Apple’s infrastructure. Developers submitting to the App Store in March 2026 reported review delays of seven to 30 or more days, against a historical baseline of 24 to 48 hours,  with the majority of delay time spent in the “Waiting for Review” queue before a reviewer picks up the submission. The flood of AI-generated apps is straining a system designed for a world in which building an app took months, not minutes.

The crackdown begins

Apple’s enforcement response has been progressive and, at times, opaque. In mid-March 2026, reports emerged that Apple had quietly blocked updates for a set of vibe coding apps, including Replit and Vibecode,  without public explanation. Developers described receiving rejections citing Guideline 2.5.2 but receiving no advance warning that enforcement was intensifying.

The most prominent casualty was Anything, an app that let users build small tools and automations through natural language prompts. Its co-founder, Dhruv Amin, said Apple had been preventing updates since December 2025 before pulling the app entirely on 30 March 2026. Amin attempted to reach a compromise by modifying the app so that vibe-coded outputs would be previewed in a web browser rather than executed inside the app itself; Apple blocked that update and removed the app regardless.

An Apple spokesperson told The Information that the company was not targeting vibe coding as a category but rather enforcing guidelines that prevent apps from changing their behaviour after review. The distinction, in practice, is narrow: the defining capability of a vibe coding app is its ability to generate and run new functionality on demand, which is precisely what Guideline 2.5.2 prohibits.

The counterargument

Critics of Apple’s position have been pointed. A CNBC column published at the end of March 2026 argued that Apple’s crackdown “puts it on the wrong side of history,” contending that the review-based model was conceived for a world that no longer exists and that blocking vibe coding apps disadvantages the platform against Android, which applies fewer constraints on dynamic code execution.

The deeper tension is one of gatekeeping economics. Apple’s App Store review process is not only a safety mechanism: it is the basis of the 15–30% commission the company collects on in-app purchases and subscriptions. A wave of vibe-coded apps that bypass review , by generating code outside the approved bundle, is also, in structural terms, a challenge to the business logic of the store itself. Regulators in Europe have been scrutinising Apple’s App Store gatekeeping under the Digital Markets Act, and the vibe coding dispute adds another dimension to that ongoing examination.

A platform reckoning

What vibe coding has exposed is a mismatch between the speed at which AI can generate software and the speed at which existing review infrastructure can evaluate it. Apple reviewed roughly 200,000 weekly app submissions at the height of its 2025 volume, and the surge has outpaced that capacity. The platform now faces a choice between expanding its review capacity significantly, updating its guidelines to accommodate dynamic code execution in controlled ways, or continuing to enforce existing rules and accepting the friction that creates with a rapidly growing class of developers.

The capital being deployed into AI infrastructure in 2026 makes it unlikely that the volume of vibe-coded apps will slow on its own. The tools are becoming faster and cheaper; the category is producing some of the highest-growth companies in the technology industry. As AI moves from novelty to commercial infrastructure, the question of who controls the distribution layer,  and on what terms, is becoming the central battleground of the platform era. Apple built the App Store as an answer to that question. Vibe coding is making it ask the question again from the beginning. The AI acceleration of 2025 has arrived at the gate. Apple is deciding whether to open it.

Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.

Today’s NYT Strands puzzle features some complicated words. Some of the answers are difficult to unscramble, so if you need hints and answers, read on.

I go into depth about the rules for Strands in this story. 

If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.

Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far

Hint for today’s Strands puzzle

Today’s Strands theme is: Fringe group

If that doesn’t help you, here’s a clue: Almost on the outside.

Clue words to unlock in-game hints

Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints but any words of four or more letters that you find will work:

• DARK, RAGE, MORE, NEST, DINE, DINES, DINER, DINERS

Answers for today’s Strands puzzle

These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you have all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:

• EDGE, BRINK, BOUNDARY, VERGE, MARGIN, EXTREMITY

Today’s Strands spangram

Today’s Strands spangram is OUTERLIMITS. To find it, look for the O that is six letters down on the far-left row, and wind down, over, and up.

Scammers are sending fake “Notice of Default” traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information.

This is a new variation of the widely sent toll violation and unpaid parking ticket scams that users received in 2025, which claimed to be from state toll agencies.

This new campaign started a few weeks ago, with someone sharing a text targeting New York residents with BleepingComputer, and many other people reporting similar texts online for other states, including California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.

Unlike the previous campaign, which included a text message and links to phishing sites, this new variation instead includes an image of an alleged court notice with an embedded QR code.

“This notice constitutes a final and urgent warning regarding an outstanding traffic violation involving your registered vehicle within the State of New York,” reads the fake court notice.

“This matter has now entered the formal enforcement stage.”

The text message shared with BleepingComputer claims to be from the “Criminal Court of the City of New York”, stating that there is an unpaid parking or toll violation that must be paid immediately or the person must appear in court. Included are instructions to scan a QR code to settle the unpaid balances.

Scanning the QR code brings the targeted person to an intermediary site that first prompts you to solve a captcha to prove you are human. The QR codes and CAPTCHA are used to make it harder for automated security software and researchers to analyze the phishing campaign.

Solving the CAPTCHA redirects you to another phishing site that impersonates the state’s DMV or another agency, claiming there is an unpaid toll or parking ticket. In all examples seen by BleepingComputer, this outstanding balance is $6.99.

For example, phishing sites that impersonate the New York DMV use the hostname “ny.gov-skd[.]org” or “ny.ofkhv[.]life”.

Clicking continue will take you to a page where you can enter your personal and credit card information to pay the alleged charge.

This form is used to steal your data, including your name, address, phone number, email address, and, eventually, your credit card information.

This information can then be used for a wide variety of malicious activities, including follow-on phishing attacks, financial fraud, identity theft, and the sale of your data to other threat actors.

As a general rule, if you receive a text from an unknown phone number or email address requesting payment of a bill, ignore it.

State agencies have repeatedly stated in response to these scams that they do not use text messages requesting personal information or payment information.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now

We got to share in a rare moment of collective awe this week as four astronauts blasted off toward the moon, beginning a 10-day journey that will take them farther from Earth than any humans have traveled in the last 50 years. It’ll still be a little while before they reach their destination — the Orion spacecraft is expected to loop around the moon on Monday — but they’ve already seen some pretty incredible stuff on the way there. Here’s the latest on the Artemis II mission, and other interesting science stories from this week.

Artemis II crosses the halfway point

After years of planning, NASA astronauts Reid Wiseman, Victor Glover and Christina Koch, along with Canadian Space Agency (CSA) astronaut Jeremy Hansen, are finally on their way to the moon for the Artemis II mission. This test flight is a crucial step in NASA’s plans to send humans to the surface of the moon again for the first time since Apollo 17, and the high-stakes launch went off without a hitch on Wednesday.

The Artemis II crew is now more than halfway to the moon, according to NASA. When Orion reaches the moon on April 6, the astronauts will have a six-hour window of opportunity to observe the partially lit lunar far side, which can’t be seen from Earth. If you’re curious about where exactly the astronauts are at any given moment, you can track the mission by visiting NASA’s Artemis Real-Time Orbit website. And, if you just want to see what space looks like from Orion, here’s a livestream from outside the capsule. The moon is now in view!

The crew did experience some technical difficulties after leaving the ground, though all were resolved fairly quickly. Early Thursday morning, Wiseman contacted mission control to troubleshoot some issues with a Surface Pro he was attempting to use, noting, “I have two Microsoft Outlooks and neither one of those are working.” Relatable. The Artemis II crew was also greeted by a malfunctioning toilet not long into the flight, and astronaut Koch had to work with the ground team to figure out a fix — which they thankfully were able to do. In a livestream later, the astronaut joked that she is now a space plumber.

Small issues aside, the Artemis II mission is off to a pretty amazing start. The Orion spacecraft completed its translunar injection burn on Thursday, officially taking it out of Earth orbit and putting it on its way to the moon. Commander Wiseman shared some pictures of the view from Orion’s windows afterward, and they are breathtaking. In one unbelievably crisp shot of Earth, you can even see two auroras. And there’s plenty more observations to come.

Students discover a nearly pristine ancient star

Using data from the Sloan Digital Sky Survey (SDSS), a group of undergraduate students at the University of Chicago has discovered what’s thought to be one of the oldest stars ever observed. Their analysis indicates that the star, called SDSSJ0715-7334, was born in the nearby Large Magellanic Cloud billions of years ago before eventually making its way to the Milky Way.

The star was one of 77 that the students selected for closer observation after poring through the SDSS data in their “Field Course in Astrophysics” class, which is led by Professor Alex Ji, the deputy Project Scientist for SDSS-V. SDSS-V is an ongoing all-sky survey that’s mapping the Milky Way. After creating their list, they set out to observe the stars during a field trip to Carnegie Science’s Las Campanas Observatory in Chile, and honed in on SDSSJ0715-7334 on day two. The team found it’s made mostly of hydrogen and helium, with very little carbon and iron. In the paper published in the journal Nature Astronomy, the researchers note that this composition could be the product of a primordial supernova.

“This ancient immigrant gives us an unprecedented look at conditions in the early universe,” said Ji in a statement. Ji added, “The star has so little carbon that it suggests an early sprinkling of cosmic dust is responsible for making it. This formation pathway has only been seen once before.”

Before you go, be sure to check these stories out too:

• What’s going on with Donut Lab’s so-called super battery?

• SpaceX has reportedly filed for the biggest IPO in history

• Charming Kitten relies on deception rather than exploiting technical software vulnerabilities
• Fake identities build trust before phishing attacks compromise sensitive user credentials
• Operations extend across Apple and Microsoft platforms, affecting diverse users globally

Iran-linked cyber operations are drawing renewed attention for relying less on advanced code and more on human manipulation to gain access to sensitive systems.

At the centre of this activity is Charming Kitten, a group associated with Iran’s security apparatus which has spent years targeting officials, researchers, and corporate employees.