The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign linked to North Korean hackers.

This follows the threat actors compromising a maintainer account to publish two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry, triggering a supply chain attack.

These releases injected a dependency named plain-crypto-js that installed a remote access trojan (RAT) on macOS, Windows, and Linux systems.

The malicious versions were available for roughly three hours before being removed, but systems that installed them during that period should be considered compromised, and all credentials and authentication keys should be rotated.

The Axios maintainers said they have wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

The Google Threat Intelligence Group has since linked this attack to North Korean threat actors tracked as UNC1069.

“GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor,” explains Google.

“Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.”

Targeted in a social engineering attack

According to a post-mortem, the compromise began weeks earlier through a targeted social engineering attack on the project’s lead maintainer, Jason Saayman. 

The attackers impersonated a legitimate company, cloned its branding and founders’ likenesses, and invited the maintainer into a Slack workspace designed to impersonate the company. Saayman says the Slack server contained realistic channels, with staged activity and fake profiles that posed as employees and other open-source maintainers.

“They then invited me to a real slack workspace. this workspace was branded to the companies ci and named in a plausible manner,” explained Saayman in a post to the post-mortem.

“The slack was thought out very well, they had channels where they were sharing linked-in posts, the linked in posts i presume just went to the real companys account but it was super convincing etc. they even had what i presume were fake profiles of the team of the company but also number of other oss maintainers.”

The attackers then scheduled a meeting on Microsoft Teams that appeared to include numerous people.

During the call, a technical error was displayed, claiming that something on the system was out of date, prompting the maintainer to install a Teams update to fix the error. However, this fake update was actually RAT malware that gave threat actors remote access to the maintainer’s device, allowing them to obtain the npm credentials for the Axios project.

Other maintainers reported similar social engineering attacks, where the threat actors tried to get them to install a fake Microsoft Teams SDK update.

This attack is similar to a ClickFix attack, in which victims are shown a fake error message and then prompted to follow troubleshooting steps that deploy malware.

This attack also mirrors previous campaigns reported by Google’s threat intelligence teams, in which North Korean threat actors tracked UNC1069 used the same tactics to target cryptocurrency firms.

In previous campaigns attributed to the UNC1069 threat actor, the threat actors would deploy additional payloads on devices, such as backdoors, downloaders, and infostealers designed to steal credentials, browser data, session tokens, and other sensitive information.

Since the attackers gained access to authenticated sessions, MFA protections were effectively bypassed, allowing access to accounts without having to re-authenticate.

The Axios maintainers confirmed that the attack did not involve modifying the project’s source code, but instead relied on injecting a malicious dependency into otherwise legitimate releases.

Pelle Wessman, a maintainer of numerous open-source projects, including the popular Mocha framework, posted on LinkedIn that he was targeted in the same campaign and shared a screenshot of a fake RTC connection error message used to trick targets into installing malware.

When Wessman refused to install the app, the threat actors tried to convince him to run a Curl command.

“When it became clear that I wouldn’t run the app and we had chatted back and forth on website and chat app they made one final desperate attempt and tried to get me to run a curl command that would download and run something, then when I refused they went dark and deleted all conversations,” explained Wessman.

Cybersecurity firm Socket also reported that this was a coordinated campaign that has begun targeting maintainers of popular Node.js projects.

Multiple developers, including maintainers of widely used packages and Node.js core contributors, reported receiving similar outreach messages and invitations to Slack workspaces operated by the attackers.

Socket noted that these maintainers are responsible for packages with billions of weekly downloads, demonstrating that the threat actors focused on high-impact projects.

“Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign,” explained Socket.

“The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target. It was part of a coordinated, scalable attack pattern aimed at high-trust, high-impact open source maintainers.”

Socket said the campaign followed a consistent pattern, with the threat actors first making contact through platforms like LinkedIn or Slack and then inviting recipients into private or semi-private workspaces.

After building rapport with the target, the threat actors scheduled video calls, which in some cases were conducted through sites impersonating Microsoft Teams and other platforms.

During these calls, an error message would be displayed to the targets, which prompted them to install “native” desktop software that works better or run commands to fix the technical issues.

The same playbook used against all these targets during the same time period indicates this was a coordinated campaign rather than a series of one-off attacks.

The Socket researchers say that these types of supply chain attacks are becoming more common, with attackers now focusing on widely used packages to cause widespread impact.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now

It’s smaller and more portable than the brutish Move, yet large enough to sound much fuller than the pint-sized Roam. It can sit fixed on its charging cradle to rival the homebound Sonos Era 100, or follow you anywhere. In other words, it’s the epitome of Sonos versatility, and now that it’s working properly, it’ll be hard to pass up.

Play On

Opening the Play’s brown cardboard packaging feels equal parts Scandi minimalism and sustainability, in line with recent releases like the Arc Ultra soundbar. Inside, a white acoustic wrapping gives way to a stout tubular speaker with a rubberized loop attached, measuring 7.6 x 4.4 x 3 inches and weighing just under 3 pounds. You’ll also find simple setup instructions and a wireless charging stand, but no wall adapter. You’ll need one that can supply at least 9 volts and 2 amps (18 watts), but a 15-volt, 3-amp (45-watt) model is recommended for “optimal” charging. Sonos says the adapter omission is about reducing e-waste, but will happily sell you one for $29.

Otherwise, the Sonos app is all you need to get going. After the obligatory firmware update, my Play was streaming on my home network in minutes. Sonos hosts over 100 streaming services directly, and you can also stream over third-party services like Spotify Connect, Tidal Connect, Apple AirPlay, and more. You’ll find the speaker as its own “Room” on the app’s main page, where you can swipe up to group it with other Sonos products on your network, or go into the settings to tweak options like EQ, Room name (important if you have more than one Play), and Sonos Trueplay to auto-adjust the sound to your environment.

You’ll also find a Battery Saver toggle, which is set by default to shut down the power when it’s idle for too long. It’s this feature that, according to Sonos, caused my connection woes as I tested the speaker’s 24-hour battery claim. Sonos says it identified the root cause, and after the firmware update I’ve let the speaker power down multiple times, with no further network disruptions over a week of extra testing.

Photograph: Ryan Waniata

Founders Fund has made its name backing what Peter Thiel calls “zero to one” companies — businesses that don’t just improve on existing ideas but create something entirely new. Its portfolio includes Facebook, SpaceX, and Palantir. Its latest bet is a New Zealand startup that puts solar-powered smart collars on cows.

Halter, which closed a $220 million Series E at a $2 billion valuation last month, with Founders Fund leading the round, isn’t the kind of company that tends to dominate technology headlines. There is no agentic AI involved, no humanoid robots. There is, however, a very large and largely unsolved problem: How do you manage cattle spread across some of the most remote terrain on earth, without dogs, horses, motorbikes, or helicopters?

Craig Piggott, Halter’s 30-year-old founder and CEO, has spent nine years working on an answer. “If you manage a pasture-based farm, whether it’s dairy or beef, the most important variable is how you manage the productivity of your land,” Piggott told TechCrunch in a recent interview. “Fences are the lever — they control where animals graze and how you rest the land. Being able to do that virtually just made a lot of sense.”

The system Halter has built combines a solar-powered collar, a network of low-frequency towers, and a smartphone app to let farmers create virtual fences, monitor every animal around the clock, and move their herds without ever leaving the farmhouse. Cattle are trained to respond to audio and vibration cues from the collar — a process Piggott that likens to the way a car beeps as it approaches a wall while parking. Most animals, he says, learn within three interactions with a virtual fence. “Then you’re able to guide them and shift them around on sound and vibration alone.”

The collar does more than herd. Because it is always on and collecting behavioral data, it also tracks animal health, monitors fertility cycles, and flags when individual animals may be sick, capabilities that Piggott says have improved dramatically as Halter has accumulated what is likely the world’s largest dataset of cattle behavior. The company is now on its fifth generation of hardware, and its reproduction product is currently in beta with U.S. customers.

“The product that ranchers use today is radically different to what they bought a year ago,” Piggott said. “Every week, we’re releasing new things to our customers.”

Piggott grew up on a dairy farm in New Zealand before studying engineering and landing a brief stint at Rocket Lab, the rocket company that gave him his first glimpse of what a technology startup could be. “Rocket Lab was kind of my introduction to technology and startups and the world of venture capital,” he said. “Realizing you could raise money, hire a team, and chase an ambitious mission was inspiring. I wanted to do that in agriculture.” He started Halter at 21. “Probably a bit naive in hindsight,” he acknowledged, “but that was fine.”

Nine years later, Halter’s collar is on more than a million cattle across more than 2,000 farms in New Zealand, Australia, and the United States, where the company operates in 22 states. The financial proposition for farmers is straightforward: By giving ranchers precise control over where their herds graze, Halter can lift the productivity of their land by as much as 20% — not by saving labor costs (though that happens, too), but by ensuring cattle graze more efficiently and leave less grass behind. “In some cases, we see customers literally doubling the output off their land,” Piggott said. “The upper ceiling for returns is very, very strong.”

Halter isn’t alone in spying the opportunity. Pharmaceutical giant Merck already makes its own virtual fencing system for cattle, called Vence, and newer entrants are circling too — at Y Combinator’s most recent “demo day,” a startup called Grazemate presented a vision for herding cattle with autonomous drones (no collars necessary).

Piggott seems unbothered by either. Asked about drones, he answers: “Can I see drones playing some small part in the future? Probably. But I don’t think a drone is the right form factor for the core fencing element of virtual fencing. A collar will probably be the right form factor for a very long period of time.” And as for the bigger competitive picture, he argues the real obstacle isn’t rival technology at all. “The biggest competition is just not changing anything,” he said. “It’s doing what you did last year.”

What sets Halter apart, Piggott argues, is the sheer engineering difficulty of what it has spent nine years solving — a system managing a thousand animals needs to be reliable to many nines of uptime, because even a 1% failure rate means ten animals out at any given time. “Chasing those many nines of reliability takes time,” he said, “and that long tail is what we proved out in New Zealand over many years before we started to expand globally.”

Halter is also something of an outlier in the agricultural technology sector, which has slumped in recent years as startups struggled to persuade farmers to adopt new products while managing high operational costs. Piggott attributes Halter’s traction to its relentless focus on financial return. “From day one, Halter has been built around a really strong financial ROI,” he said. “If you can lift the productivity of land by 20%, that flows through the entire business.”

Unlike most technology companies, Halter doesn’t view the United States as the center of its universe. “The U.S. market is important for us, but it’s not the world’s biggest market,” Piggott said. “Agriculture is spread around the world, and we need to get there too.” The company has now raised roughly $400 million in total and is prioritizing expansion across the U.S., South America, and Europe.

But the scale of the remaining opportunity is perhaps best captured in a single number — one that no doubt resonated with Founders Fund and Halter’s earlier backers, too. Halter’s collar is on one million cattle, while there are one billion more in the world. With less than 10% penetration in its home market of New Zealand alone, “We have a long way to go, and a lot of product still to build,” Piggott said.

You can listen to our conversation with Piggott on this newest episode of the StrictlyVC Download podcast, which drops Tuesdays.

from the another-day-in-paradise dept

A quick refresher: there was originally $42.5 billion in broadband grants headed to the states thanks to the 2021 infrastructure bill most Republicans voted against (yet routinely try to take credit for among their constituents).

But after taking office this second time, the Trump administration rewrote the grant program’s guidance to eliminate provisions ensuring the resulting broadband is affordable to poor people, and to ensure that Elon Musk and Jeff Bezos gets billions in new broadband subsidies for their fledgling satellite broadband networks.

Money given to Bezos and Musk is money not spent on better, faster, local fiber optics (especially popular community owned networks). A serious broadband policy would ensure that open access fiber is the priority, followed by wireless, with satellite filling the gaps. Satellite was never intended to be the primary delivery mechanism for broadband, because of obvious congestion and capacity constraints.

The Trump NTIA is doing all of this under the pretense that giving taxpayer money to billionaires (for satellite service they already planned to deploy) instead of spending it on high quality fiber is “saving taxpayers money.” That’s generally resulted in widespread delays for this BEAD (Broadband, Equity, Access and Deployment) program, despite Republicans spending much of last election season complaining this program was taking too long.

The Trump NTIA hijacking of the program has also created a $21 billion pool of “non deployment funds” made up of the fake savings Republicans claim they created by screwing up the program. There’s a looming fight emerging over what happens to that money. Congress and the infrastructure law specifically states this money is supposed to be dedicated to expanding broadband access.

States would obviously like to use this money either for broadband, or for local infrastructure. But you get the sense that this giant wad of cash is very tempting for the Trump administration to just hijack and use as an unaccountable slush fund, doled out to its most loyal red state allies (or just kept by the “Treasury”).

After delays and excuses extended in to last summer, the Trump NTIA was supposed to provide guidance for states on how this money could be used earlier this month, but has been a no show:

“Under pressure from senators at an appropriations hearing, Commerce Secretary Howard Lutnick last month sought to calm fears when he said that so-called “non-deployment” funds under the Broadband Equity, Access and Deployment, or BEAD, program would not be rescinded.

But with no guidance so far from the department’s National Telecommunications and Information Administration, which was expected but delayed this week, lawmakers and others are pushing to have their voice heard on exactly how states will be able to use the $21 billion pot of money.”

Advertisement

It’s not clear if states can trust the word of Lutnick (who’s been a little distracted by Epstein allegations). The Trump administration has threatened (quite illegally) to withhold BEAD funding entirely from states that attempt to stand up to telecom monopolies or insist that taxpayer-funded broadband is affordable. There were also several initiatives to withhold BEAD funds if states tried to regulate AI.

Unsurprisingly, many states are afraid to be honest about what a cock up this whole hijacking has been in the press for fear of losing billions in potential (and already technically awarded) funding.

There’s a real potential here that taxpayer money that was originally earmarked for future-proof, ultra-fast fiber network is going to be repurposed into a general free for all slush fund that gets redirected to whoever praises the Trump administration the most. And I wouldn’t be surprised that this ultimately results in state lawsuits against the federal government for redirecting funds.

“I think the state officials who think they’re going to be made whole, need to reread the Merchant of Venice, because [NTIA boss Arielle] Roth is coming for her pound of flesh,” Sascha Meinrath, Palmer Chair in Telecommunications at Penn State University, told me in an email. “I wouldn’t be at all surprised if it’s operationalized in a way to directly target or disadvantage blue states — whether in what it does, or what’s tied to the acceptance of the funding.”

One last side note: last election season the “abundance” folks like Ezra Klein spent ample time parroting GOP criticism of the admitted delays and problems with this BEAD program (ignoring why the program took so long, as well as other examples of similar broadband grant programs from the same year doing well) as an example of a Democratic bureaucratic dysfunction.

But I’ve noticed that since Trump hijacked the program, introduced massive delays, redirected billions to billionaires, and even tried to run off with half the funding, the subject hasn’t been revisited by Klein since. Quite generally (since infrastructure just doesn’t get those clicks) the press coverage of this whole mess has ranged from nonexistent to positively tepid.

Filed Under: bead, broadband, elon musk, fiber, ntia, satellite, taxpayers, telecom

Security cameras have become commonplace in many neighborhoods, but their footage frequently leaves us scratching our heads and wondering what actually happened. That’s where the Wyze Cam Pan V4, priced at $45 (was $60), comes in, and its straightforward objective is to provide footage that will make sense later on. The camera records in sharp 4K (3840 by 2160 pixels each frame), so you may expect clear images of faces, clothes, license plates, and so on.

Movement tracking feels just as practical, with a 360-degree pan and 180-degree tilt that allows one camera to scan a whole room or yard with no blind spots. The base glides smoothly, while the head tilts up and down on demand, allowing you to define unique ‘waypoints’ that cause the camera to sweep over crucial locations at certain intervals. The AI tracking adds another dimension by following people, dogs, and vehicles, ignoring things like shifting leaves and focusing on what you want to see. Tests show that it can detect a person crossing the driveway and maintain them in view long enough to see all of their features and actions.

Sale

WYZE Cam Pan v4, 4K Smart Security Camera, AI Indoor/Outdoor Cameras for Home Security, Baby & Pet, Color…

• 4K Ultra HD Clarity with 360° Pan and 180° Tilt Coverage – Experience crystal-clear monitoring day and night with a wide field of view and remote…
• AI-Powered Motion Tracking for Pets & People – Next-gen CPU with integrated NPU enables faster processing and enhanced AI capabilities. Automatically…
• Robust Indoor/Outdoor Durability – Place your camera in or out, right-side up, up-side down, with an IP65 weather rating, this outdoor security camera…

Night vision doesn’t let you down either, with conventional infrared providing a basic view, but the built-in flashlight illuminates in full color when motion is detected. A built-in starlight sensor helps to keep the image from becoming hazy even when the light is not turned on yet. Clips shot in the evening or at night are just as clear as those made during the day, and users who put the camera near the front entrance or garage were able to identify delivery drivers and visitors without having to guess who they were.

Amazon Basics microSDXC Memory Card with Full Size Adapter, A2, U3, Read Speed up to 100 MB/s, 256GB…

• Universal Compatibility — NOT for Nintendo Switch 2, but Compatible with Nintendo Switch. Works seamlessly with GoPro/action cams, DSLRs, drones…
• Reliable Real-World Capacity – Labeled Capacities/Usable Capacities: 64GB/≥58GB; 128GB/≥116GB; 256GB/≥232GB; 512GB/≥465GB; 1TB/≥908GB (Due…
• 4K & Full HD Ready — Optimized for high-bitrate video recording and burst-mode photography. Handles RAW files, time-lapse sequences, and smooth 4K…

Storage is quite versatile and inexpensive: simply insert a microSD card (up to 512GB) and the camera will record continuously. The good news is that there is no monthly price for this option, as the card will last you several weeks depending on the size you choose. The Wyze app is also quite simple to use: you can go through your timeline and access quick filters for event replay. With two-way audio, you may quickly communicate with the person being recorded and even sound a loud siren if you notice something wrong.

Setup is fast; simply plug in the 6ft USB-C cable, connect to Wi-Fi, and follow the app steps via Bluetooth. It works equally well indoors and outside when combined with the optional outdoor power adaptor, and it has an IP65 designation, allowing it to withstand some rain and dust. It can also withstand temperatures ranging from minus 10 to plus 40 degrees, so you can place it anyplace without worrying about it melting or freezing.

For those who will never tire of the words of Ursula K. Le Guin, a special treat is on the way. The esteemed late author’s blog, which she started in 2010 at the age of 81, is being rereleased as a podcast, In Your Spare Time. Le Guin’s blog ran until 2017, and a book collecting a selection of those posts was published that year. But, the podcast will include everything: essays, poems and “even the ones that are mostly cat pictures,” according to the announcement. The first episode will be released April 8 on Apple Podcasts, Spotify and other platforms.

From Le Guin’s official Instagram account, which is managed by her estate:

We always wanted to hear a version of the blog that includes every single post, even the ones that are mostly cat pictures. So for the next two years and change, we’ll release an episode every Wednesday. Each episode features a different reader of Ursula’s text, and each reader adds their own thoughts—about their relationship with Ursula and her work, or about the specific topic of the post, or whatever catches their fancy.

You can listen to a trailer here ahead of the first episode’s release this week. Post zero, “A Note at the Beginning,” will be read by David Mitchell.

from the we-keep-seeing-this-over-and-over dept

Last week, I wrote about why the social media addiction verdicts against Meta and YouTube should worry anyone who cares about the open internet. The short version: plaintiffs’ lawyers found a clever way to recharacterize editorial decisions about third-party content as “product design defects,” effectively gutting Section 230 without anyone having to repeal it. The legal theory will be weaponized against every platform on the internet, not just the ones you hate. And the encryption implications of the New Mexico decision alone should terrify everyone. You can read that post for more details on the legal arguments.

But there’s a separate question lurking underneath the legal one that deserves its own attention: is the scientific premise behind all of this even right? Are these platforms actually causing widespread harm to kids? Is “social media addiction” a real thing that justifies treating Instagram like a pack of Marlboros? We’ve covered versions of this debate in the past, mostly looking at studies. But there are other forms of expert analysis as well.

Long-time Techdirt reader and commenter Leah Abram pointed us to a newsletter from Dr. Katelyn Jetelina and Dr. Jacqueline Nesi that digs into exactly this question with the kind of nuance that’s been almost entirely absent from the mainstream coverage. Jetelina runs the widely read “Your Local Epidemiologist” newsletter, and Nesi is a clinical psychologist and professor at Brown who studies technology’s effects on young people.

And what they’re saying lines up almost perfectly with what we’ve been saying here at Techdirt for years, often to enormous pushback: social media does not appear to be inherently harmful to children. What appears to be true is that there is a small group of kids for whom it’s genuinely problematic. And the interventions that would actually help those kids look nothing like the blanket bans and sweeping product liability lawsuits that politicians and trial lawyers are currently pursuing. And those broad interventions do real harm to many more people, especially those who are directly helped by social media.

Let’s start with the “addiction” question, since that’s the framework on which these verdicts were built. Here’s Nesi:

There is much debate in psychology about whether social media use (or, really, any non-substance-using behavior outside of gambling) can be called an “addiction.” There is no clear neurological or diagnostic criteria, like a blood test, to make this easy, so it’s up for debate:

• On one hand, some researchers argue that compulsive social media use shares enough features (loss of control, withdrawal-like symptoms, continued use despite harm) to warrant the diagnosis for treatment.
• Others say the evidence for true neurological dependency is still weak and inconsistent because research relies on self-reported data, findings haven’t been replicated, and many heavy users don’t show true clinical impairment without pre-existing issues.

Her bottom line is measured and careful in a way that you almost never hear from the politicians and lawyers who claim to be acting on behalf of children:

Here’s my current take: There are a small number of people whose social media use is so extreme that it causes significant impairment in their lives, and they are unable to stop using it despite that impairment. And for those people, maybe addiction is the right word.

For the vast majority of people (and kids) using social media, though, I do not think addiction is the right word to use.

That’s a leading expert on technology and adolescent mental health, someone who has personally worked with hospitalized suicidal teenagers, telling you that for the vast majority of kids, “addiction” is the wrong word. And she has a specific, evidence-based reason for why that distinction matters — one that should be of particular interest to anyone who actually wants platforms held accountable for the kids who are being harmed.

Nesi argues that overusing the addiction label doesn’t just lack scientific precision. It actively weakens the case for meaningful platform accountability:

Preserving the precision of the addiction label — reserving it for the small number of kids whose use is genuinely compulsive and impairing — actually strengthens the case for platform accountability, rather than weakening it. It’s that targeted claim that has driven legal action and regulatory pressure. Expanding it to average use shifts focus from systemic design fixes to individual diagnosis, and dilutes the very argument that holds platforms responsible.

This is a vital point that runs counter to the knee-jerk reactions of both the trial lawyers and the moral panic crowd. If you say every kid using social media is an addict, you’ve made the concept of addiction meaningless, and you’ve made it dramatically harder to identify and help the kids who are actually suffering. You’ve also given platforms an easy out: if everyone’s addicted, then it’s just a feature of how humans interact with technology, and nobody is specifically responsible for anything. Precision is what creates accountability. Vagueness destroys it.

We highlighted something similar back in January, when a study published in Nature’s Scientific Reports found that simply priming people to think about their social media use in addiction terms — such as using language from the U.S. Surgeon General’s report — reduced their own perceived control, increased their self-blame, and made them recall more failed attempts to change their behavior. The addiction framing itself was creating a feeling of helplessness that made it harder for people to change their habits. As the researchers in that study put it:

It is impressive that even the two-minute exposure to addiction framing in our research was sufficient to produce a statistically significant negative impact on users. This effect is aligned with past literature showing that merely seeing addiction scales can negatively impact feelings of well-being. Presumably, continued exposure to the broader media narrative around social media addiction has even larger and more profound effects.

So we’re stuck with a situation where the dominant public narrative — “social media is addicting our children” — appears to be both scientifically imprecise and actively counterproductive for the people it claims to help. That’s a real problem. And it would be nice if the moral panic crowd would start to recognize the damage they’re doing.

None of this means there are no risks. Nesi is quite clear about that, drawing on her own clinical work:

A few years ago, I ran a study with adolescents experiencing suicidal thoughts in an inpatient hospital unit. Many of the patients I spoke to had complex histories of abuse, neglect, bullying, poverty, and other major stressors. Some of these patients used social media in totally benign, unremarkable ways. A few of them, though, were served with an endless feed of suicide-related posts and memes, some romanticizing or minimizing suicide. For those patients, it would be very hard to argue that social media did not contribute to their symptoms, even with everything else going on in their lives.

Nobody who has paid serious attention to this issue disputes that. There are kids for whom social media is a contributing factor in genuine mental health crises. The question has always been whether that reality justifies treating social media as an inherently dangerous product that harms all children — the premise on which these lawsuits and legislative bans are built.

The evidence consistently says no. When it comes to whether social media actually causes mental health issues, the newsletter is direct:

The scientific community has substantial correlational evidence and some, but not much, causal evidence of harm. Studies that randomly assigned people to stop using social media show mixed results, depending on how long they stopped, whether they quit entirely or just reduced use, and what they were using it for.

And:

It is still the case that if you take an average, healthy teen and give them social media, this is highly unlikely to create a mental illness.

This is consistent with what we’ve been reporting on for years, including two massive studies covering 125,000 kids that found either a U-shaped relationship (where moderate use was associated with the best outcomes and no use was sometimes worse than heavy use) or flat-out zero causal effect on mental health. Every time serious researchers go looking for the inherent-harm story that politicians keep telling, they come up empty.

One of the most fascinating details in the newsletter is the Costa Rica comparison. Costa Rica ranks #4 in the 2026 World Happiness Report. Its residents use just as much social media as Americans. And yet:

It doesn’t necessarily have fewer mental illnesses. And it certainly doesn’t have less social media use. What it has is a deep social fabric, and that may mean social media use reinforces real-world connections in Costa Rica, whereas in English-speaking countries, it may be replacing them.

In other words, cultural factors appear to be protective. The underlying challenges to social foundations — trust, connection, belonging, and safety — are what drive happiness. Friendships, being known by someone, the sense that you belong somewhere: these are the actual load-bearing pillars of mental health, more predictive of wellbeing than income, and more protective against mental illness than almost any intervention we have.

If social media were inherently harmful — if the “addictive design” of infinite scroll and autoplay and algorithmic recommendations were the core problem — Costa Rica would be suffering the same outcomes as the United States. They have the same platforms, same features, and same engagement mechanics. What actually differs is the strength of the social fabric, not the tools themselves.

This is a similar point I raised in my review of Jonathan Haidt’s book two years ago. If you go past his cherry-picked data, you can find tons of countries with high social media use where rates of depression and suicide have gone down. There are clearly many other factors at work here, and little evidence that social media is a key factor at all.

That realization completely changes how we should think about policy. If the problem is weak social foundations — not enough connection, not enough belonging, not enough adults showing up for kids — then banning social media or suing platforms into submission won’t fix it. You’ll have addressed the wrong variable. And in the process, you’ll have made the platforms worse for the many kids (including LGBTQ+ teens in hostile communities, kids with rare diseases, teens in rural areas) who rely on them for the connection and community that their physical environment doesn’t provide.

Nesi’s column has some practical advice that is pretty different than what that best selling book might tell you:

If you know your teen is vulnerable, perhaps due to existing mental health challenges or social struggles, you may want to be extra careful.

If your teen is using social media in moderation, and it does not seem to be affecting them negatively, it probably isn’t.

That sounds so obvious it feels almost silly to type out. And yet it is the exact opposite of the approach we see in the lawsuits and bans currently dominating the policy landscape, which assume social media is a universally dangerous product requiring universal restrictions.

The newsletter closes with a key line that highlights the nuance that so many people ignore:

Social media may be one piece of the puzzle, but it’s certainly not the whole thing.

We’ve been making this point at Techdirt for a long time now, often in the face of considerable hostility from people who are deeply invested in the simpler narrative. I’ve written about Danah Boyd’s useful framework of understanding the differences between risks and harms, and how moral panics confuse those two things. I’ve covered so many studies that find no causal link that I’ve lost count. I’ve pointed out how the “addiction” framing may be doing more damage than the platforms themselves.

That’s why it’s encouraging to see credentialed, independent researchers — people who work directly with the most vulnerable kids — end up in the same place through their own work. Because this conversation desperately needs more voices willing to acknowledge both realities: that some kids are genuinely harmed and need targeted help, and that the sweeping narrative of universal social media harm is not supported by the science and leads to policy responses that may hurt far more people than they help.

The kids who are in that small, genuinely vulnerable group deserve interventions designed for them — better mental health funding and access along with better identification of at-risk youth. What they don’t deserve is to have their suffering used as a blunt instrument and a prop to reshape the entire internet through lawsuits built on a scientific premise that the actual scientists keep telling us is wrong.

Filed Under: addiction, experts, jackqueline nesi, katelyn jetelina, mental health, social media

Companies: meta, youtube