Using an ad blocker is good for your security and privacy, and even the FBI recommends them as a defense against online harms. But as much as ad blockers are great for cleaning up your browsing experience, these tools often do little to prevent the pervasive tracking from ads within apps.
Now, thanks to a new feature in iOS 26 and macOS 26, one developer has built the first device-level ad blocker that works across all of Apple’s main products — iPhones, iPads, and Macs — and isn’t just limited to the browser.
Filtr is a new tool created and maintained by Kaylee Serena Calderolla, the developer behind the popular Safari browser ad blocker Wipr. Wipr prevents ads from ever appearing in Safari, meaning that the ads won’t load, nor will their tracking code that advertisers use to follow you around the web and snoop on which websites you visit. The result is a cleaner browsing experience, free from advertisers watching over your online activity.
Filtr is an additional paid-for feature bundled into Wipr that goes one step further than ad-blocking in the browser by blocking ads in iPhone, iPad, and Mac apps. Filtr does this by using a new feature embedded in the latest Apple software called URL filters, which lets developers block access to certain websites or domains at the network level, rather than just in the browser.


I use ad blockers across various devices all the time (even if websites like this one ask that you switch them off). I have — full disclosure — used Wipr as my main ad blocker on my Apple devices for years as a paying customer. I also use ad blockers on other browsers on my desktop computers and make use of a Pi-hole ad blocker, a small server that sits on my network at home and prevents ads from reaching any of my devices connected to my home Wi-Fi.
But that still leaves my devices largely open to ads when I’m not on my home network, as well as the various apps that I use that are chock full of ads — including web browsers that aren’t Safari.
As you can imagine, I was keen to give Filtr a spin. Filtr particularly appealed because, as Calderolla states in her privacy policy, her apps “do not collect personal data.” Her apps also don’t need to access any personal information to work, and neither does Apple’s URL filter feature.
For me, it was a no-brainer — all upside, and no tradeoff. I paid for the $5 annual subscription, added the URL filter to my iPhone, and that was that. The relief was immediate. Every app I opened loaded without its usual flood of ads. Some ad slots showed greyed placeholder spaces where the ads would have loaded.


Calderolla told me this week that Filtr is the first app so far to utilize the URL filters feature, though that may be in part because it was a “nightmare” to get it to work, some of which she described in a May blog post. Calderolla said that Apple’s documentation on the URL filter feature was sparse, requiring her to do much of the work to understand how to implement and use the feature.
The URL filter feature relies on an advertising blocklist that Calderolla maintains. Calderolla explained that Filtr consults a “pre-filter” blocklist that is stored on the user’s device and is kept constantly up-to-date via automatic updates in the Wipr app. Most of the time, the pre-filter list determines that a website is not on the blocklist, and the website loads as normal. But if the pre-filter list finds that a website might be on the blocklist, it will quickly confirm against the list on Calderolla’s servers. Calderolla said that these requests are routed through Apple’s servers as a proxy so that app developers do not know who is querying their blocklists.
This means that you can set up Filtr once and generally never have to think about it again. (For a security or privacy product, that’s high praise.)
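The two-stage lookup described above, sketched as an added example that is not Filtr's or Apple's code. It assumes the on-device pre-filter behaves like a Bloom filter (the article does not name the data structure); `PreFilter`, `makeUrlFilter` and the blocklist entries are hypothetical and constructed.

```javascript
// Added illustration, not Filtr's or Apple's code. Assumption: the on-device
// pre-filter is modelled as a Bloom filter; the article does not name the structure.

function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class PreFilter {
  constructor(bits, hashes) {
    this.bits = bits;
    this.hashes = hashes;
    this.table = new Uint8Array(Math.ceil(bits / 8));
  }
  positions(key) {
    // Double hashing: derive all bit positions from two base hashes.
    const h1 = fnv1a(key, 0);
    const h2 = fnv1a(key, 0x9e3779b9) | 1;
    const out = [];
    for (let i = 0; i < this.hashes; i++) {
      out.push(((h1 + Math.imul(i, h2)) >>> 0) % this.bits);
    }
    return out;
  }
  add(key) {
    for (const p of this.positions(key)) this.table[p >> 3] |= 1 << (p & 7);
  }
  mightContain(key) {
    // false means "definitely not listed"; true means "listed or false positive".
    return this.positions(key).every((p) => (this.table[p >> 3] & (1 << (p & 7))) !== 0);
  }
}

function urlKey(rawUrl) {
  const u = new URL(rawUrl); // URL is a global in browsers and Node.js
  return u.hostname + u.pathname; // host + path: filtering is per address, not per domain
}

function makeUrlFilter(blocklist, bits = 4096, hashes = 3) {
  const exact = new Set(blocklist.map(urlKey)); // stands in for the server-side list
  const pre = new PreFilter(bits, hashes);
  for (const key of exact) pre.add(key);
  const stats = { decidedLocally: 0, confirmedRemotely: 0, serverSaw: [] };

  function confirmRemote(key) {
    // In the article this request is relayed through a proxy; that hop is not modelled.
    stats.confirmedRemotely++;
    stats.serverSaw.push(key);
    return exact.has(key);
  }

  return {
    stats,
    shouldBlock(rawUrl) {
      const key = urlKey(rawUrl);
      if (!pre.mightContain(key)) {
        stats.decidedLocally++; // the common case: nothing leaves the device
        return false;
      }
      return confirmRemote(key); // real match or pre-filter false positive
    },
  };
}

// Constructed blocklist entries on reserved example domains.
const BLOCKLIST = [
  'https://ads.example.net/serve.js',
  'https://tracker.example.org/pixel',
  'https://shop.example.com/ads/banner',
];

const demoFilter = makeUrlFilter(BLOCKLIST);
for (const url of [
  'https://ads.example.net/serve.js?slot=3',
  'https://shop.example.com/cart',
  'https://shop.example.com/ads/banner',
]) {
  console.log(url, demoFilter.shouldBlock(url) ? 'BLOCK' : 'allow');
}
console.log(demoFilter.stats);
```

The server-side list only ever sees keys that hit the pre-filter, and a false positive costs one extra confirmation rather than a wrongly blocked page.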
There are some caveats, but far from dealbreakers. No ad blocker is perfect, period, but minimizing exposure to the ad networks as much as possible is a major win for your privacy. Filtr does not always block ads that are served directly from the websites you visit. That means you may still see ads in the Facebook, Google, and Reddit apps, as well as any other app that serves ads from its own domain, as blocking these could break the apps altogether. Calderolla said, however, that Filtr can at times block these ads as the feature relies on filtering specific web addresses, rather than the entire domain. (Lifehacker also tested and reviewed Filtr and found that using their mobile websites instead of their apps will still allow Wipr to block the ads.)
Wipr is a universal app that costs $5 in the Apple App Store and works across all of your Apple devices. Filtr costs an additional $5 each year, or $25 for a one-time lifetime payment, via in-app purchase.
This yen for experimentation can extend into brand partnerships. The meal I was least excited about in this season’s testing was actually the one I was initially most excited about. EveryPlate has been experimenting with a series of partnerships with boutique food brands, including New York Chinese–inspired dumpling brand Mimi Cheng’s. In this case, the flavors didn’t quite gel, and many of the dumplings arrived broken. In the meantime, EveryPlate has moved on and is now making dishes using flavored chickpeas and beans from craft canning brand Heyday.
I’ve had few mishaps with ingredients, but they do happen. A zucchini on my most recent order got some moisture or stray water in its bag. By the time I got to it, at the end of the week, this was death to the zucchini. I had to use my own, which luckily was already in the crisper.
I also had to make a special trip for eggs to fill out that turkey-ponzu rice bowl, because I’d neglected to look ahead at the recipe. There aren’t too many ingredients you need to have on hand to make EveryPlate’s dishes, but milk, eggs, and butter are sometimes among them. Look ahead when ordering recipes, or when receiving them.
Photograph: Matthew Korfhage
The seams can show more often on EveryPlate’s recipes than with premium kits like HelloFresh or Marley Spoon. I find myself improvising slightly: adding extra flavors after the fact, using my meat drippings on a side course, or swapping the order of operations. If I had my druthers, I would have used my own preferred prep on brussels sprouts rather than risk obliterating stray leaves in the oven.
But mostly, what EveryPlate offers is a baseline to work from. It offers an escape from my own tired routines: thought put into my meals by someone who is not me. A $7 meal where I buy an egg is still an economical meal—and a much more filling one than I would have had otherwise. EveryPlate remains the most budget-friendly meal kit I’d happily eat on a regular basis, a signal achievement for uncertain times.
Fuel is the literal lifeblood of all military aircraft. Missions in contemporary times often demand that a crew take off in one part of the world, fly to a location on the complete opposite side of the planet, then return home. None of this is possible without the capabilities of in-flight refueling, such as that by the KC-135 Stratotanker. The Stratotanker has shouldered the burden of this task since 1957, but the U.S. Air Force recognized the need to modernize its aging fleet of tankers. They wanted a platform that would be more robust and versatile for its needs, and thus was born the KC-46A Pegasus.
The KC-46A was developed to be a replacement for the KC-135s, which have been in continuous service for over 69 years. This new state-of-the-art aircraft was designed to be more than just a gas station in the sky, but a multi-capable platform for the U.S. Air Force to accomplish a diverse array of missions. The KC-46A can transport a mix of passengers (15 seats for the aircrew, including aeromedical evacuation), pallets of cargo up to 65,000 pounds, and of course, in-flight refueling utilizing boom, drogue, and wing refueling pods. The KC-46A also boasts numerous defensive and communication measures, making it more resilient in conflict zones. These enhancements were substantial improvements over the KC-135, so the U.S. Air Force has been eager to get them out in the field and fully operational since the first craft was delivered in 2019. Unfortunately for the KC-46A Pegasus, achieving full operational status has been a bumpy and elusive road.
A multitude of issues with the aircraft have followed it throughout its development. However, several specific deficiencies have proven to be resistant to a final solution. The first is that of the telescoping boom. The rigid centerline boom is the primary source of in-flight refueling for fighters and other planes, as it can transfer up to 1,200 gallons of fuel per minute. Made to work with a range of aircraft, this boom has repeatedly been determined to be so stiff that it is physically damaging aircraft. This was the case on November 7, 2022, when the refueling of an F-22A Raptor, in conjunction with several operational errors by the Pegasus boom operator and the Raptor pilot, resulted in $103,295.12 in damage. Work to remediate this issue has been ongoing, with the FY 2025 Director, Operational Test & Evaluation report noting “improvements”, but the aircraft as a whole is “still below their threshold requirements.”
The second KC-46A issue is that of the Remote Vision System (RVS). Together with the telescoping boom, the RVS is what allows the boom operator to maneuver the refueling boom into place for in-flight refueling operations. Unlike other refueling craft that relied on direct line of sight from a rear position, the KC-46A RVS positions the boom operator up front with the other crew, where the operator uses advanced technology, such as cameras and 3D displays, to carry out refueling. This technology has proven troublesome, however, as operators have difficulty seeing the receiving aircraft properly in certain lighting conditions. This lack of visual clarity has resulted in unintended contact with receiving aircraft, thus causing damage. These issues have resulted in boom operators reporting eye fatigue and headaches. Improvements have been ongoing with software updates until Boeing, the manufacturer of the plane, can develop a new RVS.
The KC-46A Pegasus, even with its persistent and consistent problems, continues to be acquired and rolled out to the U.S. Air Force. On December 2, 2025, the 100th KC-46A arrived at Travis Air Force Base, California, and Gen. Johnny Lamontagne, commander of the Air Mobility Command, stated that “The Pegasus represents a key chapter in air mobility, one built on innovation and unwavering commitment to the mission.” The program is, in fact, moving forward, with the Air Force set to acquire more of the craft: the FY2027 Aircraft Procurement budget includes a request for 15 more KC-46A at a cost of $3.9 billion.
The modernization of the U.S. Air Force’s aging refueling planes brought about the KC-46A Pegasus. Its enhanced capabilities, greater payloads, configurability, and higher-capacity in-flight refueling made it a strong choice for such a job. All these enhancements have also brought a litany of pervasive ongoing issues, from stiff fuel booms to challenging RVS technology issues that have yet to be fully resolved. This hasn’t stopped the plane from deploying for service as the work to iron out the kinks continues.
Blackstone-backed data center operator AirTrunk said on Thursday it would invest $30 billion in India by 2030, adding to a wave of commitments from technology and infrastructure groups seeking to expand computing capacity in the country.
The Australian company said it would develop 5 gigawatts of new data center capacity in India, one of the largest commitments to the South Asian nation’s digital infrastructure sector. AirTrunk entered India earlier this year through the acquisition of Lumina CloudInfra.
AirTrunk’s commitment underlines India’s growing appeal as a destination for AI infrastructure, as tech companies and investors seek new geographies to expand computing capacity. Data center capacity in the country is projected to rise to as much as 8GW by 2030 from about 1.5GW today, according to research firm Bernstein.
The Indian government has also taken steps to attract investment in AI infrastructure. Earlier this year, New Delhi offered foreign cloud providers tax exemptions through 2047 on services sold overseas if those workloads are run from Indian data centers.
AirTrunk has already begun laying the groundwork for its expansion in the country. Earlier this week, Maharashtra Chief Minister Devendra Fadnavis said in a post on X that the western Indian state had exchanged a letter of intent for land allotment at the Raigad Pen Growth Center, where AirTrunk is planning a 3GW data center involving an investment of about ₹2 trillion (around $21 billion). The company already has a development pipeline of about 600MW across Mumbai, Chennai and Hyderabad.
AirTrunk did not respond to questions on whether the proposed Raigad project would account for most of the planned 5GW capacity, or whether it plans to make additional developments elsewhere in India.
The announcement follows a meeting between AirTrunk CEO Robin Khuda and Prime Minister Narendra Modi, who said in a post on X that the planned investment would help strengthen India’s position as a global hub for cloud computing and artificial intelligence.
AirTrunk joins a growing list of companies investing in infrastructure in the country. Amazon, Google, Microsoft, OpenAI, and Uber have announced major investments in cloud and AI infrastructure, while Indian companies Reliance Industries, Adani Group, and TCS have laid out ambitious plans to expand data center capacity.
However, data centers require vast amounts of electricity, water and land, and industry executives and analysts have pointed to resource issues as a potential bottleneck, particularly regarding power.
Deloitte estimates data center build-outs in the Asia Pacific could require tens of terawatt-hours of additional electricity by the end of the decade.
AirTrunk’s investment thesis is underpinned by government support, a large pool of technical talent, and access to renewable energy, Khuda said.
A new Magecart campaign is using Stripe’s API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages.
The entire malicious activity relies on Google Tag Manager and Stripe domains – googletagmanager.com and api.stripe.com – that are trusted implicitly by online stores.
The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it.
“Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain,” Sansec says.
GTM is a management system that allows website owners to add and manage scripts used for analytics, ads, and tracking, without modifying the site’s source code.
Stripe is a payment processing platform widely used by online stores to accept credit cards, manage customer orders, and handle billing.
According to Sansec, the malicious code is embedded in legitimate-looking GTM containers, which activate when a shopper reaches a checkout page, querying Stripe’s API for a specific customer record (cus_TfFjAAZQNOYENR in this case).
From the metadata fields of the record, it reads JavaScript code that it reassembles and then executes using new Function().
The card skimmer targets Magento/Adobe Commerce checkout pages and attempts to capture payment data (credit card number, expiration date, CVV code, customer name) as well as billing and email addresses, and phone number.

The stolen data is concatenated into a single string, obfuscated using the XOR operation, and stored locally instead of immediately exfiltrated.
The stored data is sent out by a separate routine, which executes right after a page load and every minute after that: it splits the data blob in half, creates a new Stripe customer object, and stores the stolen data in its metadata fields.
Every stolen payment card becomes a fake customer record in the attacker’s Stripe account, turning Stripe into a storage backend for stolen data.
Once the data is copied, the local copy is wiped to eliminate traces of the attack and prevent duplicate uploads.

Sansec also discovered a variant of the attack where Google Firestore, a cloud database service for data storage and real-time retrieval, is used instead of Stripe.
In that version of the campaign, the payload is retrieved from a Firestore document named tracking/captcha in a project called braintree-payment-app. The stolen data is stored in a different localStorage key (_d_data_customer_).
The names of the document and the project help the malware blend in with legitimate payment and bot-protection traffic.
The Stripe customer record containing the skimmer was reportedly created on December 24, 2025, suggesting that the operation may have been active since at least that date.
Customers can protect themselves from such risks by using one-time virtual cards with set limits.
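For store operators, the traits described above can be turned into a static triage check over script text exported from a GTM container or pulled from a checkout page. This is an added example, not Sansec's tooling: the rule names, weights and sample snippets are constructed, and the only indicator values used are the ones quoted in the article.

```javascript
// Added example (not Sansec's tooling): static triage of script text taken from a
// GTM container export or a checkout page, scoring the traits the article describes.

const PAGE_IOCS = [
  // Values quoted in the article above.
  'cus_TfFjAAZQNOYENR',    // Stripe customer record holding the payload
  '_d_data_customer_',     // localStorage key used by the Firestore variant
  'braintree-payment-app', // Firestore project name used by the variant
];

// Hypothetical rule set and weights chosen for this illustration.
const RULES = [
  // Code assembled at runtime and executed, as with new Function().
  { id: 'dynamic-code', weight: 1, re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  // The Customers API needs a secret key, so a browser has no legitimate reason to call it.
  { id: 'stripe-customers-in-browser', weight: 3, re: /api\.stripe\.com\/v1\/customers/i },
  // Secret (sk_) or restricted (rk_) Stripe keys never belong in client-side code.
  { id: 'stripe-secret-key-in-browser', weight: 3, re: /\b[sr]k_(?:live|test)_[0-9A-Za-z]{8,}/ },
];

function joinSplitLiterals(source) {
  // Undo trivial string splitting: 'api.str' + 'ipe.com' becomes 'api.stripe.com'.
  return source.replace(/(['"])\s*\+\s*\1/g, '');
}

function scanScript(source) {
  const text = joinSplitLiterals(source);
  const findings = [];
  for (const rule of RULES) {
    const m = rule.re.exec(text);
    if (m) findings.push({ rule: rule.id, weight: rule.weight, match: m[0] });
  }
  for (const ioc of PAGE_IOCS) {
    if (text.includes(ioc)) findings.push({ rule: 'page-ioc', weight: 5, match: ioc });
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  // A single weak trait (for example a templating library) only warrants review.
  const verdict = score >= 4 ? 'likely-skimmer' : score > 0 ? 'review' : 'clean';
  return { score, verdict, findings };
}

// Constructed, inert sample fragments for the demonstration.
const SAMPLES = {
  legitCheckout:
    "var stripe = Stripe('pk_live_CONSTRUCTEDKEY0001'); stripe.confirmCardPayment(clientSecret);",
  templating: "var render = new Function('data', 'return data.title');",
  stripeVariant:
    "var u = 'https://api.str' + 'ipe.com/v1/customers/' + id; /* ... */ run = new Function(body);",
  firestoreVariant:
    "var proj = 'braintree-payment-app'; localStorage.getItem('_d_data_customer_');",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const result = scanScript(src);
  console.log(name, result.verdict, result.findings.map((f) => f.rule).join(','));
}
```

Because the traffic goes to a domain that stores already allow, a check like this has to look at what the script does with api.stripe.com rather than at the destination alone.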
Waymo and B2U Storage Solutions have struck a “strategic supply agreement” to repurpose used batteries from Waymo’s electric robotaxi fleet into stationary storage for California and Texas power grids. The arrangement could give robotaxi batteries a second life storing renewable energy after they’re no longer suitable for vehicle use. It will also “support B2U projects in regions where Waymo’s autonomous robotaxis operate — meaning the used Waymo batteries could bolster the local power grids that Waymo vehicles rely upon for charging,” reports Ars Technica.
From the report:
Waymo’s “proactive maintenance” for its autonomous vehicles includes identifying opportunities to “refresh the battery to improve efficiency overall for our fleet,” Adam Lenz, head of sustainability and environment at Waymo, told Ars. “That’s when we look to these second-life applications, because there’s still a lot of life left in the battery,” he said.
Waymo did not specify the average mileage at which it swaps out batteries or retires vehicles from service. But Waymo robotaxis drive around much more each day than the typical EV, which means the Waymo fleet is likely to experience faster usage-related degradation of battery capacity over time. The company confirmed to Ars that “some of these vehicles have now been serving riders for years and have mileage beyond what a normal consumer drives.”
[…] “Put a little haircut on that in terms of degradation and the effective capacity that would be left in those batteries when they’re suitable for repurposing, and we’re still talking about pretty significant capacity per battery,” Hall said. The growing Waymo robotaxi fleet could lead to “pretty large numbers in terms of megawatt hours of capacity that can be deployed pretty quickly” for stationary energy storage supporting power grids, he suggested.
The agreement gives Waymo discretion over when and how many used batteries will be turned over to B2U. But the companies confirmed that B2U has “already started receiving smaller initial quantities of batteries” from the Waymo fleet. Over time, the agreement could give B2U “hundreds of megawatt-hours” of additional storage capacity from Waymo’s thousands of electric vehicles, Lenz said.
Switch is trying to raise money at a valuation that would have looked implausible for a data-centre developer a few years ago. The Las Vegas company is in talks to raise billions of dollars at a valuation of at least $50bn, according to The Information, as it moves to capitalise on the demand for the physical infrastructure that AI workloads run on.
The investors named are the large pools of capital now chasing data centres. Brookfield Asset Management, KKR, and other private-equity and institutional investors have been in talks to join the round, the report said, with Goldman Sachs and JPMorgan bankers advising Switch on the raise.
The roster is a signal in itself: the round is being shaped by the kind of infrastructure money that moves in size, the same appetite that recently took VAST Data to a $30bn valuation on a single raise.
The raise could lead somewhere bigger. The funding round might set Switch up for an initial public offering, potentially as soon as next year, turning a private fundraising into a step towards the public markets. That would put Switch on a path several data-centre and AI-infrastructure names have been eyeing as investor appetite for the category has intensified.
The $50bn figure has history attached. SoftBank had earlier explored buying Switch at around the same valuation before those talks ended, a collapse that left the company seeking capital on its own terms rather than as an acquisition target.
Raising at $50bn-plus from a syndicate of investors is a different route to a similar number, and one that keeps Switch independent.
The backdrop is an industry-wide scramble. Dealmaking across the data-centre and server space has picked up sharply as AI has turned compute capacity into the scarce resource of the cycle, and valuations for the companies that build and operate that capacity have climbed with it.
The physical demands are enormous: US utilities alone plan to spend $1.4 trillion by 2030 to power the boom, while developers race to lock up sites like the 1.35GW Microsoft campus Nscale is building in West Virginia.
A developer commanding a $50bn-plus valuation is a measure of how thoroughly the AI build-out has repriced the unglamorous business of pouring concrete and running power to racks of chips.
Switch’s own footprint explains some of the appetite. The Las Vegas company operates large campus-scale facilities and has continued to expand, including a 382-acre data-centre campus planned near Pittsburgh, the kind of land-and-power assembly that is hard to replicate quickly and increasingly valuable as AI tenants compete for capacity. Investors backing the round are buying into infrastructure that is difficult to build and currently in short supply.
For now the round is in talks, not closed, and the IPO is a possibility rather than a plan. The figures come from reporting rather than from Switch, which had not confirmed the terms.
What the discussions establish is the direction: a data-centre developer being courted by some of the largest investors in the market, at a valuation that treats warehouses full of servers as one of the more valuable assets in technology.
Messaging between blue and green bubbles is getting more secure. With the release of iOS 26.5, end-to-end encrypted RCS messaging will start rolling out in beta for iPhone owners and Android phone users with the latest version of Google Messages, according to a post from Apple on Monday.
End-to-end encryption protects a message’s privacy and security when it’s being sent from one device to another. Apple and Google have long offered encrypted messaging within iMessage and Google Messages, respectively. But this kind of encryption didn’t work for RCS and SMS messages sent between iOS and Android until now.
The feature will gradually roll out to iPhone and Android users over the coming months.
For years, there’s been a “blue versus green bubble” divide between iPhone and Android owners. This ranged from Android users being teased for their green bubbles breaking iMessage group threads to becoming a major social stigma, with people being bullied for not having an iPhone.
In 2024, Apple added support for Rich Communication Services, or RCS, to the iPhone with the release of iOS 18, bringing some parity between iMessage and Google Messages but lacking end-to-end encryption across the two platforms.
It’s significant that Apple and Google are working together to bring end-to-end encryption to the GSMA’s RCS Universal Profile.
Cross-platform RCS chats will be encrypted for iPhone users on iOS 26.5 and Android users on the latest version of Google Messages with supported carriers. There’ll be a lock icon on the chat indicating that the conversation is encrypted — something RCS Google Messages already has. The lock will also appear in iMessage-only threads (blue bubbles) to indicate they’re encrypted.
As iMessage and Google Messages’ end-to-end encryption reaches all users, it will automatically apply to new and existing RCS conversations.
Plus, NASA ends a Mars mission and Meta’s still being creepy.
It’s been a busy week, with Computex and Microsoft Build just two of the raft of big events going on right now. The biggest news story from both was probably NVIDIA’s glossy announcement of its RTX Spark system on a chip… sorry, I mean “superchip.” It’s an integrated CPU/GPU/RAM unit, like AMD’s Ryzen AI Max, Qualcomm’s Snapdragon X2 Elite and Apple Silicon. NVIDIA says it will offer unprecedented levels of AI computing power in a low-power mobile device.
RTX Spark is the portable sibling of NVIDIA’s existing DGX Spark AI mini-desktop, but tailored for Windows notebooks and desktops. It combines a 20-core, MediaTek-made ARM CPU with an NVIDIA integrated GPU with power similar to that of the RTX 5070. Users can order the system with between 16GB and 128GB of unified memory, and there’s plenty of bandwidth to join the whole chorus together.
NVIDIA says plenty of PC makers are clamoring to get the RTX Spark into their gear, with Microsoft at the head of the line. It announced the Surface Laptop Ultra, a 15-inch notebook which Engadget’s Devindra Hardawar described as a “MacBook Pro clone.” I’m sure he’ll get the Ultra in for testing at some point soon, when we’ll be able to discern if it’s worth any of the hype it’s been getting.
— Dan Cooper
NASA has pulled the plug on the Mars Atmosphere and Volatile Evolution (MAVEN) mission after it lost contact with the probe. MAVEN launched in 2013 and was originally intended to scan the Martian atmosphere for a single year, but wound up operating for more than a decade. It even did its part to help the Perseverance rover start its mission back in 2020. Alas, NASA lost contact with MAVEN at the start of December, and after six months of silence has decided to wish it well in its future endeavors.
Integrated batteries are great, right up to the point where they go wrong and your device needs a costly repair, or an even costlier replacement. It’s why the EU has been laying the groundwork to mandate hardware makers build gear with user-replaceable batteries to cut down on waste. Nintendo has announced that it will be complying with the rules, and will launch a version of the Switch 2 in the territory with a swappable cell. Unfortunately, it didn’t go into specifics about how that would work, or when those units would hit the market, but we suspect they will sell well.
Code purporting to run a facial recognition feature, dubbed Name Tag, has been found lying dormant on Meta’s AI app. The system is reportedly able to capture faces and notify the wearer of their identity, which raises serious privacy and ethics concerns. Meta admitted it was investigating the technology, but said it hadn’t shipped anything to users and had not yet made a final decision on whether to use the technology.
On-ear headphones are a bit like the under-loved middle child of the headphone world, with most of the attention going to their over-ear and in-ear siblings. James Trew is looking to give the category some attention by reviewing Marshall’s new Milton ANC headphones. It’s a pair of premium on-ear ANC headphones with rock-solid battery life, a great companion app and good sound. But you’ll have to click through and read all of his thoughts before deciding if they’re worth $230 of your hard-earned money.
The conversation at this year’s NY Tech Week is about AI. The panels, the pitch decks, the happy hours: agents that code, agents that sell, infrastructure for the agents. Then a screen mounted to a truck shows a man sitting on a toilet, staring at his phone in open panic.
The line underneath: “His prospect just asked for SOC 2.”
The ad belongs to Scytale, an AI GRC platform that took over the streets of New York this week, running billboards, street screens and an LED truck through the same blocks where founders and investors were converging for Tech Week. While many NY Tech Week companies are looking many years out, Scytale built its campaign around a feeling founders know now: the moment a deal that looked closed turns out to depend on a security audit that nobody started.
SOC 2 (System and Organization Controls 2) is the security compliance framework that tells enterprise buyers one thing clearly: this company can be trusted with your data. For SaaS companies today, it’s less a nice-to-have and more a ticket to the table. For years it lived in the fine print of enterprise procurement cycles, a box ticked late in the process by companies big enough to have a compliance team.
That timeline has collapsed. Security reviews now sit at the front of the buying process, and buyers ask for a SOC 2 attestation report the way they ask for pricing. Surveys across the compliance industry put the share of enterprise buyers requiring SOC 2 from their software vendors at over 80 percent, and roughly a third of vendors report losing deals over a missing report.
The founders this hits hardest are the ones selling upmarket for the first time. A seed-stage company lands a meeting with an enterprise buyer, the demo goes well, the champion is sold. Then procurement sends a security questionnaire with 200 questions, and question one asks for a current SOC 2 Type II report. The audit takes months. The buyer’s timeline doesn’t.
“We see it constantly,” says Meiran Galis, CEO and founder of Scytale, who spent years as a security compliance manager at EY before starting the company. “A founder spends six months getting a deal to the finish line, and the deal dies in security review. Nothing was wrong with the product. They were three months of audit work away from the signature, and they found out at the worst possible time.”
The founders filling Tech Week’s AI sessions this week are the campaign’s exact audience, and most of them have a compliance problem coming that nobody on stage is discussing.
AI startups touch more sensitive data than any previous generation of software companies, and they sell into enterprises earlier. A two-year-old AI company today negotiates with Fortune 500 procurement teams that a SaaS startup in 2018 wouldn’t have met until Series C. Those buyers respond to the data exposure by tightening security review, and new frameworks keep arriving behind SOC 2: ISO 42001, the standard for AI governance, is showing up in questionnaires barely a year after auditors began certifying against it.
The campaign image works because the panic is specific. The man on the toilet isn’t worried about competition or runway. He’s freaking out because his prospect just asked him for SOC 2, and he doesn’t have it. That’s it. He knows at that moment that he might be totally screwed, and could very likely lose the deal. He should have seen this coming. He should have started the process already. Scytale says the creative came from listening to founders describe the moment they learned what SOC 2 was. “No one discovers compliance at a good time. You discover it mid-deal, in an email, with money on the table. We wanted the ad to capture how that feels rather than explain what we sell.”
Scytale’s advice to founders at Tech Week is to treat compliance the way they treat hiring: a thing you start before you need it. “Compliance has moved from a post-deal checkbox to a pre-deal asset. The companies that close enterprise deals fastest are the ones that can answer the security questionnaire the same day it arrives.”
Compliance used to be an enterprise problem. Now the security questionnaire arrives with a startup’s first serious deal, and the gap between the companies that prepared and the companies that didn’t is measured in lost quarters.
That makes the toilet billboard a decent litmus test. Some founders at Tech Week will see it and laugh. Some will see it and feel their stomach drop, because they have a deal in security review right now. The difference between the two groups is whether they saw the question coming.
It seems hardly a day goes by when another state doesn’t try to keep young people off the Internet. These attempts not only violate their First Amendment rights to interact with lawful speech, but everyone else’s as well, because the things platforms would need to do to comply with these laws inevitably impinge on everyone else’s rights to interact with online expression freely.
Fortunately challenges have been brought against many of these laws, and most have even been enjoined. Unfortunately, however, many of these injunctions have wound up appealed to the Fifth Circuit, which seems to be where the First Amendment goes to die. Even just on the online speech front there was NetChoice v. Paxton from a few years ago, challenging a social media regulation law, where the Fifth Circuit summarily ignored clear precedent in order to uphold the law, which the Supreme Court—yes, this Supreme Court—then had to undo with its combined Moody v. NetChoice decision and some shadow docket action (that challenge still lingers, waiting for the Fifth Circuit to eventually take another swing at it). And then just last year the Fifth Circuit undid two injunctions in age-gating laws in Free Speech Coalition v. Paxton and NetChoice v. Fitch, which this time the Supreme Court did not fix, and just last week did the same to the Texas App Store law, letting it go into force despite the injunction the district court had earlier granted in CCIA v. Paxton.
With the challenge to Louisiana’s unconstitutional age-gating law now before it in NetChoice v. Murrill, it seemed worth trying to see if the court could at last be convinced to join most other courts that have considered age-gating laws and see the constitutional infirmities with them, and so this week the Copia Institute—the think tank arm of Techdirt—filed an amicus brief to try to do so. In it we made three basic points: age-gating laws like Louisiana’s actually harm young people, they also harm everyone else, and, if this one were allowed, it would open the door to lots of other similar laws that would cause even more harm.
With regard to young people themselves, we first reminded the court that even young people have First Amendment rights, and that the Supreme Court has long held that the state has no role to play in deciding what ideas are suitable for them to encounter, which Louisiana is trying to do with this law. Even its tortured definition of a social media platform, which manages to exclude plenty of social media platforms (and, as the district court found, is unconstitutionally vague about which are covered or not), shows the state being selective as to which ideas were acceptable for young people to encounter.
Furthermore, as Australia’s experience with its social media ban for young people is illustrating, cutting young people off from social media causes explicit harm. Already there is evidence of young people experiencing isolation and being cut off from news, two ways young people are being hurt, which Louisiana now wants to risk for the young people it claims it is trying to help. Louisiana’s law conditions access to covered social media platforms on parental consent, but it ignores that not every young person lives in a safe home with a caring parent who could give that consent. In fact, young people may be facing all sorts of offline harm, including at home, and being cut off from social media means being cut off from the help they may need to deal with it.
They also would face increased risk of identity theft from having to upload sensitive documents to try to verify their identity, as would everyone who now needs to provide them in order to be able to access any covered social media platforms. In its brief Louisiana argued that its age requirements were “nothing new, nothing costly, and nothing that compromises privacy.” But it is actually all three. As we explained, online age verification is nothing like the offline age verification we have used for such things as refusing to sell young people cigarettes—in general, young people could still enter the store and buy other things. We also noted the elevated identity theft risk, which news story after news story about database hacks shows is not a hypothetical concern. And then there is the privacy angle, because there is no way to ask, “How old are you?” without also inherently asking, “Who are you?” Given that the right of free expression also includes the right to express oneself anonymously, which the Supreme Court has recently emphasized, the latter is a question no one should be obligated to answer to be able to speak, and yet, with a law like Louisiana’s, everyone, young people and adults, would have to.
It’s also not just Louisiana’s law that we need to worry about. The problem is that if the courts can look past the constitutional problems with this one, then they can look past the constitutional problems with any of them, including ones that are even more onerous or restrictive. So even though Louisiana’s may not currently reach every user of every platform, it offers no comfort to anyone, for several reasons, with one of them being that even if the law just affects some social media platforms, it will still have chilling effects on anyone who might have used them for any purpose. As we explained to the court, the Copia Institute is in the business of expression and uses social media platforms to spread its expression. But if a law like Louisiana’s can go into effect, it could eliminate those platforms, large swaths of their users, or even the ability of the Copia Institute to use them at all. In other words, even though we write about age-gating laws, if they are allowed to go into effect we may lose the ability to tell anyone.
It’s important that laws like these remain enjoined, but maintaining a preliminary injunction is a separate area of concern raised by the Fifth Circuit’s recent jurisprudence, which keeps undoing sensible preliminary injunctions of laws like these unconstitutionally burdening speech rights. First, it should be enough for plaintiffs to anticipate that they will be harmed by such laws and seek preliminary relief enjoining them before they have had to directly experience such obviously inevitable expressive harm. Furthermore, courts are supposed to consider several factors in deciding whether to grant a preliminary injunction, including the likelihood of success of one of the parties and the risk of irreparable harm if the injunction is not granted. As even Justice Kavanaugh telegraphed in NetChoice v. Fitch, NetChoice is also likely to prevail in its constitutional challenge here.
But more importantly, the potential harm of perhaps unduly enjoining this law while the litigation challenging it continues pales in comparison to the harm of not doing so. If Louisiana’s law remains enjoined the status quo will be preserved, and no one will be any worse off than they were yesterday, last week, last year, or last century. As we also pointed out, the online interconnectivity of social media has existed in some form for upwards of forty years, dating back to pre-Internet dial-up bulletin board services in the 1980s. Generations of young people have grown up online since then and turned out fine.
But more importantly: the Constitution does not have an off switch. If these laws really do offend constitutional rights—as they clearly do—then they should not be able to offend them for even a moment. The Constitution protects rights every hour of every day, and there is no constitutional mechanism that allows them to be unilaterally taken away from everyone, even temporarily.