Recently, my kindergartner climbed onto the scale and asked me what dinosaurs also weighed 50 pounds. Thanks to Claude, we quickly learned, to my son’s delight, that he is the size of a juvenile velociraptor.

Artificial intelligence helped me with a question I couldn’t have answered on my own. But it didn’t replace me as a parent or my son’s role as a learner. A few weeks later, I had forgotten the answer, but my son didn’t. He was the keeper of knowledge, and I was the conduit.

Something like this is happening in schools and colleges, too. Information is more easily accessible than ever before. Anyone anywhere can ask an AI tool a question and receive an answer that seems reasonable, at least on the surface. It’s not surprising, then, to see predictions of the demise of traditional schools and colleges.

But education has never been only about access to information. Students need much more to become capable members of society. They need the ability to assess the quality of information, recognize strong work, and connect ideas. Students also need to grapple with the reality that not everyone agrees, and that’s ok. This kind of learning requires human relationships that expose students to the friction of life that sycophantic AI models tend to obscure.

The big question is how to know when AI supports real learning and when it leads to the “cognitive surrender” of accepting AI-generated answers with minimal scrutiny. Recent research findings shed some light on that.

Learning by AI Type

First, learning varies significantly based on the type of AI used. The dangers of cognitive surrender are greater when students use the standard, free versions of LLMs. Those models are designed to be helpful and therefore simply provide answers to the questions they are asked. Brain activity and retained learning are lower when students are working with AI in this way.

In contrast, tools that scaffold learning and support in-person instruction can produce outcomes even more impressive than my son’s memory of the size of teenage dinosaurs. One study of an introductory undergraduate physics course found that students using a carefully designed AI tutor had twice the learning gains of those receiving active, in-person instruction.

Learning Process Matters

Second, the role that AI plays in the learning process matters, and it should be off-limits at times. The authors of the physics course study cautioned that structured AI tutoring may not be appropriate for tasks “requiring complex synthesis of multiple concepts and higher-order critical thinking.” In a larger-scale example, Estonia’s education minister—who is overseeing the country’s ambitious partnership with OpenAI to provide a custom AI platform in upper secondary schools—has described a blended model. Students use handwriting to form memories early in the learning process and, later, use digital tools for feedback and AI-assisted learning. Estonia is not introducing AI in earlier grades so that students can build foundational knowledge and skills first.

Support for Educators Needed

Third, because the outcomes are so far apart between good and bad AI use in learning, educators need support to add AI to their teaching toolkit responsibly. In one study from Sierra Leone, secondary school educators completed a one-day training before adding AI tools in the learning process and only then saw math learning gains equivalent to more than a year of additional schooling.

Google, OpenAI, and Anthropic all offer learning modes and other supports built on these ideas. Still, those features are typically opt-in and getting harder to find for non-enterprise users. OpenAI, for example, launched “study mode” in July 2025 but quietly removed it from the standard ChatGPT interface this spring. The feature remains available to schools and systems with enterprise contracts. These contracts are expensive but drive demand for the types of AI that educators actually want, especially when leaders collaborate across systems and make similar asks of tech companies in procurement.

Schools, colleges, and educators should not be alone in navigating these waters. Philanthropy can help, for example, by supporting training that respects teachers’ expertise, conducting independent research on what works, and advancing advocacy work that counterbalances the size of tech firms. They can also help make enterprise contracts more affordable and support the development of procurement standards that protect learning, student data, and educational institutions’ sovereignty over their own systems.

This fits with philanthropy’s history of helping the benefits of new learning approaches reach everyone. For example, as compulsory schooling laws were passed at the turn of the 20th century, communities benefited from Andrew Carnegie’s 2,509 libraries (many of which served as classrooms) and Julius Rosenwald’s 5,000 schools that educated a third of Black children in the rural South.

Looking even further back in time gives me confidence that humans can weather tech-driven transitions and come out in a better place. German apprenticeship programs are strong today in part because, during the Industrial Revolution, German guilds adapted their models to fit an evolving economy rather than resisting change outright.

Today’s overflowing supply of information began with the printing press, which expanded access to texts and eventually reshaped who could claim expertise. I can capture and share these thoughts with you in part because, very long ago, writing transformed curriculum, credentialing, and information exchange.

Humans may not be as cool as velociraptors, but we have incredible agency and potential to evolve to meet the moment. All of us—including tech providers, educators, and philanthropy—can play an active role in shaping what’s next for students.

Baidu’s robotaxis are heading to the Alps. AmiGo, a venture between the Chinese giant’s Apollo Go robotaxi unit and Swiss Post’s PostBus, has won a special permit from Switzerland’s Federal Roads Office for Level 4 autonomous driving, Baidu said.

Level 4 means the vehicle drives itself within a defined area. Open-road trials began on 1 June across about 80 square kilometres of eastern Switzerland, in the cantons of St Gallen and the two Appenzells. For now, a safety operator still rides in each car.

What AmiGo is

AmiGo pairs Chinese self-driving technology with a Swiss public-transport operator. PostBus runs the country’s distinctive yellow postal buses; Apollo Go supplies the autonomous driving system. Riders book trips through the AmiGo app.

The cars are Apollo Go’s RT6: fully electric pods that carry up to three passengers and pack more than 30 sensors. The steering wheel is built to be removed once the service goes fully driverless. “With AmiGo, we are making automated mobility in public transport tangible,” said PostBus chief executive Stefan Regli.

Why the Apollo Go robotaxi permit matters

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Europe has almost no robotaxis, and the few efforts are early. Riders still cannot hail one across most of the continent. Uber is only now starting a programme in Munich, and most pilots remain just that.

A Chinese operator winning a European Level 4 permit is a notable first. It also extends Apollo Go’s reach beyond China, where it ran into trouble in Wuhan when a fleet froze in traffic.

The numbers behind the push

Apollo Go is scaling fast. Baidu says the service delivered 3.2 million fully driverless rides in the first quarter of 2026, peaking above 350,000 in a single week in March. Cumulative rides passed 22 million by April, across 27 cities.

That scale is the pitch to European regulators and partners alike. But the Swiss permit is narrow and the trial zone small. The partners are clear about the path: a closed user trial, then rides with no safety operator, then regular service from 2027, in what they call the largest planned automated public-transport operation of its kind in Europe. Chinese rivals are expanding too, and Europe’s patchwork of national rules still makes every market a fresh fight. The question is whether a careful Swiss pilot becomes a template, or stays a postcard.

Meta had a bad Friday morning. A major Meta outage knocked out Facebook, Instagram, WhatsApp, and Messenger for users around the world, starting shortly before 10am ET. By midday it was recovering, unevenly, region by region.

The trouble appeared to begin on WhatsApp, then spread. Facebook users were abruptly logged out, met with a “Query Error” or a “Sorry, something went wrong” message, and unable to log back in. Others could open the app but not post, comment, react, search, or load Stories and Marketplace.

What Down Detector shows

The outage-tracking site Down Detector logged a sharp spike. Facebook bore the brunt, with reports passing 130,000; Instagram logged around 9,500, and WhatsApp far fewer. Across all three, most people flagged problems with the app, then login.

Those numbers are self-reported, so they track complaints, not Meta’s own data. But the reports came in from far beyond the US, from the Philippines and Taiwan to Australia, Spain, and South Africa, which points to something central rather than a local glitch.

Businesses caught out

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

It was not just scrolling. Meta’s status page logged “high disruptions” across its business products, including Facebook Ads Manager, the Messenger Platform, the Messenger API for Instagram, and the WhatsApp Business Platform. Advertisers could not create or edit ads, and Meta apologised “for any inconvenience.” On a Friday, the timing stung.

Meta confirms the disruption, but not the cause

Meta acknowledged the problems on its status page, flagging “high disruptions” and saying its engineering teams were “actively looking to resolve the issue as quickly as possible.” It did not say what caused the outage, or how many users were hit.

There is no word yet on whether it was a configuration error, an infrastructure failure, or something else.

Recovery was already under way. Meta marked some services, such as ad delivery, as resolved, with others “in the process of being restored.” On the consumer side, Facebook was loading closer to normal and Down Detector reports were falling, though some users still saw an empty Stories bar, a stale feed, or a “Try Again” error.

The scale is the point: Meta’s apps reach billions, and even a couple of hours offline ripples through messaging, businesses, and logins far beyond the feed. It capped an eventful day for Meta, which this morning pledged free AI glasses to every blind US veteran. This is a developing story; we will update it with Meta’s explanation and an all-clear.

It promises to be a fantastic Friday in Toronto as FIFA World Cup 2026 co-hosts Canada open their Group B campaign against Bosnia and Herzegovina.

Jesse Marsch’s squad is packed with exciting talents ready to shine on home soil including Bayern Munich’s Alphonso Davies, Villarreal winger Tajon Buchanan and Juventus striker Jonathan David, who is Les Rouges’ all-time record goalscorer. Davies has been ruled out of the opening game after failing to recover from a hamstring injury, but the noises from the Canada camp suggest they are confident their captain will play some part in the group stage. Nevertheless, the co-hosts will be confident of securing their first-ever point – or three – at the finals against Bosnia after returning empty-handed from their previous two World Cup appearances.

from the going-great,-thanks-for-asking dept

Back in March I noted how the Trump FCC under Brendan Carr had announced a “new ban” on all routers made overseas (which is pretty much all of them). At the time we also noted how this was less of a ban and more of a shakedown, with router manufacturers required to beg the Trump FCC for conditional waivers (fees, favors, whatever) to continue doing business in the States.

Several router manufacturers (like Amazon’s Eero and Netgear) have subsequently received exemptions from the Trump administration, but because there is zero transparency to the process, we have no idea what they agreed to. Did they pay the Trump administration a bribe? Did they agree to surveillance backdoors for ICE operations? Who knows? Great stuff.

Now the cable lobby appears to be balking at the purported foreign router ban. In a petition filed with the FCC last week (spotted by Ars Technica) NCTA (The Internet & Television Association) — the cable industry’s biggest lobbying org — asked for a massive exemption from the restrictions, noting that they’re simply not practical in real-world practice:

“NCTA requests an expedited grant of this waiver to enable its members and their suppliers to navigate unavoidable supply chain shortages and prevent disruptions in the availability of broadband for NCTA members’ customers, while still fulfilling the rules’ national security and public safety purpose.”

So basically you’ve got a ban on foreign routers that is more about extortion than protecting national security. Which the cable industry says it can’t adhere to because AI hype, tariffs and unnecessary wars have driven up the costs of many internal router components, making adherence expensive if not impossible. Great stuff, very savvy policymaking by people who definitely know what they’re doing.

Part of the “foreign router ban” was supposed to involve forcing hardware manufacturing to return to the states. But because Trump and much of his administration have a fourth-grader-level understanding about how this stuff works (like his desire to suddenly have smartphones built in the U.S.), the cable industry’s filing notes that the “onshoring” of manufacturing and supply chains isn’t realistically possible either:

“Like AT&T, NCTA members are encouraging their suppliers to quickly pursue required onshoring, and, in the meantime, seek Conditional Approvals for Covered Routers as necessary. However, unavoidable supply chain shortages in critical substrate material and memory modules (including both volatile and nonvolatile memory) significantly constrain the industry. AT&T’s suppliers are not unique; the same impediments they are experiencing impose inevitable limitations on NCTA’s suppliers. Accordingly, NCTA seeks the same relief on behalf of its suppliers. Given the immediacy of these issues and the concrete harms that would result from disruptions to the availability of broadband to large swaths of US consumers and businesses, the grant of this Petition is warranted.”

These companies, many of which supported and enabled Trump, now have to pretend this all makes sense as they navigate a costly minefield of weird bullshit that won’t accomplish any of its purported goals.

This is all exceptionally chaotic and dumb, and it’s unlikely that Brendan Carr, who spends most of his time trying to censor comedians and whining about “wokeness,” is capable of managing the scale of this sort of overhaul — even if it were practical, which it isn’t.

When you read most press coverage of this router ban, they don’t really make it clear to readers that this is all very unworkable and stupid. Trump and his administration are given undeserved credit on competency and policy, as the press, companies, and policymakers all try to trip over themselves to normalize the sheer pointless stupidity and expense of it all.

If the country cared about national security we’d focus on corruption. We’d pass a meaningful modern internet privacy law. We’d shore up, staff, and properly fund cybersecurity regulators. We’d regulate data brokers. Instead we get a giant pile of unworkable extortion slop being overseen by weird zealots.

Filed Under: brendan carr, hardware, national security, onshoring, privacy, router ban, routers, telecom

Companies: ncta

OFFBEAT

It might also make Musk the world’s first trillionaire

SpaceX has priced its blockbuster initial public offering at $135 a share, raising $75 billion and valuing Elon Musk’s rocket biz at roughly $1.78 trillion.

The haul could rise to about $86 billion if underwriters exercise their option to buy more stock, making it the largest IPO in US history.

The company confirmed [PDF] that 555.6 million shares of Class A common stock were sold in the offering, with another 83.3 million available to underwriters.

SpaceX is a loss-making company. In its Form S-1, filed with the US Securities and Exchange Commission, it divided operations into Space (Falcon 9 and the like), Connectivity (Starlink), and AI. Only the Connectivity segment is turning a profit, to the tune of $4.4 billion in 2025, while the others continue to rack up losses. Making a profit from AI continues to elude many companies – SpaceX is not the only entity where investment exceeds revenue, and Starship remains a work in progress.

In the company’s Form S-1, SpaceX reported a net loss of $4.9 billion on revenue of $18.7 billion in 2025. The IPO values the company at more than 90 times that revenue.

According to The Financial Times, the IPO was heavily oversubscribed – orders exceeded the number of shares on offer by more than three times. Retail investors also ordered more than $100 billion of shares, and were allocated between 20 and 25 percent of the shares sold.

The record-breaking IPO reflects investor appetite for AI-related companies, as well as a bet that SpaceX’s estimate of a $28.5 trillion total addressable market, including $22.7 trillion in “Enterprise Applications,” proves realistic.

Skeptics may recall that promises and assurances associated with Elon Musk rarely survive contact with reality.

We will update when trading kicks off today. Depending on how trading goes, Musk could be a paper trillionaire by the end of the day, thanks to his shares in SpaceX. That figure could climb further if SpaceX ever delivers on its more ambitious plans, from a human settlement on Mars to space-based datacenters.

Musk may also be in line for a vast Tesla payout if the carmaker hits targets including a sharp rise in valuation and the delivery of a million robots over the next decade. ®

• NordVPN’s next-gen antivirus blocked 96% of phishing sites in the 2026 AV-Comparatives test
• The software perfectly distinguished between active malicious links and 200 legitimate banking URLs
• Detection rates jumped by 6% compared to the previous test in May 2025

When you’re searching for the best VPN to secure your online traffic, you increasingly need an app that does more than just encrypt your data. As phishing attacks grow more sophisticated, top providers are evolving into robust, all-in-one cybersecurity suites, and independent testing shows these built-in tools are making a real impact.

In the newly released 2026 Anti-Phishing Comparative Test by independent cybersecurity evaluation authority AV-Comparatives, NordVPN’s next-generation antivirus achieved a massive 96% phishing detection rate.

Supply chain attacks continue, with Microsoft’s own open source Azure repositories being automatically disabled by GitHub following a compromise of the packages by the Miasma worm.

OpenSourceMalware reports that the infection resulted in 73 Microsoft-related package repositories being flagged and taken offline in a little over a minute by the GitHub automated security system, with over 40 repositories being related to Azure and the rest distributed across the Microsoft organization.

The center of the infection appears to be the Microsoft Durabletask package, which was previously compromised in May and used to push infected packages to PyPi. Considering that all of the supply chain worms also steal credentials for every service they can find in the build or developer environment they infect, it seems likely that credentials stolen in the original attack were never properly disabled.

Disabling the repositories can help stem the infected packages and GitHub actions from spreading and infecting more organizations, but of course any build processes depending on those packages will not function. In May, the Durabletask package showed over 400,000 downloads per month.

The OpenSourceMalware report includes a full list of the impacted repositories.

Microsoft Fixes GitHub Token Exploit

Microsoft has finally fixed a bug in GitHub which could steal a GitHub authentication token with access to all of an accounts repositories via the embedded web-based VSCode editor which is part of GitHub itself.

Ammar Askar discovered the bug and discusses it on their blog; by manipulating the sandboxed VS Code into treating an embedded web view as user keyboard strokes, it is possible to to cause it to install a VS Code extension which is then used to exfiltrate the GitHub authentication tokens of the user using the embedded VS Code instance.

TP-Link Taeover via Unregistered Domain

Julian B demonstrates capturing traffic from TP-Link routers and access points thanks to an unregistered domain name in the firmware.

After finding an archive of the firmware releases for every TP-Link product, Julian simplified the list to the latest versions, and ran a custom scraper tool to extract domain names referenced in the firmware and search for matching domain names.

After registering an available domain, Julian began receiving requests from TP-Link devices checking in to a server which had lapsed, likely years ago. Fortunately, Julian reported the issue to TP-Link and was able to transfer the domain.

It’s unclear what the risks of the unregistered domain name were in the context of the TP-Link devices, however unregistered domain names can lead to all sorts of issues in the wrong situations.

A Pile of OpenSSL Vulns

The OpenSSL library has a new collection of vulnerabilities which range from low-severity flaws in message verification in functions which aren’t used in any of the OpenSSL implemented protocols to a high-severity use-after-free bug in PKCS7 handling which could be used to run arbitrary code.

Use-after-free bugs occur when a chunk of memory is dynamically allocated, then freed and returned to the memory pool, but a later piece of code re-uses the memory that is no longer claimed. In the meantime, this memory could have been assigned to another variable or otherwise restructured, leading to memory corruption. In the case of OpenSSL, the memory associated with a PKCS7 container (a certificate storage method) or a S/MIME message (usually used in secure email) can be manipulated into using freed memory.

The advisory warns that applications processing PKCS7 or S/MIME are affected; fortunately most uses of OpenSSL are unlikely to be directly impacted (neither of those functions are common in web servers or similar), but as always, update as soon as possible!

NightmareEclipse is Back

The researcher previously identified as NightmareEclipse, known for releasing advanced Windows vulnerabilities with working proof of concept code, has returned as MSNightmare releasing several new exploits after previously being removed from GitHub. Despite a strongly worded (and poorly received) public statement by Microsoft threatening criminal investigations, the researcher returns with the RoguePlanet vulnerability.

RoguePlanet exploits race conditions in Windows Defender under Windows 10 and Windows 11 to gain a system-level shell, a fairly common trend in the vulnerabilities found by this researcher.

Additionally, another BitLocker bypass has been released, called GreatXML, which unlocks BitLocker protected drives if a Windows Defender offline scan has ever been run.

Of course, these releases coincide with Patch Tuesday, so they’re unlikely to be addressed before the July patch day.

It appears Microsoft has backed down from their initial press release which appeared to claim that vulnerability research and development outside of the guidelines Microsoft decided would be treated as criminal behavior; this was not well received by much of the security industry. At the start of the modern security industry in the late 1990s, public release of vulnerabilities was common. Companies had no way to reach a security contact to get it fixed, simply did not care to fix it, or were actively hostile to researchers. Through years and decades of community programs, it is now normal to reach out to a company with security flaws and have an expectation they will be fixed, and often rewarded either monetarily through structured bounty programs like HackerOne or through public credit to the researchers who found the flaws (nobody wants to be paid in exposure, but security is now an industry, and having a well-known name and track record can be valuable.)

Unfortunately, recently, it seems Microsoft may have forgotten that while disclosure to the vendor has become the norm, it is simply a social contract. Having already publicly alienated one skilled researcher (NightmareEclipse), the company seems to be doing the best it can to alienate others by burning community good will. Expect more publicly released vulnerabilities in the wake.

Linux Arm Fixes

Phoronix reports that the Linux kernel has patched a critical-severity flaw on Arm CPUs in the memory allocation logic. The list of processors affected continues to grow, including some NVIDIA embedded platforms.

The flaw lies in specific ordering requirements for accessing memory via the TLB, or “Translation Lookaside Buffer”, a critical part of the virtual memory and memory protection system. The TLB is a cache of recently resolved lookups of physical memory locations, so any corruption of the TLB can cause invalid memory reads, leading to almost the same results as recent kernel vulnerabilities in the Linux page cache system which allowed binaries to be replaced in RAM.

The bug was found thanks to advisories from Arm themselves clarifying that additional protections were needed around modifications to the TLB cache on these chips. The real-world impact remains to be seen, but now that the bug and patches are public, I’d expect proof of concept code to follow soon after. It’s also safe to assume that this flaw affects other operating systems on Arm platforms, as well, but there is no public information yet.

FreeBSD Gets a Page-Cache Bug

FreeBSD racks up another kernel bug this week, the amusingly named Bumsrakete (“Bum Rocket” or “Bang Rocket”), complete with a well-crafted troll of an announcement, right down to the use of Comic Sans for the announcement site.

Beneath the crap-posting exterior lies a legitimate CVE (CVE-2026-45257) where any user with access to the PMAP_HAS_DMAP system (the standard configuration) can overwrite the disk page cache in memory. This is the FreeBSD flavor of the kernel cache flaws in Linux used by CopyFail, DirtyPipe, and friends, and even involves decryption primitives in the kernel similar to the original CopyFail process.

It’s not surprising that following the multiple disk cache corruption bugs in Linux disclosed this spring, other operating systems with similar functionality are being examined and new flaws showing up.

NPM to Block Auto Install Scripts

NPM is introducing major changes in NPM 12 to attempt to stem the flood of supply-chain vulnerabilities by removing the automatic execution of commands from the install phase of packages and disabling the use of remote URLs as dependencies.

Most of the NPM-based worms infecting packages at record rates use the install script process, hooking either pre-install, install, or post-install scripts to run commands automatically as a package dependency is included. Since the install script runs as the user (or build service) pulling the dependencies, it has direct access to any credentials or files that user and service has. Under the new model an infected package could still perform malicious actions inside a compiled application or site, but a major mechanism for automatic spreading of malicious packages will be addressed.

It’s good to see progress made towards addressing the underlying weaknesses in the package ecosystem which aid in spreading malicious packages.

Libinput Security Fix

The libinput library sees a pair of security fixes this week, centered around the handling of device names for uinput and uhid devices. Maliciously named devices could execute commands as root.

To be able to exploit this, a user needs to already be on the system and have the ability to create new uinput devices. This is normally restricted to root, however if steam-devices, antimicrox, or kdeconnectd packages are installed, the permissions to create a device are modified and any user logged into the system can create a uinput device.

Go forth, and update!

Mini Shai-Hulud Hides in Censorship

The Shai-Hulud, Mini Shai-Hulud, and Miasma worms have been prolifically infecting packages on NPM and PyPi as well as VS Code extensions and GitHub actions. Using a combination of captured worm code and publicly released versions of the worms, researchers have been reverse engineering the behavior of the worm using the decrypted payloads.

Amusingly, they have discovered that the Mini Shai-Hulud worm attempts to hide from automatic analysis and detection via AI prompt injection. The payload file executed during a NPM package install contains a block of comment text referencing biological and nuclear weapons, topics many AI models refuse to allow.

Interpreting the comment as a banned request, the AI models may immediately stop processing the rest of the file, either blocking further analysis by researchers or disabling AI-based malware detection tools scanning for malicious payloads.

Another Record Patch Tuesday

For the second time this year, Microsoft has a record-breaking number of fixes included in Patch Tuesday with more than 200 security fixes, including fixes for two vulnerabilities released by NightmareEcllipse in recent weeks, however none of the fixes specifically reference the conflict between Microsoft and the researcher.

Outside of the Patch Tuesday fixes, Microsoft also fixed 360 browser vulnerabilities.

With the increasing automatic bug finding via AI tools, this may become the new normal for Patch Tuesday fix counts.

Python Linter Blocks Shai-Hulud

Sometimes pedantry pays off. StepSecurity brings the tale of a supply chain infection of the popular Pythagoria-io GPT Pilot package, an AI coding assistant tool. After one of the developers was infected by the Miasma supply chain worm, the worm performed the typical trick of attempting to reversion and push compromised versions of all accessible packages.

This time, the commits containing the trojaned were rejected by the Python linter, Ruff, for not matching the style guidelines of the project. Linters analyze code for style, comments, and syntax (think the pretty printing in a code editor that highlights incorrect tabs and spaces or deprecated functions.)

The developer will still need to clean up their system and make sure to revoke all tokens the worm has access to, but the project itself was spared infection by a humble syntax styler.

Deep Dive into Miasma

Finally, we have a dive into the Miasma worm thanks to SafeDep.

The payload source for Miasma has been open sourced, apparently by some of the developers of the malware. Previously the payload was heavily encrypted, however progress was made in decoding it during the initial wave of attacks. By open sourcing the worm, the developers likely hope to muddy the waters by creating copy-cat worms using modified techniques and signatures.

SafeDep takes a deep look into the capabilities of the payload, noting several unusual abilities including disabling GitHub environment protections, a full list of the credential harvesting capabilities, and more. Be sure to check out the full write up for an extremely detailed breakdown of each major component of the worm and the actions it takes, if that sort of thing is interesting to you!