
Axios compromise on npm turns a routine install into a system-level breach

via StepSecurity

Security analysis showing the malicious axios npm releases and their install-time behavior.

A supply-chain attack on one of JavaScript's most common HTTP libraries turned `npm install` into a credential-theft risk. StepSecurity says an attacker hijacked an axios maintainer account and published malicious versions `1.14.1` and `0.30.4`, each wired to pull in a fake dependency, `plain-crypto-js@4.2.1`, whose only job was to run a hidden postinstall script. That script reached out to a live command-and-control server, fetched separate second-stage payloads for macOS, Windows, and Linux, and dropped a cross-platform remote-access trojan before trying to erase traces of itself. The practical problem is not just poisoned app code; it is poisoned developer and CI machines. Any runner or laptop that installed the bad versions may have exposed npm tokens, SSH keys, cloud credentials, and secrets sitting in environment variables. StepSecurity's advice is blunt: assume compromise, rebuild from known-good systems, and rotate credentials rather than trying to clean the machine in place.

Axios is a foundational web-request library across Node and frontend builds. Supply-chain attacks on packages like this are especially dangerous because install scripts can execute before any human reviews the dependency tree.

Australia says social platforms still are not ready for its under-16 ban

via BBC, AP, eSafety

Children using smartphones as Australia pressures platforms over its under-16 social media ban.

Australia's youth-social-media crackdown is moving from legislation to enforcement, and the regulator is signaling that the platforms are still behind. The eSafety commissioner said Meta, TikTok, Snapchat and YouTube have not yet shown they are taking "reasonable steps" to keep children under 16 off their services, and AP reported that about 38 percent of Australian 14- and 15-year-olds still had at least one account. Companies were ordered to explain by Thursday how they will meet the law's requirements or face fines that can reach A$50 million and possible court action. That turns the country's headline-grabbing ban into a more serious test: not whether politicians can pass a youth-protection law, but whether large platforms can actually verify age at scale without simply turning the rule into a box-ticking exercise. Australia is effectively becoming the pilot case for the rest of the world.

Australia approved the restriction after a long debate over youth mental health and addictive platform design. The hard part was always going to be enforcement, because the law depends on workable age checks rather than account self-reporting.

GitHub kills Copilot pull-request ads after developer backlash

via The Register, GitHub

GitHub illustration used for coverage of the Copilot pull-request ad rollback.

GitHub backed off a change that made Copilot-generated pull requests feel less like tooling and more like ad inventory. Developers noticed that PR descriptions drafted by Copilot were appending promotional text for other GitHub features, including its Raycast integration, and some of the messaging was tucked into HTML that was easy to miss at first glance. The reaction was fast and unusually unified: people who already tolerate AI writing commit messages and boilerplate did not want the code-review surface quietly repurposed into a marketing channel. Later the same day, GitHub had reversed the change. The episode matters because Copilot is moving closer to the center of everyday software work, which means even small product experiments inside PRs, code review, or issue drafting can feel coercive. Once the assistant sits inside the workflow, the line between help and manipulation gets much thinner.

Copilot now drafts PR descriptions, commit messages, and review text across much of GitHub's product surface. That makes changes inside those writing flows especially sensitive, because developers treat them as part of the work channel, not the marketing one.

[China Watch] Ant Group finally gets its brokerage foothold in Hong Kong

via 36Kr

36Kr illustration accompanying its report on Ant Group taking control of Bright Smart Securities.

Ant Group is completing the deal that gives it control of Hong Kong broker Bright Smart Securities, filling in a conspicuous hole in its financial-services map. According to 36Kr, Ant's Shanghai Yunjin unit is buying 50.55 percent of Bright Smart at HK$3.28 a share, for a total of about HK$2.814 billion, after the approvals it needed from mainland authorities and Hong Kong regulators cleared earlier this month. The appeal is obvious: Ant already has payments, money-market products, consumer finance, and wealth-management distribution, but not a clean in-house securities channel. Bright Smart gives it the licenses to offer stock trading and a fuller "content-data-trading" loop in Hong Kong. The catch is that investors are debating whether this can be another East Money story or just a respectable but narrower add-on. Bright Smart's shares soared far above the deal price after trading resumed, but the article argues Hong Kong's low commissions and institution-heavy market make the old mainland internet-brokerage playbook harder to replay.

Ant had chased a brokerage foothold before through mainland deals that never fully landed. Bright Smart, known in Chinese as 耀才证券, gives it a Hong Kong-regulated path into securities trading and asset-management services.

Judge halts Nexstar-Tegna merger after the FCC stretched the TV cap

via Ars Technica

Judge's gavel illustrating the court order halting the Nexstar-Tegna merger.

A federal judge has frozen the Nexstar-Tegna merger, turning what looked like a done deal into a fresh test of how far regulators can bend media-ownership law. Ars Technica reports that the FCC had granted Nexstar a waiver from the national TV-ownership rule, even though the combined company would reach roughly 80 percent of U.S. households without the old UHF accounting break and about 54.5 percent even with it. Judge Troy Nunley then sided with DirecTV's argument that the merger posed a serious antitrust risk and ordered the companies to stop integrating while the case proceeds. That matters because the fight is not just about abstract media concentration. It is about bargaining power. A larger Nexstar can demand more from cable and satellite distributors in retransmission talks, and those costs eventually wash back onto viewers. The ruling suggests courts may be less willing than the FCC to treat local-TV consolidation as a paperwork problem.

Nexstar is already the biggest owner of local TV stations in the United States. Buying Tegna would expand its leverage in retransmission-fee fights with distributors such as DirecTV and deepen the concentration of local broadcast ownership.

New 'Cicada' COVID variant is spreading in the U.S., but from a low base

via Scientific American, CDC

Magnified coronavirus illustration used with coverage of the BA.3.2 'Cicada' variant.

A new coronavirus lineage nicknamed "Cicada" is showing up in U.S. surveillance, but the case for panic is weaker than the case for paying attention. Scientific American reports that BA.3.2 carries mutations that could help it slip past immunity from vaccines or prior infection, which is why virologists are watching it closely, but the variant is still circulating at low levels and there is no evidence so far that it causes more severe illness than the strains already around. In other words, this is a watch-list story, not a restart-the-pandemic story. The public-health question is whether BA.3.2 can turn modest immune escape into a larger spring wave once it has more room to spread. For now the safer reading is that COVID surveillance still matters even when the signal is small, because by the time a variant becomes obvious in hospital data, it has usually been spreading quietly for weeks.

Names like "Cicada" are informal tracker nicknames, not official WHO labels. The scientific designation is BA.3.2, and the main concern at this stage is immune escape rather than any proven jump in severity.

[China Watch] Kinetica-2 gives China's commercial launch sector a cleaner debut

via CGTN

The Kinetica-2 rocket lifting off on its maiden mission from northwest China.

China's commercial space push cleared an important symbolic threshold on Monday when CAS Space successfully flew Kinetica-2, a medium-lift liquid-fueled rocket, from the Dongfeng Commercial Space Innovation Pilot Zone in the northwest. CGTN says the maiden mission carried three satellites, including the New March-01 technology demonstrator, the heavier New March-02 experimental spacecraft, and the TS-01 educational satellite. The launch matters less as an isolated technical feat than as evidence that Beijing wants private or quasi-private launch providers doing more than small one-off demos. CAS Space is already tied to projects connected to China's cargo system for the space station, and Kinetica-2 pushes the commercial sector toward the heavier, more operational missions that used to sit firmly in the state program. If these launches become routine, the line between "commercial" and "national" space activity in China will keep getting blurrier.

China's planners have elevated commercial space to a national priority industry. The current push is to move beyond small solid-fuel launches and build providers that can handle heavier payloads and eventually support reusable or logistics-focused missions.

3-year degrees are spreading, but mostly by cutting credits rather than time

via Chronicle of Higher Education

Students in caps and gowns at a university commencement, illustrating coverage of the three-year degree trend.

The three-year bachelor's degree is back in fashion, but the Chronicle's reporting suggests the phrase sells a cleaner story than many of the programs deliver. A lot of the new offerings are really reduced-credit degrees that depend on summer study, heavy course loads, prior AP or dual-enrollment work, or unusually careful advising to make the timeline work. That means the students most likely to benefit are often the students who were already well positioned to finish efficiently. Everyone else faces a messier trade-off: a credential with fewer built-in electives and less slack, or a supposedly faster path that still takes close to four calendar years once internships, work, and scheduling constraints intervene. Colleges are pitching these programs as proof that they heard the affordability backlash. The harder question is whether they are lowering the cost of college in a meaningful way or just repackaging the same degree into a tighter and less forgiving container.

Pressure for shorter degrees is growing because families are more skeptical of tuition and many campuses are searching for a stronger value argument. The appeal is obvious; the execution depends on whether institutions cut waste or simply cut flexibility.

A new clue in the static-electricity mystery points to an invisible carbon film

via Nature

Microscopic illustration accompanying Nature's report on static electricity and invisible carbon films.

Static electricity sounds elementary until you try to predict it, which is why this new result is so appealing. Nature reports that researchers found a thin layer of adventitious carbon on oxide grains can change how those surfaces exchange electric charge when they touch and separate. That may help explain why experiments on the triboelectric effect have stayed frustratingly inconsistent: two materials that look identical at ordinary scales may not be electrically identical once a nearly invisible carbon film changes the surface chemistry. The result will not make sweater shocks disappear tomorrow, but it does offer a cleaner physical handle on a problem that matters in places far stranger than doorknobs, including dust transport, industrial powders, chip fabrication, and environments where a small spark can become a large hazard. Sometimes the hardest old physics problem is not missing a grand theory. It is missing one contaminant layer everyone kept treating as background noise.

Researchers have struggled with static electricity because tiny differences in surface condition can flip which object ends up positively or negatively charged. The new work suggests surface contamination is part of the reason the field has been so hard to standardize.

Eurovision is launching an Asia edition

via BBC

Eurovision branding as organizers announce the contest's first Asia edition.

Eurovision is finally trying the obvious franchise move: an Asia edition built around the same national-broadcaster format that turned the original contest into a yearly spectacle. BBC reports that broadcasters from 10 countries, including South Korea and the Philippines, are joining the first competition. The interesting part is not just geography. Eurovision's appeal comes from a very particular mix of state broadcasters, camp nationalism, tactical voting, and songs designed for instant continental recognition. Exporting that machinery to Asia tests whether the format is a European historical accident or a reusable entertainment system. If it works, it opens a new lane for cross-border pop politics in a region with huge music markets and very different language blocs. If it does not, it will show that what looks like a generic song contest from the outside is actually a delicate civic ritual that depends on more shared institutions than Eurovision fans usually admit.

Eurovision stopped being strictly European years ago when Australia became a recurring entrant. An Asia edition has been discussed before, but this is the first version to move forward with a concrete broadcaster lineup.