Feed aggregator
The Costco Theory of the Internet
Article URL: https://www.joanwestenberg.com/the-costco-theory-of-the-internet/
Comments URL: https://news.ycombinator.com/item?id=48308053
Points: 3
# Comments: 0
They Teach AI Music at Music School Now [video]
Article URL: https://www.youtube.com/watch?v=EfeGc02nzC4
Comments URL: https://news.ycombinator.com/item?id=48308050
Points: 1
# Comments: 0
DeltaBox: Scaling Stateful AI Agents with Ms-Level Sandbox Checkpoint/Rollback
Article URL: https://arxiv.org/abs/2605.22781
Comments URL: https://news.ycombinator.com/item?id=48308043
Points: 1
# Comments: 0
Embeddings: LLM's Best Kept Secret?
Article URL: https://matthew-johnston.com/embeddings-llm-best-kept-secret/
Comments URL: https://news.ycombinator.com/item?id=48308035
Points: 1
# Comments: 0
China could use "kill-switch" on buses in Dutch cities, says Cabinet member
Article URL: https://nltimes.nl/2026/05/27/china-use-kill-switch-buses-dutch-cities-says-cabinet-member
Comments URL: https://news.ycombinator.com/item?id=48308015
Points: 1
# Comments: 0
Gemini Embedding 2: A Native Multimodal Embedding Model from Gemini
Article URL: https://arxiv.org/abs/2605.27295
Comments URL: https://news.ycombinator.com/item?id=48307969
Points: 2
# Comments: 0
You Won't Believe the Tech Disney Used to Update These Rides
Carnival confirms data breach impacting nearly 6 million
Carnival Corporation, parent of Carnival Cruise Line, is sending out fresh “Notice of Cybersecurity Event” letters dated May 27, 2026. If you feel like you’ve read that sentence before, you’re not imagining things. Over the last decade, the world’s largest cruise operator has accumulated a worrying track record of breaches, ransomware incidents, and regulatory penalties, with this 2026 incident adding yet another entry to an already lengthy cybersecurity history.
There are several data breaches involving Carnival Corporation or one of its subsidiaries in our database.
Between 2019 and 2021 alone, Carnival reported four separate cybersecurity events to the New York Department of Financial Services. These included two ransomware attacks and a phishing incident in which attackers deployed malware, accessed and encrypted internal systems, and stole personal customer and employee information.
In this latest case, an attacker used social engineering to trick a Carnival employee into granting access to part of the company’s IT systems on April 14, 2026. By April 22, they used a compromised account to access a “limited portion” of Carnival’s IT systems, where they were able to copy personal data before being blocked.
According to the data breach notice filed in Maine, a total of 5,995,277 people were affected. Carnival determined that the intruder had illegally copied files containing personal information and is now writing to affected individuals to tell them that “data elements” relating to them were obtained.
Researchers cited by Gblock say the stolen data appears to include:
- Full names
- Email addresses
- Dates of birth
- Genders
- Mariner Society membership status and tier
- Internal customer identifiers
The template letter does not list specific data fields. Instead, it uses a placeholder:
“We have determined that your <<data elements>> were obtained.”
This strongly suggests that Carnival is populating each letter with data categories relevant to that particular individual, a common pattern in large breaches where people may have provided different information at different times.
Furthermore, the letters contain the usual content about the speed with which the company acted and its involvement of third‑party experts, and they frame the affected systems as a limited subset of the environment. For recipients, the important fact is not how limited the breach was from the company’s point of view, but whether the exposed information could be used for identity theft, fraud, or highly convincing phishing attacks.
We do know from past Carnival incidents that exposed data has included names, addresses, dates of birth, passport numbers, health information, and payment details. In previous breaches affecting cruise lines, compromised data has ranged from basic contact details to Social Security numbers and credit card information. Carnival has not publicly disclosed the full categories of data involved in the 2026 incident, but given that this 2026 event again involves “personal information” copied from internal systems, it is reasonable to treat it as a serious privacy incident, even if the exact mix of data varies per person.
The attack was claimed by extortion group ShinyHunters, which is known to steal data and then ask for a ransom. If the victim does not agree to the terms, the data will be published and/or sold to the highest bidder.
From a cybercriminal’s perspective, cruise industry data is highly prized. Cruise passengers are often relatively wealthy, and passenger records can combine identity data (names, addresses, dates of birth, passport numbers), contact data (emails, phone numbers), and potentially payment data (card numbers and sometimes bank details), making them valuable for identity theft, targeted phishing, and fraud.
What to do if you’re affected
To mitigate the fallout, Carnival is offering a complimentary 24‑month TransUnion credit‑monitoring package, delivered via the MyTrueIdentity platform and supported by Cyberscout for fraud assistance.
Be cautious of emails, texts, or calls claiming to come from Carnival or credit-monitoring providers, as cybercriminals often exploit breaches with phishing scams. Read our advice on what to do when you find out you’re involved in a data breach.
The Oura Ring 5 Looks Like It Went on Ozempic, and Now It Tracks That Too
There's a Heck of a Camera Inside This Colorfully Designed Phone
Supply Chain Compromises Impact Nx Console and GitHub Repositories
CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems and Continuous Integration/Continuous Development (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the “Megalodon” supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments—specifically CI/CD pipelines, code extensions and workflows.
Threat actors leveraged a prior compromise of Nx developer systems to compromise a GitHub employee’s device through a poisoned third-party VS Code extension, resulting in unauthorized access and exfiltration of internal GitHub repositories. The malicious extension version (18.95.0) was distributed through VS Code’s automatic update mechanism, meaning systems with Nx Console previously installed may have received the malicious build without developers taking any manual installation action. GitHub released a security advisory on this activity, and CVE-2026-48027 has been assigned to the malicious version of Nx Console and added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Additionally, in a campaign known as “Megalodon,” a cyber threat actor injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens, impacting both development and deployment pipelines in public GitHub repositories.
CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:
- Monitor and audit workflow files and contributor activity for suspicious pull requests and direct commits, particularly those authored by automated accounts.
- Revert unauthorized changes, especially those from automated accounts (e.g., build-bot, auto-ci, ci-bot, pipeline-bot) and those made after May 18, 2026.
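An added example, not part of the CISA alert: one way to run the audit described in the two recommendations above over `git log` output. The sample log is constructed, and the `commit`-prefixed format string and the midnight-UTC cutoff are assumptions of this example.

```python
from datetime import datetime, timezone

# Account names the advisory gives as examples of automated committers.
BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
# Date the advisory singles out; treating it as midnight UTC is an assumption.
CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)
WORKFLOW_DIR = ".github/workflows/"

# Constructed sample, in the shape printed by:
#   git log --name-only --format='commit%x09%H%x09%an%x09%aI'
SAMPLE_LOG = """\
commit\t1111111\talice\t2026-05-12T09:14:03+00:00

.github/workflows/ci.yml
commit\t2222222\tci-bot\t2026-05-16T22:40:10+00:00

.github/workflows/ci.yml
commit\t3333333\tbuild-bot\t2026-05-20T03:02:51+00:00

.github/workflows/release.yml
src/app.py
commit\t4444444\tpipeline-bot\t2026-05-21T11:30:00+02:00

README.md
"""

def parse_log(text):
    """Return [sha, author, timestamp, paths] for each commit in the log."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit\t"):
            _, sha, author, when = line.split("\t")
            commits.append([sha, author, datetime.fromisoformat(when), []])
        elif line.strip() and commits:
            commits[-1][3].append(line.strip())
    return commits

def flag_commits(text, cutoff=CUTOFF):
    """Return workflow-touching commits with the reasons each needs review."""
    findings = []
    for sha, author, when, paths in parse_log(text):
        touched = [p for p in paths if p.startswith(WORKFLOW_DIR)]
        reasons = []
        if author.lower() in BOT_NAMES:
            reasons.append("automated-account author")
        if when >= cutoff:
            reasons.append("on or after cutoff")
        if touched and reasons:
            findings.append((sha, author, touched, reasons))
    return findings
```

The author name in a commit is self-declared, so a match is a lead for review rather than proof of which account pushed the change.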
If your organization discovers a compromise resulting from previously compromised GitHub or Nx Console software, CISA recommends the following steps:
- Conduct a forensics review of CI/CD logs, cloud audit trails, and affected developer machines.
- Rotate or revoke all credentials, tokens, and secrets accessible to CI/CD pipelines, including API keys, cloud provider credentials (Amazon Web Services, Google Cloud Platform, Microsoft Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, GitHub/GitLab/Bitbucket tokens, and developer or pipeline secrets.
- Notify proper stakeholders if necessary.
CISA recommends the following best practices for using package repos:
- Wait at least three hours before pulling a new package. This gives the software community time to identify suspicious or malicious packages before they are widely downloaded.
- Pin software to specific trusted versions. Pinning software prevents pulling a malicious or unscreened package during the build process.
- Only pull packages from known and trusted sources. Relying on known and trusted sources reduces the likelihood of downloading a package that has been maliciously forked.
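An added example, not part of the CISA alert: a pre-build gate that applies the first two practices above, rejecting dependencies that are not pinned to an exact version or whose pinned release is younger than three hours. Package names, versions and timestamps are constructed; the input shapes mimic a `package.json` dependency map and the per-version publish times in npm registry metadata.

```python
import re
from datetime import datetime, timedelta, timezone

COOL_DOWN = timedelta(hours=3)  # waiting period recommended in the alert
# An exact version such as 1.2.3 or 1.2.3-rc.1; ranges like ^1.2.3 do not match.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed inputs (made-up package names).
DEPENDENCIES = {
    "example-http": "4.2.1",
    "example-log": "^2.0.0",
    "example-cli": "1.9.0",
}
PUBLISHED = {
    "example-http": {"4.2.1": "2026-03-02T10:00:00+00:00"},
    "example-log": {"2.0.0": "2025-11-20T08:30:00+00:00"},
    "example-cli": {"1.9.0": "2026-05-27T11:15:00+00:00"},
}

def review(deps, published, now):
    """Map each dependency to 'ok' or the reason the build should not pull it."""
    verdicts = {}
    for name, spec in deps.items():
        if not EXACT.match(spec):
            verdicts[name] = f"not pinned: {spec!r} can resolve to a new release"
            continue
        stamp = published.get(name, {}).get(spec)
        if stamp is None:
            # Fail closed when the publish time cannot be established.
            verdicts[name] = "no publish time known for pinned version"
            continue
        age = now - datetime.fromisoformat(stamp)
        if age < COOL_DOWN:
            minutes = int((COOL_DOWN - age).total_seconds() // 60)
            verdicts[name] = f"too new: wait {minutes} more minutes"
        else:
            verdicts[name] = "ok"
    return verdicts
```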
See the following resources for additional guidance on these compromises:
- GitHub: Investigating unauthorized access to GitHub-owned repositories
- Nx: Postmortem: Nx Console v18.95.0 supply-chain compromise
- Ox Security: Megalodon: CI/CD Malware Spreading Across GitHub Repositories
- StepSecurity: Nx Console VS Code Extension Compromised
- SafeDep: Megalodon: Mass GitHub Repo Backdooring via CI Workflows
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
New Edamame Platform Aims to Catch AI Coding Agents Going Off the Rails
France-based startup Edamame says its runtime verification platform uses host telemetry and AI analysis to detect coding-agent “intent drift,” secret theft and supply-chain attacks in real time.
The post New Edamame Platform Aims to Catch AI Coding Agents Going Off the Rails appeared first on SecurityWeek.
Best Outdoor String Lights of 2026: Brighten Your Patio or Backyard With Our Top Picks
Oura Ring Is Rolling Out New Health-Tracking Features: When to Unlock Them
Computer Weekly speaks with Valerie Veatch, the director of a documentary charting the historical development of artificial intelligence, about the difficulties of challenging hype narratives and the pressing need to build a culture of technological...
The ramifications of Capita’s botched Civil Service pension contract continue as politicians distance themselves
Japanese Space Agency names arrival date for BepiColombo Mercury mission
Burn: Experimenting with FOCUS / CUR-based Kubernetes billing reconciliation
Article URL: https://github.com/tanrikuluozlem/burn
Comments URL: https://news.ycombinator.com/item?id=48307565
Points: 1
# Comments: 0
The first review of the pilot for AI prescriptions refills in Utah [pdf]
Article URL: https://commerce.utah.gov/wp-content/uploads/2026/05/Doctronic-Outcomes-May-2026.pdf
Comments URL: https://news.ycombinator.com/item?id=48307561
Points: 1
# Comments: 0
