Hey, it's me, future you, loving retired life. Just wanted to say thanks for choosing Welfare FI to manage my pension. Turns out you don't even have to think about your pension when a team of investment experts do it all for you. Anyway, ciao for now! Voted best pension provider at the Your Money Awards for the past two years. Take the tiring out of retiring with a Welfare FI pension, with investing your capital is at risk. Hey guys, it's GK Barry here from the Saving Grace podcast and this week my podcast is sponsored by L'Oreal Paris True Match Foundation and Infallible 3 Second Setting Mist. So if I hadn't mentioned, I've been in my wifed up era for a while now, it's secure, it's reliable and honestly I've realised that's the exact same energy I want from my makeup. With 46 shades and a skincare infused formula, True Match Foundation is the definition of a reliable partner. I lock it all in with the Infallible 3 Second Setting Mist. One spray and it's a literal set and forget situation with zero transfer and a 36 hour makeup hold shop online or in store. This is the Daily Tech News for Tuesday, March 31st, 2026. We tell you what you need to know, give you the important context and help each other understand. Yeah, and today there's a lot to understand. We have a supply chain attack on a JavaScript package that is affecting millions of apps. This is the kind of thing that you may think doesn't affect you right away, but if something goes weird, you might want to know that this could be why. And if you're a developer, you're definitely going to want to know about this. Absolutely, if you're a developer, but we're going to get into what it actually is. I'm Jason Howell. I'm Tom Merritt and we're going to start with what you need to know with a big story. And big thank you to Motang who noted this story in our subreddit. So much activity happening in the subreddit. Love it. One of the most popular packages for developers to get their apps front end or back end to communicate suffered a supply chain attack. This is what Tom was talking about at the top. How did they do this? Well, I'm going to hand it over to Tom because he's the one that did some deep, deep learning on this because it is very developer focused. Yes, Jason prompted my deep learning package. So and security professionals, we are going to simplify some things here. So do forgive it, but I think this is mostly going to give people the accurate permission or accurate, accurate impression and you should go dig into it more if you are affected. An attacker compromised the maintainer account of the lead maintainer of the node package manager for, as Jason said, one of the most widely used JavaScript HTTP client libraries known as Axios. This has nothing to do with the publication Axios. I was a little confused when I first started seeing the headlines here. This just happens to share the same name. Developers use the Axios NPM in apps to make requests to servers and APIs. So it's how your app is going to communicate with other thing. It can manage requests between browsers, between Node.js apps, between servers, and it just makes things simple. You take this package, you put it in your app and now you can communicate with things. And so as you might expect, it's downloaded approximately 100 million times a week. People are putting it in their stuff all the time. The attacker was able to put a dependency in Axios 1.14.1 and Axios 0.30.4 that would install a remote access Trojan, or something very like a remote access Trojan, on machines running macOS Windows and Linux. So pretty much any machine. The Trojan worked a little differently, depending on the platform, but you'd end up with the same Trojan. It was disguised as a legitimate cryptography library. The malicious package was not referenced or imported anywhere in the Axios source code. So there weren't any obvious things to look for if you were scanning for it. It executed a post install script to install a backdoor, which was capable of remote command execution. And then, once it got all the stuff it wanted, removed the modified package and replaced that package with a clean file to avoid detection. So if you scanned it afterwards, you wouldn't see any trace of it. The Trojan could then execute commands and maintain persistence through reboots and all of that. They were published without an automated OIDC package origin or GitHub commit. So all that means is some of the automated alerts that would tip you off to something untoward being in there were avoided. They took like 18 hours to set up a fake history to make sure that you couldn't tell that this was coming from a compromised account. The malicious versions were actually live for about two to three hours before they were unpublished and a security hold was placed on the affected package. If you are a user of Axios, you should lock at Axios 1.14.0 and Axios 0.30.3 and treat any system that ran the malicious packages as fully compromised. Don't try to figure out if they got in. Just assume they did. Rotate your credentials. Rebuild your environments from a pre-infection state. We don't know who did this yet. Usually, there's a clue. We don't have a clue about who's responsible. Nobody's taking responsibility. It was a pretty sophisticated attack, though. So this isn't just somebody random. And we don't know who or how many apps were infected at this point or if any damage has been done as a result. Yeah, I think as I've been trying to poke through some of the reporting on this and understand it on a deeper level because I'm not a developer. I say that all the time. I love talking about these things because I learn a lot more about, well, at least my understanding of how these things happen on the back end. But I'm sure developers listening to this understand this on a deeper level and know what the payload could potentially be if they're running apps that are running or interacting with Axios. My mind goes to the safety advice that's being spread around right now is largely placed on the developers. Here's what you do if potentially your app was impacted. We are the end users on the other side. Is there anything that users should be doing? Because I'm sure a lot of people who aren't developers look at a story like this and are like, okay, well, what can I do if I, you know, how do I know I'm not using an app that was impacted by this? And now suddenly I'm, you know, my data is at risk. Yeah, it's a fair question. The target of this is probably the developer, not you. This doesn't necessarily mean they were going after your information. We'll find that out. And the real answer is we don't know. At the point where we're recording this, and you may know more now because you're listening to it later, we don't know who was infected. So we don't know if some app installed this Trojan, didn't get to it in time, and there's evidence that someone accessed a database, and that database has your user information. Even if we did know that, there's nothing you could do about it. This is that kind of attack where there's not much you could do. And it's the kind of thing that it's not a vulnerability, I don't think, in your software on your machine. It is the kind of vulnerability that is in their back end and front end servers and cloud communication stuff. The tools that they're using to create and iterate and all that kind of stuff. You, your information could be the target if you're dealing with a service that stores your information, but you are not the target for this. The target is that bigger payload. And because of the sophistication of it, my guess is they either wanted to cause trouble, you know, so discord and cause havoc, which there are plenty of sophisticated attackers out there trying to do that on purpose right now, just, you know, in order to disrupt the enemy, so to speak, a lot of Iranian hackers, a lot of North Korean hackers are doing that. Yeah, that's where my mind went, obviously. I'm sure a lot of other people don't know. Potentially, they don't know. I always hesitate to throw out like, well, it looks like it might be X, because if I'm a good attacker, I want to make it look like it's not me. I'm going to make it look like the usual suspects, but it also might be the usual suspects. Anyway, I go down that road only to say their goal could be to just cause disruption. Their goal could also be to go after particular kinds of information and use the cloud of a massive attack to make it harder to tell what they were really after. And I guess, I mean, all things considered is probably cold comfort, but, you know, a couple of hours is not a huge amount of time, but when you're talking about 100 million times, you know, downloaded per week, that's a few million. That's that still ends up being a huge number. And I would expect that a lot of developers have immediately jumped on this and, you know, locked themselves back, rolled back their versions. If you got a weird update to an app, that could be why. If you had a service outage and you don't know why there's a service outage, for instance, I tried to get my Echo to turn on my lights this morning and it was like, I can't do that right now. It was like, is that just a coincidence? Probably a coincidence, but you never know. There could be something related to this. Yeah, interesting. All right. I know a little more. Thank you, Tom. You're welcome. We like to shove no a little more in the Daily Tech News Show. And honestly, you know, if you are a developer who is like, oh, let me shed a little extra light on this, I can answer one of those questions. I can tell you an example. Feedback at Daily Tech News Show.com. Love it. DTNS is made possible by you, the listener. Thank you, folks who support the show. Like that Charlie dude, Justin Zellers, Carmine Bailey. You want to be like them? Go to patreon.com slash DTNS. Another morning, another reminder, there's a gap to be careful of, but maybe it's time to bridge the 9-5 and your dream of living life on your own terms. At HSBC, we know ambition looks different to everyone. Whether it's retiring early or leaving more for your family, we can help. Because when it comes to unlocking your money's potential, we know wealth. Search HSBC wealth today. HSBC UK, opening up a world of opportunity. HSBC UK current account holders only. There is plenty more we need to know today. Let's get to the briefs. Let's do. Anthropic Claude Code had its full TypeScript source code exposed thanks to an MPM package. You just learned what an MPM package is. It is in fact a node package manager. This is a different sort of vulnerability. This is an own goal sort of vulnerability. The MPM included a source map that pointed directly to an unprotected zip archive in Anthropics R2 cloud storage. Maybe the zip archive shouldn't have been unobfuscated, but definitely the MPM should not have had a source map in it. That source map is something you would have in there for troubleshooting. Take it out. Researcher Chalfon show publicly disclosed the issue today saying Claude code source code has been leaked via a map file in their MPM registry. The leak has about 1,900 files, more than 512,000 lines of TypeScript code, major internals that cover the core LLM engine, details about 40 internal agentic tools, also includes some flags that might indicate coming features. The kind of thing you're always finding in Android in advance. They're called proactive, voice mode, bridge mode, and kairos. Anthropic has not, at least as we are recording this issue, to public statement about this. It's embarrassing. How critical though? Because this is the engine that runs the knowledge, right? It is embarrassing that this happened. It is potentially going to give something to your competitors because they can now see a bunch of your source code. You don't see MF details. But yeah, if I'm open AI, I'm having a meeting where we pour over this, see if there's anything we can learn from it about how this works. Certainly, if I'm deep seek or somebody else, I am too. You may or may not learn a bunch, but if I'm anthropic, I wouldn't want them to have it. There are potential security issues, but then it's also the kind of thing that can help your security because now everybody knows what your source code is, and the white hats can flag vulnerability. You get some of the benefit of an open source situation, at least temporarily, without having an open source situation. But yeah, not great, Bob. Yeah, and apparently, this is not the first time this has happened with the Anthropic even. It happened early 2025. That was patched. So, you know, they've got a little history with this. Kairos, by the way, there are some more details that people have been able to pull out. It really does feel like Android APKs being thrown down. They're like, oh, there's a clue. Kairos being an always on autonomous agent mode. There's something called Dream, which is nightly memory consolidation. There's a team mem, which would be shared project memory. That could be interesting. And then this was weird. Buddy, which is apparently a Tamagotchi like pet system with models and ASCII art sprites. Okay. Okay. But again, this is something somebody was playing around with and set it up to be put in, but didn't launch it yet. Maybe there's a reason. That's fascinating. Yeah. I love that. Even if Tamagotchi's don't come to Anthropic Cloud Code, at least we know that they considered it. That they thought about it. Yeah. Now we know. We would have never known. Would have never known. I got to ask the question. One of us has to, did this map get left in because they vibed coded it? Oh, that's a good question to ask. Maybe we'll never know. But yeah. If it was my fault, I wouldn't admit it. Very interesting. Samsung has been busy. We got a couple of different related stories to Samsung. First, Samsung's new Galaxy Tab S11 Ultra Pro keyboard. So this is the keyboard accessory for the S11 Ultra. Now available in the US and Europe, it's a heavy aluminum laptop style case, has a track pad, has, you know, a dedicated AI key, turns that S11 Ultra into a near laptop. And I imagine, you know, launches Bixby and all that kind of stuff. But it costs $400. And digital trends notes that for only $100 more, if you're a student and you can get the discount through Apple, you can buy a MacBook Neo. So value proposition probably depends on whether you're in the Apple ecosystem. Or you don't have to spend $100 and you get the Galaxy Tab S11. There you go. That's a better way to think about it. Yeah. Actually both are compelling depending on your, yeah, totally. Samsung also just activated blood pressure tracking on Galaxy Watch 4 and newer devices running Wear OS 4.0 in the US. The feature does require the Samsung Health Monitor app to be installed. Also requires periodic calibration with a separate cuff every 28 days in order for it to continue to work. And with that, you get, what is it, systolic and diastolic measurements. Yeah, that's your 180 over 70 stuff. Right, right. And Samsung is, by the way, labeling this as a wellness tool, not something that they say, quote, is used to prevent or diagnose high blood pressure. So it's neat that it can do it, but don't rely on it. Basically. Kind of what I understand there anyways. Samsung also launched a here, here, here, H-E-A-R-A-P. So here therapy kind of combined. Too clever. They're trying to do here in therapy together. And I get it. It's one of those words that looks better than it sounds. Yeah. Sometimes that happens. Anyways, it's an app called here, to reduce motion sickness. And I've not heard of this before, by playing 100 Hertz frequencies, so really low frequencies for 60 seconds at a time into headphones that can support those frequencies. Of course, Samsung's earbuds can do that. It's meant to stimulate the inner ear balance system. And it's actually based on research from Nagoya University in Japan, where they learned that playing those tones uninterrupted can actually improve balance of the wearer inside of the headphones. So yeah, interesting approach. Inner ear is important to balance. So that kind of ties in. I like that you could use ties in. Did you do that on purpose? I did not. I wish I had. I'm going to pretend that I did, though. That's funny. If you know, you know. I love that this would work, even if you're not using Samsung's buds. As long as you've got a device that can play 100 Hertz frequencies, which most of your earbuds can, you can take advantage of this. That's cool. I mean, 100 Hertz is not like ultra, ultra low. I think that's pretty baseline for most headphones. You would have had to buy your headphones on T-MU for them not to be able to totally totally that. Meta is releasing a new version of its Ray-Ban smart glasses, refreshing their Gen 2 model with two new, more prescription friendly styles. This is so confusing to me. It doesn't seem to be confusing to many other journalists out there, but you can do prescription lenses in the Ray-Bans right now. But these are more prescription-y. We'll get to why that might be. Blazer Optics gives you the more squared approach, and Scripter Optics give you a rounded design. There's also a change in the frame design. They start at $499 before you spend money on the lenses. The lenses are going to cost you extra. The frames are slimmer, a little bit slimmer, have swappable nose pads, adjustable temple tips, and a design that works with a wider range of prescription lenses, including progressives and transitions. Temple tips and adjustable stuff is one of the reasons these are better for prescriptions because your optician can then use them to fine-tune the adjustment. So that's part of this too. Meta also launching some new software features along with this that will go to the full Meta Glasses lineup. That includes expanded Meta AI translation support for Japanese, Mandarin, and Arabic, along with food and nutrition tracking through on-device image analysis. You just look at your food, take a picture. Neural handwriting on the Meta Ray Band display is rolling out to everybody in the coming weeks. It'll let you write with your finger on any surface so that you can silently reply to a message. That'll work with Instagram, WhatsApp, Messenger, and native Android and iOS messaging apps. Ooh, that's kind of cool. I want to play around with that and see if that's actually as useful as it can sound. Yeah, yeah. And there's definitely times when you don't want to say your response out loud. Yeah. Like, yes, I'm still stuck with this boring guy. I'll message you when we're done, right? That might not be something you want to say out loud. And he's like, what are you scribbling on the invisible ink on the table right now? I'm taking imaginary notes on these fascinating things you're saying right now. The Ray-Ban Meta Blazer Optics Gen 2 and Scribber Optics Gen 2 will be available at US Optical Retail that's another part of this. You can go to your local Optical Store and get them as well as select international markets starting April 14th. Right on. Well, people ask, I mean, I've been on the show a number of times in the last couple of, last month or so, where people are constantly curious about the prescription implications of these things. And it's not like the previous Ray-Bans couldn't do prescriptions like you said. But like the different shapes of the frames and everything, is that just because, I mean, that requires a different type of cut for the lenses? Yeah, that's the specificity that this is solving. Yeah, that's part of it, right? You now get the typical style choices that you can get for your lenses. Some people have a particular type. The frame is part of the style, right? But then the lens shape is also part of the style and part of the working of it. Good. Well, then all this does is bring those smart glasses even closer to normal glasses, which I think is just necessary. And I guess the difference was before you would order your Ray-Bans and say, here's my prescription and whatever they could do to put it in there, they would, but you couldn't get them fine tuned with the nose pads and all of that. You couldn't get a particular shape of lens. You couldn't get transitions. And I can't, you know, you can do all the, almost all the things you would do if you bought the glasses from your optometrist. Yeah, solid. Yeah. Well, folks, if you want to tell us why they still left out that one feature that you need from your glasses or anything else, we're having great conversations in the Discord these days, by the way, join in. You can join your Patreon account to Discord and get in on the conversation. Just link your Discord, your Patreon account at patreon.com Please stop there with a gap. Another morning, another reminder, there's a gap to be careful of, but maybe it's time to bridge the one between your nine to five and your dream of living life on your own terms. At HSBC, we know ambition looks different to everyone. Whether it's retiring early or leaving more for your family, we can help because when it comes to unlocking your money's potential, we know wealth. Search HSBC wealth today, HSBC UK, opening up a world of opportunity. HSBC UK current account holders only. All right, we got a bunch of quick headlines that are good to know and make you look real smart while you're wearing those new Ray-Bans that you're about to get because of the description and all that. You're going to look smarter than Ronald Wayne did when he joined Steve Jobs and Steve Wozniak to file a partnership for Apple 50 years ago today. Happy 50th birthday to Apple. Everybody pitched in and got Tim Cook a little something. He got to ring the Nasdaq opening bell just as he dreamed when he was a child, I guess. I don't know. You're welcome, Tim. It's a thing they did. We did that for you. 50 years. Wow. Yeah. I was today years old when I realized that I'm as old as Apple. So there you go. Maybe not exactly. Today's not my birthday. I was six years old when they filed that paperwork. Crazy. Probably eating an apple. Yeah, I was. Yeah, I remember. Oh, I remember that day well. SpaceX reported that Starlink satellite 34343 for those who are counting, broke apart after an in orbit anomaly, likely an internal failure, not a collision. This happened on March 29th. And yes, it's sprinkled debris in orbit. Though analysis has concluded that that debris is not a threat to the ISS, the Artemis-2, or other Starlink missions. Yeah, just in time for people to go back to the moon. We sprinkle a little dust. I heard another way of referring to this. SpaceX reported that Starlink satellite exploded. A sploded. It exploded. Haven't heard that in a while. Instagram will reduce its use of the PG 13 label for teen accounts and add a disclaimer after reaching a deal with the Motion Picture Association. After the Motion Picture Association, who has never seen a seasoned assist, it doesn't want to send, sent one to Metta, which called Instagram's PG 13 language, false and highly misleading. That's our label. Only the MPA gets to say something's PG 13. Yeah. And unless we strike a deal. And then, you know, let's talk. And you put a long disclaimer to make it really confusing. It's been a long time coming, but Google is officially rolling out the ability for US users to change their Gmail address in account settings. One time per year, you keep that old address in the link for an alternate login. So that doesn't entirely go away. All your inbox, email and everything is preserved in the process. You're going to do it, Tom? No, no, no. I probably should. My personal email address is totally the kind you make when you're like fresh out of college. My Gmail address was the first one I didn't make ACE detect. Oh, okay. Yeah. So I'm fine. Yeah. I'm smarter than I was. But it was kind of fun to have an alt. You could have an alternate email address, I guess. Oh, that's true. I mean, you'd have them both. Yeah. Cause you keep the old one. Oh, yeah. I hadn't considered that. Yeah, that's true. Maybe I'll do it. Google Drive has a new ransomware detection feature coming out of beta that auto pauses sync alerts, collaborators and restores clean file versions by default for all users. Nice way to automatically protect you against ransomware. Thank you. Indeed. Google Drive. Thank you. Proton Workspace. It's a new encrypted business suite. It handles Proton's suite of apps and services, mail, calendar, drive, docs, sheets, and VPN, along with a new Proton Meet app for private audio and video calls and chats. The suite starts at $12.99 per user per month. That's kind of the baseline and then upgrades for premium users and then of course, enterprise users as well. Man, I use Proton Pass and I got some, I have Proton Mail. I'm telling you. It is good. Proton's on the march. Raspberry Pi Holdings reported 2025 revenue up 25% year over year on strong industrial demand from the US and China after raising prices twice in four months to cover higher memory chip costs. But as long as nothing stops industry from having demand, they'll be fine. Yeah. So that's working for them. What could go wrong? Go Raspberry Pi. Yeah. Nothing. Everything's going to be great, Tom. That's how I feel. Thanks to RW Nash and the subreddit for passing along that Apple briefly and mistakenly began rolling out its Apple intelligence features to some iPhone users in China before securing cyberspace administration approval, which is required before it could do that. Apple has since removed the features. Yeah. They have to try all variations of Tankman on Apple intelligence before they can approve it. Reviews of the Apple AirPods Max 2 are out in a nine to five Mac interview. Tim Millet, Apple VP of platform architecture shared that the one and a half times stronger active noise cancellation is due to the new H2 chips compute power and improved algorithms. In other words, it better. It's it's better with software, not hardware. I think that's kind of what I walked away with. It's not like that's good. That's a good way to put it. Newly inserted hardware thing. I mean, unless you consider the H2 chip hardware, but yeah, it's made which it is. But yeah, mostly so. Yeah, it is. Amazon is rolling out Alexa plus food ordering on Echo show eight and larger devices so users can now link your Grubhub account, your Uber eats account. You can browse and place orders using, of course, natural language if you're talking to it or on screen controls if you prefer. If you got the display, I'm going to have to do this. I'm going to have to order some food just to test this out. Oh, dang. And it is Tuesday. Delicious food might have to be tacos. Okay. All right. You do you, man. I love tacos. Order me some too. We end every episode of DTS. I wonder if you could order and have it delivered to me. You probably could. I can Uber eats. That I think DoorDash does it too. We end every episode of DTS with some shared perspectives and today Puy Ryan. Oh, did I? Is that? Yeah, I don't know where that came from. It's just Ryan. Let me try that again. Ryan, no Puy involved would love a tiny Mac mini along the lines of a Mac book, Neo. Yes. Puy writes, I'm sorry, Ryan writes. That was in her script. Neither one of us know where it came from. Anyway, Ryan, we apologize. Ryan writes, I would love a Mac mini for sub $300. That's that small. This is something Rob and I were speculating on yesterday. I've installed a few stick PCs or mini PCs on the back of TV screens and business settings with wireless keyboards and mice for video conferencing systems and basic web browsing for meetings, being able to do it with Mac instead of Windows would be very appealing in the media space. Interesting. That sounds very appealing. I would normally say, oh, Apple will never do that. But I mean, hey, the Neo came out. Yeah, we were like, what if they did what they're doing with the Neo, but in a small form factor for the Mac mini? And we were like, but who would want that? And Ryan's like me. I would want that. Thank you. Please do that. I think it would find a lot of a lot of use. I think you're right. Well, if you have got something you think would get a lot of use and you want to tell us about it, there's always room for more insight into a story. If we don't get to it here, we often get to it on our mailbag live stream on our YouTube channel as well. But do share it with us feedback at daily tech news show.com. Yes. And thank you to Puy. Sorry, Ryan for contributing to today's show. Thank you for being along for daily tech news show. You can keep us in business by becoming a patron at patreon.com slash DTNS. See you later, everybody. The DTNS family of podcasts helping each other understand. The Diamond Club hopes you have enjoyed this program. Please stop. Another morning, another reminder, there's a gap to be careful of, but maybe it's time to bridge the one between your nine to five and your dream of living life on your own terms. At HSBC, we know ambition looks different to everyone, whether it's retiring early or leaving more for your family. We can help because when it comes to unlocking your money's potential, we know wealth. Search HSBC wealth today. HSBC UK opening up a world of opportunity. HSBC UK current account holders only. Seconds. That's the difference between life and death. I've seen it first hand. I'm Javad Abdu'manem, a doctor with mid-sense en frontière. As conflicts continue to spread across the world, it's crucial we connect fast. As an MSF doctor, I may need to stop life threatening bleeding, treat gunshot wounds or care for blast victims all in a matter of seconds. That's why at mid-sense en frontière, we don't waste any time. We're working in more conflict zones than you may be aware of, giving everything to give people a chance. Just 30 pounds will keep our life saving work going. Please help us save more lives. Because with trauma care, every second counts. You can buy us vital time. Please give just 30 pounds. Search MSF doctor or call 0800 0557979. That's 0800 0557979. Thank you.
