Jayson Tatum in elimination games excluding G7 versus Miami, where he got hurt: 27.3 PPG (leads NBA) 8.6 RPG 6.0 APG 1.1 SPG 1.1 BPG 44/38/84% He’s 11-5 in that span… nobody in the association is better in do-or-die situations 🍀

$HD Q1’26 EARNINGS HIGHLIGHTS 🔹 Revenue: $41.77B (Est $41.51B) 🟢; +4.8% YoY 🔹 Adj. EPS: $3.43 (Est $3.41) 🟢 🔹 Comp Sales: +0.6% (Est +0.9%) 🔴 🔹 U.S. Comp Sales: +0.4% 🔹 Net Earnings: $3.3B FY26 Guide: 🔹 Comp Sales Growth: Flat to +2.0% (Est +1.55%) 🟡 🔹 Sales Growth: +2.5% to +4.5%, reaffirmed 🔹 Adj. EPS Growth: Flat to +4.0%, reaffirmed 🔹 New Stores: ~15 🔹 Adj. Operating Margin: 12.8%-13.0% Commentary: 🔸 “Our first quarter results were in line with our expectations.” 🔸 “The underlying demand in our business was relatively similar to what we saw throughout fiscal 2025, despite greater consumer uncertainty and housing affordability pressure.”

NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at

The UK reported 831 Tesla sales and 0.6% market share in April. BEV penetration is 26.2% and Tesla has 2.1% of this segment. 🇬🇧 • +62% vs. April last year and +16% compared to January the first month of the previous quarter • Last three months +10.0% vs. November - January • Year-to-date -3% over same period last year • Year-to-date is 28% or 3.3/12 of last year's total

i just tried a new “private” instant swap exchange as they claim to have 0.2% fee $1000 USDT -> $997 USDC (0.3%) wow still great but if you scroll down, that doesn’t include the extra 0.6% they charge when you swap in total, it charges the same as Houdini, FixedFloat, etc: 1% fee, plus swaps take ~11 mins if you need a private instant swap exchange, just use @AnySwapBot, from 55% to 75% cheaper on EVERY swap & with better features

🚨 SlowMist TI Alert 🚨 The Shai-Hulud malware has resurfaced via the npm account atool(i@hust.cc), with over 600 malicious versions published. Notably, high-download packages such as size-sensor@1.1.4 (4.2M dl/mo), echarts-for-react@3.1.7 (3.8M dl/mo), and @antv/scale@0.6.2 (2.2M dl/mo) are at elevated risk. The attack carries risks: 1. AI agent hijacking: Claude Code, Codex, and VS Code tasks can trigger a Bun bootstrapper that re-executes the malicious payload. 2. Credential harvesting: The malware collects credentials from cloud services, GitHub, npm, local environments, and CI/CD pipelines. Using ^ to specify version ranges may cause npm to automatically install versions that have been compromised or contain security risks. Detection & Mitigation Measures: • Audit dependencies for any package published by atool (i@hust.cc) and check for suspicious preinstall scripts • Remove compromised packages and rotate all exposed credentials • Inspect CI/CD pipelines and local Node.js projects for malicious hooks or workflows • Revert to safe package versions or known-good dependencies ⚠️ Critical Action: Treat any system with affected packages as potentially compromised. Apply mitigation steps immediately.

⚡️ @BNBCHAIN is absolutely dominating the RWA space with +567.4% YTD growth in holders, reaching 59.8K total RWA holders and adding +54.06K new holders so far this year. Followed by: 🔸@base: +84.5% 🔸@solana: +73% 🔸@StellarOrg: +66.7% 🔸@ethereum: +47.8% 🔸@arbitrum: +35.8% 🔸@0xPolygon: +10.1% 🔸@avax: +0.6% 🔸@plumenetwork: - 5.1% 🔸@HyperliquidX: -9.8%

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog: