🚨 SlowMist TI Alert 🚨 The Shai-Hulud malware has resurfaced via the npm account atool(i@hust.cc), with over 600 malicious versions published. Notably, high-download packages such as size-sensor@1.1.4 (4.2M dl/mo), echarts-for-react@3.1.7 (3.8M dl/mo), and @antv/scale@0.6.2 (2.2M dl/mo) are at elevated risk. The attack carries risks: 1. AI agent hijacking: Claude Code, Codex, and VS Code tasks can trigger a Bun bootstrapper that re-executes the malicious payload. 2. Credential harvesting: The malware collects credentials from cloud services, GitHub, npm, local environments, and CI/CD pipelines. Using ^ to specify version ranges may cause npm to automatically install versions that have been compromised or contain security risks. Detection & Mitigation Measures: • Audit dependencies for any package published by atool (i@hust.cc) and check for suspicious preinstall scripts • Remove compromised packages and rotate all exposed credentials • Inspect CI/CD pipelines and local Node.js projects for malicious hooks or workflows • Revert to safe package versions or known-good dependencies ⚠️ Critical Action: Treat any system with affected packages as potentially compromised. Apply mitigation steps immediately.

Turkey reported 880 Tesla sales and 1.1% market share in April. BEV penetration is 21% and Tesla has 5.2% of this segment. 🇹🇷 • Market share is 10 basis points or 10% above the 3-month trailing average of 1.0% • 100% Model Y • +577% vs. April last year and +80% compared to January the first month of the previous quarter • Best April ever • 3rd best first month of the quarter ever and +80% vs. the previous one • Last three months -44.6% vs. November - January • Year-to-date -15% over same period last year • Year-to-date is 10% or 1.2/12 of last year's total

NVIDIA $NVDA has missed revenue expectations just once in the last 5 years: 🟢 Q1 2022: $5.66B (+4.6%) 🟢 Q2 2022: $6.51B (+2.8%) 🟢 Q3 2022: $7.10B (+4.3%) 🟢 Q4 2022: $7.64B (+3.0%) 🟢 Q1 2023: $8.29B (+2.1%) 🔴 Q2 2023: $6.70B (-6.9%) 🟢 Q3 2023: $5.93B (+2.8%) 🟢 Q4 2023: $6.05B (+0.7%) 🟢 Q1 2024: $7.19B (+10.3%) 🟢 Q2 2024: $13.51B (+20.9%) 🟢 Q3 2024: $18.12B (+12.0%) 🟢 Q4 2024: $22.10B (+7.5%) 🟢 Q1 2025: $26.04B (+5.9%) 🟢 Q2 2025: $30.04B (+4.5%) 🟢 Q3 2025: $35.08B (+5.8%) 🟢 Q4 2025: $39.33B (+3.1%) 🟢 Q1 2026: $44.06B (+2.3%) 🟢 Q2 2026: $46.74B (+2.4%) 🟢 Q3 2026: $57.01B (+4.3%) 🟢 Q4 2026: $68.13B (+3.9%) NVIDIA reports next earnings this Wednesday. 97% chance they beat it. Trade here →

Announcing agentic performance benchmarking for Speech to Speech models on Artificial Analysis. We use 𝜏-Voice to measure tool calling and customer interaction voice agent capabilities in realistic customer service scenarios Even the strongest Speech to Speech (S2S) models today resolve only about half of realistic customer service scenarios end-to-end - a meaningful gap relative to frontier text-based agents on the same tasks. Voice channels introduce significant complexity: challenging accents, background noise, and packet loss, all while requiring fast responses, consistency across long multi-turn conversations, and reliable tool use. Performance also varies considerably by audio condition: in clean audio some models perform notably better, but realistic conditions continue to pose a challenge. Conversation duration also varies meaningfully across models, with implications for both customer experience and operational cost. About 𝜏-Voice: Our Agentic Performance benchmark is based on 𝜏-Voice (Ray, Dhandhania, Barres & Narasimhan, 2026), which extends 𝜏²-bench into the voice modality to evaluate S2S models on realistic customer service tasks. It measures multi-turn instruction following, support of a simulated customer through a complete interaction, and tool use against simulated customer service systems. The simulated user combines an LLM-driven decision model with realistic audio synthesis: diverse accents, background noise, and packet loss modelled on real network conditions. This complements our Big Bench Audio benchmark measuring intelligence and Conversational Dynamics (Full Duplex Bench subset) benchmark measuring conversational naturalness. Scores are the average of three independent pass@1 trials. We evaluate under realistic audio conditions using the 𝜏²-bench base task split across three domains: ➤ Airline (50 scenarios): e.g., changing a flight, rebooking under policy constraints ➤ Retail (114 scenarios): e.g., disputing a charge, processing a return ➤ Telecom (114 scenarios): e.g., resolving a billing issue, troubleshooting a service problem Task success is determined by deterministic checks against expected actions and final database state, consistent with the 𝜏²-bench evaluator. Key results: xAI's Grok Voice Think Fast 1.0 is the clear leader at 52.1%, averaging 5.6 minutes per conversation, the second-longest overall. OpenAI's GPT-Realtime-2 (High) (39.8%, 3.0 min) and GPT-Realtime-1.5 (38.8%, 4.8 min) follow, with Gemini 3.1 Flash Live Preview - High close behind at 37.7% (3.8 min). Speech to Speech is a fast evolving modality and we expect movement in rankings as we continue to add new models with these capabilities, and model robustness improves. Congratulations @xAI @elonmusk! See below for further detail ⬇️

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog:

🚨 BREAKING: node-ipc compromised. Again. Three malicious versions of node-ipc (9.1.6, 9.2.3, 12.0.1) were published today carrying an identical credential-stealing payload. This package has 10M+ weekly downloads. Here's what happened: An attacker injected an 80KB obfuscated IIFE into the CommonJS bundle. It fires on every require('node-ipc') call. No special config needed, just importing the package is enough. What it steals: → AWS, Azure, GCP credentials → SSH private keys → Kubernetes configs → Docker tokens → GitHub CLI tokens → AI tool configs (including Claude) → Terraform state → 90+ credential file patterns in total Everything gets gzipped and exfiltrated to an attacker-controlled domain (sh[.]azurestaticprovider[.]net) via DNS TXT queries and HTTPS POST, designed to look like normal traffic. The attacker published across two major version lines simultaneously (9.x and 12.x) to maximize blast radius. Semver ranges like ^9, ~9.1.x, ~9.2.x, ^12, and ~12.0 all resolve to compromised versions automatically on the next install or lockfile refresh. Key details: Only the CommonJS bundle (node-ipc.cjs) is affected. ESM imports are clean. The 9.x releases are fabricated. The 9.x line never shipped a .cjs bundle before this attack. This is a different actor from the 2022 peacenotwar incident. Purely financial, credential-theft motivation. If you installed any of these versions, assume all secrets on that machine are compromised. Rotate everything. Our full technical breakdown covers the attack chain stage by stage, IOCs, and how to check if you're affected:

Open-sourced Research-LLM (MIT): real StructureGuard T1 runs on long-context (~120k) synthetic corpora — committed JSON/MD, raw completions, failure analysis. Same corpus + format enforcement (2026-06-04): grok-3 & claude-sonnet-4-6 IPR 1.0; gemini-2.5-flash & gpt-4o-mini IPR 0.0. Baseline without enforcement: only grok-3 scored 1.0 (OpenAI row used gpt-4o-mini, not gpt-4o).

🚨 SlowMist TI Alert 🚨 MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately. Detection & Remediation: Please urgently audit your environments for exposure: • Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions. • Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges. • CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.). ⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner. As always, stay vigilant!

[📢] 𝗗-𝗟𝗜𝗧𝗘 𝗝𝗔𝗣𝗔𝗡 𝗟𝗜𝗩𝗘 𝗧𝗢𝗨𝗥 𝟮𝟬𝟮𝟰 - 𝗘𝗻𝗰𝗼𝗿𝗲- 𝗨𝗺𝗯𝗿𝗲𝗹𝗹𝗮 (傘) (𝗗’𝘀 𝗜𝗦 𝗠𝗘 𝗟𝗶𝗺𝗶𝘁𝗲𝗱 𝗘𝗱𝗶𝘁𝗶𝗼𝗻) 𝗢𝗡-𝗦𝗜𝗧𝗘 𝗦𝗔𝗟𝗘 𝗢𝗡𝗟𝗬 ⠀ ■詳細 1.OUT BOX (68x99mm) 2.IMAGE CARD (55x85mm) CARD (55x85mm / Random 1ea out of 2ea) PHOTO CARD (55x85mm) 5.SCRATCH CARD (85x55mm / Random 1ea out of 2ea) 6.LYRICS (255x165mm) ⠀ ■当日直接販売開始時間 ✔ 2024年11月30日(土) 東京・武蔵野の森総合スポーツプラザ メインアリーナ 会場前物販ブースにて　12:00～終演後まで ✔ 2024年12月1日(日)　 東京・武蔵野の森総合スポーツプラザ メインアリーナ 会場前物販ブースにて　11:00～終演後まで ✔ 2024年12月14日(土)　 兵庫・神戸ワールド記念ホール 会場前物販ブースにて　12:00～終演後まで ✔ 2024年12月15日(日)　 兵庫・神戸ワールド記念ホール 会場前物販ブースにて　11:00～終演後まで ⠀ ■PLVEアルバムの使い方 2.SNSアカウントで認証後、ログイン。 3.画面下部の「イメージボタン」をタップして、イメージカードをスキャン。 4.シリアルナンバーを登録。 5.アルバムをダウンロード。 ※一度登録したアルバムは、再登録不可になりますので、予めご了承ください。 ※2024年11月30日(土)19時以降にシリアルナンバーが記載されているイメージカードのスキャンが可能となります。 ※商品に不備がない限り、返品はご遠慮いただきますようお願いいたします。ご購入時に商品に不備がないか必ずご確認ください。 ⠀ ■PLVE販売 ※本商品は、各会場のグッズ販売所にて販売いたします。 ※音楽の視聴開始は、11月30日19時からとなります。 ※本商品は会場限定・数量限定での販売となります。 予めご了承ください。 ※当日の公演チケットをお持ちのお客様のみ、お一人様2点までご購入いただけます。 ※当日の状況により、販売時間が変更となる場合がございます。予めご了承ください。 ⠀ ■PLVEお問い合わせ ✔ アプリ内：設定ボタン（⚙️）>> 「1対1お問い合わせ」 ✔ メールアドレス：umkent@gadi.co.kr ⠀ #대성# #DAESUNG# #DLITE# #Ds_IS_ME# #Encore# #Live_tour#