
Inside GitHub's Fake Star Economy

Six mil­lion fake stars, $0.06 per click, and a VC fund­ing pipeline that treats GitHub pop­u­lar­ity as proof of trac­tion. We ran our own analy­sis on 20 re­pos and found the fin­ger­prints.


A GitHub star costs $0.06 at the low end. A seed round un­locks $1 mil­lion to $10 mil­lion. The math is ob­vi­ous, and thou­sands of repos­i­to­ries are ex­ploit­ing it.

This in­ves­ti­ga­tion maps the full ecosys­tem: from the peer-re­viewed re­search quan­ti­fy­ing the prob­lem, to the mar­ket­places sell­ing stars openly, to the ven­ture cap­i­tal pipeline that con­verts star counts into fund­ing de­ci­sions. We ran our own analy­sis on 20 repos­i­to­ries us­ing the GitHub API, sam­pling thou­sands of stargazer pro­files to in­de­pen­dently ver­ify which pro­jects show fin­ger­prints of ma­nip­u­la­tion - and which don’t.

The pic­ture that emerges is a ma­ture, pro­fes­sion­al­ized shadow econ­omy op­er­at­ing in plain sight.

The de­fin­i­tive ac­count comes from a peer-re­viewed study pre­sented at ICSE 2026 by re­searchers at Carnegie Mellon University, North Carolina State University, and Socket. Their tool, StarScout, an­a­lyzed 20 ter­abytes of GitHub meta­data - 6.7 bil­lion events and 326 mil­lion stars from 2019 to 2024 - and iden­ti­fied ap­prox­i­mately 6 mil­lion sus­pected fake stars dis­trib­uted across 18,617 repos­i­to­ries by roughly 301,000 ac­counts.

The prob­lem ac­cel­er­ated dra­mat­i­cally in 2024. By July, 16.66% of all repos­i­to­ries with 50 or more stars were in­volved in fake star cam­paigns - up from near-zero be­fore 2022. The re­searchers’ de­tec­tion proved ac­cu­rate: 90.42% of flagged repos­i­to­ries and 57.07% of flagged ac­counts had been deleted as of January 2025, con­firm­ing GitHub it­self rec­og­nized these as il­le­git­i­mate.

AI and LLM repositories emerged as the largest non-malicious category of fake-star recipients, ahead of blockchain/cryptocurrency projects in absolute volume at 177,000 fake stars. The study notes that “many of which are academic paper repositories or LLM-related startup products.” Critically, 78 repositories with detected fake star campaigns appeared on GitHub Trending, proving that purchased stars successfully game the platform’s discovery algorithm.

Earlier foun­da­tional work in­cludes Dagster’s March 2023 in­ves­ti­ga­tion, where en­gi­neers pur­chased stars from two ven­dors to study the phe­nom­e­non. They found ser­vices via ba­sic Google search. A pre­mium ven­dor - GitHub24, a reg­is­tered German com­pany (Moller und Ringauf GbR) - charged EUR 0.85 per star and de­liv­ered re­li­ably, with all 100 stars per­sist­ing af­ter one month. A bud­get ser­vice (Baddhi Shop) sold 1,000 stars for $64, though only 75% sur­vived.

The star-sell­ing ecosys­tem spans ded­i­cated web­sites, free­lance plat­forms, ex­change net­works, and un­der­ground chan­nels. At least a dozen ac­tive web­sites sell GitHub stars di­rectly, in­clud­ing SocialPlug.io, Buy.fans, Boost-Like.store, GitHubPromoter.com, Followdeh.com, and Vurike.com.

On Fiverr, 24 active gigs sell GitHub promotion, with packages from $5 for basic stars and forks to $25+ for “organic promotion.” Many use obfuscated language to evade platform filters. Star exchange platforms like GithubStarMate.com and SafeStarExchange.com - both live and operational - enable free mutual starring through credit-based systems.

The in­fra­struc­ture ex­tends be­yond stars. At least seven open-source tools on GitHub (fake-git-history, com­mit-bot, Commiter, and oth­ers) ex­ist specif­i­cally to fab­ri­cate GitHub con­tri­bu­tion graphs. Pre-built GitHub pro­files with five-year com­mit his­to­ries and Arctic Code Vault Contributor badges sell for ap­prox­i­mately $5,000 on Telegram.

Some vendors offer replacement guarantees - Followdeh advertises 30-day coverage, and premium services promise “non-drop” stars that survive GitHub’s detection systems. SocialPlug claims 3.1 million stars delivered across 53,000+ clients and offers a formal API for programmatic purchasing.

A Tsinghua University study (ACSAC 2020) doc­u­mented Chinese QQ and WeChat pro­mo­tion groups with 1,020+ mem­bers pro­cess­ing roughly 20 re­pos per day, gen­er­at­ing an es­ti­mated $3.4 to $4.4 mil­lion an­nu­ally in pro­moter prof­its.

To move be­yond re­ported sta­tis­tics, we built a GitHub API analy­sis tool and ran it against 20 repos­i­to­ries: pro­jects flagged by StarScout, fast-grow­ing AI re­pos from the Runa Capital ROSS Index, and known or­ganic base­lines. For each repo, we sam­pled 150 stargazer pro­files and mea­sured ac­count age, pub­lic re­pos, fol­low­ers, and bio pres­ence.

The fin­ger­prints of ma­nip­u­la­tion are un­mis­tak­able once you know what to look for.

Organic repos­i­to­ries are starred by de­vel­op­ers who have been on GitHub for years, main­tain their own pro­jects, and fol­low other users. Ghost ac­counts - zero re­pos, zero fol­low­ers, no bio - make up about 1% of a healthy pro­jec­t’s stargazer base.

These repos share a distinctive fingerprint. The accounts aren’t obviously new - median ages of 1,000+ days - so they pass simple “young account” filters. But they’re empty: a third have zero repos, half to four-fifths have zero followers, and a quarter are complete ghosts. These are aged accounts purchased or farmed specifically for star campaigns.

The fork-to-star ra­tio is the strongest sig­nal. Flask has 235 forks per 1,000 stars. Shardeum has 22. FreeDomain has 17. When no­body is fork­ing a 157,000-star repos­i­tory, no­body is us­ing it. The watcher-to-star ra­tio tells the same story: FreeDomain’s 0.001 means that for every 1,000 peo­ple who starred the repo, just one ac­tu­ally watches it for up­dates.

FreeDomain is worth iso­lat­ing: 157,000 stars, but only 168 watch­ers and 2,676 forks. That’s a watcher-to-star ra­tio 26x lower than Flask. 81.3% of sam­pled stargaz­ers have zero fol­low­ers. This is a repos­i­tory where al­most no­body who starred it has any vis­i­ble pres­ence on GitHub.

Union Labs is the most consequential case. It was ranked #1 on Runa Capital’s ROSS Index for Q2 2025 - a widely cited VC industry report identifying the “hottest open-source startups” - with 54.2x star growth and 74,300 stars. Our analysis found 32.7% zero-repo accounts, 52% zero-follower accounts, and a fork-to-star ratio of 0.052. The StarScout analysis flagged it with 47.4% suspected fake stars. An influential investment-sourcing report that VCs rely on was topped by a project with nearly half its stars suspected as artificial.

RagaAI-Catalyst and ope­nai-fm show clear ma­nip­u­la­tion sig­nals. RagaAI has 76.2% zero-fol­lower ac­counts and 28% ghosts - nearly iden­ti­cal to the blockchain pat­tern. ope­nai-fm is the most ex­treme case in our dataset: 66% sus­pi­cious ac­counts, 36% ghosts, and a me­dian ac­count age of just 116 days. Two-thirds of its stargaz­ers are less than a year old with vir­tu­ally no GitHub ac­tiv­ity. (The StarScout analy­sis notes this is likely third-party bots, not OpenAI it­self.)

Langflow - flagged by StarScout at 47.9% fake - showed clean met­rics in our pro­file sam­ple, with a me­dian age of 2,859 days and low ghost rates. This likely re­flects im­proved ac­count qual­ity since the StarScout scan. The 0.060 fork-to-star ra­tio is still no­tably low - roughly a quar­ter of Flask’s - sug­gest­ing less gen­uine adop­tion rel­a­tive to star count.

For com­par­i­son, NousResearch’s her­mes-agent looks rel­a­tively or­ganic: me­dian age 8 years, 6% ghosts, fork-to-star ra­tio of 0.133. Despite Reddit ac­cu­sa­tions of as­tro­turf­ing, the stargazer pop­u­la­tion is mostly real de­vel­op­ers. The pro­jec­t’s crypto-ad­ja­cent au­di­ence in­cludes more ca­sual GitHub users, which ex­plains slightly el­e­vated zero-fol­lower rates, but the fun­da­men­tal en­gage­ment pat­tern is le­git­i­mate.

The con­nec­tion be­tween GitHub star counts and startup fund­ing is not spec­u­la­tive - it is ex­plic­itly doc­u­mented by the in­vestors them­selves.

Jordan Segall, Partner at Redpoint Ventures, published an analysis of 80 developer tool companies showing that the median GitHub star count at seed financing was 2,850 and at Series A was 4,980. He confirmed: “Many VCs write internal scraping programs to identify fast growing github projects for sourcing, and the most common metric they look toward is stars.”

Those num­bers set an im­plicit tar­get. For $85 to $285 in bud­get stars, a startup can man­u­fac­ture the 2,850-star seed me­dian. For $990 to $4,500, it can reach Series A ter­ri­tory. Against typ­i­cal seed rounds of $1-10 mil­lion, the ROI ranges from 3,500x to 117,000x.

Runa Capital pub­lishes the ROSS (Runa Open Source Startup) Index quar­terly, rank­ing the 20 fastest-grow­ing open-source star­tups by GitHub star growth rate. Per TechCrunch, 68% of ROSS Index star­tups that at­tracted in­vest­ment did so at seed stage, with $169 mil­lion raised across tracked rounds. GitHub it­self, through its GitHub Fund part­ner­ship with M12 (Microsoft’s VC arm), com­mits $10 mil­lion an­nu­ally to in­vest in 8-10 open-source com­pa­nies at pre-seed/​seed stages based partly on plat­form trac­tion.

* Lovable (formerly GPT Engineer): 50,000+ stars, $7.5M pre-seed, $200M Series A at $1.8 bil­lion val­u­a­tion with 45 em­ploy­ees

Dagster’s Fraser Marlow, who led the fake star investigation, admitted directly: “In the run-up to the fundraising, I spent a fair amount of time preoccupied with GitHub stars.” An academic paper in Organization Science provided rigorous statistical evidence that GitHub engagement correlates with startup funding outcomes - startups active on GitHub are 15 percentage points more likely to have raised a financing round.

The in­cen­tive loop is self-re­in­forc­ing: VCs use stars as sourc­ing sig­nals, so star­tups ma­nip­u­late stars, so VCs see in­flated trac­tion, so more VCs adopt star-track­ing, so more star­tups ma­nip­u­late. Redpoint’s own pub­lished bench­marks give star­tups an ex­act tar­get to buy to­ward.

Our analy­sis re­vealed the fork-to-star ra­tio as the strongest sim­ple heuris­tic for iden­ti­fy­ing po­ten­tial ma­nip­u­la­tion. The logic is straight­for­ward: a star costs noth­ing and con­veys no com­mit­ment. A fork means some­one down­loaded the code to use or mod­ify it.

Any repos­i­tory with a fork-to-star ra­tio be­low 0.05 and more than 10,000 stars war­rants scrutiny. The watcher-to-star ra­tio is even more telling: or­ganic pro­jects av­er­age 0.005 to 0.030; FreeDomain reg­is­ters 0.001.

These ra­tios aren’t per­fect - ed­u­ca­tional re­pos and cu­rated lists nat­u­rally have low fork rates. But as a first-pass fil­ter, they catch the most egre­gious cases that raw star counts miss en­tirely.
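The first-pass filter described above, written out as an added example (it is not the article's analysis tool): it applies the fork-to-star and watcher-to-star thresholds and the ghost-account definition quoted in the text to constructed stargazer samples. The `GHOST_CEIL` cut-off, all class and function names, and every count not quoted in the article (marked in the comments) are assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Thresholds quoted in the article.
MIN_STARS = 10_000          # ratio checks apply above this star count
FORK_RATIO_FLOOR = 0.05     # forks/stars below this "warrants scrutiny"
WATCH_RATIO_FLOOR = 0.005   # low end of the organic 0.005-0.030 range
ZERO_FOLLOWER_CEIL = 0.50   # flagged repos: "half to four-fifths" zero followers
# Assumption (not from the article): a cut-off between the ~1% ghost share of
# healthy projects and the ~25% seen in flagged ones.
GHOST_CEIL = 0.10


@dataclass(frozen=True)
class Stargazer:
    age_days: int
    public_repos: int
    followers: int
    has_bio: bool

    @property
    def is_ghost(self) -> bool:
        # Article's definition: zero repos, zero followers, no bio.
        return self.public_repos == 0 and self.followers == 0 and not self.has_bio


@dataclass(frozen=True)
class Repo:
    name: str
    stars: int
    forks: int
    watchers: int
    low_forks_expected: bool = False  # educational repo or curated list


def ratio_flags(repo):
    """Repo-level signals; cheap, needs no per-account lookups."""
    if repo.stars <= MIN_STARS:
        return []
    flags = []
    if repo.forks / repo.stars < FORK_RATIO_FLOOR and not repo.low_forks_expected:
        flags.append("low-fork-ratio")
    if repo.watchers / repo.stars < WATCH_RATIO_FLOOR:
        flags.append("low-watcher-ratio")
    return flags


def profile_stats(sample):
    """Shares measured over a sample of stargazer profiles."""
    n = len(sample)
    if n == 0:
        raise ValueError("empty stargazer sample")
    return {
        "median_age_days": median(s.age_days for s in sample),
        "zero_repo": sum(s.public_repos == 0 for s in sample) / n,
        "zero_follower": sum(s.followers == 0 for s in sample) / n,
        "ghost": sum(s.is_ghost for s in sample) / n,
    }


def profile_flags(stats):
    # Median age is reported but deliberately not used as a flag: the article
    # notes that aged, empty accounts pass "young account" filters.
    flags = []
    if stats["ghost"] >= GHOST_CEIL:
        flags.append("ghost-heavy")
    if stats["zero_follower"] >= ZERO_FOLLOWER_CEIL:
        flags.append("zero-follower-heavy")
    return flags


def triage(repo, sample):
    return ratio_flags(repo) + profile_flags(profile_stats(sample))


def build_sample(ghosts, no_followers, active):
    """Constructed 150-profile sample; these are not real accounts."""
    return ([Stargazer(1100, 0, 0, False)] * ghosts
            + [Stargazer(1300, 2, 0, True)] * no_followers
            + [Stargazer(2900, 14, 23, True)] * active)


# Stars, forks and watchers are the article's FreeDomain figures; the sample is
# constructed so 122/150 (81.3%) have zero followers, as the article reports.
FREEDOMAIN = Repo("FreeDomain", stars=157_000, forks=2_676, watchers=168)
FREEDOMAIN_SAMPLE = build_sample(ghosts=38, no_followers=84, active=28)
# Stars and the 0.052 fork ratio and 52% zero-follower share are the article's
# Union Labs figures; the watcher count and ghost share are constructed.
UNION_LABS = Repo("Union Labs", stars=74_300, forks=3_864, watchers=520)
UNION_LABS_SAMPLE = build_sample(ghosts=30, no_followers=48, active=72)
# Fully constructed organic baseline (235 forks per 1,000 stars, ~1% ghosts).
BASELINE = Repo("organic-baseline", stars=70_000, forks=16_450, watchers=1_960)
BASELINE_SAMPLE = build_sample(ghosts=2, no_followers=13, active=135)

if __name__ == "__main__":
    for repo, sample in [(FREEDOMAIN, FREEDOMAIN_SAMPLE),
                         (UNION_LABS, UNION_LABS_SAMPLE),
                         (BASELINE, BASELINE_SAMPLE)]:
        print(repo.name, triage(repo, sample) or "no flags")
```

A fork-to-star ratio of 0.052 sits just above the 0.05 floor, so the ratio check alone passes that repository and only the profile sample flags it.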

The prob­lem ex­tends to every plat­form where pop­u­lar­ity met­rics in­flu­ence trust.

npm down­loads are triv­ially in­flat­able. Developer Andy Richardson demon­strated this by us­ing a sin­gle AWS Lambda func­tion (free tier) to push his pack­age is-in­tro­spec­tion-query to nearly 1 mil­lion down­loads per week - sur­pass­ing le­git­i­mate pack­ages like urql and mobx. Zero ac­tual users. The CMU study found that of re­pos with fake star cam­paigns, only 1.23% ap­peared in pack­age reg­istries, but of those 738 pack­ages, 70.46% had zero de­pen­dent pro­jects.

VS Code Marketplace ex­ten­sions are sim­i­larly vul­ner­a­ble. Researchers demon­strated 1,000+ in­stalls of a fake ex­ten­sion in 48 hours. AquaSec found 1,283 ex­ten­sions with known ma­li­cious de­pen­den­cies to­tal­ing 229 mil­lion in­stalls.

X/Twitter promotion amplifies artificial GitHub virality through engagement pods - private groups where members agree to like, repost, and comment on each other’s content. Growth Terminal sells this as a product feature. NBC News and Clemson University researchers identified a network of 686 X accounts that posted more than 130,000 times using LLM-generated content, some containing telltale artifacts like “Dolphin here!” from the uncensored Dolphin model they employed.

The Higgsfield AI case doc­u­ments cross-plat­form as­tro­turf­ing at in­dus­trial scale: over 100 con­firmed spam posts across 60+ sub­red­dits, com­bined with mass tem­plate DMs to con­tent cre­ators of­fer­ing pay­ment for pro­mo­tion.

The FTC Consumer Review Rule, effective October 21, 2024, explicitly prohibits selling or buying “fake indicators of social media influence” generated by bots or fake accounts for commercial purposes. Penalties: up to $53,088 per violation. The FTC issued its first warning letters to 10 companies in December 2025. A GitHub star purchased to promote a commercial product fits this framework.

The SEC prece­dent is more di­rect. HeadSpin’s CEO was charged with wire fraud (maximum 20 years) and se­cu­ri­ties fraud for in­flat­ing met­rics to de­ceive in­vestors out of $80 mil­lion. ComplYant’s founder faced charges for claim­ing $250,000 monthly rev­enue when ac­tual rev­enue was $250.

The SEC’s message: “Startup fundraisers cannot use the ‘fake it until you make it’ ethos to whitewash lying to investors.”

If a startup buys fake GitHub stars to in­flate per­ceived trac­tion dur­ing a fundrais­ing round, and in­vestors rely on those met­rics to de­ploy cap­i­tal, the wire fraud frame­work ap­plies: us­ing elec­tronic com­mu­ni­ca­tions to mis­rep­re­sent ma­te­r­ial facts for fi­nan­cial gain. No one has been charged specif­i­cally for fake GitHub stars yet. Given the CMU re­search doc­u­ment­ing the prac­tice at scale and the FTC rule ex­plic­itly cov­er­ing fake so­cial in­flu­ence met­rics, it may only be a mat­ter of time.

GitHub’s Acceptable Use Policies explicitly prohibit “inauthentic interactions, such as fake accounts and automated inauthentic activity,” “rank abuse, such as automated starring or following,” and “creation of or participation in secondary markets for the purpose of the proliferation of inauthentic activity.” The policies even specifically prohibit starring incentivized by “cryptocurrency airdrops, tokens, credits, gifts or other give-aways.”

Enforcement is re­ac­tive and asym­met­ric. GitHub re­moved 90.42% of repos­i­to­ries flagged by StarScout, but only 57.07% of the ac­counts that de­liv­ered those stars. The in­fra­struc­ture for fu­ture cam­paigns largely re­mains in­tact. When Dagster pub­lished its in­ves­ti­ga­tion, fake star pro­files were deleted within 48 hours - but only af­ter pub­lic em­bar­rass­ment, not proac­tive de­tec­tion.

GitHub has never published an engineering blog post about its detection methods or enforcement statistics. No transparency report exists for star manipulation. The company’s VP of Security Operations told Wired only that they “disabled user accounts in accordance with GitHub’s Acceptable Use Policies,” declining to elaborate - though that comment was specifically about the Stargazers Ghost Network malware operation, not vanity metric manipulation.

The CMU researchers recommended GitHub adopt a weighted popularity metric based on network centrality rather than raw star counts, a change that would structurally undermine the fake star economy. GitHub has not implemented it.

Bessemer Venture Partners calls stars “vanity metrics” and instead tracks unique monthly contributor activity - anyone who created an issue, comment, PR, or commit. Fewer than 5% of top 10,000 projects ever exceeded 250 monthly contributors; only 2% sustained it across six months.

Jono Bacon at StateShift rec­om­mends five met­rics that cor­re­late with real adop­tion: pack­age down­loads, is­sue qual­ity (production edge cases from real users), con­trib­u­tor re­ten­tion (time to sec­ond PR), com­mu­nity dis­cus­sion depth, and us­age teleme­try.

The fork-to-star ra­tio our analy­sis sur­faced is the sim­plest first-pass fil­ter. A healthy pro­ject has roughly 100-200 forks per 1,000 stars. Projects be­low 50 forks per 1,000 stars with high ab­solute counts de­serve a closer look.

As one commenter put it: “You can fake a star count, but you can’t fake a bug fix that saves someone’s weekend.”

First, the in­cen­tive loop. VCs use stars as sourc­ing sig­nals. Startups ma­nip­u­late stars. VCs see in­flated trac­tion. More VCs adopt star-track­ing. More star­tups ma­nip­u­late. Redpoint’s pub­lished bench­marks - 2,850 at seed, 4,980 at Series A - ef­fec­tively give star­tups a price list for how many stars to buy.

Second, the AI sec­tor’s spe­cific vul­ner­a­bil­ity. The com­bi­na­tion of ex­treme hype, crypto-ad­ja­cent fund­ing mod­els that re­ward to­ken price over prod­uct qual­ity, and a re­viewer ecosys­tem on X/Twitter pop­u­lated partly by fab­ri­cated per­sonas cre­ates a per­fect en­vi­ron­ment for man­u­fac­tured cred­i­bil­ity. Our analy­sis con­firmed this: the re­pos with the worst ma­nip­u­la­tion sig­nals were over­whelm­ingly blockchain and crypto-ad­ja­cent AI pro­jects.

Third, GitHub’s en­force­ment asym­me­try. Removing re­pos but leav­ing 57% of fake ac­counts in­tact pre­serves the la­bor force of the fake star econ­omy while do­ing lit­tle to de­ter re­peat of­fenses. Until GitHub im­ple­ments struc­tural changes - weighted pop­u­lar­ity met­rics, ac­count-level rep­u­ta­tion scor­ing, or trans­par­ent en­force­ment re­port­ing - the gap be­tween star counts and gen­uine de­vel­oper adop­tion will con­tinue to widen.

The star econ­omy is a $50 prob­lem with a $50 mil­lion con­se­quence. Until the plat­forms, in­vestors, and reg­u­la­tors catch up, the mar­ket will keep pay­ing the $50.

...

Read the original on awesomeagents.ai »


Vercel Says Internal Systems Hit in Breach

UPDATE–Vercel, a widely used cloud platform for developing and deploying apps, has disclosed a breach of its internal systems, and says a “limited subset of customers” is affected.

The incident came to light on Sunday and the company says it has brought in an incident response provider to investigate the intrusion. The company recommends that customers check activity logs for suspicious activity and also rotate environmental variables as a precaution. Vercel also suggests that customers use its sensitive environmental variables feature to mark things such as API keys as sensitive, which then causes Vercel to store them in an unreadable format.

Vercel said the in­tru­sion was re­lated to the com­pro­mise of a third-party app.

“Our investigation has revealed that the incident originated from a third-party AI tool whose Google Workspace OAuth app was the subject of a broader compromise, potentially affecting hundreds of its users across many organizations,” the company said.

Vercel did not identify the app but included the identifier for it in its IOCs. Given that the intrusion originated with a third-party app, there may well be other related incidents emerging in the coming hours or days.

“We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses,” the company said in a statement.

“At this time, we have identified a limited subset of customers that were impacted and are engaging with them directly.”

Vercel pro­vides a wide range of ser­vices for de­vel­op­ers and en­ter­prises, and has a num­ber of of­fer­ings that are fo­cused on agen­tic AI work­loads.

Vercel did not spec­ify which of its sys­tems were com­pro­mised or how many of its cus­tomers are af­fected, but said it has con­tacted the cus­tomers that it has iden­ti­fied as be­ing af­fected.

“Initially we identified a limited subset of customers whose Vercel credentials were compromised. We reached out to that subset and recommended an immediate rotation of credentials. If you have not been contacted, we do not have reason to believe that your Vercel credentials or personal data have been compromised at this time,” the company said.

Later on Sunday, Context, an AI provider, pub­lished a se­cu­rity no­tice re­lated to the Vercel in­tru­sion, say­ing that it had iden­ti­fied and halted an in­ci­dent in March that turned out to be con­nected to Vercel’s in­ci­dent. Context of­fi­cials said an at­tacker gained ac­cess to the com­pa­ny’s AWS en­vi­ron­ment and com­pro­mised OAuth to­kens for some of Context’s con­sumer users.

“Today, based on information provided by Vercel and some additional internal investigation, we learned that, during the incident last month, the unauthorized actor also likely compromised OAuth tokens for some of our consumer users. We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel’s Google Workspace,” the Context statement says.

“Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted ‘Allow All’ permissions. Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.”

This story was up­dated on April 19 to add in­for­ma­tion about the source of the in­tru­sion and on April 20 to add in­for­ma­tion from Context.

...

Read the original on decipher.sc »


Stop trying to engineer your way out of listening to people

I spend a lot of time ne­go­ti­at­ing this in the soft­ware world:

And if you’re won­der­ing why this hap­pens, it’s nor­mally be­cause:

So lots of designers and product people have leapt onto 1, basically trying to turn talking to people into terms engineering people find more cuddly. Like “framework”. Or “system”. Or even that term that’s in vogue, socio-technical system.

Stop. The prob­lem is­n’t that you need a bet­ter sys­tem. The prob­lem is you’re avoid­ing do­ing the work.

The prob­lem is, 2 is much harder than 1. So how do you lis­ten to peo­ple?

Listening is not the same as just do­ing what some­one tells you they want

Tonnes of frame­works around this con­cept, so I won’t re­peat what oth­ers have done de­cently al­ready. Jobs To Be Done, Outcome Driven Innovation, and in the UX camp, em­pa­thy map­ping.

You un­der­es­ti­mate the spe­cial­ism ef­fect on your own world­view

You spend so long learning a subject but a specific set of “surely they know this?!”. It can even be an area that the person is an expert in! Well, no, they don’t. They know other things instead. You need to understand more about what they know to be able to listen properly.

You assume “technical” is one thing

Such a common pitfall for software developers. Technical is a whole heterogenous beautiful spectrum of knowledge areas, and it’s not “exactly the knowledge I gained as a software developer with the exact jobs I had”. If you are still thinking of people with the binary of “technical” and “non-technical”, you definitely will be missing insights and most likely, you’re not listening properly.

You as­sume every­one has the same re­sources as you

The same en­ergy, the same skills, etc. So maybe you have a health con­di­tion, and you man­age it a cer­tain way, but when you chat with some­one else with the same health con­di­tion, they just can’t do the things you do, or vice versa. Some peo­ple are great at maths. Some peo­ple are great at other things. Some peo­ple have less money or re­serves and act more risk averse. Some peo­ple don’t. And so on.

You as­sume that be­cause you met one per­son with one char­ac­ter­is­tic, that the rest will be like that.

See also: as­sum­ing older peo­ple don’t un­der­stand com­put­ers. Some don’t. Some do. Not every woman is your mother or daugh­ter.

On the macro level - per­son­al­i­ties change over time.

On the mi­cro level - work per­sonas are dif­fer­ent to peo­ple at home, judge­ment al­ters when things are stress­ful or when cer­tain sit­u­a­tions arise.

This is fundamentally why a “fixed” project management just doesn’t work for making software. You set the requirements up front. People change in the interim. It comes out. At the very very best, it matches what was requested at the start. But it’s not what is wanted anymore. And people load in their own expectations, often not articulated, as they wait for The Thing and the reality never matches all of that.

You as­sume what they say is the same as what they are think­ing

Some peo­ple say what they mean. Some don’t. A lot of peo­ple say they say what they mean but ac­tu­ally aren’t do­ing that.

Yeah. I said it. Stop hat­ing or dis­miss­ing peo­ple for mis­un­der­stand­ing the thing you doc­u­mented badly. Stop as­sum­ing they are bad at their job or their lives.

If you’re dis­mis­sive of some­one, you are ex­tremely un­likely to be able to lis­ten to them prop­erly.

You as­sume 80 peo­ple are the same as 1 x 80 in­di­vid­u­als.

Turns out, B2B is more hu­man than B2C - all those messy re­la­tion­ships, dy­nam­ics, soft power vs org chart, and so on. Group dy­nam­ics add more here.

If you can’t lis­ten to them, then you’re gonna be miss­ing the juici­est stuff that’s gonna make you the most money, and steam you ahead of the com­peti­tors, and even, weirdly, help min­imise some sources of tech debt too - turns out every mis­un­der­stand­ing adds a new thing in the code you gotta work with later.

Hopefully, this will give a lit­tle clue for when we fall into not lis­ten­ing… so we can all lis­ten bet­ter.

...

Read the original on ashley.rolfmore.com »


Turtle WoW classic server announces shutdown after Blizzard wins injunction

Last week, popular World of Warcraft private server Turtle WoW got hit with a cease and desist from Blizzard after a judge ruled in the studio’s favor regarding a copyright infringement suit filed last September. Court documents revealed that the two parties reached a settlement that hinged on “certain actions that are required to be taken by certain parties,” and today, the other shoe dropped for anyone still playing the modded MMO: a forum post announced a complete shutdown of the project.

“Working on Turtle WoW has been the highlight of our lives,” said Turtle WoW developer Torta in the post. “The adventures you had, the battles you fought, and the friends you met are what made it all worthwhile. We hope you will cherish those moments. What we leave behind are fond memories of an 8-year-long journey, and we hope you’ll remember it every now and then.”

The servers will close on May 14, and all servers have been shot for­ward to the fi­nal patch for those who want to see the new raids be­fore the pro­jec­t’s sun­set.” All as­so­ci­ated so­cial me­dia chan­nels, in­clud­ing the fo­rum site, will close later this year on Oct. 16.

Fans of the server are saying their farewells on the subreddit and forum. “Wish I ended up playing more and dinging 60 in the end, but the time I did spend was fun. Thanks for the game and wishing everyone all the best,” wrote forum user Zeran. Reddit user ElChuppolaca wrote, “This is genuinely heartbreaking but I figured it would come seeing as they delayed any response for so long.”

If you’re un­fa­mil­iar with the server, it takes an Old School RuneScape ap­proach to World of Warcraft’s pre-ex­pan­sion era, back be­fore you could roll a pal­adin on the Horde or get an epic mount with­out grind­ing for hours. There are new raids, zones, playable races, and dun­geons, but noth­ing that raises the max level or in­cor­po­rates lore from re­cent story arcs.

The server aimed to deliver the “Classic Plus” experience fans of vanilla WoW have clamored for since official pre-expansion servers landed, and with Blizzard teasing its own take on the idea following the end of the game’s Season of Discovery, it’s hard not to see parallels with the shutdown of Nostalrius (which came just a year before World of Warcraft Classic was announced).

Regrettably, it seems that pub­lisher-ap­proved fan servers like EverQuest’s Project 1999 and City of Heroes’s Homecoming are the ex­cep­tion and not the rule, as in the end, the Turtle WoW team’s open plea for a fan server li­cens­ing frame­work proved fruit­less.

...

Read the original on www.pcgamer.com »


How Tesla hid fatal accidents to keep testing autonomous driving on the roads

The self-driving car promised a dream; for some road users it is turning into a nightmare. An investigation reveals how Elon Musk and Tesla used the roads as a testing ground by rushing an AI-based autonomous driving system to market.

The carmaker kept quiet about thousands of serious incidents. Some cost drivers and passengers their lives. Other road users found themselves involved without knowing it.

The investigation draws on a massive leak of internal Tesla data. These documents reveal the scale of the problem. The carmaker had been aware of its systems’ failures for years.

The files show thousands of customer complaints. More than 2,400 concern spontaneous acceleration, and the number of accidents exceeds 1,000. In many cases, the status shown was “unresolved”.

Some Tesla cars accelerated or braked abruptly for no reason. In artificial intelligence, these malfunctions are called “hallucinations”, as when ChatGPT gives a completely wrong answer.

On the road, the consequences are disastrous. The autonomous driving system can misinterpret its surroundings. At high speed, these errors become fatal.


The problem affects all road users. While many never agreed to be Tesla’s guinea pigs, they find themselves exposed, against their will, to the failures of the “Autopilot” system.


Naibel Benavides was 22. A mere pedestrian, she died in an accident involving a Tesla in “Autopilot” mode. Her partner Dillon Angulo survived with serious injuries.

“I didn’t know Autopilot existed. When I found out, I felt like a guinea pig,” says Dillon Angulo, who still suffers from the consequences of the accident today.

Naibel’s family decided to take Tesla to court. It accuses the carmaker of hiding crucial information. Tesla has always blamed the driver.

The investigators ran into unusual obstacles. The accident data should have been available in the vehicle’s “black box”. Yet Tesla claimed that this data was corrupted.

The victims’ lawyers called in experts, who managed to recover the deleted data. This information proves that Tesla was aware of the failure on the very evening of the accident.

The car in “Autopilot” mode had detected the obstacles. Yet it did nothing to avoid the collision. Only an alert sounded just before impact.

A jury ordered Tesla to pay more than 243 million dollars in damages. This penalty is a first in cases involving “Autopilot”. The jurors found that Tesla and the driver were responsible.

“This is a historic day for justice,” said the victims’ lawyer. The verdict shows that manufacturers cannot use public roads as a laboratory.

Tesla tried to have this verdict overturned. In late February, a federal judge upheld the penalty against the carmaker. The company can still appeal.

Tesla is the subject of several investigations in the United States. The Department of Justice is examining whether the carmaker misled consumers. The National Highway Traffic Safety Administration is also investigating.

Whistleblowers have testified to the authorities. They describe a company that prioritises speed at the expense of safety. The test version of autonomous driving was rushed to market, even though several employees had warned management about the dangers of “Autopilot”.

Experts expect further lawsuits to follow. The first verdict paves the way for new trials against Tesla.

...

Read the original on www.rts.ch »

6 270 shares, 9 trendiness

The insider trading suspicions looming over Trump's presidency

Five of those six users have placed no more bets since, but one account’s recent activity shows it has subsequently made $163,000 by correctly betting on a US-Iran ceasefire by 7 April, which was announced by Washington and Tehran on that day.

...

Read the original on www.bbc.com »

7 226 shares, 9 trendiness

Swiss authorities want to reduce dependency on Microsoft

Copyright 2024 The Associated Press. All Rights Reserved

The Swiss gov­ern­ment is aim­ing to grad­u­ally shift away from a de­pen­dency on Microsoft prod­ucts, ac­cord­ing to the NZZ am Sonntag news­pa­per.

A spokesman for the Federal Chancellery told the newspaper that the federal administration aims to reduce its dependency on Microsoft, “step by step and in the long term”.

This comes as a surprise, as Microsoft 365 was recently installed on some 54,000 administration workstations — despite concerns about data security. Calls for alternatives previously met with internal resistance and charges of “tinkering”, the NZZ am Sonntag writes.

However, for­mer army chief Thomas Süssli called for al­ter­na­tive so­lu­tions to be ex­am­ined more quickly. A fea­si­bil­ity study now shows that re­place­ment with open-source soft­ware is pos­si­ble. Germany serves as a ref­er­ence: there, work is un­der­way on an in­de­pen­dent open-source so­lu­tion in which Bern is also in­ter­ested.

The German state of Schleswig-Holstein has al­ready switched over its ad­min­is­tra­tion. Open-source soft­ware can be used freely, while it can also be fur­ther de­vel­oped in­de­pen­dently of cor­po­ra­tions.

Swiss authorities have spent a tidy amount on Microsoft software in recent years: an investigation by SRF last year showed that the federal government and cantons spent over CHF1.1 billion ($1.4 billion) on licences with the tech giant over the past ten years.

The Trump ad­min­is­tra­tion and its ap­proach to the rule of law are in­creas­ing con­cerns among users of US tech­nol­ogy. This is be­cause US law — thanks to the 2018 Cloud Act — al­lows the gov­ern­ment to ac­cess all data stored by US tech cor­po­ra­tions.

This means that if data is stored on servers or clouds of US firms such as Microsoft, Apple or Adobe — no mat­ter where in the world — US au­thor­i­ties may re­quest this data from the US cor­po­ra­tions. This could even be the case if the servers are in Switzerland. Users gen­er­ally have no idea which au­thor­ity is ac­cess­ing the data nor what is be­ing done with it.

...

Read the original on www.swissinfo.ch »

8 216 shares, 13 trendiness

MXmap — Email Providers of Swiss Municipalities

⚠ This data may be out of date or in­cor­rect. A re­search pro­ject is on­go­ing to fur­ther de­velop such maps.

A map of all ~2,100 Swiss mu­nic­i­pal­i­ties show­ing which provider han­dles their of­fi­cial email — grouped by ju­ris­dic­tion — based on pub­lic DNS records and other pub­lic net­work sig­nals.

Digital sov­er­eignty: US-based providers are sub­ject to the US CLOUD Act, which al­lows US au­thor­i­ties to re­quest stored data, re­gard­less of where it is phys­i­cally hosted. This map makes the cur­rent provider land­scape vis­i­ble.

Each mu­nic­i­pal­i­ty’s of­fi­cial do­main is checked via 11 sig­nals from DNS records, SMTP ban­ners, ASN lookups, and a pub­lic Microsoft API end­point, then clas­si­fied by provider type with con­fi­dence scor­ing.

Disclaimer: DNS records in­di­cate mail rout­ing and au­tho­rized senders, not nec­es­sar­ily where data is stored.

The code and data are on GitHub.

If you have no­ticed an er­ror, please sub­mit an is­sue.

...

Read the original on mxmap.ch »

9 215 shares, 10 trendiness

How Strife in the Middle East Could Halt Production of the World’s Memory Chips

The U.S.-Israeli war with Iran, now in an unstable ceasefire, has exposed a structural failure in the global semiconductor memory supply chain, and it is not the one analysts seem to be tracking. The story receiving attention is helium: Qatar’s Ras Laffan facility went offline, a 45-day inventory clock started running, and spot prices doubled within days. The story receiving almost no attention is bromine, and it is potentially the more dangerous one. Bromine is the raw material from which specialized chemical suppliers produce semiconductor-grade hydrogen bromide gas, the etch chemical that South Korean fabs use to carve the transistor structures in every Dynamic Random-Access Memory (DRAM) and NAND flash chip on earth. A DRAM chip powers active computation and loses its contents the moment power cuts. A NAND chip retains data without power and underlies every form of digital storage. Together they underpin every modern computing device, from the phone in your pocket to the data center running your AI applications.

South Korea sources 97.5 per­cent of its bromine im­ports from Israel. Beyond that vul­ner­a­ble con­cen­tra­tion, con­vert­ing bromine into semi­con­duc­tor-grade hy­dro­gen bro­mide gas re­quires ded­i­cated pu­rifi­ca­tion in­fra­struc­ture, and pro­duc­ers out­side Israel are al­ready fully com­mit­ted to ex­ist­ing cus­tomers and stretched too thin to ab­sorb ad­di­tional de­mand. Building new con­ver­sion ca­pac­ity takes years of per­mit­ting, equip­ment pro­cure­ment, and fab­ri­ca­tion qual­i­fi­ca­tion.

ICL Group, the Israeli multinational formerly known as Israel Chemicals Ltd., currently continues Dead Sea operations. Israel routes most trade through Mediterranean ports at Haifa and Ashdod, bypassing the Strait of Hormuz entirely. But Iran has been striking the Negev — Israel’s southern desert and the heart of its defense and industrial infrastructure — with ballistic missiles for three weeks, hitting Dimona and Arad, both within 35 kilometers of ICL’s Dead Sea extraction and conversion complex. If Israeli bromine production is displaced, there are no conversion facilities outside Israel capable of immediately producing semiconductor-grade hydrogen bromide gas at the scale required to replace it, and policymakers have not yet acted on that fact.

The vul­ner­a­bil­ity sits in plain sight, within mis­sile range and out­side any mean­ing­ful pol­icy re­sponse. A dis­rup­tion would be im­me­di­ate and global. Within weeks, short­ages would prop­a­gate across every­thing from con­sumer de­vices to mil­i­tary sys­tems.

Bromine’s role in semi­con­duc­tor man­u­fac­tur­ing is spe­cific and non-sub­sti­tutable. Its pri­mary de­riv­a­tive, hy­dro­gen bro­mide, is con­sumed at the poly­sil­i­con etch­ing stage foun­da­tional to both DRAM and NAND flash pro­duc­tion. Each DRAM mem­ory cell re­quires a poly­sil­i­con gate elec­trode etched with ex­treme pre­ci­sion over a sil­i­con ox­ide layer as thin as 20 angstroms. Hydrogen bro­mide gas plas­mas achieve a poly­sil­i­con-to-ox­ide se­lec­tiv­ity ra­tio of 100 to 1, while chlo­rine-based al­ter­na­tives achieve roughly 30 to 1. At ad­vanced DRAM node geome­tries, that is the dif­fer­ence be­tween a func­tional tran­sis­tor and a de­stroyed one. Bromine also ap­pears in chem­i­cal va­por de­po­si­tion processes and chip pack­ag­ing. There is no vi­able near-term sub­sti­tute in any of these ap­pli­ca­tions.

Three structural realities determine why the gap cannot be bridged through market reallocation. First, bromine already converted for industrial use such as flame retardants and drilling fluids cannot be reconverted. Those processes are chemically irreversible at any industrial scale and the resulting compounds cannot meet the parts-per-billion purity specifications that fabrication facilities require. The two supply chains draw from the same raw material but diverge permanently at the point of conversion. Second, converting raw bromine to semiconductor-grade hydrogen bromide gas requires dedicated purification infrastructure, specifically gas-phase distillation columns capable of lowering trace metals to parts-per-billion contamination levels. That infrastructure does not exist at scale outside the existing semiconductor chemical supply chain, and building more facilities requires permitting, equipment procurement, testing, and fabrication qualification measured in years. Third, producers such as Resonac, Air Liquide, and Adeka manufacture semiconductor-grade hydrogen bromide gas outside Israel, but their combined capacity is already committed to existing customers: Taiwan Semiconductor Manufacturing Company, the world’s dominant contract chipmaker; Samsung, the leading producer of DRAM and high-bandwidth memory; and Semiconductor Manufacturing International Corporation, China’s largest state-backed foundry. Critically, those customers are not holding steady: AI infrastructure buildout is accelerating demand across the board, meaning outside producers are stretched thin against a growing baseline. Even if outside producers could expand output, South Korean facilities would be competing for that capacity with Taiwan, Samsung’s own logic plants, and China, all of whom face the same accelerating demand.

The Dead Sea is among the most bromine-rich bodies of water on earth. ICL Group, which extracts at the lowest cost of any producer globally, dominates a global supply of which Israel and Jordan together account for roughly two thirds. Critically, ICL’s hydrogen bromide gas production, including the semiconductor-grade output supplied to South Korean fabrication plants, is manufactured at the same Sodom facility where extraction occurs, meaning extraction and conversion infrastructure are co-located in the same vulnerable corridor. Iranian missiles have already penetrated Israeli air defenses in the Negev on multiple occasions, wounding nearly 200 people in Dimona and Arad, both in the same geographic corridor as ICL’s production and conversion sites.

The mechanism of disruption does not require a direct hit on an ICL facility. War risk insurance for vessel calls at Israeli ports has already risen from 0.2 percent to between 0.7 and 1.0 percent of vessel value per seven-day call, adding up to $500,000 in costs per voyage on a mid-sized cargo ship. Even for ships routed through the Mediterranean rather than the Red Sea, those insurance costs apply the moment a vessel calls at an Israeli port. The war risk premium follows the port, not the route. ZIM, Israel’s primary shipping line, has implemented a “war risk premium surcharge” on all cargo to and from Israel. Haifa oil refinery — the country’s largest — was shut down after its power station was damaged in an Iranian attack, demonstrating that critical industrial infrastructure does not require a direct strike to be forced offline. The downstream consequences of even a partial disruption to that corridor would propagate immediately across the global memory supply chain.

Samsung and SK hynix to­gether dom­i­nate ap­prox­i­mately 70 per­cent of the global DRAM mar­ket. SK hynix alone holds roughly 57 per­cent of the high band­width mem­ory mar­ket. Since DRAM and NAND un­der­pin every mod­ern com­put­ing de­vice, a sup­ply dis­rup­tion would prop­a­gate across the full con­sumer and in­dus­trial elec­tron­ics stack, not only AI in­fra­struc­ture. High band­width mem­ory — a spe­cial­ized form of DRAM stacked ver­ti­cally to de­liver the data speeds that AI ac­cel­er­a­tors such as Nvidia’s graph­ics pro­cess­ing units re­quire — is sold out through 2026, and DRAM sup­pli­ers hold only two to three weeks of in­ven­tory. A short­age would force both com­pa­nies to al­lo­cate scarce hy­dro­gen bro­mide gas to their high­est-value lines — high band­width mem­ory for AI ac­cel­er­a­tors — at the ex­pense of com­mod­ity DRAM and NAND used in phones, per­sonal com­put­ers, lap­tops, and data stor­age. The con­se­quences fall hard­est across Africa, South Asia, and Latin America, where mem­ory al­ready ac­counts for 15 to 20 per­cent of the bill of ma­te­ri­als for a mid-range smart­phone. That share rises sharply for bud­get de­vices, the pri­mary gate­way to dig­i­tal par­tic­i­pa­tion across Africa, South Asia, and Latin America. Smartphone prices in Bangladesh have al­ready risen 10 to 25 per­cent in 2026 as a di­rect re­sult of DRAM and NAND in­fla­tion, with sim­i­lar in­creases re­ported in Nigeria and South Africa. Budget smart­phones are re­vert­ing to 4 gi­ga­bytes of RAM in 2026, pre­cisely as on-de­vice AI fea­tures de­mand more, not less. A bromine sup­ply shock would price hun­dreds of mil­lions of peo­ple out of the de­vices through which they ac­cess bank­ing, ed­u­ca­tion, health­care, and eco­nomic op­por­tu­nity.

The exposure extends beyond commercial technology. The majority of guidance systems, radar modules, and electronic warfare packages fielded by the U.S. military run on DRAM and NAND flash chips sourced from the same commercial facilities, on the same allocation logic, with less procurement flexibility than commercial customers. Since the Defense Department shifted to commercial off-the-shelf procurement in the 1990s, there is no separate defense-grade memory supply chain. A shortage that forces Samsung and SK hynix to prioritize high-margin high bandwidth memory for AI customers would deprioritize the commodity DRAM used in precision-guided munitions, intelligence platforms, and shipboard radar systems, with no government visibility into how that allocation decision gets made. The same war straining ICL’s operational continuity is simultaneously depleting munitions stockpiles whose guidance systems depend on the same memory supply chain. The supply stress and the demand spike are running in the same direction at the same time.

The consequences for American AI follow directly from the South Korean exposure but run through a supply chain that most U.S. policymakers have never traced. Every Nvidia Blackwell and Rubin graphics processing unit requires high-bandwidth memory stacks that come almost entirely from SK hynix and Samsung, as SK hynix is Nvidia’s primary high-bandwidth memory supplier for both platforms. Microsoft, Amazon, Google, and Meta are deploying hundreds of billions of dollars in AI infrastructure on delivery schedules that assume South Korean plants will have uninterrupted access to the etch chemicals they need. A bromine disruption produces delivery slippage, renegotiated contracts, higher spot prices, and delayed server deployments.

Three levers are avail­able, and they re­quire ac­tion si­mul­ta­ne­ously. First, the most im­me­di­ate is phys­i­cal pre-po­si­tion­ing. Arkansas bromine from Albemarle and TETRA Technologies can­not be used di­rectly in chip pro­duc­tion, but it could serve as feed­stock for semi­con­duc­tor-grade hy­dro­gen bro­mide gas con­ver­sion if that in­fra­struc­ture ex­isted, which is pre­cisely the gap that ought to be closed. South Korean com­pa­nies could also es­tab­lish bromine for­ward con­tracts lock­ing in sup­ply and price for 12 to 18 months.

Second, the sin­gle most im­por­tant struc­tural ac­tion is the one with the longest lead time: build­ing semi­con­duc­tor-grade hy­dro­gen bro­mide gas con­ver­sion ca­pac­ity out­side Israel. The Chip 4 frame­work should be ex­tended to in­clude a crit­i­cal ma­te­ri­als an­nex with a co­or­di­nated al­lied pro­gram to site, per­mit, and fund ded­i­cated gas-phase dis­til­la­tion in­fra­struc­ture ca­pa­ble of achiev­ing parts-per-bil­lion pu­rity in ge­o­graph­i­cally di­ver­si­fied lo­ca­tions — par­tic­u­larly in South Korea, Japan, and the United States. Private firms will not build con­ver­sion in­fra­struc­ture at this scale and speed with­out gov­ern­ment man­date, off­take guar­an­tees and per­mit­ting pri­or­ity.

Third, each government should take action in its own lane, but in a coordinated fashion. South Korea should designate bromine a critical mineral, mandate minimum inventory levels, and fund domestic conversion infrastructure jointly with Samsung and SK hynix. The United States should add bromine, semiconductor-grade hydrogen bromide gas, and the full range of specialty gases derived from bromine to the critical minerals list, and use Defense Production Act authority and CHIPS and Science Act funding to co-invest with allies in purification capacity on allied soil. Israel should formalize bromine as a strategic export commodity, harden ICL’s production sites against missile attack, and use the 2030 Dead Sea concession expiration to bring in allied capital in exchange for long-term supply priority.

In sum, the bromine risk sits outside every dashboard anyone is monitoring. The structural failure is not the war: It is that the global memory supply chain has built itself around a conversion chokepoint with no redundancy and no fallback. If ICL’s Sodom facility goes offline, the gap does not get filled. The action that matters most — building semiconductor-grade hydrogen bromide gas conversion capacity outside Israel — takes years. The actions available now — forward contracts, inventory mandates, and Arkansas feedstock development — buy months at best, not years. That gap is precisely why these three countries should move now, before an Iranian ballistic missile makes the answer irrelevant.

Alvin Camba, Ph.D., is lead scientist and director of research at Lyvi. He is also a nonresident fellow in the Indo-Pacific Security Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, and a senior research fellow at Associated Universities, Inc. His book on Chinese megaprojects and coalition politics in Southeast Asia is in production at Cornell University Press.

**Please note, as a matter of house style, War on the Rocks will not use a different name for the U.S. Department of Defense until and unless the name is changed by statute by the U.S. Congress.

...

Read the original on warontherocks.com »

10 204 shares, 12 trendiness

A Brief History of Fish Sauce

...

Read the original on www.legalnomads.com »
