Forked by Microsoft: When Open Source Meets Corporate Power
Trade wars are now hitting Python!
Welcome to HackerPulse Dispatch! Here's your weekly roundup of the latest developments in tech, ranging from serious security concerns to satirical software experiments.
Microsoft has raised alarms over a surge in cyberattacks leveraging Node.js for stealthy data theft, while GitHub Copilot has drawn criticism after auto-enabling itself without user consent, raising fresh privacy concerns. EdgeDB engineers uncovered a rare ARM64 crash that slipped past Rust's safety net, ultimately traced back to a thread-unsafe function in the C standard library.
On a lighter note, the TARIFF Python package offers a tongue-in-cheek take on software protectionism by letting devs delay imports to defend local code.
Here's what's new:
Microsoft: Node.js Increasingly Used for Malware Delivery and Data Theft: Microsoft has warned about a surge in cyberattacks that use Node.js to bypass detection, steal data, and maintain long-term access, delivered through phishing and malvertising.
C Stdlib Isn't Threadsafe and Even Safe Rust Didn't Save Us: EdgeDB engineers uncovered a rare ARM64 crash that bypassed Rust's safety guarantees, tracing it not to their own code but to a thread-unsafe function in the C standard library.
TARIFF: The Greatest, Most Tremendous Python Package That Makes Importing Great Again!: TARIFF is a satirical Python package that lets developers impose artificial delays on imports to 'protect' local code, because even numpy needs to pay its fair share.
GitHub Copilot Auto-Enabled Itself Without Consent: Devs report that Copilot auto-enabled across all VSCode workspaces after an update, overriding user preferences and raising serious concerns about privacy, control, and client data exposure.
Getting Forked by Microsoft: A solo developer behind the Kubernetes tool Spegel recounts how early collaboration with Microsoft quietly turned into a copycat release, raising questions about ethics, licensing, and the future of open source.
Microsoft: Node.js Increasingly Used for Malware Delivery and Data Theft (Read Paper)
Cybercriminals are finding new ways to exploit trusted tools, and Microsoft is sounding the alarm. A surge in sophisticated attacks leveraging Node.js is enabling threat actors to infiltrate systems, evade detection, and steal sensitive information.
Since October 2024, Microsoft's Defender Experts team has tracked multiple campaigns using Node.js in unexpected ways, including in phishing and malvertising attacks. These tactics rely on the legitimate nature of Node.js to mask malware distribution, persistence, and data exfiltration. With attackers now packaging malicious JavaScript and executing it via node.exe, organizations face a rising threat hiding in plain sight.
Key Points
Node.js as a stealthy malware vehicle: Attackers are using Node.js to run compiled JavaScript files outside the browser, evading traditional security tools. These scripts enable silent system data collection and scheduled task creation.
Malvertising meets cryptocurrency bait: Microsoft found campaigns that mimic popular crypto platforms like Binance to trick users into downloading infected software. Once installed, these programs modify Defender settings, download further payloads, and begin siphoning detailed system information.
New phishing tricks with inline Node.js scripts: A separate attack method installs Node.js during phishing attacks and runs malicious JavaScript directly from the terminal. The scripts cloak C2 traffic as Cloudflare activity, perform reconnaissance, and alter registry keys for persistence.
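The three tactics above (node.exe running scripts from user-writable paths or inline with -e, then spawning schtasks, reg or Defender-tampering children) are all visible in process-creation telemetry. The following is an added example written for this roundup, not one of Microsoft's published hunting queries: it runs a few constructed, Sysmon-like process events (the hostnames, paths and .invalid domain are made up) through simple detection rules and returns a finding per suspicious event.

```python
"""Hunting for Node.js abused as a malware host in process-creation telemetry.

Added example, not Microsoft's hunting queries. Events are a constructed,
Sysmon-like shape: ts, user, image, cmdline, parent_image."""
import re

# Locations a user-level implant can write to. A script run from here by
# node.exe is suspicious; a script under a developer's checkout is not.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# Inline script execution (node -e / --eval) leaves no file on disk to scan.
INLINE_EVAL = re.compile(r"(?:^|\s)(?:-e|--eval|-p|--print)(?:\s|=)")
# Children of node.exe that establish persistence or tamper with Defender.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
RUN_KEY_ADD = re.compile(r"reg(?:\.exe)?\s+add\s+\"?HK(?:CU|LM)\\[^\"\s]*\\Run\b", re.I)
DEFENDER_TAMPER = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of quotes and slashes."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events):
    """Return one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev["cmdline"]
        reasons = []
        if img == "node.exe":
            if INLINE_EVAL.search(cmd):
                reasons.append("node_inline_eval")
            if USER_WRITABLE.search(cmd):
                reasons.append("node_script_from_user_writable_path")
        if parent == "node.exe":
            if TASK_CREATE.search(cmd):
                reasons.append("node_child_schtasks_create")
            if RUN_KEY_ADD.search(cmd):
                reasons.append("node_child_run_key_persistence")
            if DEFENDER_TAMPER.search(cmd):
                reasons.append("node_child_defender_tamper")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "image": img,
                             "parent": parent, "reasons": reasons, "cmdline": cmd})
    return findings


# Constructed sample telemetry: one benign developer event, then the chain
# described in the summary (fake installer -> node.exe -> persistence/tamper).
SAMPLE_EVENTS = [
    {"ts": "2025-04-15T09:00:01Z", "user": "CORP\\dev",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\Users\dev\src\app\server.js',
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"ts": "2025-04-15T09:00:02Z", "user": "CORP\\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\node\node.exe" "C:\Users\alice\AppData\Local\Temp\BinanceSetup\update.js"',
     "parent_image": r"C:\Users\alice\Downloads\BinanceSetup.exe"},
    {"ts": "2025-04-15T09:00:03Z", "user": "CORP\\alice",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe -e \"require('https').get('https://cdn-cloudflare.invalid/cf')\"",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2025-04-15T09:00:04Z", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData\svc"',
     "parent_image": r"C:\Program Files\nodejs\node.exe"},
    {"ts": "2025-04-15T09:00:05Z", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "NodeUpdater" /sc onlogon /tr "node.exe C:\ProgramData\svc\n.js"',
     "parent_image": r"C:\Program Files\nodejs\node.exe"},
    {"ts": "2025-04-15T09:00:06Z", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "node.exe C:\ProgramData\svc\n.js"',
     "parent_image": r"C:\Program Files\nodejs\node.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["image"], ",".join(f["reasons"]))
```

The benign event (a developer running a script from a source checkout under VS Code) produces no finding; each of the other five trips exactly one rule. In production these rules want an allow-list for build agents and developer workstations, and the Cloudflare-lookalike C2 traffic mentioned above is a network-side hunt rather than something process events can show.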
C Stdlib Isn't Threadsafe and Even Safe Rust Didn't Save Us (Read Paper)
The EdgeDB team has been hard at work porting critical networking code from Python to Rust, an ambitious project that is already delivering performance and stability wins. But during development of a new HTTP fetch feature, they encountered a mysterious failure that only appeared on ARM64 CI runners.
The test suite passed with flying colors on x86_64 and even locally on ARM machines, yet mysteriously hung during CI runs. Initial theories pointed to deadlocks or memory model differences between architectures. But after a deep dive into the Docker container, core dumps, and some classic gdb archaeology, they found something very different.
Key Points
The deadlock that wasn't: What looked like a classic async deadlock turned out to be a process crash masquerading as a hang. The CI logs showed no stack trace, just a test that spun for six hours until the job timed out.
Why only ARM64?: The team first suspected memory-model quirks. ARM gives weaker memory-ordering guarantees than x86, so a data race that happens to work on x86_64 can fail on ARM64.
GDB meets Docker meets GLIBC 2.17: Diagnosing the crash required copying shared libraries out of a minimal container and pointing gdb at the correct paths. The real culprit? A crash in the getenv function inside GLIBC, not their new Rust code at all.
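The summary only names getenv as the crash site; the textbook way to crash there is a setenv or putenv from one thread while another thread is walking the environment table inside getenv, which glibc does not make thread-safe. That matters for a Python-plus-Rust process because every `os.environ[key] = value` in CPython calls putenv. The following is an added example, not EdgeDB's code, showing the organisational fix: finish all environment edits in the main thread, freeze, and hand worker threads an immutable snapshot. The variable name is hypothetical.

```python
"""Keeping getenv and setenv from racing in a Python-plus-native process.

Added example, not EdgeDB's code. Assumes the usual cause of a crash inside
getenv: a concurrent setenv/putenv from another thread. The fix is to do all
writes before threads exist, then freeze and read from a snapshot."""
import os
import threading
from types import MappingProxyType


class EnvFence:
    """Serialises environment writes and refuses them once frozen."""

    def __init__(self):
        self._lock = threading.Lock()
        self._snapshot = None          # MappingProxyType once frozen

    def set(self, key, value):
        with self._lock:
            if self._snapshot is not None:
                raise RuntimeError(
                    f"environment frozen; refusing setenv({key!r}) while "
                    "worker threads may be inside getenv")
            os.environ[key] = value   # CPython turns this into putenv()

    def freeze(self):
        """Snapshot os.environ. Afterwards set() is an error and get() is race-free."""
        with self._lock:
            if self._snapshot is None:
                self._snapshot = MappingProxyType(dict(os.environ))
            return self._snapshot

    def get(self, key, default=None):
        snapshot = self._snapshot
        if snapshot is None:
            raise RuntimeError("call freeze() before reading the environment from workers")
        return snapshot.get(key, default)     # pure Python dict read, no libc getenv


def demo(var="EXAMPLE_FETCH_ENDPOINT"):       # hypothetical variable name
    """Configure in the main thread, freeze, read from workers, then prove writes are refused."""
    fence = EnvFence()
    fence.set(var, "https://example.invalid/fetch")
    fence.freeze()

    seen = []
    seen_lock = threading.Lock()

    def worker():
        value = fence.get(var)
        with seen_lock:
            seen.append(value)

    threads = [threading.Thread(target=worker) for _ in range(8)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    try:
        fence.set(var, "https://example.invalid/other")   # would be a setenv under live threads
        refused = False
    except RuntimeError:
        refused = True
    os.environ.pop(var, None)      # tidy up the real process environment
    return seen, refused


if __name__ == "__main__":
    print(demo())
```

The same reasoning is why the Rust 2024 edition makes `std::env::set_var` and `remove_var` unsafe to call: the compiler cannot see the C code on other threads that may be inside getenv at the same time.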
TARIFF: The Greatest, Most Tremendous Python Package That Makes Importing Great Again! (Read Paper)
A bold new Python package has entered the arena, and it's putting foreign imports on notice. Meet TARIFF, a parody tool that lets developers impose 'import tariffs' on Python packages, adding artificial delays to simulate protectionist programming policies.
Want to slow down pandas by 200%? Go ahead. Need to penalize numpy for stealing your CPU cycles? TARIFF's got you covered. With customizable rates and patriotic console messages, TARIFF turns every import into a political statement, parody-style.
Key Points
Imports with consequences: TARIFF lets developers set slowdown percentages on specific packages to simulate a "tariffed" import experience. Each taxed import comes with a glorious console message celebrating domestic code.
Customizable slowdown settings: You can slap a 50% penalty on numpy, a 150% penalty on requests, or whatever your protectionist heart desires. TARIFF calculates the original import time and scales it with a delay to enforce the tariff.
Because satire writes itself: TARIFF is completely satirical and shouldn't be used in production, unless your goal is ironic protest coding.
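The mechanism in the key points (time the real import, then sleep for that time scaled by the rate) is a small import hook. The following is an added example written for this roundup, not TARIFF's own source: a sys.meta_path finder that wraps the real loader of any taxed top-level package, measures exec_module, sleeps for the tariff, and keeps a ledger. The demo taxes the stdlib colorsys module at 200%.

```python
"""Import-tariff hook in the spirit of TARIFF: added example, not the package's
own code. Measures how long a module takes to execute, then sleeps for that
time scaled by the tariff rate, and records both numbers in a ledger."""
import importlib.abc
import sys
import time


class TariffLoader(importlib.abc.Loader):
    """Wraps the real loader so the delay is applied right after exec_module."""

    def __init__(self, inner, finder, fullname, rate):
        self.inner = inner          # loader that really executes the module
        self.finder = finder
        self.fullname = fullname
        self.rate = rate            # percent of the original import time to add

    def create_module(self, spec):
        create = getattr(self.inner, "create_module", None)
        return create(spec) if create is not None else None

    def exec_module(self, module):
        start = time.perf_counter()
        self.inner.exec_module(module)
        original = time.perf_counter() - start
        delay = original * self.rate / 100.0
        time.sleep(delay)
        self.finder.ledger[self.fullname] = (original, delay)
        print(f"TARIFF: {self.fullname} taxed at {self.rate:g}% "
              f"({original:.6f}s + {delay:.6f}s). Domestic code wins again!")


class TariffFinder(importlib.abc.MetaPathFinder):
    """Sits first on sys.meta_path and taxes every module of a listed package."""

    def __init__(self, rates):
        self.rates = {name: float(pct) for name, pct in rates.items()}
        self.ledger = {}            # fullname -> (original_seconds, delay_seconds)

    def find_spec(self, fullname, path, target=None):
        rate = self.rates.get(fullname.partition(".")[0])
        if rate is None:
            return None             # untaxed: let the regular finders handle it
        for finder in sys.meta_path:
            if finder is self:
                continue
            find = getattr(finder, "find_spec", None)
            if find is None:
                continue
            spec = find(fullname, path, target)
            if spec is not None:
                break
        else:
            return None
        if spec.loader is None:     # namespace package: nothing executes, nothing to tax
            return spec
        spec.loader = TariffLoader(spec.loader, self, fullname, rate)
        return spec


def impose(rates):
    """Install a finder for {package: percent}; returns it so it can be repealed."""
    finder = TariffFinder(rates)
    sys.meta_path.insert(0, finder)
    return finder


def repeal(finder):
    sys.meta_path.remove(finder)


def demo(rate=200.0, module_name="colorsys"):
    """Tax a small stdlib module; returns (original, delay, wall_clock) in seconds."""
    sys.modules.pop(module_name, None)      # force a fresh import so the hook sees it
    finder = impose({module_name: rate})
    try:
        started = time.perf_counter()
        importlib.import_module(module_name)
        elapsed = time.perf_counter() - started
    finally:
        repeal(finder)
    original, delay = finder.ledger[module_name]
    return original, delay, elapsed


if __name__ == "__main__":
    print(demo())
```

Because the rate is keyed on the top-level name, taxing numpy also taxes every numpy submodule as it loads, which is how a 50% tariff turns into a noticeably slower startup. Anything else on sys.meta_path keeps working, since the finder only ever delegates to the others.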
GitHub Copilot Auto-Enabled Itself Without Consent (Read Paper)
A wave of concern is sweeping through the developer community after GitHub Copilot reportedly enabled itself across all VSCode workspaces without user consent. Developer @rektbuildr raised the issue on GitHub (#7963), describing how Copilot activated itself even in client projects where it had previously been disabled.
With agent mode enabled, this raises serious concerns about the potential exposure of sensitive files, secrets, and proprietary code. What's more troubling is that the change occurred silently after a system update, with users discovering the shift only after restarting their machines. This follows broader fears around Microsoft's handling of opt-in privacy features, including the Recall tool and Copilot's expanding footprint.
Key Points
Consent ignored across workspaces: Copilot re-enabled itself across all open VSCode windows, even where it had previously been disabled for client confidentiality. The user had only approved Copilot in two windows, yet it activated itself elsewhere without any prompt or permission.
Bypassing system settings: Even with GPO policies in place to block Copilot, and on unsupported hardware, the tool started automatically after a Windows update. It created a new startup task, further indicating that opt-out controls may be ineffective.
Growing trust concerns: The incident has reignited concerns about Microsoft pushing opt-out models for sensitive tools. Devs now question whether privacy switches will be respected in future updates, particularly for environments handling confidential code.
Getting Forked by Microsoft (Read Paper)
What starts as a story of collaboration ends with a cautionary tale about power dynamics in open source. After facing critical downtime due to GitHub container registry outages, one developer created Spegel, a lightweight, stateless image mirroring tool for Kubernetes.
The project gained traction, caught Microsoftâs attention, and prompted what looked like a promising collaboration. But months after technical discussions and support, Microsoft silently released Peerd, a strikingly similar tool, with function names, test cases, and even comments resembling those in Spegel. While the MIT license legally permits forking, the developer behind Spegel was left feeling side-stepped, disillusioned, and grappling with the broader implications for solo maintainers.
Key Points
Silent fork, loud disappointment: Microsoft launched Peerd, a project with code and test cases nearly identical to Spegel, without formally forking or clearly attributing the original author. Though the README gives a nod to Spegel, the developer only discovered the release while attending a KubeCon talk.
MIT license, murky ethics: Spegel's MIT license technically allows for reuse, but doesn't allow removing attribution and claiming authorship. Microsoft's version reportedly omits license continuity, creating confusion and obscuring the original project's contributions.
Maintainers versus megacorps: Despite Peerd's release, Spegel still thrives with 1.7k stars and over 14 million pulls. But the experience has left the maintainer questioning how solo devs can coexist with tech giants, and whether a licensing change is the only way to protect their work.
And that's a wrap. Stay tuned and be the first to know what's happening in the industry!