The 988 Suicide and Crisis Prevention Lifeline included a service that provided specialized suicide prevention support by phone and text for LGBTQ+ kids. That's ending.
Experts have revealed several critical vulnerabilities in GitHub Actions workflows which could pose serious risks to some major open source projects.
A recent investigation by Sysdig’s Threat Research Team (TRT) has exposed how misconfigurations, particularly involving the pull_request_target trigger, could let attackers seize control over active repositories or extract sensitive credentials.
The team demonstrated this by compromising projects from well-known organizations such as MITRE and Splunk.
GitHub Actions: A powerful tool with dangerous pitfalls

GitHub Actions is widely adopted in modern software development for its automation capabilities, but this convenience often hides security risks.
“Modern supply chain attacks frequently begin by abusing insecure workflows,” the report states, noting how secrets like tokens or passwords embedded in workflows can be exploited if improperly secured.
Despite available best practices and documentation, many repositories continue to use high-risk configurations, either from oversight or a lack of awareness.
At the core of the problem is the pull_request_target trigger, which runs workflows in the context of the main branch.
This setup grants elevated privileges, including access to GITHUB_TOKEN and repository secrets, to code submitted from forks.
While intended to facilitate pre-merge testing, this mechanism also allows execution of untrusted code, creating an attack surface that is easily overlooked.
The risks are not hypothetical; they are real.
In the Spotipy repository, which integrates with Spotify’s Web API, Sysdig discovered a setup where a crafted setup.py could execute code and harvest secrets.
In MITRE’s Cybersecurity Analytics Repository (CAR), attackers were able to execute arbitrary code by modifying dependencies.
Sysdig confirmed it was possible to take over the GitHub account associated with the project.
Even Splunk’s security_content repository had secrets like APPINSPECTUSERNAME and APPINSPECTPASSWORD exposed, despite the limited scope of the GITHUB_TOKEN.
Developers should reassess the use of pull_request_target and consider safer alternatives. Sysdig recommends separating workflows, using unprivileged checks first, and only allowing sensitive tasks after validation.
Limiting the capabilities of tokens and adopting real-time monitoring with tools like Falco Actions can also provide vital protection.
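As an added example (not taken from Sysdig's report or from any of the projects named above), the following heuristic audit flags the pattern described in this article: a pull_request_target workflow that checks out the pull request head, passes repository secrets to the job, or leaves GITHUB_TOKEN permissions unset. Both workflow samples are constructed, and the function name `audit` and the secret name `API_PASSWORD` are hypothetical.

```python
import re

# Constructed sample: privileged trigger that checks out and installs fork code.
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install .
        env:
          API_PASSWORD: ${{ secrets.API_PASSWORD }}
"""

# Constructed sample: unprivileged trigger, read-only token, no secrets.
SAFER = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: pip install .
"""

PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit(workflow: str) -> list[str]:
    """Return findings for one workflow file's text (line-based heuristic, not a YAML parser)."""
    lines = [l.split(" #")[0] for l in workflow.splitlines() if not l.lstrip().startswith("#")]
    text = "\n".join(lines)
    if not re.search(r"\bpull_request_target\b", text):
        return []  # fork PRs run without secrets and with a read-only token
    findings = ["pull_request_target: runs with base-repository privileges on fork PRs"]
    if PR_HEAD.search(text):
        findings.append("checks out the pull request head (untrusted code)")
    if re.search(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN)", text):
        findings.append("passes repository secrets to the job")
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append("no explicit permissions block limiting GITHUB_TOKEN")
    return findings
```

Running `audit` over every file in `.github/workflows/` gives a quick triage list; any finding still needs manual review, since the check is textual.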
A drug called lenacapavir, administered in two injections a year, offers protection from HIV comparable to daily pills. One looming question: Will it be affordable for lower resource countries?
Iran's most fortified nuclear facility, called Fordo, is buried deep inside a mountain. Only the U.S. has the 30,000-pound bombs — often referred to as "bunker busters" — capable of reaching it.
So far, strikes on Iran's facilities have created limited chemical and radiological hazards. Experts say that's not likely to change even if the U.S. uses a big bomb.
Mailchimp’s continued transformation from a straightforward email marketing service into a broader business platform seems less like a pivot and more like a quiet evolution.
Over the past year, the company has introduced more than 2,000 updates, most of them small but collectively significant.
These updates aim to simplify customer engagement and automate key marketing workflows, quietly nudging Mailchimp toward becoming a top CRM offering - at least in ambition, if not yet in capability.
Mailchimp expands beyond email marketing

At its recent FWD: London 2025 event, Mailchimp announced a wave of new features aimed at helping small and mid-sized businesses get more from their customer data.
These include direct lead integrations with platforms like Meta, TikTok, LinkedIn, Google, and Snapchat.
Marketers can now bring in social campaign leads more efficiently and feed them into Mailchimp’s upgraded automation flows for hyper-personalized messaging.
This, paired with over 100 new pop-up templates, seems like a step toward making Mailchimp feel less like a glorified newsletter tool and more like a proper pipeline manager.
“Mailchimp is evolving into the essential bridge between advertising and customer relationships for businesses, seamlessly connecting ad campaigns to powerful marketing automation that nurtures leads and drives sales,” said Ken Chestnut, Director of Global Partner Ecosystem, Intuit.
“We're closing the loop between advertising, marketing automation, and powerful customer insights, giving businesses the tools to engage at the right time and place of the customer journey, from attracting new leads and nurturing relationships to driving conversions and building lasting loyalty.”
Still, it’s hard to ignore that these features look like a patchwork of add-ons rather than a coherent CRM suite, at least for now.
Freya Doggett from Serpentine Galleries acknowledged the improvements but also hinted at the ongoing complexity many users still face.
“It feels like we're not having to do as much digging or joining the dots as much, which is really nice…Mailchimp really simplifies things that are complicated by nature.” It's a compliment, but a cautious one.
The new Metrics Visualizer introduces over 40 reporting variables across email and SMS channels.
Marketers can now assemble custom reports with much greater clarity, a welcome step for anyone still juggling data from multiple platforms.
If Mailchimp hopes to contend with true CRM systems or even compete with the best email marketing service options out there, this kind of cross-channel insight will be essential.
What’s still ahead might be more telling than what’s here now. Mailchimp is pushing toward becoming an all-in-one growth platform, but it's not quite the best website builder, nor a fully mature CRM system, just yet.
Israeli Prime Minister Netanyahu says Iran is "marching very quickly" toward a nuclear weapon. The U.S. intelligence community says Iran suspended its nuclear weapons program decades ago. We hear from two NPR correspondents who are watching this very closely to find out who is right.
Many of President Trump's nominal media allies are breaking with him over his backing of Israel, arguing it will lead to a wider war.
In the fast-paced environment of today’s tech-driven workplace, employees are feeling increasing pressure to keep up with constantly evolving tools and jargon.
An Adobe Acrobat survey of 1,000 full-time employees found nearly three quarters (71%) of those in tech roles say they use YouTube as a learning resource.
This means they are 35% more likely to use it over conventional online learning platforms - and honestly, I’m not surprised, as I do the same thing.
Just-in-time learning over formal training

The preference for YouTube isn’t just about convenience; it speaks to how learning itself is shifting.
Short, targeted tutorials often win out over structured syllabi when deadlines loom and productivity expectations run high.
When I need to quickly figure out how to format a spreadsheet, compress a PDF, or understand some unfamiliar acronym tossed around in a meeting, I don’t log into a formal course - I head straight to YouTube.
The videos are not only short, they are also illustrative, and you can also watch them at double speed, compressing the time you spend by half.
Unlike structured courses that require commitment and patience, YouTube offers just-in-time solutions, exactly what is needed when a deadline is looming.
That’s why I completely understand why many tech workers would quietly turn to a quick video rather than admit they’re in over their heads.
Adobe’s report claims over half of the surveyed tech employees have stayed late to learn skills they pretended to know during work hours, and nearly half admitted to nodding along in meetings without truly understanding the content.
These coping strategies suggest an environment where appearing tech-savvy carries more weight than actual proficiency. YouTube doesn’t solve the underlying skills gap, but it often softens the impact by offering practical help when it’s needed most.
Non-tech professionals are 123% more likely to struggle with cloud-based tools, and 156% more likely to lack competence in AI.
In education, almost half of professionals reportedly cannot merge PDFs, a basic function needed to manage instructional materials.
This misalignment between perception and reality reveals the urgent need for learning tools that meet workers where they are.
YouTube, for all its flaws, does just that. It’s fast, specific, and informal enough to make upskilling less intimidating.
Read was accused of hitting her boyfriend with her car and leaving him to die in a snowstorm, but alleged she was the victim of a cover-up by his fellow officers. Her 2024 trial ended in a hung jury.
A federal indictment accuses seven Californians of stealing approximately $100 million worth of gold, precious gems and luxury watches from an armored semitruck leaving a jewelry show in 2022.