Reading List

The most recent articles from a list of feeds I subscribe to.

Jack Black wants to join the Red Dead Redemption franchise

The Super Mario Galaxy Movie star (and Minecraft star) says his ideal video game role is in Rockstar Games' Red Dead Redemption — a movie or RDR3.

OpenAI, Supposedly Tightening Its Focus on Its Core Products, Buys Tech-Industry Talk Show TBPN

Katie Deighton, reporting for The Wall Street Journal (main link is a gift link; also on News+):

OpenAI bought TBPN to encourage constructive conversation around the changes AI creates by helping the show grow, according to a memo sent by Fidji Simo, OpenAI’s CEO of applications. TBPN will report to Chris Lehane, OpenAI’s chief global affairs officer, and will help with company communications and marketing outside of the show.

“They’ve helped many brands market online and because they have a strong pulse on where the industry is going, their comms and marketing ideas have really impressed me,” Simo wrote in the memo.

But TBPN will remain editorially independent, retaining control over its programming, editorial decisions, guest selection and production schedule, OpenAI said.

Yes, I’m sure they’ll remain totally independent. You know, like The Washington Post under Jeff Bezos, and CBS News under David Ellison. Many news and commentary publications have remained steadfastly independent while reporting to the head of PR for a company they ostensibly cover.

Why Trump betrayed MAGA, according to Tucker Carlson

After five weeks of muddled messaging, President Donald Trump finally addressed the nation on Wednesday night to make the case for his war on Iran. That message was…still muddled. He did not articulate a clear exit plan from the conflict, fobbed the Strait of Hormuz problem off on other countries, and denied that regime change […]

Where is Maurice's Black Market Vending Machine in Borderlands 4

Here's where you can find Maurice's Black Market Vending Machine this week in Borderlands 4 and grab some nice legendary gear!

Axios, Super Popular NPM Package, Was Compromised in Attack on the Module’s Maintainer

StepSecurity:

If you have installed axios@1.14.1 or axios@0.30.4, assume your system is compromised.

There are zero lines of malicious code inside axios itself, and that’s exactly what makes this attack so dangerous. Both poisoned releases inject a fake dependency, plain-crypto-js@4.2.1, a package never imported anywhere in the axios source, whose sole purpose is to run a postinstall script that deploys a cross-platform remote access trojan. The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy. A developer who inspects their node_modules folder after the fact will find no indication anything went wrong.

This was not opportunistic. It was precision. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker’s server before npm had even finished resolving dependencies. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.

Could be my bigotry against JavaScript speaking, but I find it unsurprising that this happened to the same framework that this and this happened to.