A Brutal Week for Microsoft Security, Signal Threatens to Leave Canada, And Bitwarden Quietly Shifts Policies
A brutal week of Microsoft vulnerabilities, an npm supply chain attack on 600+ packages, Signal vs Canada, Meta's AI age detection, and Bitwarden worries.
On Our Radar 🎯
Microsoft's Worst Week Of 2026
In one week: an actively exploited Exchange zero-day, the MiniPlasma exploit giving SYSTEM access on fully patched Windows, Pwn2Own exploits for Microsoft Exchange, SharePoint, and Windows 11, a report showing Microsoft's critical vulnerabilities literally doubled year-over-year, and an Azure vulnerability.
Now here's the thing: vulnerabilities happen on every operating system. Linux just finished getting hammered the last few weeks. But just like I said then, what actually matters is the response, the history, the way an organization communicates, and the way it prioritizes. Linux is fragmented because it's open and community-driven, and that's a known tradeoff for the ecosystem people love. But Microsoft is one centralized company that should know what it's doing. For context, MiniPlasma originated from a Google Project Zero report Microsoft sat on for six years.
To me, it feels like we're watching the duct tape come off from years of neglecting the user experience. All of Microsoft's resources poured into AI features nobody asked for (earning them the fitting name, Microslop) could have gone toward fixing updates, polishing the user experience, and taking security research seriously. I think Microsoft is pushing the limits of user trust when that trust is already at a low point.
What you can do: If you run Exchange, apply Microsoft's emergency mitigation for the zero-day ASAP. If you're on Windows, stay patched and watch for the MiniPlasma fix. And if you've been considering reducing your Windows footprint on personal devices or your home network, this is a good week to seriously consider experimenting with alternatives (like Linux!).
Bits & Bytes 🤖
~ Story 1: Shai-Hulud Wave Compromises 600+ npm Packages
A new supply chain attack pushed 639 malicious package versions across 333 npm packages after attackers compromised a single developer's account. Targets included popular charting and visualization libraries, and the malicious code was hunting for SSH credentials, database credentials, Docker and vault secrets.
Our take: Most listeners aren't running npm pipelines, but the underlying lesson applies to everyone: every piece of software you install, from anywhere, requires trusting that the published update was actually authorized by the developer. Never forget the amount of trust required when you install something on your system.
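The lesson above is about trusting the update channel. As an added example (not from the newsletter, and not npm's or any affected project's own code), here is a small Python audit a project could run over its own lockfile before installing: it checks that a downloaded tarball matches the lockfile's pinned sha512 integrity hash, that every package resolves to the registry you actually trust, and that a candidate update is held back until it has been public for a minimum age, which is the window in which a bad push like this one usually gets noticed and pulled. The lockfile entries, tarball bytes, package names and registry publish times are all constructed for the demo, so it runs offline.

```python
"""Added example, not from the newsletter or any project it mentions.
Three lockfile-side checks that shrink the window in which a compromised
maintainer account can push a malicious version into your build:
  1. the tarball you are about to unpack matches the lockfile's SRI hash,
  2. every package resolves to the registry you expect,
  3. a candidate update is held until it has been public for a minimum age
     (constructed packument metadata stands in for the registry here).
All inputs are constructed for the demo; nothing is downloaded."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# --- constructed inputs --------------------------------------------------
# Stand-ins for package tarball bytes (real ones are gzipped tar archives).
GENUINE_CHARTING = b"charting-lib 4.2.0 genuine tarball bytes"
GENUINE_VIZ = b"viz-helper 1.9.3 genuine tarball bytes"
TAMPERED_CHARTING = b"charting-lib 4.2.0 plus an unexpected postinstall script"


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string in the form npm writes into package-lock."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


# Constructed package-lock.json fragment (lockfileVersion 3 layout); the
# package names are hypothetical.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/charting-lib": {
            "version": "4.2.0",
            "resolved": "https://registry.npmjs.org/charting-lib/-/charting-lib-4.2.0.tgz",
            "integrity": sri_sha512(GENUINE_CHARTING),
        },
        "node_modules/viz-helper": {
            "version": "1.9.3",
            # resolved to an unexpected host: a red flag on its own
            "resolved": "https://mirror.example.invalid/viz-helper-1.9.3.tgz",
            "integrity": sri_sha512(GENUINE_VIZ),
        },
    },
}

# Constructed packument fragments: the registry's per-version publish times.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
MIN_AGE = timedelta(days=7)
PACKUMENTS = {
    "charting-lib": {
        "dist-tags": {"latest": "4.2.1"},
        "time": {"4.2.0": "2026-03-01T10:00:00.000Z",
                 "4.2.1": "2026-05-20T09:15:00.000Z"},   # under 3 hours old
    },
    "viz-helper": {
        "dist-tags": {"latest": "1.9.3"},
        "time": {"1.9.3": "2026-01-12T08:30:00.000Z"},
    },
}


def integrity_matches(entry: dict, tarball: bytes) -> bool:
    """Check 1: tarball bytes against the lockfile's pinned sha512 SRI."""
    algo, _, _ = entry["integrity"].partition("-")
    if algo != "sha512":
        return False                       # only accept the strongest pinned algorithm
    return hmac.compare_digest(sri_sha512(tarball), entry["integrity"])


def resolved_from_trusted_registry(entry: dict, trusted: str = "https://registry.npmjs.org/") -> bool:
    """Check 2: the lockfile must point at the registry you actually trust."""
    return entry["resolved"].startswith(trusted)


def published_at(packument: dict, version: str) -> datetime:
    return datetime.fromisoformat(packument["time"][version].replace("Z", "+00:00"))


def update_is_held(packument: dict, pinned: str, now: datetime, min_age: timedelta) -> bool:
    """Check 3: True when 'latest' is newer than the pin but younger than min_age,
    i.e. the update should wait until the ecosystem has had time to spot a bad push."""
    latest = packument["dist-tags"]["latest"]
    if latest == pinned:
        return False
    return now - published_at(packument, latest) < min_age


def audit(lockfile: dict, tarballs: dict, packuments: dict, now: datetime,
          min_age: timedelta = MIN_AGE) -> list:
    """Run all three checks; returns human-readable findings (empty list == clean)."""
    findings = []
    for path, entry in lockfile["packages"].items():
        name = path.split("node_modules/")[-1]
        if not resolved_from_trusted_registry(entry):
            findings.append(f"{name}: resolved from untrusted URL {entry['resolved']}")
        if name in tarballs and not integrity_matches(entry, tarballs[name]):
            findings.append(f"{name}@{entry['version']}: tarball does not match lockfile integrity")
        if name in packuments and update_is_held(packuments[name], entry["version"], now, min_age):
            latest = packuments[name]["dist-tags"]["latest"]
            findings.append(f"{name}: update to {latest} held, published less than {min_age.days}d ago")
    return findings


if __name__ == "__main__":
    tarballs = {"charting-lib": TAMPERED_CHARTING, "viz-helper": GENUINE_VIZ}
    for line in audit(LOCKFILE, tarballs, PACKUMENTS, NOW):
        print("FINDING:", line)
```

Run as-is it reports three findings: the tampered charting-lib tarball, the viz-helper entry that resolves to a host other than the trusted registry, and a hold on the hours-old charting-lib 4.2.1. The integrity check is the same comparison `npm ci` performs from a committed lockfile; the minimum-age hold is the piece most installs skip, and it is the one that would have kept a freshly pushed malicious version out for long enough to be caught.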
~ Story 2: Signal Threatens To Pull Out Of Canada
Canada's Bill C-22 is looking to force telecoms, ISPs, and messaging services to add surveillance capabilities for police and intelligence services. But Signal's VP said they'd rather leave the country than compromise on privacy. Apple and Meta have also publicly pushed back.
Our take: When a company like Meta is publicly opposing your encryption bill, the bill probably has a problem. Canadian politicians are calling this "encryption neutral," but mandating metadata collection on services that currently collect almost nothing is a massive expansion, and metadata can be just as revealing as the messages themselves! And this fight isn't just Canada's: bills that pass in one country set precedent for others. Watch this closely!
~ Story 3: Meta To Use AI Visual Analysis To Detect Underage Users
Meta is rolling out AI that analyzes user-uploaded photos to estimate age, then auto-restricts accounts it flags as underage.
Our take: This is what age verification legislation actually looks like in practice. More surveillance technology, more data collection, more identity verification, applied to everyone to try to solve a problem about kids. The actual issues, like addictive algorithms and exploitative design, keep getting routed around in favor of treating a human problem as a technology problem.
~ Story 4: Bitwarden Is Quietly Changing, And People Are Worried
Bitwarden's longtime CEO and CFO have both stepped down. The company removed "Always Free" from their prominent password manager messaging. Nothing has changed about the product yet, but it's hard to ignore.
Our take: Nothing concrete has happened, and we shouldn't rush to speculation. But these are exactly the kinds of signals worth tracking. Bitwarden's free tier has been the entry point for a huge number of people who get into password management for the first time! If that erodes, we lose a critical onramp into the whole category.
This Week on Techlore 📺
This week we had some fun content. I shared some thoughts on doomerism takes I saw on a viral YouTube video and how we can tackle the hopelessness:

We were also SUPER excited to have on Naomi Brockwell to discuss her Surveillance Accountability Act and how we all can fight for a better digital internet:

And finally, I put out a quick review taking a look at a 'dumb' screen from TRMNL for those who are curious about the focused device:

Action Item ✅
Very simple, if you're using any Microsoft services: Get them up-to-date and keep following for changes in the upcoming weeks!
This Week's Sources
Highlight: A Week Of Microsoft Vulnerabilities
- https://www.forbes.com/sites/daveywinder/2026/05/18/microsoft-exchange-active-0-day-exploit-enable-emergency-mitigation-now/
- https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
- https://www.bleepingcomputer.com/news/security/windows-11-and-microsoft-edge-hacked-on-first-day-of-pwn2own-berlin-2026/
- https://www.bleepingcomputer.com/news/security/hackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026/
- https://www.bleepingcomputer.com/news/security/critical-microsoft-vulnerabilities-doubled-from-exposure-to-escalation/
- https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-azure-vulnerability-report-no-cve-issued/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/
Story 1: Shai-Hulud Wave Compromises 600 npm Packages
- https://www.bleepingcomputer.com/news/security/new-shai-hulud-malware-wave-compromises-600-npm-packages/
- https://techcrunch.com/2026/05/19/hackers-have-compromised-dozens-of-popular-open-source-packages-in-an-ongoing-supply-chain-attack/
Story 2: Signal Threatens To Pull Out Of Canada Over Lawful Access Bill
Story 3: Meta To Use AI Visual Analysis To Detect Underage Users
Story 4: Bitwarden Is Quietly Changing And People Are Worried
The Defense Bulletin
Data Breaches
- https://techcrunch.com/2026/05/18/nyc-health-and-hospitals-says-hackers-stole-medical-data-and-fingerprints-during-breach-affecting-at-least-1-8-million-people/
- https://techcrunch.com/2026/05/15/a-hotel-check-in-system-left-a-million-passports-and-drivers-licenses-open-for-anyone-to-see/
- https://www.bleepingcomputer.com/news/security/7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang/
- https://www.bleepingcomputer.com/news/security/west-pharmaceutical-says-hackers-stole-data-encrypted-systems/
- https://techcrunch.com/2026/05/18/open-source-tool-maker-grafana-labs-says-hackers-stole-its-code-refuses-to-pay-ransom/
- https://arstechnica.com/information-technology/2026/05/in-stunning-display-of-stupid-secret-cisa-credentials-found-in-public-github-repo/
Threats
- https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/
- https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/
- https://www.bleepingcomputer.com/news/security/avada-builder-wordpress-plugin-flaws-allow-site-credential-theft/
- https://alternativeto.net/news/2026/5/wii-u-emulator-cemu-2-6-for-linux-was-compromised-by-a-russian-threat-actor-for-a-week/
- https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/
- https://www.wired.com/story/your-iphone-gets-stolen-then-the-hacking-begins/
- https://www.bleepingcomputer.com/news/security/interpol-operation-ramz-seizes-53-malware-phishing-servers/
- https://news.slashdot.org/story/26/05/18/1952255/fbi-wants-to-buy-nationwide-access-to-license-plate-readers
- https://apple.slashdot.org/story/26/05/16/1643203/anthropics-mythos-helped-build-a-working-macos-exploit-in-five-days
- https://www.bleepingcomputer.com/news/security/shub-macos-infostealer-variant-spoofs-apple-security-updates/
- https://mysk.blog/2026/05/19/cve-2026-28910/
FOSS+ Updates
- https://fsfe.org/news/2026/news-20260519-01.en.html
- https://blog.torproject.org/new-release-tor-browser-15014/
- https://blog.mozilla.org/en/firefox/more-control-firefox/
- https://blog.mozilla.org/en/firefox/ai-controls-firefox-mobile/
- https://blog.mozilla.org/en/firefox/shake-to-summarize-expansion/
- https://alternativeto.net/news/2026/5/discord-finally-rolls-out-end-to-end-encryption-by-default-for-all-voice-and-video-calls/
- https://linux.slashdot.org/story/26/05/19/0056247/microsoft-surprises-with-its-first-server-linux-distribution-azure-linux-40
- https://rockylinux.org/news/2026-05-14-introducing-security-repository
- https://alternativeto.net/news/2026/5/organic-maps-brings-transit-line-highlights-cleaner-bookmark-labels-and-more-legible-map/
Digital Rights Digest—threats to your freedom and how to fight back. A five-minute weekly read, 100% free.
