<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Microsoft Betrays Your Commits, CISA Leaks Everything, and the Worm That Beat Every Security Check</title>
        <link>https://video.ironsysadmin.com/videos/watch/39c22a2b-9e55-40dc-b153-e445fa050cab</link>
        <description>Welcome to Hot Takes and Cold Storage! This week: Microsoft snuck Copilot into your git commits (even with AI disabled), the Dutch government goes sovereign with Forgejo, US states are stepping up on privacy where the feds won't, a brilliant project turns your aging Google Home Mini into a local Home Assistant voice device, and CISA's contractor leaves the keys to the kingdom on a public GitHub repo for six months. Then we go deep on the TanStack supply chain worm — the first documented attack to ship with valid SLSA provenance certs. 170+ packages across npm and PyPI were compromised in a coordinated campaign. We break down how pull_request_target got exploited, what the worm actually did once inside, and why the community response is the real story.

Links:
Microsoft Copilot co-author controversy: https://www.msn.com/en-us/news/technology/microsoft-secretly-made-copilot-co-author-your-code-until-developers-revolted/ar-AA22CHBL
Dutch government self-hosts Forgejo: https://www.opensourceforu.com/2026/04/dutch-government-backs-forgejo-for-sovereign-open-source-github-alternative/
California AB 2561 &amp; state privacy law roundup: https://www.troutmanprivacy.com/2026/05/proposed-state-privacy-and-ai-law-update-may-18-2026/
Connecticut data broker registration: https://www.troutmanprivacy.com/2026/05/proposed-state-privacy-and-ai-law-update-may-11-2026/
MiciMike Google Home Mini replacement PCB: https://www.cnx-software.com/2026/04/29/micimike-open-source-drop-in-pcb-converts-google-home-mini-into-a-local-voice-assistant/
Back MiciMike on Crowd Supply: https://www.crowdsupply.com/micimike-rev-devices/micimike-home-mini-drop-in-pcb

Hot Takes and Cold Storage is a bi-weekly show from The Iron Sysadmin. We cover IT news, open source, privacy, and self-hosted tech through the lens of software freedom and individual technical self-reliance.

🌐 Website: ironsysadmin.com
📺 PeerTube: video.ironsysadmin.com
🎙️ Podcast: pods.ironsysadmin.com

0:00 Intro
0:34 Microsoft sneaks Copilot into your git commits
1:11 Dutch government self-hosts Forgejo for digital sovereignty
2:37 US state privacy laws: California AB 2561 &amp; Connecticut data brokers
4:05 MiciMike turns Google Home Mini into Home Assistant Voice
6:28 CISA contractor leaks credentials on public GitHub repo
8:16 Deep dive intro &amp; show updates
9:08 The TanStack supply chain worm — what happened
9:48 What is TanStack?
10:28 The attack: exploiting pull_request_target
11:52 How pull_request_target works (and why it's dangerous)
13:21 Cache poisoning and token extraction
14:11 The worm's payload: credential theft and self-propagation
15:55 Detection and response — 20 minutes to catch it
17:22 Takeaways: open source response done right
18:41 Outro</description>
        <lastBuildDate>Mon, 25 May 2026 01:01:03 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://video.ironsysadmin.com</generator>
        <image>
            <title>Microsoft Betrays Your Commits, CISA Leaks Everything, and the Worm That Beat Every Security Check</title>
            <url>https://video.ironsysadmin.com/client/assets/images/icons/icon-1500x1500.png</url>
            <link>https://video.ironsysadmin.com/videos/watch/39c22a2b-9e55-40dc-b153-e445fa050cab</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://video.ironsysadmin.com/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://video.ironsysadmin.com/feeds/video-comments.xml?videoId=39c22a2b-9e55-40dc-b153-e445fa050cab" rel="self" type="application/rss+xml"/>
    </channel>
</rss>