2026-04-04 03:28:36
Jason Snell:
Last December I complained that Apple was withholding iOS 18 security updates from iPhones capable of running iOS 26, leaving users who didn’t want to upgrade to Apple’s latest OS version yet in some security peril.
Well, I have good news and bad news. The good news: As of Wednesday April 1, Apple is pushing out iOS 18.7.7 to all devices running iOS 18. This update, released last month for devices that were not capable of running iOS 26, is now available even for compatible devices. If you’ve got auto-update turned on but have not gone through the steps to do a full upgrade to iOS 26, this update can be automatically pushed and applied. This is good news, as those who have opted not to run iOS 26 will get to take advantage of several sets of security releases.
Now the bad news: This is happening because of some really bad security breaches like DarkSword and Coruna.
It feels a bit spiteful that Apple doesn’t support staying a year behind the major version of iOS like they do — thankfully — with MacOS. The vast majority of iPhone and iPad users just do what Apple encourages — they accept the default setting to auto-update when Apple pushes updates to their devices. People who update manually do so by choice, and if that choice is offered, it ought to be supported.
That said, after buying an iPhone 17 Pro, I left my year-and-a-half-old iPhone 16 Pro on iOS 18, so I updated that phone to 18.7.7 the other day when this became available. I’ve kept that phone on the old OS mostly for comparing what’s changed in iOS 26. I took this opportunity to switch back to that phone, full-time, for two days. It was, to be honest, no big deal. For all the consternation over “Liquid Glass” overall, on iPhone, nothing really sticks out to me switching from iOS 26 back to iOS 18, or vice-versa. iOS 26 just feels visually tweaked, not radically changed.
I like iOS 26 just fine, but I also still like iOS 18, and the differences just don’t seem that significant. For me at least, it’s nothing like switching between MacOS 15 Sequoia and 26 Tahoe. iOS 26 makes some highly opinionated choices, but it feels like it was thoughtfully designed by people who know and love the core longstanding idioms of iOS. MacOS 26 Tahoe feels like it was carelessly designed by people who’ve never used a Mac and wish it would just go away.
See also: Michael Tsai’s roundup.
2026-04-04 02:20:04
John Voorhees, at MacStories:
It’s a new month and you know what that means: time for a roundup of everything coming to Apple TV and Apple Arcade for April 2026.
What’s still not coming: Jessica Chastain’s political thriller The Savant, originally set for September, but rescheduled for “at a later date” out of cowardice.
Apple’s “at a later date” is looking more and more like Trump’s “in two weeks”.
2026-04-03 04:12:07
John Buck at The Verge (gift link), excerpted from his great book, Inventing the Future:
Steve Perlman: Almost everyone at Apple, and definitely everywhere else, assumed that multimedia would always require specialized hardware — and be expensive. A few of us thought otherwise.
One of the few was Gavin Miller, a research scientist in Apple’s Graphics Group, who worked with Hoffert to crack the problem of software compression and decompression, otherwise known as codec.
Gavin Miller, research scientist: We went for a lunchtime walk, and by the end of it, we had generalized the model to include constant color blocks and 2-bit per-pixel interpolating blocks. This allowed us to trade off quantization artifacts in large flat areas for more detail in textured areas. The result was an increase in quality and performance that helped to make the codec practical for really small video sizes.
Just a typical lunchtime walk-and-talk.
Fun anecdote from 1990:
He asked Peppel to create a product plan that he could announce at Apple’s Worldwide Developers Conference on May 7th. That day, Casey took to the stage and announced QuickTime to a stunned audience, saying, “Apple intends to develop real-time software compression/decompression technology that will run on today’s modular Macintosh systems. A system-wide time coding to allow synchronization of sound, animation, and other time-critical processes.”
Casey explained that Apple’s new multimedia architecture would be delivered by the end of the year. He did not say that QuickTime had no budget, staff, or offices.
Worthington: We were dumbfounded.
Konstantin Othmer, QuickDraw engineer: I was standing next to Bruce Leak, and asked him, “What the heck was that?” He said he had no idea.
QuickTime actually shipped by WWDC 1991, teaching Apple the important lesson that anything they announce at WWDC, no matter how premature, will ship as promised.
2026-04-03 03:37:10
Great roundup of links from Stephen Hackett:
The crew is made up of Reid Wiseman, Victor Glover, Christina Koch, and CSA (Canadian Space Agency) astronaut Jeremy Hansen. They are now on their way to the moon, set to return in 10 days. Their rocket may be the product of a hugely-flawed program, but right now, that doesn’t matter. They are getting us closer to returning to the lunar surface than we’ve been in 50 years. That’s worth celebrating.
2026-04-03 02:58:50
Katie Deighton, reporting for The Wall Street Journal (main link is a gift link; also on News+):
OpenAI bought TBPN to encourage constructive conversation around the changes AI creates by helping the show grow, according to a memo sent by Fidji Simo, OpenAI’s CEO of applications. TBPN will report to Chris Lehane, OpenAI’s chief global affairs officer, and will help with company communications and marketing outside of the show.
“They’ve helped many brands market online and because they have a strong pulse on where the industry is going, their comms and marketing ideas have really impressed me,” Simo wrote in the memo.
But TBPN will remain editorially independent, retaining control over its programming, editorial decisions, guest selection and production schedule, OpenAI said.
Yes, I’m sure they’ll remain totally independent. You know, like The Washington Post under Jeff Bezos, and CBS News under David Ellison. Many news and commentary publications have remained steadfastly independent while reporting to the head of PR for a company they ostensibly cover.
2026-04-03 02:42:39
StepSecurity:
If you have installed [email protected] or [email protected], assume your system is compromised.
There are zero lines of malicious code inside axios itself, and that’s exactly what makes this attack so dangerous. Both poisoned releases inject a fake dependency, [email protected], a package never imported anywhere in the axios source, whose sole purpose is to run a postinstall script that deploys a cross-platform remote access trojan. The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy. A developer who inspects their node_modules folder after the fact will find no indication anything went wrong.
This was not opportunistic. It was precision. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker’s server before npm had even finished resolving dependencies. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
Could be my bigotry against JavaScript speaking, but I find it unsurprising that this happened to the same framework that this and this happened to.
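The pattern StepSecurity describes, a declared dependency that the package's own source never imports and that carries an install script, can be checked for mechanically. The sketch below is an added example, not code from StepSecurity, axios or this site; it assumes an npm lockfile in the version 2 or 3 layout (where `hasInstallScript` is recorded per package), and every package name and file in it is constructed sample data.

```javascript
// Added example. All package names and file contents are constructed sample data.
// Returns the bare package names a source file pulls in via require()/import.
function importedModules(sourceText) {
  const found = new Set();
  const patterns = [
    /require\(\s*['"]([^'"]+)['"]\s*\)/g,   // require('pkg')
    /from\s+['"]([^'"]+)['"]/g,             // import x from 'pkg'
    /import\s*\(?\s*['"]([^'"]+)['"]/g,     // import 'pkg' and import('pkg')
  ];
  for (const re of patterns) {
    for (const m of sourceText.matchAll(re)) {
      const spec = m[1];
      if (spec.startsWith('.') || spec.startsWith('/')) continue; // local file
      const parts = spec.split('/'); // "pkg/sub" or "@scope/pkg/sub" -> name
      found.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
    }
  }
  return found;
}

// Flags every declared dependency that is never imported or that carries an
// install script; both together is the pattern described in the quote.
function auditDependencies(manifest, lock, sources) {
  const used = new Set();
  for (const text of Object.values(sources)) {
    for (const name of importedModules(text)) used.add(name);
  }
  const findings = [];
  for (const name of Object.keys(manifest.dependencies || {})) {
    const entry = (lock.packages || {})['node_modules/' + name] || {};
    const hasInstallScript = entry.hasInstallScript === true;
    const imported = used.has(name);
    if (imported && !hasInstallScript) continue;
    const severity = !imported && hasInstallScript ? 'high' : 'review';
    findings.push({ name, version: entry.version || null, imported, hasInstallScript, severity });
  }
  return findings;
}

// Constructed inputs: a manifest, a lockfileVersion 3 excerpt, one source file.
const SAMPLE_MANIFEST = { dependencies: { 'sample-redirects': '^1.0.0', 'sample-crypto-helper': '^4.2.1' } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/sample-redirects': { version: '1.0.3' },
  'node_modules/sample-crypto-helper': { version: '4.2.1', hasInstallScript: true },
} };
const SAMPLE_SOURCES = { 'lib/http.js': "const follow = require('sample-redirects');\nmodule.exports = follow;" };
console.log(auditDependencies(SAMPLE_MANIFEST, SAMPLE_LOCK, SAMPLE_SOURCES));
```

The check reads the lockfile and source text only, so it can run before anything is installed; installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as `postinstall` from running while a flagged entry is reviewed.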