MalaGIS

Sharing GIS Technologies, Resources and News.

ArcGIS Pro 3.6 and Windows 10: Compatibility Discussion

The other day, while I was casually browsing the MalaGIS community chat, a friend, @Tiantian, suddenly asked me, "Does ArcGIS Pro 3.6 not support Windows 10 anymore?" The question gave me a fright. After all, many friends following MalaGIS should still be on Windows 10, some even on Windows 7. If there were such an issue, it should have surfaced earlier. However, when the friend later showed me the evidence, I couldn't be sure for a moment.

MinIO's Shift to Maintenance Mode and Its Impact on GIS Development

In the field of GIS development, on-premises deployment is an extremely common requirement, and MinIO is almost synonymous with private object storage. Whether storing hundreds of terabytes of remote sensing imagery or billions of loose map tiles, MinIO has consistently been the "cornerstone" of WebGIS architecture due to its simple deployment, excellent S3 compatibility, and the high performance of the Go language. However, just last week, the official MinIO GitHub repository announced an update to the project's status, moving it to maintenance mode and ceasing to accept new feature requests. The main changes are as follows:

  • The codebase is now in a maintenance-only state.
  • No new features, enhancements, or pull requests will be accepted.
  • Critical security fixes may be evaluated on a case-by-case basis.
  • Existing issues and pull requests will not be actively reviewed.
  • Community support will continue on a best-effort basis via Slack.
  • For enterprise support and actively maintained versions, please refer to MinIO AIStor.

To summarize the key point: if you wish to use a continually updated version of MinIO in the future, you must pay for the commercial version, MinIO AIStor. According to my research, the price is quite steep, requiring a subscription service. The annual fee is $96,000 to manage 400TB of data (a price point that is essentially unfeasible within the domestic GIS community in China).

Official Native QGIS 3.x for macOS M-Series Chips Now Available

In the previous article QGIS 4.0 Delayed: New Release Scheduled for February 2026, the editor introduced the latest progress on QGIS 4.0 development, noting that the originally planned QGIS 4.0 version has been postponed to February 2026. This is very disappointing news for many macOS users, especially those with M-series chips, as everyone has been waiting for the official native QGIS application for Mac M chips. Consequently, users will have to continue using the translated version of QGIS (which still works). However, there is good news: the official team has ported the Mac packaging method originally intended for QGIS 4.0 to the QGIS 3.x series. This means that an official native QGIS 3.x version for Mac M chips is now available. The editor checked today and confirmed that the official website has been updated. Users still on the Intel-translated version are highly recommended to upgrade immediately!

Critical React/Next.js Security Vulnerability: Urgent Alert for WebGIS Developers

It's Friday. Are you starting to slack off and prepare for the weekend? Hold on: just yesterday (December 3, 2025), the React team and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not just an ordinary bug, but a 'nuclear-level' vulnerability that allows unauthorized remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please investigate promptly. This vulnerability is extremely dangerous and could lead to further data leakage risks.

Vulnerability Details

Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)

Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.

Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.

Affected Versions:

  • React: 19.0.0 to 19.2.0
  • Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77

Pay Protest Pop-up in Chinese Open Source Cesium Project

This afternoon, while I was browsing the MalaGIS group, a user named @zheer discovered a pop-up demanding unpaid wages in an open-source Cesium examples project. This immediately piqued my interest, so I opened it to explore. The project summarizes common effects in Cesium development with over 200 demos, and also includes over 100 demos developed with ThreeJS. It's lamentable that such a talented developer had to resort to using an open-source project to plead for their wages, which is quite disheartening.

Open-source project address: https://jiawanlong.github.io/

TOON: A Lightweight GIS Data Format to Reduce Token Consumption in AI Interactions?

With AI technology evolving rapidly, we are constantly exploring ways to make AI process various types of data more efficiently. Currently, JSON is the most mainstream data format, but its redundancy leads to high token consumption when interacting with AI. To address this issue, a new data format called TOON has been designed to replace JSON in interactions with LLMs, reducing token consumption.

TOON GitHub: https://github.com/toon-format/toon

Demo Website: https://toonformat.dev/

Operation Triangulation: The NSA's Attack on China's National Time Service Center

Recently, a hot topic in the news is the accusation by China's National Security Agency that the United States breached China's National Time Service Center. I have read several news articles that generally introduce this event, but none mention the detailed process. Later, I found a detailed analysis in an official tweet by the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), titled "Technical Analysis Report on the Cyber Attack by the U.S. National Security Agency on the National Time Service Center". The content is very professional and provides detailed data, so experts can refer to this article.

I skimmed through it and found that although the introduction is detailed, the initial step of obtaining login credentials for the computer terminals is only briefly mentioned. How did the NSA obtain the login permissions for the computers at the Time Service Center? How was the first breach in the security defense opened?

Triangulation

According to the disclosure by CNCERT, the initial breach occurred between March 24, 2022, and April 11, 2023, when the NSA attacked and stole secrets from more than 10 devices at the Time Service Center through "Triangulation". In September 2022, the attacker obtained the login credentials for an office computer through a foreign-brand mobile phone used by a network administrator at the Time Service Center, and used these credentials to gain remote control of the office computer.

No further information was provided, so I searched for this Triangulation. This is not the triangulation in surveying, but rather a term first disclosed by the renowned Russian security firm Kaspersky. The original article is Operation Triangulation: The last (hardware) mystery. The core attack chain is shown in the figure below:

Security Breach Suspected at China's Major Domestic GIS Provider

Another major GIS company appears to have encountered security issues. The incident occurred on July 25th. While casually browsing the MalaGIS group chat, our editor noticed a member sharing a link with the caption "XX got hacked." Initially, the editor didn't pay much attention, assuming it was just another prank like the "Crazy Thursday send me 50" meme. About a week later, on August 2nd, the editor accidentally clicked that link and was surprised to discover that the website genuinely seemed to have been compromised.

Admittedly, the initial discovery was shocking—this is one of China's top-tier GIS companies after all. It highlights that security concerns should be a priority for organizations regardless of size; even the largest companies can have critical oversights.

Decade of Running Data Transformed into a Personal GIS Platform

As professionals in the GIS (Geographic Information System) field, we engage with geographical data, spatial analysis, and visualization technologies daily. Recently, I discovered an impressive website called "No Days Off" on HackerNews. Developed by friggeri using 10 years of daily running GPX files, this site functions as a sophisticated "personal running GIS system," showcasing remarkable professionalism and engagement. I'm fascinated by such innovative projects and would like to share its details.

QGIS 3.44 Released with Official Support for 3D Globe View!

QGIS 3.44 has now been officially released. I downloaded and tried it out immediately. For Windows users, QGIS 3.44 offers both a test version with Qt6 support ("Latest Version for Windows (3.44) with Qt6 (experimental)") and the standard 3.44 version ("Latest Version for Windows (3.44)").

Copyright © 2020-2026 MalaGIS