MalaGIS

Sharing GIS Technologies, Resources and News.

MinIO's Shift to Maintenance Mode and Its Impact on GIS Development

In the field of GIS development, on-premises deployment is an extremely common requirement, and MinIO is almost synonymous with private object storage. Whether storing hundreds of terabytes of remote sensing imagery or billions of loose map tiles, MinIO has consistently been the "cornerstone" of WebGIS architecture due to its simple deployment, excellent S3 compatibility, and the high performance of the Go language. However, just last week, the official MinIO GitHub repository announced an update to the project's status, moving it to maintenance mode and ceasing to accept new feature requests. The main changes are as follows:

  • The codebase is now in a maintenance-only state.
  • No new features, enhancements, or pull requests will be accepted.
  • Critical security fixes may be evaluated on a case-by-case basis.
  • Existing issues and pull requests will not be actively reviewed.
  • Community support will continue on a best-effort basis via Slack.
  • For enterprise support and actively maintained versions, please refer to MinIO AIStor.

To summarize the key point: if you wish to use a continually updated version of MinIO in the future, you must pay for the commercial version, MinIO AIStor. According to my research, the price is quite steep: it is sold as a subscription service, with an annual fee of $96,000 to manage 400TB of data (a price point that is essentially unfeasible within the domestic GIS community in China).


Critical React/Next.js Security Vulnerability: Urgent Alert for WebGIS Developers

It's Friday, are you starting to slack off and prepare for the weekend? Hold on, just yesterday (December 3, 2025), the React team and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not just an ordinary bug, but a 'nuclear-level' vulnerability that allows unauthenticated remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please investigate promptly. This vulnerability is extremely dangerous and could lead to further data leakage risks.

Vulnerability Details

Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)

Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.

Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.

Affected Versions:

  • React: 19.0.0 to 19.2.0
  • Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77


Preventing Sensitive Data Leaks with Gitleaks in GIS Projects

In the previous article 'Apple's Source Code Leak Incident: Key Takeaways for GIS Frontend Development', the author mentioned the Apple front-end source code 'leak' incident and highlighted several serious security risks in current front-end development. So, besides improving developers' skills, is there a more complete detection mechanism for these risks? If you are a team leader, how can you avoid these problems as much as possible? The author believes that, in addition to proper build configuration and production environment security hardening, a mechanism for continuously detecting sensitive information committed to the repository is needed, and Gitleaks is such a tool.

What is Gitleaks?

Gitleaks is an open-source tool that can scan Git repositories (including commit history) or directories/files to detect hardcoded sensitive information, such as passwords, API keys, tokens, credentials, etc. It supports multiple scanning modes (e.g., git mode, dir mode, stdin mode) as well as custom rules, ignore rules, baseline reports, etc. Its installation methods are flexible: it supports Homebrew (Mac), Docker images, Go source builds, etc. The community is active, with nearly 24k stars on GitHub, and it is widely adopted.

In short: if your project may have sensitive credentials, tokens, or keys (especially in front-end, back-end, DevOps, CI/CD processes) accidentally submitted or left in history, Gitleaks is a tool that significantly adds assurance.


Apple's Source Code Leak Incident: Key Takeaways for GIS Frontend Development

Recently, a hot topic has been the Apple source code leak incident. Due to negligence by a developer, Apple failed to disable the sourcemap functionality in the production environment during the deployment of the App Store web version, leading to the exposure of the complete frontend code. This incident quickly sparked heated discussions within the tech community. Although only frontend logic code was leaked, containing no user data or security vulnerabilities, it served as a wake-up call for the frontend development field. The author takes this opportunity to discuss some lessons that can be learned for GIS frontend development.


Operation Triangulation: The NSA's Attack on China's National Time Service Center

Recently, a hot topic in the news is the accusation by China's National Security Agency that the United States breached China's National Time Service Center. I have read several news articles that generally introduce this event, but none mention the detailed process. Later, I found a detailed analysis in an official tweet by the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), titled "Technical Analysis Report on the Cyber Attack by the U.S. National Security Agency on the National Time Service Center". The content is very professional and provides detailed data, so experts can refer to this article.

I skimmed through it and found that although the introduction is detailed, the initial step of obtaining login credentials for the computer terminals is only briefly mentioned. How did the NSA obtain the login permissions for the computers at the Time Service Center? How was the first breach in the security defense opened?

Triangulation

According to the disclosure by CNCERT, the initial breach occurred between March 24, 2022, and April 11, 2023, when the NSA attacked and stole secrets from more than 10 devices at the Time Service Center through "Triangulation". In September 2022, the attacker obtained the login credentials for an office computer through a foreign-brand mobile phone used by a network administrator at the Time Service Center, and used these credentials to gain remote control of the office computer.

No further information was provided, so I searched for this Triangulation. This is not the triangulation in surveying, but rather a term first disclosed by the renowned Russian security firm Kaspersky. The original article is Operation Triangulation: The last (hardware) mystery. The core attack chain is shown in the figure below:


Security and Compliance Considerations for Using QGIS in the China Region

Following recent announcements from the Ministry of State Security and the service suspension of ArcGIS Pro basemaps, many users have suggested switching to QGIS. However, does using QGIS truly ensure security and compliance? After several days of research, this article attempts to explore this issue and welcomes further discussion.


Security Breach Suspected at China's Major Domestic GIS Provider

Another major GIS company appears to have encountered security issues. The incident occurred on July 25th. While casually browsing the Spicy GIS group chat, our editor noticed a member sharing a link with the caption "XX got hacked." Initially, the editor didn't pay much attention, assuming it was just another prank like the "Crazy Thursday send me 50" meme. About a week later, on August 2nd, the editor accidentally clicked that link and was surprised to discover that the website genuinely seemed to have been compromised.

Admittedly, the initial discovery was shocking—this is one of China's top-tier GIS companies after all. It highlights that security concerns should be a priority for organizations regardless of size; even the largest companies can have critical oversights.


Domain Security Alert: How a GIS Company's Website Became Vulnerable

A colleague recently asked me about a well-known domestic GIS company. Having no direct experience, I inquired in the MalaGIS discussion group. While initial conversations focused on company benefits and salaries, someone discovered an unexpected issue when visiting the company's official website: a certain link led to inappropriate content.

Note: Screenshots would normally be included but cannot be shown for compliance reasons.

As a technical writer, I believe such issues deserve deeper analysis beyond mere observation.


Copyright © 2020-2025 MalaGIS. Driven by Typecho & Lingonberry.
