We are seeing an increased number of account signups on our #Mastodon instance. They are fake and very likely to be a part of the Russian LLM-backed campaign.

The reason for joining tends to be very broad and vague:

I'm looking to join a friendly Mastodon community and participate in discussions.

The email addresses used in these signups are valid (as they are able to verify it), but seem to be automatically generated.

The IP addresses they use either stem from a VPN, Tor exit node or a compromised webhosting thing (we do not log IP addresses - except during the registration, which is deleted once an account is approved or denied).

One positive consequence: this is really helpful to maintain our blocklist These bots end up being blocked by our pf(4) across the infrastructure.

#MastoAdmin

Hmm, the automated spambots are very, very active suddenly. #MastoAdmin

Alt...

List of account request with random usernames and templated responses

Mementomori.social is now on Mastodon v4.6.0-alpha.8+mementomods-2026-05-26 with Mastodon Bird UI nightly.

Two upstream regressions from the recent server reducer TypeScript refactor are fixed in this round:

- Translate button is back on foreign-language posts
- Polls and media upload limits respect server settings again

Plus a fresh accessibility pass from upstream (landmark regions across the Web UI, post focus order, screen-reader fixes for the new collections UI).

Small Bird UI tweak: Notifications now sits in the second slot of the side menu, right after Home, like before.

If anything else seems off, ping me or the admins. Because we run nightly, sometimes patches like these are necessary. We love to test in live.

As always, thank you @cadusilva for pinging me about bugs and UI updates; much appreciated.

#MementoMoriSocial #Mastodon #MastoAdmin

RE: https://infosec.exchange/@cyberseckyle/116641588574197964

It should be noted that this "Megalodon" has nothing to do with the Fediverse API project or the old pink Megalodon Fediverse App.

"On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a C2 server at 216.126.225.129:8443." #Mastodon #MastoAdmin #Megalodon #Github
https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories

toot.io relay service boosted

Kyle Reddoch (CybersecKyle) » 🌐 2026-05-26
@cyberseckyle@infosec.exchange

GitHub Actions abused by Megalodon attack to slip malicious commits into 5,500 repos https://www.csoonline.com/article/4177124/github-actions-abused-by-megalodon-attack-to-slip-malicious-commits-into-5500-repos.html

#cybersecurity #github

#mastoadmin #mastodon

Can data centers look into mastadon website and siphon information from it?

Should federated servers block AI scrapers?

#mastodon #mastoAdmin #fediverse

Does your instance have a federation policy related to AI?

#fediAdmin #mastoAdmin

Your server will be safer if your admin activates a feature called "Authorized Fetch" (also known as "Secure Mode"). It helps protect your server's members from abusive servers by making defederation more effective.

There's lots more info about it in this guide, including instructions on how your server admin can activate it:

➡️ https://fedi.tips/authorized-fetch

(The guide also links to technical details of Authorized Fetch for those who are interested.)

#FediTips #Mastodon #MastoAdmin

My wife just made her first contribution to our Mastodon fork. It's totally vibe-coded, but I'm still proud of her, because takes some understanding to give proper instructions for the issue, and it turned out to be an actual regression with a proper fix. @mustikkasoppa

https://github.com/mementomori-social/mastodon/issues/2
https://github.com/mementomori-social/mastodon/pull/3

#MementoMoriSocial #Mastodon #MastoAdmin

We currently have 913 users, 408 active users (with at least one request, login, post, or reaction within the last 24 hours), 385189 posts, and we federate with 43301 domains.

#MementoMoriSocial #MastoAdmin #Stats #Mastodon

We've successfully upgraded our Mastodon server to v4.6.0-alpha.8+mementomods-2026-05-24, along with Mastodon Bird UI 4.0.0-alpha.8.rc2.

This update includes today's latest daily build with 158 new commits from upstream since mementomods-2026-05-02.

What's new in Mastodon core - These are the changes Mastodon Team have introduced us in the latest nightly version we are running:

✨️ New features

- Collections keep maturing - add an account to a collection straight from its profile, choose how accounts are sorted in a collection, language added to the collection payload, partial accounts in the collections endpoint, plus batch actions and reporting for collections in the moderation tools
- Profile redesign polish - account header banners refactored, better link colors in bio, display name overflow handling, improved number fields layout and spacing
- Big accessibility pass - list semantics and landmark regions across the main navigation, footer, settings and login/sign-up pages, visible focus outlines on search and composer fields, and selected-state cues on the follows/followers filters
- Admin: manage email subscriptions from the admin UI, search email blocks by domain
- API: retrieve both resolved and unresolved reports, allow the HTML lang attribute on remote posts
- Search results page keeps the search field and tabs sticky

🔧 Fixes & improvements

- Custom emoji selection and the emoji picker rendering when there are no custom emojis
- Several collection bugs - crashes rendering remote posts with a collection card, notification URLs, item position updates, "New collection" link showing on other people's profiles
- Profile fields not showing links, bio line spacing with and without paragraph tags, account header banner grayscale
- Remote posts with large media descriptions no longer rejected
- Text overflow in the list item component
- Unblocking a domain now updates the blocked-domains list
- Role management can require 2FA for all users
- nan-tw added to supported locales

📦 Dependency updates

- Vite 8.0.13, TypeScript 6.0.3, Sidekiq 8.1.5, Devise 5.0.4 (security), axios 1.16.1, FFmpeg 8.1.1, aws-sdk bumps, and dozens of smaller updates

🐦‍⬛ Ours: Mastodon Bird UI 4.0.0-alpha.8.rc2 (nightly)

- Adapt profile styles to the new account_header module classes after upstream renamed (#38863) and removed (#38920) the old profile classes - avatar size and position, role badges, "Follows you" badge, tabs and buttons all restored
- Restore the navigation menu order after upstream wrapped the items in list elements (#39145): Lists and Followed tags at the bottom, More as the last item
- Hide the navigation separators that replaced the old hr elements
- Restore even profile tab distribution at all widths
- Fix familiar followers spacing when no role badges are present
- Video previews behind a content warning use object-fit cover so portrait videos no longer letterbox

🔧 Ours: Mementomori.social Mastodon fork fixes

- Merged the latest upstream into our fork and resolved the conflicts, keeping all our customizations
- Re-synced the vendored Mastodon Bird UI to 4.0.0-alpha.8.rc2

Source code: https://github.com/mementomori-social/mastodon
Mastodon Bird UI release: https://github.com/rollecode/mastodon-bird-ui/releases/tag/4.0.0-alpha.8.rc2

As always, if you notice anything unusual or buggy, please reach out to me or any of the admins. Enjoy your time here, and feel free to message me with any questions or thoughts.

If anything feels off, please let us know!

#MementoMoriSocial #Mastodon #MastoAdmin #BirdUI #MastodonBirdUI

Tonight's Mastodon upgrade took a bit longer, because they're making a lot of structural changes and needed to update the nightly theme. I eventually got it right.

#MastoAdmin #Mastodon

These Facebook and RIPE IP ranges are spamming all of my services and have been blocked at the firewall.

Almost exclusively hitting /auth/sign_up infinitely.

57.0.0.0/8
173.252.64.0/18
69.63.176.0/20
69.171.224.0/19

#mastoadmin

After 1,300 days (3 years 6 months give or take) running my own Mastodon server in my basement, the lesson is, you can run your own Mastodon server in your basement.

It basically just works. You learn how to do the maintenance and then it’s not so bad. No one has trouble finding you. Your posts can still go viral (but only if you’re cool, which I am not, but it has happened accidentally once as a PoC).

Federation works!

So yeah, continuing on in a boring fashion with my homegrown social media.

#mastodon #mastoadmin #SoloInstance #homelab #selfhosted

Been working in mobile support and light mode for #FediAlgo this week. Really enjoying using it on my phone now.

Hoping to get PRs accepted, but in the meantime you can check out a test version here:

https://fedialgo.thms.uk

What do you think?

#mastoadmin

Updated the burningboard.net Mastodon server to FreeBSD 15.0-RELEASE-p9. There were quite some vulnerabilities among the latest patches ... ptrace, file, fusefs, bsdinstall, cap_net, secretd...

#itsecurity #freebsd #mastoadmin

RE: https://masto.ai/@Nonilex/116612907554964438

#MastoAdmin #MastoMods community should be on the alert for hijacked accounts. We have observed some signals of dormant accounts suddenly being used in the past two or three weeks.

Nonilex » 🌐 2026-05-21
@Nonilex@masto.ai

Gee, ya don’t say …

#Bluesky Says #Kremlin Is Hacking Its Platform to Spread #Propaganda

The company said it was fighting Russian efforts to hijack real #users’ accounts to post fake #content, an apparently novel tactic.

#MediaLiteracy #disinformation #misinformation #Russia #RussianPropaganda #tech #SocialMedia
https://www.nytimes.com/2026/05/21/business/bluesky-russia-hacking-accounts.html?smid=nytcore-ios-share