This Week In Security: Linux Flaws, Python Ownage, And A Botnet Shutdown

The ides of security March are upon us — Qualys reports the discovery by their threat research unit of vulnerabilities in the Linux AppArmor system used by SUSE, Debian, Ubuntu, and Kubernetes as an additional security mechanism and application firewall.

AppArmor was added to Linux in 2010. The vulnerabilities Qualys discovered have been present since 2017, and they allow unprivileged (non-root) local users to elevate privileges by executing arbitrary code in the kernel, gain root access, or perform a denial-of-service attack across the entire system by replacing all AppArmor behavior with “deny all” rules.

All Linux kernels since Linux 4.11 are vulnerable. If your Linux distribution enables AppArmor, and quite a few do, you’ll want to update as soon as fixes are available from your distribution maintainers. On systems with untrusted users, such as shared environments, VPS environments, and the like, this is even more critical and urgent. Even on single-user systems, vulnerabilities like these give other exploits, like the Python attack below, a mechanism to elevate their access and gain persistence.

At the time of writing, the full details of the AppArmor vulnerability are limited until the Linux Kernel team releases a stable version with the fixes for distribution maintainers. Qualys has published the technical write-up with the currently public information.

Python Projects Compromised

StepSecurity reports on a new campaign to infect Python projects on GitHub with complex malware that, once deployed, appears to be yet another crypto and login stealer.

The attacker first gains access to GitHub credentials via another info-stealing worm: the Glassworm stealer, which infects VSCode extensions, with over 35,000 downloads of infected extensions in October of 2025. Glassworm harvests NPM, GitHub, and OpenVSX credentials and sends them to a remote command and control (C2) server. It also harvests a wide range of cryptocurrency wallet extensions to steal crypto directly.

Google Unveils New Process For Installing Unverified Android Apps

It’s no secret that Google really doesn’t like it that people are installing Android applications from any source other than the Play Store. Last year they proposed locking everyone into their official software repository by requiring all apps to be signed by verified developers, an identity which would be checked against a Google-maintained list. After a lot of pushback, a so-called ‘advanced flow’ for installing even unsigned APKs was to be implemented, and we now know how this process is supposed to work.

Instead of the old ‘allow installing from unknown sources’ toggle, you are now going to have to dig deep into the Developer Options, tap the Allow Unverified Packages setting, and confirm that nobody is forcing you to do this. This starts a ‘security delay’ of twenty-four hours after you restart the device, following which you can finally enable the setting either temporarily or permanently. It would seem these measures are in place to make it more difficult for a scammer to coerce a user into installing a malicious app; whether or not that’s a realistic concern, we’re not sure.

When we last covered this issue, this ‘advanced flow’ had just been introduced as an appeasement option. In addition to this, a limited free developer account was also pitched, which now turns out to allow for only up to 20 device installations. If you want more than this, you have to pay the $25 fee and provide your government ID.

Although Google’s public pitch is still that this is ‘for user security’, it will also mean that third-party app stores are swept up in these changes, with developers who publish on these stores subject to the same verification rules. This means that Android users will have to learn quickly how to enable this new option as it will be rolled out to more countries over the coming months.

The reality is that scammers will simply work around this issue by buying up already verified developer accounts. At the same time, it’ll cripple third-party app stores and indie developers who had intended to distribute their Android app by simply providing an APK download.

A Candle-Powered Game Boy For Post-Apocalyptic Tetris

We’re not exactly worried about Armageddon here at Hackaday, but should we end up facing the end of the world as we know it, having something to pass the time would be nice. That’s why we were intrigued by [Janus Cycle]’s latest video where he both plays and powers a Game Boy by candlelight.

You’ve probably figured out the trick already: he’s using a Peltier module as a thermoelectric generator. Candles, after all, release a lot more energy as heat than light, and all that high-quality heat is just begging to be put to use somehow. It’s hardly a new idea; [Janus] references space-age radioisotope thermoelectric generators (RTGs) in the video, but back in the day the Soviets had a thermoelectric collar that fit around a kerosene lantern to power their tube radios.

In [Janus]’s case, he’s using a commercial module sandwiched between two heatsinks with the rather questionable choice of a cardboard box reinforced with wooden skewers to hold it over the candle. Sure, as long as the flame doesn’t touch the cardboard, it should be fine, but you will not be at all surprised to see the contraption catch fire in the video’s intro. For all that, he doesn’t get enough power for the Game Boy: one module gets him only 2 V with a tea light, but he has a second module and a second candle.

Doubling the energy more than doubles the fun, since a working Game Boy is way more than twice as fun as an un-powered one. But one candle should be more than enough power, so [Janus] goes back and optimizes his single-Peltier setup with a tall candle and actual thermal grease, and gets the Game Boy going again. Any fire marshals in the audience should look away, though, as he never gives up on keeping a candle in a cardboard box.

The “power something with a Peltier module” project is probably a rite of passage for electronics enthusiasts, but most are more likely to play with the irony of candle-powered LEDs, or fans to cool the cold-side heatsink. We did see a phone charger one time, and that didn’t even involve open flames, which seems much safer than this. Remember: no matter how much you want to game after the end of the world, it’s not worth burning down your fallout shelter.
