This Week In Security: Arch AUR, Steam Marketplace, WordPress All Face Issues, Taco-Themed Coding, And Mythos Makes National News

Starting on June 11, 2026, the Arch User Repository (AUR) was targeted by malware which rapidly compromised over 1,500 packages. The AUR repository allows for abandoned community packages to be taken over by a new maintainer, which was exploited by the attackers to claim ownership.

Once the packages were adopted by the malicious maintainers, the next part should sound familiar: The package build scripts, which are executed by the Arch yay and paru package managers, were modified to install malicious NPM packages (atomic-lockfile and js-digest), each containing the now-usual suite of infostealer malware targeting browser credentials and tokens, SSH private keys, package repository tokens, cloud compute, AI tokens, and crypto wallets.

Once installed, the malware uses several tricks to cloak itself: it renames processes, installs systemd services to restart itself, and leverages eBPF filtering in the kernel to further hide its sockets and processes. It specifically targets browsers and Electron-based applications, which are basically a light-weight Chromium browser disguised as an application anyway. Slack, Discord, Signal, and many more use the Electron wrapper.

A preliminary analysis of the malware is available, which breaks down the exact behavior in more detail and lists the known targets of the malware.

Initially believed to be “only” a few hundred packages, the compromised list eventually grew to over 1,500, and additional packages may still be discovered. On June 14, Phoronix reported that a second wave of compromised packages had been found in the AUR repositories, including NeoVim plugins and multiple browsers. The second set of infected packages was compromised in a similar fashion, but with more heavily obfuscated scripts.
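A quick triage for the build-script vector described above, as an added example rather than anything from the linked analysis: it walks a directory of cloned AUR packages and flags PKGBUILD and `.install` files that mention the two npm package names reported here. The function name and the clone directory in the closing comment are assumptions, and a plain-text match like this will not catch the more heavily obfuscated second-wave scripts.

```shell
#!/bin/sh
# Added example: triage cloned AUR packages for the npm package names the article reports.

# Indicators taken from the article text; extend as further names are published.
IOC_RE='(^|[^A-Za-z0-9_-])(atomic-lockfile|js-digest)($|[^A-Za-z0-9_-])'
# Weak signal: a build script that pulls named packages from npm at build time.
NPM_RE='(^|[^A-Za-z0-9_-])((npm|pnpm|yarn)[[:space:]]+(install|i|add)|npx)[[:space:]]'

# scan_aur_tree DIR  (hypothetical helper name)
# Prints "IOC <file>" or "REVIEW <file>" per build file; returns 1 if any IOC matched.
scan_aur_tree() (
    hits=0
    # PKGBUILD and *.install files hold the shell code an AUR helper runs.
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        if grep -Eq -- "$IOC_RE" "$file"; then
            printf 'IOC %s\n' "$file"
            hits=$((hits + 1))
        elif grep -Eq -- "$NPM_RE" "$file"; then
            # Legitimate Node packages do this too, so read the script by hand.
            printf 'REVIEW %s\n' "$file"
        fi
    done <<EOF
$(find "$1" -type f \( -name PKGBUILD -o -name '*.install' \) | sort)
EOF
    [ "$hits" -eq 0 ]
)

# Example invocation over a helper's clone directory (path is an assumption):
#   scan_aur_tree "$HOME/.cache/yay"
```

An `IOC` line means the build file names one of the reported packages; a `REVIEW` line only means the script installs something from npm and deserves a manual read.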

Steam Wallpaper Malware

Kaspersky Labs finds that Steam users have been targeted by malware uploaded via a popular animated wallpaper application, “Wallpaper Engine”.

While Valve normally does an admirable job filtering the Steam store, it looks like an exploit has slipped through in “Wallpaper Engine”. Animated wallpapers can be videos, web pages, or full executables themselves. Obviously, being able to run any program masquerading as wallpaper directly is an excellent vector to install malware, so of course this is what happened.

Using the integrated Steam Workshop, which allows users to share game mods and other game content directly, malicious wallpapers install a wide variety of malware including the usual gamut of infostealers, remote access, residential proxy, key logging, and crypto miners. This makes it one of the rare times installing crypto miners almost makes sense, considering most Steam users likely have better than average video cards.

Once a user is infected, the malware also steals the current Steam login credentials, and several instances attempt to then upload additional infected wallpapers to the Steam Workshop under the compromised user’s identity, completing the supply chain circle of life.


Come With Me If You Want To Weed: Autonomous Weedinator Robot Back For 2026

The WEEDINATOR agricultural robot is one of the longer-running projects we’ve featured here on Hackaday. We first featured it way back in 2017 for that year’s Hackaday Prize, and after nearly a decade of work on-and-off it has hit a very important milestone: it is now an effective horticultural instrument, as you can see in the latest demo video below.

There have been some big changes over the years. For one, the scope of the project narrowed considerably with the adoption of a commercial tractor as the base, specifically an Iseki 321. They picked the Iseki after examining several competitors, and it won out because its hydrostatic drive was best able to handle the very low speeds desired. It looks like they’re now focused on cultivation — that is, tearing out weeds mechanically — rather than the flame weeder they started with. The cultivators are of the claw type, and have three claws powered via the tractor’s hydraulics for control in all three axes: X, Y and Z. Of course the project now leverages modern computer vision toolsets, using a combination of OpenCV and YOLO26n running on a Jetson Nano board. The robotics half of the equation is handled on an STM32 Nucleo.

Aside from being one of our longer-running submissions, we have to call out the team for being one of the very few — perhaps the only — to go to the effort of creating a theme song for their project. If you’ve only got a minute to see the robot run, you might as well look at the second video embedded below and give a listen.

While WEEDINATOR has got the most persistence, they’re not the only ones in the garden robot game. We’ve seen projects using everything from concentrated sunlight to precision-applied herbicides to clear unwanted plants over the years.


Running Modern Linux On A 68008

Linux developers have been trimming the fluff in recent years, removing support for older processors that hardly anyone uses with a modern kernel anymore. With that said, it’s possible to run the latest kernel on some truly old metal. As a case in point, [Colin Maykish] just got it going on a Motorola 68008!

The rig in question is a Mackerel-68k—a homebrew single-board computer built around Motorola’s famous 68000 CPU line. This version in particular is running a 68008 rated at 8 MHz, though it’s overclocked to 14 MHz for a little more pep, and has just 3.5 MB of RAM. Despite these limitations, the board can run the mainline v7.1-rc6 kernel, booting into userspace and providing a very minimalistic BusyBox shell. Booting is slow, and doing much more than that is impossible without running out of RAM, but it’s an impressive feat nonetheless. [Colin] has also had the 68010 and 68030 chips running the kernel.

We’ve previously discussed efforts to bring Linux into the future while leaving old chips behind. Video after the break.


Running Windows NT On The Nintendo Gamecube

The Nintendo GameCube is known for playing the best version of Smash Bros. and its vaguely rectangular aesthetic. It’s not particularly known for running a workstation OS from the mid-1990s. However, with a little work, your diminutive purple console could also boot up Windows NT if you really wanted it to.

You’ll want a controller that looks *like* this, but not this exact model—because [Jiga Tech] couldn’t get this keyboard controller to work with the ported version of Windows NT.

This is fundamentally possible because, once upon a time, Microsoft built a PowerPC version of Windows NT. The work to make it compatible with the GameCube was performed by a group of contributors—[Rairii], [NTx86], and [stonedDiscord]—with the resulting port made available on GitHub. It won’t just run on the GameCube, either. You can also boot it on the Wii, and within the Wii-U’s vWii mode, as well.

If you’re interested in seeing what this looks like, there’s a great video from [Jiga Tech] on YouTube that outlines the install process. Just note that the GameCube never really came with a proper keyboard. If you want textual input, you’ll have to fuss with a range of controller-entry methods, or get one of the rare GameCube controllers that had an entire keyboard in the middle. We’re not even kidding, they did exist.

If you’re still obsessed with this generation of consoles, consider trying to order pizza from your Sega Dreamcast. Video after the break.


Easily Reuse 3D Printing Photopolymers With Depolymerizable Resin

Generally the idea with photopolymers as used with resin 3D printing is that the process only works in a single direction as with all thermosets: after polymerization under influence of UV light they become an inert lump of plastic. Being able to turn these lumps back into resin would of course be ideal, as it would make recycling incredibly easy. Here depolymerizable resin turns out to be a thing, with 3Dresyns being one company that sells additives and resin which enable this (found via Fabbaloo).

Irreversible (thermoset), partial and full depolymerization. (Credit: Machado et al., Nature, 2024)

These additives and resins come in essentially two flavors based on which temperature they depolymerize at, which can be at either 80°C or 150°C. This comes at a cost, of course, with the ready-to-use resin coming in at an eyewatering €833.00 for a 1 kg bottle, a factor only slightly helped by the reusability aspect.

From a more technical perspective this depolymerization feature is fascinating, as it addresses the one aspect of thermosets (like SLA and epoxy resins) that thermoplastics have as an advantage, especially from a recycling view. This type of circular photopolymer appears to be quite novel, with an article by [Machado] et al. from 2024 claiming to have demonstrated the first resin that can be photopolymerized, depolymerized and subsequently again photopolymerized in a closed loop.

In the demonstration by [Machado] et al. the depolymerization is achieved using dynamic disulfide bonds, with the pulverized printed samples put into a 2-methyl-tetrahydrofuran (MeTHF) solvent. After heating at 80°C for 3 hours with an inert atmosphere, most of the photopolymerized material had returned to its original, pre-printing state. In a more recent 2025 study by [Bo Yang] et al. an approach using catalytic thermal dissociation of dithioacetal bonds was explored.

Based on the available information from 3Dresyns it would seem that their product is closer to this latter approach, with depolymerization requiring putting the part into an oven at the target temperature for up to an hour, presumably in some kind of suitable container. This is said to target elements like sacrificial molds, reusable tooling and jigs that would otherwise be discarded, or need to melt like a thermoplastic instead of acting like a thermoset. Whether a solvent like MeTHF is required as in the two cited studies is sadly unclear based on a quick scan of the site.

Thanks to [SpillsDirt] for the tip.

Building A Panel Mount OLED Display

There are a million and one cheap OLED display modules out there. The only problem is, they’re all assembled on bare PCBs with slight differences, and that frustrates efforts to mount them in a clean and tidy manner. [Galopago] decided to build a small OLED module that solved this frustrating problem.

The idea to pursue this came from off-the-shelf panel displays commonly used for power supply builds and other such equipment. These come in relatively standard sizes and are designed from the outset to slot neatly into a panel with a bezel that covers any ugly edges or awkward gaps.

The build began with a 48 x 29 mm enclosure grabbed from an off-the-shelf power panel meter. There are two PCBs—one holding the regulator and other equipment to run the display, the other carrying a set of screw terminals that make it easy to wire up the display to a piece of equipment. The SSD1306-compatible OLED screen itself connects to the first board with a flat flex cable, as is the norm.

If you find yourself often wanting to pop a small display into a piece of custom test equipment, this might be relevant to your interests. Files are on GitHub for the curious.

We’ve featured some other fun OLED hacks over the years, like this interesting effort to whip up displays from scratch in a home lab. If you’ve got nifty usability hacks of your own in the works, don’t hesitate to let us know.

Battery Tester Gets An App Upgrade

Do you have a ZKETECH EBC-A20 battery tester? Perhaps you don’t like the default software used to control the device. In that case, you might like the alternative whipped up by [Kazhuu].

A reverse-engineering effort targeted at the EBC-A20 served as the basis for the work. The battery tester is ultimately controlled by a simple serial interface, running at 9600 bps, 8 bits, with odd parity. Armed with a relatively complete understanding of the commands used to control the device, [Kazhuu] was able to whip up a simple web app to control the device instead, using WebUSB to access the device over a USB-to-serial converter, though a desktop version for Linux and Windows is also available. If you’ve got one of these battery testers sitting on your bench, using the app is as simple as pointing your browser here with the device plugged in via USB. Then you can run basic load tests on battery cells and graph the results right on your computer without having to deal with the proprietary software.

Of course, if you don’t like the EBC-A20 battery tester, you could always build your own. If you’re whipping up your own test hardware on the lab bench, don’t hesitate to notify us on the tipsline.