This Week In Security: The Shai-Hulud Worm, ShadowLeak, And Inside The Great Firewall

Hardly a week goes by that there isn’t a story to cover about malware getting published to a repository. Last week it was millions of downloads on NPM, but this week it’s something much more concerning. Malware published on NPM is now looking for NPM tokens, and propagating to other NPM packages when found. Yes, it’s a worm, jumping from one NPM package to another, via installs on developer machines.

It does other things too, like grabbing all the secrets it can find when installed on a machine. If the compromised machine has access to a GitHub account, a new repo is created named Shai-Hulud, borrowed from the name of the sandworms from Dune. The collected secrets and machine info get uploaded there, and a workflow also uploads any available GitHub secrets to the webhook.site domain.

How many packages are we talking about? At least 187, with some reports of over 500 packages compromised. The immediate attack has been contained, as NPM has worked to remove the compromised packages, and apparently has added filtering code that blocks the upload of compromised packages.

So far there hasn’t been an official statement on the worm from NPM or its parent companies, GitHub or Microsoft. Malicious packages uploaded to NPM are definitely nothing new. But this is the first time we’ve seen a worm that specializes in NPM packages. It’s not a good step for the trustworthiness of NPM or the direct package distribution model.


The Inside Story Of The UK’s Great CB Petrol Scam

Looking at gasoline prices today, it’s hard to believe that there was a time when 75 cents a gallon seemed outrageous. But that’s the way it was in the 70s, and when it tripped over a dollar, things got pretty dicey. Fuel theft was rampant, both from car fuel tanks — remember lockable gas caps? — and even from gas stations, where drive-offs became common, and unscrupulous employees found ways to trick the system into dispensing free gas.

But one method of fuel theft that escaped our attention was the use of CB radios to spoof petrol pumps, which [Ringway Manchester] details in his new video. The scam happened in the early 80s, only a few years after CB became legal in the UK but quite a while since illegal use had exploded. The trick involved a CB transceiver equipped with a so-called “burner,” a high-power and highly illegal linear amplifier used to boost the radiated power of the signal. When keyed up in the vicinity of dispensers with digital controls, the dispensing rate on the display would appear to slow down markedly, while the pump itself stayed at the same speed. The result was more fuel dispensed than the amount reported to the cashier.

If this sounds apocryphal, [Ringway] assures us that it wasn’t. When the spoofing was reported, authorities up to and including Scotland Yard investigated and found that it was indeed plausible. The problem appeared to be the powerful RF signal interfering with the pulses from the flowmeter on the dispenser. The UK had both 27 MHz and 934 MHz CB at the time; [Ringway] isn’t clear which CB band was used for the exploit, but we’d guess it was the former, in which case we can see how the signals would interfere. Another thing to keep in mind is that CB radios in the UK were FM, as opposed to AM and SSB in the United States. So we wonder if the same trick would have worked here.

At the end of the day, no matter how clever you are about it, theft is theft, and things probably aren’t going to go well for you if you try to pull this off today. Besides, it’s not likely that pumps haven’t been hardened against these sorts of attacks. Still, if you want a look inside a modern pump to see if you can find any weaknesses, have at it. Just don’t tell them where you heard about it.


Dirty Pots, Meet Power Tools!

Let’s face it, nobody likes scrubbing, but what option do you have? You can’t exactly break out the grinder to clean off the remains of last night’s dinner… right? Well, maybe not a grinder, but thanks to this hack by [Markus Opitz], you can use an oscillating tool.

It’s a simple enough hack: [Markus] modeled the attachment for his Bosch oscillating tool in Tinkercad, and created a bracket to hold a large metal binder clip. The clip attaches with a screw, and can hold whatever scrubbing pad your carpal-tunnel afflicted hands can’t bear to hold on to. He’s using a self-cleaning stainless-steel sponge.

One nice touch is a pair of protective lips on the jaws of the metal clip, to keep it from accidentally scratching the delicate surface under care. Of course if you have a drill or a Dremel handy you can buy attachments for polishing disks of various grits, but what’s the fun in that? Doing the dishes with a hacked-together oscillating tool just somehow seems more fun. Plus this way you can’t accidentally produce an engine-turning pattern.

We don’t seem to have featured many hacks for these fun, buzzing, multi-purpose tools, so if you’ve got one send us a tip. We did feature an oscillating cutter for CNC once, but that was fully DIY.

A GEM Of A Desktop Environment

Desktop environments are the norm as computer interfaces these days, but there was once a time when they were a futuristic novelty whose mere presence on a computer marked it out as something special. In the early 1980s you could buy an expensive but very fancy Mac from Apple, while on the PC there were early Windows versions, and GEM from Digital Research. It’s something of a footnote here in 2025, and some insight as to why comes from [Programming at the right level] with a retrospective on the software.

Coming from the perspective of an Atari user whose ST shipped with a version of GEM, it tracks the project from its earliest roots with a Xerox employee, through development to launch on the PC and Atari ST. We learn about an Apple legal threat that resulted in the hobbled interface many of us remember from later GEM versions, and about the twists and turns in its path before the final dissolution of DR in the early 1990s.

From 2025 it’s clear that Windows won the PC desktop battle not by being special but by being the default; when GEM was an add-on extra it would have been a tough sell. The software was eventually made open-source by the eventual owner of the DR assets, Caldera (when they weren’t trying to torpedo Linux, presumably), and can be run today on FreeDOS.
GEM header image: Rolf Hartmann, CC BY-SA 3.0.

Think You Need A New PC For Windows 11? Think Again

As the sun sets on Windows 10 support, many venues online decry the tsunami of e-waste Windows 11’s nonsensical hardware requirements are expected to create. Still more will offer advice: which Linux distribution is best for your aging PC? [Sean] from Action Retro has an alternate solution: get a 20 year old Sun Workstation, and run Windows 11 on that.

The Workstation in question from 2005 is apparently among the first Sun made using AMD’s shiny new 64-bit Opteron processor. Since Windows has no legacy 32-bit support (something it shares with certain Linux distributions), this is amongst the oldest hardware that could conceivably install and run Redmond’s latest.

And it can! Not in unaltered form, of course; the real hack here is courtesy of [ntdevlabs], whose “Tiny11” project strips all the cruft from Windows 11, including its hardware compatibility checker. [ntdevlabs] has produced a Tiny11Builder script that is available on GitHub, but the specific version [Sean] used is available on Archive.org.

[Sean] needed the archived version of Tiny11 because Windows 11 builds newer than 22H2 use the POPCNT operation, which was not present in AMD’s first revision of the x86_64 instruction set. POPCNT is part of Intel’s SSE4 extension from 2007, a couple years after this workstation shipped.

If you’re sick of being told to switch to Linux, but can’t stomach staying with Windows either, maybe check out Haiku, which we reported as ready for daily driving early last year.


A man holds a license plate in front of a black pickup (F-150 Lightning) tailgate. It is a novelty Georgia plate with the designation P00-5000. There are specks of black superimposed over the plate with a transparent sticker, giving it the appearance of digital mud in black.

A Deep Dive On Creepy Cameras

George Orwell might’ve predicted the surveillance state, but it’s still surprising how many entities took 1984 as a how-to manual instead of a cautionary tale. [Benn Jordan] decided to take a closer look at the creepy cameras invading our public spaces and how to circumvent them.

[Jordan] starts us off with an overview of how machine learning “AI” is used in Automated License Plate Reader (ALPR) cameras and some of the history behind their usage in the United States. Basically, when you drive by one of these cameras, an “image segmentation model or something similar” detects the license plate and then runs optical character recognition (OCR) on the plate contents. It will also catalog any bumper stickers along with the make and model of the car for a pretty good guess that it is your vehicle, even if the OCR isn’t 100% on the exact plate sequence.

Where the video gets really interesting is when [Jordan] starts disassembling, building, and designing countermeasures to these systems. We get a teardown of a Motorola ALPR for in-vehicle use that is better at being closed hardware than it is at reading license plates, and [Jordan] uses a Raspberry Pi 5, a Halo AI board, and You Only Look Once (YOLO) recognition software to build a “computer vision system that’s much more accurate than anything on the market for law enforcement” for $250.

[Jordan] was able to develop a transparent sticker that renders a license plate unreadable to the ALPR but still plainly visible to a human observer. What’s interesting is that depending on the pattern, the system could read it as either an incorrect alphanumeric sequence or miss detecting the license plate entirely. It turns out that filtering all the rectangles in the world to find just license plates is a tricky problem if you’re a computer. You can find the code on his GitHub, if you want to take a gander.

You’ve probably heard about using IR LEDs to confuse security cameras, but what about yarn? If you’re looking for more artistic uses for AI image processing, how about this camera that only takes nudes or this one that generates a picture based on geographic data?


Enhanced Definition TV: “A Poor Man’s High-Def”

Although to many of us the progression from ‘standard definition’ TV to various levels of high-definition at 720p or better seemed to happen smoothly around the turn of the new century, there was a far messier technological battle that led up to this. One of these contenders was Enhanced Definition TV (EDTV), which was 480p in either 4:3 or 16:9, as a step up from traditional Standard Definition TV (SDTV) quality. The convoluted history of EDTV and the long transition to proper HDTV is the subject of a recent video by [VWestlife].

One reason why many people aren’t aware of EDTV is because of marketing. With HDTV being the hot new bullet point to slap on a product, a TV being widescreen was often enough to market an EDTV with 480p as ‘HD’, not to mention the ‘HD-compatible’ bullet point that you could see everywhere.

That said, EDTV’s support for digital 480p and ‘simplified 1080i’ signals makes these displays still quite usable today, more so than SDTV CRTs and LCDs that are usually limited to analog-only signals at regular NTSC, PAL or SECAM. It may not be HD, but at least it’s enhanced.
