This Week In Security: The Github Supply Chain Attack, Ransomware Decryption, And Paragon

Last Friday Github saw a supply chain attack hidden in a popular Github Action. To understand this, we have to quickly cover Continuous Integration (CI) and Github Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.

Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. Github handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.

One other element to understand is “secrets”. If a project release process ends with uploading to an AWS store, the process needs an access key. Github stores those secrets securely, and makes them available in Github Actions. Between the ability to make changes to the project itself, and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a Github Action.

And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the Github runner process, looks for anything there tagged with isSecret, and writes those values out to the log. That log is, coincidentally, world readable for public repositories, so printing secrets to it exposes them to anyone who knows where to look.

Researchers at StepSecurity have been covering this, and have a simple search string to use: org:changeme tj-actions/changed-files Action. That just looks for any mention of the compromised action. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent Github Action logs for any mention of changed-files, and start rotating secrets if present.
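As an added example (not code from the original article, from StepSecurity, or from the tj-actions project), here is a small Python audit that walks the `uses:` lines of a workflow file, reports every step that references a third-party action by a mutable tag rather than an immutable commit SHA, and flags the action named above wherever it appears. The workflow text and the 40-hex SHA are constructed placeholders.

```python
import re

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text):
    """Return (action, ref) pairs for every marketplace `uses:` step in a workflow."""
    refs = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local or container actions carry no marketplace ref to check
        action, _, ref = spec.partition("@")
        refs.append((action, ref))
    return refs


def classify_ref(ref):
    """A full commit SHA is immutable; a tag or branch can be re-pointed by whoever
    controls the action's repository, which is how a compromised tag reaches consumers."""
    return "pinned-sha" if SHA_RE.match(ref) else "mutable-tag"


def audit_workflow(workflow_text, watch=("tj-actions/changed-files",)):
    """Flag every step that uses a watched action, plus any step whose ref is not a SHA."""
    findings = []
    for action, ref in find_action_refs(workflow_text):
        pin = classify_ref(ref)
        watched = action in watch
        if watched or pin == "mutable-tag":
            findings.append({"action": action, "ref": ref, "pin": pin, "watched": watched})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['action']}@{f['ref']}: {f['pin']}{' (watched action)' if f['watched'] else ''}")
```

Pinning to a SHA does not help if the pinned commit is itself the bad one, so the SHA-pinned hit is still reported because the action name is on the watch list.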

Linux Fu: A Warp Speed Prompt

If you spend a lot of time at the command line, you probably have either a very basic prompt or a complex, information-dense prompt. If you are in the former camp, or you just want to improve your shell prompt, have a look at Starship. It works on the most common shells on most operating systems, so you can use it everywhere you go, within reason. It has the advantage of being fast and you can also customize it all that you want.

What Does It Look Like?

It is hard to explain exactly what the Starship prompt looks like. First, you can customize it almost infinitely, so there’s that. Second, it adapts depending on where you are. So, for example, in a git-controlled directory, you get info about the git status unless you’ve turned that off. If you are in an ssh session, you’ll see different info than if you are logged in locally.

However, here’s a little animation from their site that will give you an idea of what you might expect.

From The Ashes: Coal Ash May Offer Rich Source Of Rare Earth Elements

For most of history, the world got along fine without the rare earth elements. We knew they existed, we knew they weren’t really all that rare, and we really didn’t have much use for them — until we discovered just how useful they are and made ourselves absolutely dependent on them, to the point where not having them would literally grind the world to a halt.

This dependency has spurred a search for caches of rare earth elements in the strangest of places, from muddy sediments on the sea floor to asteroids. But there’s one potential source that’s much closer to home: coal ash waste. According to a study from the University of Texas Austin, the 5 gigatonnes of coal ash produced in the United States between 1950 and 2021 might contain as much as $8.4 billion worth of REEYSc — that’s the 16 lanthanide rare earth elements plus yttrium and scandium, transition metals that aren’t strictly rare earths but are geologically associated with them and useful in many of the same ways.

Keebin’ With Kristina: The One With The Cheesy Keyboard

Let’s just kick things off in style with the fabulously brutalist Bayleaf wireless split from [StunningBreadfruit30], shall we? Be sure to check out the wonderful build log/information site as well for the full details.

Bayleaf, a stunning low-profile split keyboard.
Image by [StunningBreadfruit30] via reddit
Here’s the gist: this sexy split grid of beautiful multi-jet fusion (MJF) keycaps sits on top of Kailh PG1316S switches. The CNC-machined aluminium enclosure hides nice!nano boards, with a sweet little dip in each half that really pulls the keyboard together.

For the first serious custom build, [StunningBreadfruit30] wanted a polished look and finish, and to that I say wow, yes; good job, and nod enthusiastically as I’m sure you are. Believe it or not, [StunningBreadfruit30] came into this with no CAD skills at all. But it was an amazing learning experience overall, and an even better version is in the works.

I didn’t read the things. Is it open-source? It’s not, at least not at this time. But before you get too-too excited, remember that it cost $400 to build, and that doesn’t even count shipping or the tools that this project necessitated purchasing. However, [StunningBreadfruit30] says that it may be for sale in the future, although the design will have an improved sound profile and ergonomics. There’s actually a laundry list of ideas for the next iteration.

Ask Hackaday: What Would You Do With The World’s Smallest Microcontroller?

It’s generally pretty easy to spot a microcontroller on a PCB. There are clues aplenty: the more-or-less central location, the nearby crystal oscillator, the maze of supporting passives, and perhaps even an obvious flash chip lurking about. The dead giveaway, though, is all those traces leading to the chip, betraying its primacy in the circuit. As all roads lead to Rome, so it often is with microcontrollers.

It looks like that may be about to change, though, based on Texas Instruments’ recent announcement of a line of incredibly small Arm-based microcontrollers. The video below shows off just how small the MSPM0 line can be, ranging from a relatively gigantic TSSOP-20 case down to an eight-pin BGA package that measures only 1.6 mm by 0.86 mm. That’s essentially the size of an 0603 SMD resistor, a tiny footprint for a 24 MHz Cortex-M0+ MCU with 16 kB of flash, 1 kB of SRAM, and a 12-bit ADC. The larger packages obviously have more GPIO brought out to pins, but even the eight-pin versions support six IO lines.

Of course, it’s hard to write about a specific product without sounding like you’re shilling for the company, but being first to market with an MCU in this size range is certainly newsworthy. We’re sure other manufacturers will follow suit soon enough, but for now, we want to know how you would go about using a microcontroller the size of a resistor. The promo video hints at TI’s target market for these, compact wearables, by showing them used in earbuds, but we suspect the Hackaday community will come up with all sorts of creative and fun ways to put these to use — shoutout to [mitxela], whose habit of building impossibly small electronic jewelry might be a good use case for something like this.

There may even be some nefarious use cases for a microcontroller this small. We were skeptical of the story about “spy chips” on PC motherboards, but a microcontroller that can pass for an SMD resistor might change that equation a bit. There’s also the concept of “Oreo construction” that these chips might make a lot easier. A board with a microcontroller embedded within it could be a real security risk, but on the other hand, it could make for some very interesting applications.

What’s your take on this? Can you think of applications where something this small is enabling? Or are microcontrollers that are likely to join the dust motes at the back of your bench after a poorly timed sneeze a bridge too far? Sound off in the comments below.

Hackaday Links: March 16, 2025

“The brickings will continue until the printer sales improve!” This whole printer-bricking thing seems to be getting out of hand with the news this week that a firmware update caused certain HP printers to go into permanent paper-saver mode. The update was sent to LaserJet MFP M232-M237 models (opens printer menu; checks print queue name; “Phew!”) on March 4, and was listed as covering a few “general improvements and bug fixes,” none of which seem very critical. Still, some users reported not being able to print at all after the update, with an error message suggesting printing was being blocked thanks to non-OEM toner. This sounds somewhat similar to the bricked Brother printers we reported on last week (third paragraph).