security

475 Articles

This Week In Security: Docker Auth, Windows Tools, And A Very Full Patch Tuesday

April 17, 2026 by 5 Comments

CVE-2026-34040 lets attackers bypass some Docker authentication plugins by allowing an empty request body. Present since 2024, this bug was caused by a previous fix to the auth workflow. In the 2024 bug, the authentication system could be tricked into passing a zero-length request to the authentication handler. In the modern vulnerability, the system can be tricked into removing a too-large authentication request and passing a zero-length request to the authentication handler.

In both cases, the authentication system may not properly handle the malformed request and allow creation of docker images with access to stored credentials and secrets.

Bugs like these are increasing in visibility because AI agents running in Docker, like OpenClaw, may be tricked via prompt injection into leveraging the vulnerability.

Windows CPU Tools Compromised

videocardz.com notes that the popular Windows monitoring software Cpu-Z and HWMonitor appear to have been compromised. Reports indicate that the download site was compromised, not the actual packages, but that it was redirecting update requests to packages including malware. While the site has been repaired, unfortunately it looks like there is no warning to users that the downloads were compromised for a period of time.

Anecdotally, there has been a rash of Discord account takeovers in the past week, where long-standing accounts in multiple servers have been compromised and turned into spambots. While there is no evidence these events are linked, clearly a new credential or authentication stealing malware is in play, which involves stealing credentials from Discord.

X.Org and XWayland Updated

The X.Org and XWayland servers saw security updates this week, fixing a handful of vulnerabilities involving uninitialized memory use, use-after-free, and reading beyond the end of a buffer.

The vulnerabilities are generally classified as “moderate”, but of course, don’t leave known vulnerabilities when you can avoid it! Fixed releases should find their way into distributions soon.

Continue reading “This Week In Security: Docker Auth, Windows Tools, And A Very Full Patch Tuesday”

This Week In Security: Flatpak Fixes, Android Malware, And SCADA Was IOT Before IOT Was Cool

April 10, 2026 by 10 Comments

Rowhammer attacks have been around since 2014, and mitigations are in place in most modern systems, but the team at gddr6.fail has found ways to apply the attack to current-generation GPUs.

Rowhammer attacks attach the electrical characteristics of RAM, using manipulation of the contents of RAM to cause changes in the contents of adjacent memory cells. Bit values are just voltage levels, after all, and if a little charge leaks across from one row to the next, you can potentially pull a bit high by writing repeatedly to its physical neighbors.

The attack was used to allow privilege escalation by manipulating the RAM defining the user data, and later, to allow reading and manipulation of any page in ram by modifying the system page table that maps memory and memory permissions. By 2015 researchers refined the attack to run in pure JavaScript against browsers, and in 2016 mobile devices were shown to be vulnerable. Mitigations have been put in place in physical memory design, CPU design, and in software. However, new attack vectors are still discovered regularly, with DDR4 and DDR5 RAM as well as AMD and RISC-V CPUs being vulnerable.

The GDDR6-Fail attack targets the video ram of modern graphics cards, and is able to trigger similar vulnerabilities in the graphics card itself, culminating in accessing and changing the memory of the PC via the PCI bus and bypassing protections.

For users who fear they are at risk — most likely larger AI customers or shared hosting environments where the code running on the GPU may belong to untrusted users — enabling error correcting (ECC) mode in the GPU reduces the amount of available RAM, but adds protection by performing checksums on the memory to detect corruption or bit flipping. For the average home user, your mileage may vary – there’s certainly easier ways to execute arbitrary code on your PC – like whatever application is running graphics in the first place!

Continue reading “This Week In Security: Flatpak Fixes, Android Malware, And SCADA Was IOT Before IOT Was Cool”

This Week In Security: The Supply Chain Has Problems

April 3, 2026 by 7 Comments

The biggest story of the week is a new massive supply chain breach, which appears to be unrelated to the previous massive supply chain breaches, this time of the Axios HTTP project.

Axios was created as a more developer-friendly Javascript HTTP interface for node.js, giving a promise-based API instead of the basic callback API. (Promise-based programming allows for simpler coding workflows, where a program can wait for a promise to be fulfilled, instead of the developer having to manage the state of every request manually.) Javascript has since provided a modern Fetch API that provides similar functionality, but Axios remains one of the most popular packages on the node.js NPM repository, with 100 million weekly downloads.

The lead developer of Axios believes he was compromised by a collaboration request – a common tactic for phishing specific targets: a project for an IDE like VS Code can include code that executes on the developers system when the project is run. Even outside a traditional IDE, common development tools like configure scripts and makefiles can easily run commands.

Socket.dev breaks down the attack in detail. Once the attackers had credentials to publish to the Axios NPM, they inserted malware as a new dependency to Axios, instead of modifying Axios itself. This likely helped the attack bypass other security checkers. The dependency – plain-crypto-js – is itself simply a copy of a popular encryption utility library, but one which executes additional code during the post-installation process available to all NPM packages. Continue reading “This Week In Security: The Supply Chain Has Problems”

Secure Communication, Buried In A News App

March 9, 2026 by 29 Comments

Cryptography is a funny thing. Supposedly, if you do the right kind of maths to a message, you can send it off to somebody else, and as long as they’re the only one that knows a secret little thing, nobody else will be able to read it. We have all sorts of apps for this, too, that are specifically built for privately messaging other people.

Only… sometimes just having such an app is enough to get you in trouble. Even just the garbled message itself could be proof against you, even if your adversary can’t read it. Enter The Guardian. The UK-based media outlet has deployed a rather creative and secure way of accepting private tips and information, one which seeks to provide heavy cover for those writing in with the hottest scoops.

Continue reading “Secure Communication, Buried In A News App”

Simple Device Can Freeze Wi-Fi Camera Feeds

November 1, 2025 by 150 Comments

Wi-Fi cameras are everywhere these days, with wireless networking making surveillance systems easier to deploy than ever. [CiferTech] has been recently developing the RF Clown—a tool that can block transmissions from these cameras at some range.

The build is based around an ESP32, with three tactile switches and an OLED display for the user interface. The microcontroller is hooked up to a trio of GT—24 Mini radio modules, which feed a bank of antennas on top of the device. Depending on the mode the device is set to, it will command these modules to jam Bluetooth, BLE, or Wi-Fi traffic in the area with relatively crude transmissions.

The use of multiple radio modules isn’t particularly sophisticated—it just makes it easier to put out more signal on more bands at the same time, flooding the zone and making it less likely legitimate transmissions will get through. Specifically, [CiferTech] demonstrates the use case of taking out a Wi-Fi camera—with the device switched on, the video feed freezes because packets from the camera simply stop making it through.

It’s perhaps impolite to interfere with the operation of somebody else’s cameras, so keep that in mind before you pursue a project like this one. Files are on GitHub for the curious. Video after the break.

Continue reading “Simple Device Can Freeze Wi-Fi Camera Feeds”

Attack Turns Mouse Into Microphone

October 15, 2025 by 14 Comments

As computer hardware gets better and better, most of the benefits are readily apparent to users. Faster processors, less power consumption, and lower cost are the general themes here. But sometimes increased performance comes with some unusual downsides. A research group at the University of California, Irvine found that high-performance mice have such good resolution that they can be used to spy on a user’s speech or other sounds around them.

The mice involved in this theoretical attack need to be in the neighborhood of 20,000 dpi, as well as having a relatively high sampling rate. With this combination it’s possible to sense detail fine enough to resolve speech from the vibrations of the mouse pad. Not only that, but the researchers noted that this also enables motion tracking of people in the immediate vicinity as the vibrations caused by walking can also be decoded. The attack does require a piece of malware to be installed somewhere on the computer, but the group also theorize that this could easily be done since most security suites don’t think of mouse input data as particularly valuable or vulnerable.

Even with the data from the mouse, an attacker needs a sophisticated software suite to be able to decode and filter the data to extract sounds, and the research team could only extract around 60% of the audio under the best conditions. The full paper is available here as well. That being said, mice will only get better from here so this is certainly something to keep an eye on. Mice aren’t the only peripherials that have roundabout attacks like this, either.

Thanks to [Stephen] for the tip!

Continue reading “Attack Turns Mouse Into Microphone”

Hackaday Links Column Banner

Hackaday Links: September 21, 2025

September 21, 2025 by 7 Comments

Remember AOL? For a lot of folks, America Online was their first ISP, the place where they got their first exposure to the Internet, or at least a highly curated version of it. Remembered by the cool kids mainly as the place that the normies used as their ISP and for the mark of shame an “@aol.com” email address bore, the company nevertheless became a media juggernaut, to the point that “AOL Time Warner” was a thing in the early 2000s. We’d have thought the company was long gone by now, but it turns out it’s still around and powerful enough of a brand that it’s being shopped around for $1.5 billion. We’d imagine a large part of that value comes from Yahoo!, which previous owner Verizon merged with AOL before selling most of the combined entity off in 2021, but either way, it’s not chump change.

For our part, the most memorable aspect of AOL was the endless number of CDs they stuffed into mailboxes in the 90s. There was barely a day that went by that one of those things didn’t cross your path, either through the mail or in free bins at store checkouts, or even inside magazines. They were everywhere, and unless you were tempted by the whole “You’ve got mail!” kitsch, they were utterly useless; they didn’t even make good coasters thanks to the hole in the middle. So most of the estimated 2 billion CDs just ended up in the trash, which got us thinking: How much plastic was that? A bit of poking around indicates that a CD contains about 15 grams of polycarbonate, so that’s something like 30,000 metric tonnes! To put that into perspective, the Great Pacific Garbage Patch is said to contain “only” around 80,000 metric tonnes of plastic. Clearly the patch isn’t 37% AOL CDs, but it still gives one pause to consider how many resources AOL put into marketing.

Continue reading “Hackaday Links: September 21, 2025”