惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

Blog – Hackaday

Why Not Yserver? It’s Xserver, But Rust-y. OpenCAL: Computed Axial Lithographic 3D Printing For Everyone Is A CS Degree DOA Thanks To LLMs? IEEE Says TBD. Double The VRAM Of An RTX 3070 The Pacemaker Patch Robot Chess But Each Piece Is A Small Robot Bambuddy Says Bye To Bambu Lab Cloud Services Converting A Scanning Electron Microscope Into A TEM Is Surprisingly Easy Custom Watch Is On The Case Patterns Everywhere Behold A 60 Hz Refresh Rate E-ink Monitor GentleOS, A Simple OS For Your Old PC Deeply Optimized MSX Emulation On ESP32-S3 With VGA Output Homebrew Macropad Looks Good The Air Position Indicator For The B-29 Building A 1:150 Scale Toyota ProBox Micro Remote Control Car Adding Weight To A 3D Print With Plaster Of Paris, Cleanly Hackaday Podcast Ep 373: GPS, Danger In Space, And Robby The Robot A Peek Inside The Secret Lagercrantz Suitcase Radio This Week In Security: Microsoft On Microsoft, Register Your Domains, Linux On ARM, And FreeBSD Joins The File Cache Club Glue-in Hinge Design Tries Something Different The Hackaday Communicator Badge, Re-Imagined With New Firmware Amiga 1232 Storm CD Packs Every Upgrade Into One Wedge So Many Analog To Digital Converters Repairing A Pair Of Voodoo 2 GPUs For Some SLI Action AI The Truly Environmentally Friendly Way Evidence For Water Vapor Plumes On Europa Vanishes In Re-Analysis Mechanical Stability For Your Coils 3D Printed Hose Sprayer Sets Phasers To Suds The Merits Of Comment-Driven Development As Counterweight To TDD Building A Desktop Catalytic Cracker Process 4 Billion Pixels Per Second From 16 DIY Cameras For The Best V-Tubing Rig Ever 3D Printing A Miniature CoreXY Printer An Unlikely Host For An 8080 Emulator Using Brand New NiMH Cells After Sitting 12 Years Unused Investigating The S3 Virge’s Reputation As A 3D Decelerator Card Over-Engineering An FDM Spool Holder From Prusa Mk4S Remains As It Turns Out, There’s More Than One Cassette Mechanism Being Made After All Using Windows 11 On An LGA 775 PC With AGP Videocard Hackaday Podcast Episode 372: PopTubers, Shifty Semiconductors, And Shelving Shelf Labels An Ethernet WiFi Router on a Pi Pico 2W This Week In Security: Messing With AI, 7Zip And Notepad++ Vulnerabilities, HTTP2 Bomb, And More Using Electrolysis For More Than Just Generating Hydrogen Vintage Turntable Gets Brain Transplant And Home Assistant Integration Connecting Your Car To Home Assistant Microsoft Claims 20 Second Qubits If You Want To Hack Me, Come In Through The Speaker Ways To Embed Magnets In 3D Prints And Not Ruin Printers An RGB Keyboard For Your Hackaday Communicator Badge The World’s First GPIB Speech Synthesizer, And It’s For A GRiD Compass Ask Hackaday: How Do You Feel About Electronic Shelf Labels? Make Your Ceiling Disappear With ADS-B And Short-Throw Projector Fixing A Nintendo Game Boy Clone That Runs Too Fast Web-Based Control For A CB Radio Distilling Stale Gasoline To Make It Usable Again DIY Ceramic Circuit Boards Surely Count As Solarpunk Texas Instruments Changes The NE5532 And Others Into Incompatible Versions Deltarune’s Tenna Brought To Life Linux Fu: Fake Webcams, GUI Edition Hydraulic Drive For Your Lawn Tractor But Just What Is This ‘Artificial Intelligence’? Game Dodecahedron Runs AArch64 Assembly A Diffraction Grating Makes This Clock Readable Turning An Old 3D Printer Into A Vinyl Cutter For Cheap A High-Vacuum Controller For An Eventual Electron Microscope Does Your Terminal Speak Morse? This One Does From Scrappy Pallet Wood To Fancy Tea Tray The 2026 EMF Badge Arrives, With An Add-On. As Expected, It’s Familiar Linux Fu: Taming Strace STM32 Handheld Has OpenGL And All The Classics Jenny’s Daily Drivers: Microsoft Windows 11 Using A Mirror To 3D Scan Both Sides Of An Object At Once Cookies, Baked The 3D Printer Way Restoring Apple’s Terrible But Awesome IBook Laptop After The Dust Settles: Building Pebble Apps Bilingual E-paper News Feed Helps Brush Up Language Skills On The Wisdom Of Replacing A NiMH Module In A Prius Battery Pack Know Your Food: Cheesemaking Like A Wire Bender, But For Pop Tubes Revisiting Making Your Own Internet Router In 2026 Reverse Engineering A Rock Bottom NES Clone Classically-named Argus Robot Is Terminator Meets Tumbleweed Making a Zippy FDM Printer out of Wood Off-Grid OCR Server Powered By IPhone Hackaday Links: May 31, 2026 A Camera Viewfinder Makes A Great TV 4-bit Relay Logic Counter Begs To Have Its Buttons Pushed Loading Sega Genesis Games Off A Vinyl Record Ebike Display Uses Reflective LCD Modern Graphics Via DisplayLink For Your ISA-Era PC The Final Steps To A Sub-Minute Benchy Poking Around With JTAG On A Guitar Amp Keychain GameCube Controller Made Functional Breaking Enigma With An FPGA, Just Like At Bletchley Park The Uncooperative Mirror Will Not Help You Testing Various Ways To Waterproof FDM Printed Parts Cheap Yellow Display With Boosted PSRAM Turned Snazzy Emulator Station It’s Another Pi Handheld. But It’s A Really Good One Take The Reins Of This Unique Controller Be Your Own Oil Company With Desktop Fischer-Tropsch Process
This Week In Security: Arch AUR, Steam Marketplace, WordPress All Face Issues, Taco-Themed Coding, And Mythos Makes National News
Mike Kershaw · 2026-06-19 · via Blog – Hackaday

Starting on June 11, 2026, the Arch User Repository (AUR) was targeted by malware which rapidly compromised over 1,500 packages. The AUR repository allows for abandoned community packages to be taken over by a new maintainer, which was exploited by the attackers to claim ownership.

Once the packages were adopted by the malicious maintainers, the next part should sound familiar: The package build scripts, which are executed by the Arch yay and paru package managers, were modified to install malicious NPM packages (atomic-lockfile and js-digest) each containing the now-usual suite of infostealer malware targeting browser credentials and tokens, SSH private keys, package repository tokens, cloud compute, AI tokens, and crypto wallets.

The malware once installed uses several tricks to cloak itself by renaming processes, and to install systemd services to restart itself, and leveraging eBPF filtering in the kernel to hide the sockets and processes further. It specifically targets browsers and Electron-based applications, which are basically a light-weight Chromium browser disguised as an application anyway. Slack, Discord, Signal, and many more use the Electron wrapper.

A preliminary analysis of the malware is available, which breaks down the exact behavior in more detail and lists the known targets of the malware.

Initially believed to be “only” a few hundred packages, the compromised list eventually grew to over 1500, and additional packages may still be discovered. On June 14, Phoronix reported that a second wave of compromised packages has been found in the AUR repositories, including NeoVim plugins and multiple browsers. The second set of infected packages were compromised in a similar fashion, but with more heavily obfuscated scripts.

Steam Wallpaper Malware

Kaspersky Labs finds that Steam users have been targeted by malware uploaded via a popular animated wallpaper application, “Wallpaper Engine”.

While Valve normally does an admirable job filtering the Steam store, it looks like an exploit has slipped through in “Wallpaper Engine”. Animated wallpapers can be videos, web pages, or full executables themselves. Obviously, being able to run any program masquerading as wallpaper directly is an excellent vector to install malware, so of course this is what happened.

Using the integrated Steam Workshop, which allows users to share game mods and other game content directly, malicious wallpapers install a wide variety of malware including the usual gamut of infostealers, remote access, residential proxy, key logging, and crypto miners. This makes it one of the rare times installing crypto miners almost makes sense, considering most Steam users likely have better than average video cards.

Once a user is infected, the malware also steals the current Steam login credentials, and several instances attempt to then upload additional infected wallpapers to the Steam Workshop under the compromised users identity, completing the supply chain circle of life.

WordPress Supply Chain

Sansec discovered a widespread WordPress attack which they estimate impacts 1.2 million sites using the OptinMonster, TrustPulse, and PushEngage plugins. All three plugins come from the same company, Awesome Motive, who also own other popular plugins which Sansec estimates are used in tens of millions of WP sites.

The malware is pushed directly from the Awesome Motive CDN (content delivery network) in the plugin JavaScript, and waits for an administrator to log in. Using the administrator credentials, it then creates a hidden administrator account and ships the credentials to a remote server, giving the attackers full admin access to the WordPress site. The malware attempts to evade detection by detecting headless browsers or browsers with zero-sized windows, and hides itself from the plugin list, user list, updates list, and recent activity lists.

Awesome Motive reports that they, in turn, were exploited by a vulnerability in the WordPress UpdraftPlus plugin which was then used to steal the CDN authentication and upload the compromised plugins.

This shouldn’t be confused with April 2026’s wide-spread WP attack of course, where an attacker purchased the Essential Plugins bundle from the original developers and converted all 30 plugins to Trojan versions immediately, with the first commit being a backdoor mechanism injected into the plugin. The attacker then waited eight months before triggering the backdoor payloads and began exploiting hundreds of thousands of sites.

Purchasing popular plugins has been a security problem for many years already; the browser plugin ecosystem has been victim many times to plugins being purchased by bad actors and replaced with malware via normal update mechanisms. The trick has expanded to phone and desktop applications, PyPi and NPM modules, and feels in many ways similar to the attack against the Arch AUR repository, converting trusted plugins and applications into malware vectors.

Unless marketplaces and package repositories mandate that authors provide notification, and automatically revoke updates until users manually confirm updates, purchasing a popular tool to infect it will certainly remain a successful tactic. Unfortunately, even with those safeguards, it’s likely to continue, too.

Nor should these compromised plugins be confused with the ShapedPlugin compromise impacting an additional 400,000 WordPress sites, which appears to originate from a compromise of the developing companies build and distribution process, resulting in a compromised plugin again being served directly from the official sites.

Prompt Injection as Coding Assistant

The Chipotlai-max project twists prompt injection into free coding advice. In March of 2026, Chipotle introduced a new AI chatbot service for customers who are, for some reason, interested in having a conversation with an LLM about burritos, using the Amelia LLM framework. Customers soon discovered the AI could easily be convinced to discuss more than Mexican-ish food, however, with access to the complete LLM framework including coding assistance.

This fork of the OpenCode tool plugs directly into the Chipotle API for all your taco salad coding needs. A joyfully meme-filled reminder that all that lies between a chatbot and everything the model has access to is some careful convincing.

OpenBSD PPP Vulnerable for 27 Years

The OpenBSD project has (rightly) built a long standing reputation as being a very security-oriented BSD, making almost any security flaw noteworthy. Argus Systems highlights a 27 year old flaw in the OpenBSD PPP. Yes, the dial-up IP protocol implementation present since 1999. (In other terrible news, 1999 was 27 years ago.)

The bug is only present when OpenBSD is the the authentication service for a PPP login, but allows a PPP login with no credentials. As is the case with many protocol handling bugs, the OpenBSD code makes the mistake of trusting the lengths provided by the remote device during the login; if a login request specifies an account and password length of 0, the login is successful.

The chances of this being relevant today are slim, though the code is also used in the more modern PPP over Ethernet (PPPoE) protocol found on some DSL connections.

Anthropic Mythos Inaccessible

In a monumental “why are you hitting yourself” moment that made national news, after hyping the claims of the incredible auto-hacking abilities of the Mythos model, Anthropic has been ordered by the US government to restrict access to it because of national security concerns. In what will likely be framed as “an abundance of caution”, Anthropic has removed public access entirely.

The root cause appears to be — and let us all act surprised, here — essentially prompt injection, combined of course with politics. It appears that Amazon engineers were able to convince the model to disclose “cyberattack information”, which reads like a glamorous way to say “it discussed security”. If Anthropic hadn’t been bombarding the news cycle with how dangerous Mythos was, it’s likely this would not have made national news, as most publicly available LLM models can be coaxed to assist with security research and exploit development.

It is currently unclear when the Mythos and Fable LLM models will be publicly available again, what attempts at guardrails will be required before that can happen, and if limited access will continue for partnered companies to continue the much-hyped vulnerability finding process which has made the news cycles for the past weeks.