惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
Project Zero
Project Zero
O
OpenAI News
W
WeLiveSecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
H
Hacker News: Front Page
Cisco Talos Blog
Cisco Talos Blog
Spread Privacy
Spread Privacy
Help Net Security
Help Net Security
P
Privacy & Cybersecurity Law Blog
K
Kaspersky official blog
S
Security @ Cisco Blogs
Latest news
Latest news
AWS News Blog
AWS News Blog
U
Unit 42
Martin Fowler
Martin Fowler
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Scott Helme
Scott Helme
博客园 - 司徒正美
B
Blog RSS Feed
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
D
Docker
Google Online Security Blog
Google Online Security Blog
Jina AI
Jina AI
aimingoo的专栏
aimingoo的专栏
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Last Week in AI
Last Week in AI
月光博客
月光博客
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
小众软件
小众软件

Comments for Hackaday

AI The Truly Environmentally Friendly Way News Sites Are Blocking Internet Archive Over AI Scraping Fears How The 2020s Chip Crisis Led To A Buggy Saleae Analyzer In 2026 Evidence For Water Vapor Plumes On Europa Vanishes In Re-Analysis Mechanical Stability For Your Coils 3D Printed Hose Sprayer Sets Phasers To Suds The Merits Of Comment-Driven Development As Counterweight To TDD Building A Desktop Catalytic Cracker Process 4 Billion Pixels Per Second From 16 DIY Cameras For The Best V-Tubing Rig Ever An Unlikely Host For An 8080 Emulator Using Brand New NiMH Cells After Sitting 12 Years Unused Investigating The S3 Virge’s Reputation As A 3D Decelerator Card As It Turns Out, There’s More Than One Cassette Mechanism Being Made After All Using Windows 11 On An LGA 775 PC With AGP Videocard An Ethernet WiFi Router on a Pi Pico 2W This Week In Security: Messing With AI, 7Zip And Notepad++ Vulnerabilities, HTTP2 Bomb, And More Using Electrolysis For More Than Just Generating Hydrogen Vintage Turntable Gets Brain Transplant And Home Assistant Integration Connecting Your Car To Home Assistant Microsoft Claims 20 Second Qubits If You Want To Hack Me, Come In Through The Speaker Ways To Embed Magnets In 3D Prints And Not Ruin Printers An RGB Keyboard For Your Hackaday Communicator Badge Ask Hackaday: How Do You Feel About Electronic Shelf Labels? Make Your Ceiling Disappear With ADS-B And Short-Throw Projector Fixing A Nintendo Game Boy Clone That Runs Too Fast Web-Based Control For A CB Radio Distilling Stale Gasoline To Make It Usable Again DIY Ceramic Circuit Boards Surely Count As Solarpunk Texas Instruments Changes The NE5532 And Others Into Incompatible Versions Deltarune’s Tenna Brought To Life Linux Fu: Fake Webcams, GUI Edition Hydraulic Drive For Your Lawn Tractor But Just What Is This ‘Artificial Intelligence’? A Diffraction Grating Makes This Clock Readable Turning An Old 3D Printer Into A Vinyl Cutter For Cheap A High-Vacuum Controller For An Eventual Electron Microscope Does Your Terminal Speak Morse? This One Does From Scrappy Pallet Wood To Fancy Tea Tray The 2026 EMF Badge Arrives, With An Add-On. As Expected, It’s Familiar Linux Fu: Taming Strace STM32 Handheld Has OpenGL And All The Classics Jenny’s Daily Drivers: Microsoft Windows 11 Using A Mirror To 3D Scan Both Sides Of An Object At Once Cookies, Baked The 3D Printer Way Restoring Apple’s Terrible But Awesome IBook Laptop After The Dust Settles: Building Pebble Apps Bilingual E-paper News Feed Helps Brush Up Language Skills On The Wisdom Of Replacing A NiMH Module In A Prius Battery Pack Know Your Food: Cheesemaking Like A Wire Bender, But For Pop Tubes Revisiting Making Your Own Internet Router In 2026 Classically-named Argus Robot Is Terminator Meets Tumbleweed Making a Zippy FDM Printer out of Wood Off-Grid OCR Server Powered By IPhone Hackaday Links: May 31, 2026 Comment on A Special Type of Mower For Rocky Fields by Chris Maple 4-bit Relay Logic Counter Begs To Have Its Buttons Pushed Loading Sega Genesis Games Off A Vinyl Record Ebike Display Uses Reflective LCD Modern Graphics Via DisplayLink For Your ISA-Era PC The Final Steps To A Sub-Minute Benchy Poking Around With JTAG On A Guitar Amp Keychain GameCube Controller Made Functional Breaking Enigma With An FPGA, Just Like At Bletchley Park The Uncooperative Mirror Will Not Help You Testing Various Ways To Waterproof FDM Printed Parts Cheap Yellow Display With Boosted PSRAM Turned Snazzy Emulator Station It’s Another Pi Handheld. But It’s A Really Good One Take The Reins Of This Unique Controller Be Your Own Oil Company With Desktop Fischer-Tropsch Process ESP-Osito Eschews Retrocomputing For Modern Code On Modern, Equivalent Hardware A Modern Web Browser For Classic Mac OS Hackaday Podcast Episode 371: Space Computers, Spy Phones, And So Long CHU This Week In Security: Ubiquiti Fixes, And FreeBSD Joins The Club You Don’t Want To Join When Is An Apple Laptop Not A Macbook? When It’s An Apple II Linux Distributions And Who Is Responsible For The Software Autopsy Of A Failed Vintage Carbon Resistor Hunting Submarines Via Gravity Is A Tough Errand So Long, CHU, And Thanks For All The Time Signals A Bicycle Built On An Italian Renaissance Tech Base Linux Fu: The Bluetooth Regression Remember When Flash Drives Were Going To Make Your PC Faster? Putting Version 7.1 Of The Direct Granules FDM Extruder Through Its Paces Tech In Plain Sight: The Mechanics Of String Trimmers Between-Device Sharing Still Sucks Salvaged VFDs In Nixie-Like Clock Mod This IKEA Lamp Into Smart Lighting For Not A Lot Building And Testing A Turbine Driven Hydro Generator Tearing Down Walmart’s $12 Keychain Camera Biohack Your Way To Lactose Tolerance (Through Suffering) Liberating AirPods With Bluetooth Spoofing It’s Hard To Make A (Good) Oscillator Rudolph’s Sleigh On A North Pole PCB This Typewriter Types Toast Beating Bitlocker In 43 Seconds Using An Old Smartphone In Place Of A Raspberry Pi Working Model Reveals Amazing Engineering Of Webb’s Mirror Actuators Electric Vehicle 1900’s Style: New Leases On Old Tech Forth: The Hacker’s Language
This Week In Security: Arch AUR, Steam Marketplace, WordPress All Face Issues, Taco-Themed Coding, And Mythos Makes National News
Mike Kershaw · 2026-06-19 · via Comments for Hackaday

Starting on June 11, 2026, the Arch User Repository (AUR) was targeted by malware which rapidly compromised over 1,500 packages. The AUR repository allows for abandoned community packages to be taken over by a new maintainer, which was exploited by the attackers to claim ownership.

Once the packages were adopted by the malicious maintainers, the next part should sound familiar: The package build scripts, which are executed by the Arch yay and paru package managers, were modified to install malicious NPM packages (atomic-lockfile and js-digest) each containing the now-usual suite of infostealer malware targeting browser credentials and tokens, SSH private keys, package repository tokens, cloud compute, AI tokens, and crypto wallets.

The malware once installed uses several tricks to cloak itself by renaming processes, and to install systemd services to restart itself, and leveraging eBPF filtering in the kernel to hide the sockets and processes further. It specifically targets browsers and Electron-based applications, which are basically a light-weight Chromium browser disguised as an application anyway. Slack, Discord, Signal, and many more use the Electron wrapper.

A preliminary analysis of the malware is available, which breaks down the exact behavior in more detail and lists the known targets of the malware.

Initially believed to be “only” a few hundred packages, the compromised list eventually grew to over 1500, and additional packages may still be discovered. On June 14, Phoronix reported that a second wave of compromised packages has been found in the AUR repositories, including NeoVim plugins and multiple browsers. The second set of infected packages were compromised in a similar fashion, but with more heavily obfuscated scripts.

Steam Wallpaper Malware

Kaspersky Labs finds that Steam users have been targeted by malware uploaded via a popular animated wallpaper application, “Wallpaper Engine”.

While Valve normally does an admirable job filtering the Steam store, it looks like an exploit has slipped through in “Wallpaper Engine”. Animated wallpapers can be videos, web pages, or full executables themselves. Obviously, being able to run any program masquerading as wallpaper directly is an excellent vector to install malware, so of course this is what happened.

Using the integrated Steam Workshop, which allows users to share game mods and other game content directly, malicious wallpapers install a wide variety of malware including the usual gamut of infostealers, remote access, residential proxy, key logging, and crypto miners. This makes it one of the rare times installing crypto miners almost makes sense, considering most Steam users likely have better than average video cards.

Once a user is infected, the malware also steals the current Steam login credentials, and several instances attempt to then upload additional infected wallpapers to the Steam Workshop under the compromised users identity, completing the supply chain circle of life.

WordPress Supply Chain

Sansec discovered a widespread WordPress attack which they estimate impacts 1.2 million sites using the OptinMonster, TrustPulse, and PushEngage plugins. All three plugins come from the same company, Awesome Motive, who also own other popular plugins which Sansec estimates are used in tens of millions of WP sites.

The malware is pushed directly from the Awesome Motive CDN (content delivery network) in the plugin JavaScript, and waits for an administrator to log in. Using the administrator credentials, it then creates a hidden administrator account and ships the credentials to a remote server, giving the attackers full admin access to the WordPress site. The malware attempts to evade detection by detecting headless browsers or browsers with zero-sized windows, and hides itself from the plugin list, user list, updates list, and recent activity lists.

Awesome Motive reports that they, in turn, were exploited by a vulnerability in the WordPress UpdraftPlus plugin which was then used to steal the CDN authentication and upload the compromised plugins.

This shouldn’t be confused with April 2026’s wide-spread WP attack of course, where an attacker purchased the Essential Plugins bundle from the original developers and converted all 30 plugins to Trojan versions immediately, with the first commit being a backdoor mechanism injected into the plugin. The attacker then waited eight months before triggering the backdoor payloads and began exploiting hundreds of thousands of sites.

Purchasing popular plugins has been a security problem for many years already; the browser plugin ecosystem has been victim many times to plugins being purchased by bad actors and replaced with malware via normal update mechanisms. The trick has expanded to phone and desktop applications, PyPi and NPM modules, and feels in many ways similar to the attack against the Arch AUR repository, converting trusted plugins and applications into malware vectors.

Unless marketplaces and package repositories mandate that authors provide notification, and automatically revoke updates until users manually confirm updates, purchasing a popular tool to infect it will certainly remain a successful tactic. Unfortunately, even with those safeguards, it’s likely to continue, too.

Nor should these compromised plugins be confused with the ShapedPlugin compromise impacting an additional 400,000 WordPress sites, which appears to originate from a compromise of the developing companies build and distribution process, resulting in a compromised plugin again being served directly from the official sites.

Prompt Injection as Coding Assistant

The Chipotlai-max project twists prompt injection into free coding advice. In March of 2026, Chipotle introduced a new AI chatbot service for customers who are, for some reason, interested in having a conversation with an LLM about burritos, using the Amelia LLM framework. Customers soon discovered the AI could easily be convinced to discuss more than Mexican-ish food, however, with access to the complete LLM framework including coding assistance.

This fork of the OpenCode tool plugs directly into the Chipotle API for all your taco salad coding needs. A joyfully meme-filled reminder that all that lies between a chatbot and everything the model has access to is some careful convincing.

OpenBSD PPP Vulnerable for 27 Years

The OpenBSD project has (rightly) built a long standing reputation as being a very security-oriented BSD, making almost any security flaw noteworthy. Argus Systems highlights a 27 year old flaw in the OpenBSD PPP. Yes, the dial-up IP protocol implementation present since 1999. (In other terrible news, 1999 was 27 years ago.)

The bug is only present when OpenBSD is the the authentication service for a PPP login, but allows a PPP login with no credentials. As is the case with many protocol handling bugs, the OpenBSD code makes the mistake of trusting the lengths provided by the remote device during the login; if a login request specifies an account and password length of 0, the login is successful.

The chances of this being relevant today are slim, though the code is also used in the more modern PPP over Ethernet (PPPoE) protocol found on some DSL connections.

Anthropic Mythos Inaccessible

In a monumental “why are you hitting yourself” moment that made national news, after hyping the claims of the incredible auto-hacking abilities of the Mythos model, Anthropic has been ordered by the US government to restrict access to it because of national security concerns. In what will likely be framed as “an abundance of caution”, Anthropic has removed public access entirely.

The root cause appears to be — and let us all act surprised, here — essentially prompt injection, combined of course with politics. It appears that Amazon engineers were able to convince the model to disclose “cyberattack information”, which reads like a glamorous way to say “it discussed security”. If Anthropic hadn’t been bombarding the news cycle with how dangerous Mythos was, it’s likely this would not have made national news, as most publicly available LLM models can be coaxed to assist with security research and exploit development.

It is currently unclear when the Mythos and Fable LLM models will be publicly available again, what attempts at guardrails will be required before that can happen, and if limited access will continue for partnered companies to continue the much-hyped vulnerability finding process which has made the news cycles for the past weeks.