security

473 Articles

Image

This Week In Security: The Supply Chain Has Problems

April 3, 2026 by 7 Comments

The biggest story of the week is a new massive supply chain breach, which appears to be unrelated to the previous massive supply chain breaches, this time of the Axios HTTP project.

Axios was created as a more developer-friendly Javascript HTTP interface for node.js, giving a promise-based API instead of the basic callback API. (Promise-based programming allows for simpler coding workflows, where a program can wait for a promise to be fulfilled, instead of the developer having to manage the state of every request manually.) Javascript has since provided a modern Fetch API that provides similar functionality, but Axios remains one of the most popular packages on the node.js NPM repository, with 100 million weekly downloads.

The lead developer of Axios believes he was compromised by a collaboration request – a common tactic for phishing specific targets: a project for an IDE like VS Code can include code that executes on the developers system when the project is run. Even outside a traditional IDE, common development tools like configure scripts and makefiles can easily run commands.

Socket.dev breaks down the attack in detail. Once the attackers had credentials to publish to the Axios NPM, they inserted malware as a new dependency to Axios, instead of modifying Axios itself. This likely helped the attack bypass other security checkers. The dependency – plain-crypto-js – is itself simply a copy of a popular encryption utility library, but one which executes additional code during the post-installation process available to all NPM packages. Continue reading “This Week In Security: The Supply Chain Has Problems”

Image

Secure Communication, Buried In A News App

March 9, 2026 by 28 Comments

Cryptography is a funny thing. Supposedly, if you do the right kind of maths to a message, you can send it off to somebody else, and as long as they’re the only one that knows a secret little thing, nobody else will be able to read it. We have all sorts of apps for this, too, that are specifically built for privately messaging other people.

Only… sometimes just having such an app is enough to get you in trouble. Even just the garbled message itself could be proof against you, even if your adversary can’t read it. Enter The Guardian. The UK-based media outlet has deployed a rather creative and secure way of accepting private tips and information, one which seeks to provide heavy cover for those writing in with the hottest scoops.

Continue reading “Secure Communication, Buried In A News App”

Image

Simple Device Can Freeze Wi-Fi Camera Feeds

November 1, 2025 by 150 Comments

Wi-Fi cameras are everywhere these days, with wireless networking making surveillance systems easier to deploy than ever. [CiferTech] has been recently developing the RF Clown—a tool that can block transmissions from these cameras at some range.

The build is based around an ESP32, with three tactile switches and an OLED display for the user interface. The microcontroller is hooked up to a trio of GT—24 Mini radio modules, which feed a bank of antennas on top of the device. Depending on the mode the device is set to, it will command these modules to jam Bluetooth, BLE, or Wi-Fi traffic in the area with relatively crude transmissions.

The use of multiple radio modules isn’t particularly sophisticated—it just makes it easier to put out more signal on more bands at the same time, flooding the zone and making it less likely legitimate transmissions will get through. Specifically, [CiferTech] demonstrates the use case of taking out a Wi-Fi camera—with the device switched on, the video feed freezes because packets from the camera simply stop making it through.

It’s perhaps impolite to interfere with the operation of somebody else’s cameras, so keep that in mind before you pursue a project like this one. Files are on GitHub for the curious. Video after the break.

Continue reading “Simple Device Can Freeze Wi-Fi Camera Feeds”

Image

Attack Turns Mouse Into Microphone

October 15, 2025 by 14 Comments

As computer hardware gets better and better, most of the benefits are readily apparent to users. Faster processors, less power consumption, and lower cost are the general themes here. But sometimes increased performance comes with some unusual downsides. A research group at the University of California, Irvine found that high-performance mice have such good resolution that they can be used to spy on a user’s speech or other sounds around them.

The mice involved in this theoretical attack need to be in the neighborhood of 20,000 dpi, as well as having a relatively high sampling rate. With this combination it’s possible to sense detail fine enough to resolve speech from the vibrations of the mouse pad. Not only that, but the researchers noted that this also enables motion tracking of people in the immediate vicinity as the vibrations caused by walking can also be decoded. The attack does require a piece of malware to be installed somewhere on the computer, but the group also theorize that this could easily be done since most security suites don’t think of mouse input data as particularly valuable or vulnerable.

Even with the data from the mouse, an attacker needs a sophisticated software suite to be able to decode and filter the data to extract sounds, and the research team could only extract around 60% of the audio under the best conditions. The full paper is available here as well. That being said, mice will only get better from here so this is certainly something to keep an eye on. Mice aren’t the only peripherials that have roundabout attacks like this, either.

Thanks to [Stephen] for the tip!

Continue reading “Attack Turns Mouse Into Microphone”

Hackaday Links Column Banner

Hackaday Links: September 21, 2025

September 21, 2025 by 7 Comments

Remember AOL? For a lot of folks, America Online was their first ISP, the place where they got their first exposure to the Internet, or at least a highly curated version of it. Remembered by the cool kids mainly as the place that the normies used as their ISP and for the mark of shame an “@aol.com” email address bore, the company nevertheless became a media juggernaut, to the point that “AOL Time Warner” was a thing in the early 2000s. We’d have thought the company was long gone by now, but it turns out it’s still around and powerful enough of a brand that it’s being shopped around for $1.5 billion. We’d imagine a large part of that value comes from Yahoo!, which previous owner Verizon merged with AOL before selling most of the combined entity off in 2021, but either way, it’s not chump change.

For our part, the most memorable aspect of AOL was the endless number of CDs they stuffed into mailboxes in the 90s. There was barely a day that went by that one of those things didn’t cross your path, either through the mail or in free bins at store checkouts, or even inside magazines. They were everywhere, and unless you were tempted by the whole “You’ve got mail!” kitsch, they were utterly useless; they didn’t even make good coasters thanks to the hole in the middle. So most of the estimated 2 billion CDs just ended up in the trash, which got us thinking: How much plastic was that? A bit of poking around indicates that a CD contains about 15 grams of polycarbonate, so that’s something like 30,000 metric tonnes! To put that into perspective, the Great Pacific Garbage Patch is said to contain “only” around 80,000 metric tonnes of plastic. Clearly the patch isn’t 37% AOL CDs, but it still gives one pause to consider how many resources AOL put into marketing.

Continue reading “Hackaday Links: September 21, 2025”

Image

Ask Hackaday: Now You Install Your Friends’ VPNs. But Which One?

September 3, 2025 by 77 Comments

Something which may well unite Hackaday readers is the experience of being “The computer person” among your family or friends. You’ll know how it goes, when you go home for Christmas, stay with the in-laws, or go to see some friend from way back, you end up fixing their printer connection or something. You know that they would bridle somewhat if you asked them to do whatever it is they do for a living as a free service for you, but hey, that’s the penalty for working in technology.

Bad Laws Just Make People Avoid Them

There’s a new one that’s happened to me and no doubt other technically-minded Brits over the last few weeks: I’m being asked to recommend, and sometimes install, a VPN service. The British government recently introduced the Online Safety Act, which is imposing ID-backed age verification for British internet users when they access a large range of popular websites. The intent is to regulate access to pornography, but the net has been spread so wide that many essential or confidential services are being caught up in it. To be a British Internet user is to have your government peering over your shoulder, and while nobody’s on the side of online abusers, understandably a lot of my compatriots want no part of it. We’re in the odd position of having 4Chan and the right-wing Reform Party alongside Wikipedia among those at the front line on the matter. What a time to be alive.

Continue reading “Ask Hackaday: Now You Install Your Friends’ VPNs. But Which One?”

Image

The Browser Wasn’t Enough, Google Wants To Control All Your Software

August 28, 2025 by 172 Comments

A few days ago we brought you word that Google was looking to crack down on “sideloaded” Android applications. That is, software packages installed from outside of the mobile operating system’s official repository. Unsurprisingly, a number of readers were outraged at the proposed changes. Android’s open nature, at least in comparison to other mobile operating systems, is what attracted many users to it in the first place. Seeing the platform slowly move towards its own walled garden approach is concerning, especially as it leaves the fate of popular services such as the F-Droid free and open source software (FOSS) repository in question.

But for those who’ve been keeping and eye out for such things, this latest move by Google to throw their weight around isn’t exactly unexpected. They had the goodwill of the community when they decided to develop an open source browser engine to keep the likes of Microsoft from taking over the Internet and dictating the rules, but now Google has arguably become exactly what they once set out to destroy.

Today they essentially control the Internet, at least as the average person sees it, they control 72% of the mobile phone OS market, and now they want to firm up their already outsized control which apps get installed on your phone. The only question is whether or not we let them get away with it.

Continue reading “The Browser Wasn’t Enough, Google Wants To Control All Your Software”