I ricercatori di sicurezza hanno scoperto la compromissione di oltre 180 pacchetti npm, infettati da un malware auto-propagante progettato per infettare altri pacchetti. La campagna, soprannominata Shai-Hulud, è probabilmente iniziata con l’hacking del pacchetto @ctrl/tinycolor, scaricato oltre 2 milioni di volte a settimana.

Il nome Shai-Hulud deriva dai file shai-hulud.yaml utilizzati dal malware. È un riferimento ai giganteschi vermi delle sabbie di Dune di Frank Herbert. Il problema è stato portato per la prima volta all’attenzione dello sviluppatore Daniel Pereira, che ha avvisato la comunità di un attacco su larga scala alla catena di fornitura.

“In questo momento, mentre leggete questo, è in corso la distribuzione di malware all’interno di npm”, ha affermato Pereira, esortando tutti a non installare le ultime versioni di @ctrl/tinycolor.

Lo sviluppatore ha tentato di avvisare il team di sicurezza di GitHub tramite canali privati, poiché gli aggressori avevano preso di mira “repository multipli” e divulgare pubblicamente l’attacco avrebbe potuto creare ulteriori rischi. Tuttavia, contattare GitHub si è rivelato troppo difficile, quindi Pereira ha segnalato pubblicamente il problema.

I ricercatori di Socket e Aikido stanno attualmente indagando sull’incidente e hanno scoperto che almeno 187 pacchetti sono stati compromessi. Tra i pacchetti interessati, diversi sono pubblicati dall’account npmjs dell’azienda di sicurezza informatica CrowdStrike.

“Dopo aver scoperto diversi pacchetti dannosi nel registro pubblico npm (un repository open source di terze parti), li abbiamo rimossi rapidamente e aggiornato preventivamente le nostre chiavi”, hanno riferito i rappresentanti di CrowdStrike. “Questi pacchetti non sono utilizzati da Falcon, la nostra piattaforma non è interessata e i clienti rimangono protetti. Stiamo collaborando con npm e conducendo un’indagine approfondita.”

ReversingLabs, a sua volta, descrive questo incidente come “il primo del suo genere, un worm autoreplicante che infetta i pacchetti npm e ruba i token cloud”. I ricercatori ritengono che l’attacco abbia avuto origine nel pacchetto rxnt-authentication, una versione dannosa del quale è stata pubblicata su npm il 14 settembre 2025.

Secondo ReversingLabs, il responsabile di techsupportrxnt può essere considerato il “paziente zero”. La chiave per scoprire la fonte dell’attacco risiede nel modo esatto in cui l’account techsupportrxnt è stato compromesso. È possibile che tutto sia iniziato con un’email di phishing o con lo sfruttamento di una GitHub Action vulnerabile.

Le versioni compromesse dei pacchetti sono dotate di un meccanismo di autopropagazione del malware, che prende di mira altri pacchetti dei gestori interessati. Secondo i ricercatori di Socket, il malware ha scaricato ogni pacchetto dal manutentore, ha modificato il suo package.json, ha iniettato lo script bundle.js, ha riconfezionato l’archivio e lo ha pubblicato di nuovo, “garantendo così la trojanizzazione automatica dei pacchetti downstream”.

Lo script bundle.js utilizza TruffleHog, uno scanner legittimo per la ricerca di segreti, progettato per sviluppatori e professionisti di sicurezza. TruffleHog consente di rilevare informazioni riservate trapelate accidentalmente, come chiavi API, password e token, da repository e altre fonti. Lo script dannoso ha abusato dello strumento per trovare token e credenziali cloud.

L'articolo Supply Chain Wormable? Arrivano i pacchetti NPM con malware auto-propagante proviene da il blog della sicurezza informatica.

When we see an extremely DIY project, you always get someone who jokes “well, you didn’t collect sand and grow your own silicon”. [Patrícia J. Reis] and [Stefanie Wuschitz] did the next best thing: they collected local soil, sieved it down, and fired their own clay PCB substrates over a campfire. They even built up a portable lab-in-a-backpack so they could go from dirt to blinky in the woods with just what they carried on their back.

This project is half art, half extreme DIY practice, and half environmental consciousness. (There’s overlap.) And the clay PCB is just part of the equation. In an effort to approach zero-impact electronics, they pulled ATmega328s out of broken Arduino boards, and otherwise “urban mined” everything else they could: desoldering components from the junk bin along the way.

The traces themselves turned out to be the tricky bit. They are embossed with a 3D print into the clay and then filled with silver before firing. The pair experimented with a variety of the obvious metals, and silver was the only candidate that was both conductive and could be soldered to after firing. Where did they get the silver dust? They bought silver paint from a local supplier who makes it out of waste dust from a jewelry factory. We suppose they could have sat around the campfire with some old silver spoons and a file, but you have to draw the line somewhere. These are clay PCBs, people!

Is this practical? Nope! It’s an experiment to see how far they can take the idea of the pre-industrial, or maybe post-apocalyptic, Arduino. [Patrícia] mentions that the firing is particularly unreliable, and variations in thickness and firing temperature lead to many cracks. It’s an art that takes experience to master.

We actually got to see the working demos in the flesh, and can confirm that they did indeed blink! Plus, they look super cool. The video from their talk is heavy on theory, but we love the practice.

DIY clay PCBs make our own toner transfer techniques look like something out of the Jetsons.

media.ccc.de/v/38c3-clay-pcb/o…

hackaday.com/2025/09/18/pcbs-t…

L’Alta Corte di Londra ha annullato la decisione di estradare il cittadino portoghese Diogo Santos Coelho negli Stati Uniti. Il giovane, noto con lo pseudonimo di Omnipotent, era l’amministratore di uno dei più grandi forum di hacker, RaidForums.

La storia inizia nel gennaio 2022, quando Coelho si reca nel Regno Unito per far visita alla madre. Lì viene arrestato. Da allora, è in un limbo da più di tre anni: due Paesi si contendono la sua estradizione.

Gli Stati Uniti chiedono l’estradizione di Coelho per crimini legati alla gestione di RaidForums. Il Portogallo ha inviato un proprio ordine, citando i danni arrecati alle sue organizzazioni e ai suoi cittadini.

Lo stesso Coelho voleva recarsi in Portogallo e ha ufficialmente accettato l’estradizione.

Le autorità britanniche si sono trovate in una situazione difficile. La legge prevede una procedura speciale nel caso in cui più paesi richiedano l’estradizione di una persona. Ma nel suo caso queste regole non sono state rispettate.

Il Ministro dell’Interno ordinò che Coelho fosse trasferito negli Stati Uniti, ma lo fece frettolosamente. Il tribunale stabilì che la decisione si basava su documenti inesatti e che era stata presa senza tenere conto della posizione della difesa.

Il problema principale era che a Coelho non fu data l’opportunità di presentare le sue argomentazioni per l’estradizione in Portogallo. Le sue argomentazioni non furono nemmeno prese in considerazione.

Il giudice Linden ha riscontrato diverse violazioni. Secondo l’ordinanza del tribunale, al ministro è stato detto che le accuse statunitensi e portoghesi erano “identiche”, sebbene l’ordinanza portoghese includesse ulteriori accuse di riciclaggio di denaro e frode fiscale.

Inoltre, la decisione si basava sul presupposto che tutte le vittime si trovassero negli Stati Uniti. Ma le prove dimostravano il contrario: le vittime erano sparse in tutto il mondo, compreso il Portogallo stesso.

La corte ha inoltre affermato che il ministro non ha tenuto conto della natura più grave delle accuse portoghesi e dei legami personali di Coelho con il Paese. Gli è stato diagnosticato l’autismo, è a rischio di suicidio e riceve assistenza familiare e terapeutica nel suo Paese d’origine.

Il Ministero dell’Interno è ora tenuto a riesaminare le richieste concorrenti. A Coelho è stato concesso il diritto di presentare le sue argomentazioni prima che venga presa una nuova decisione.

Come ha osservato lo stesso Coelho, questo non garantisce l’estradizione in Portogallo, ma dà ai suoi avvocati la possibilità di essere ascoltati. Tra le argomentazioni della difesa c’è il fatto che alcuni dei presunti crimini siano stati commessi quando era minorenne, nonché il suo status di vittima della tratta di esseri umani.

L'articolo Il RE di RaidForums resta in bilico. La battaglia tra USA e Portogallo per la sua estradizione proviene da il blog della sicurezza informatica.

While many in the industry were at first skeptical of NASA’s goal to put resupply flights to the International Space Station in the hands of commercial operators, the results speak for themselves. Since 2012, the SpaceX Dragon family of spacecraft has been transporting crew and cargo from American soil to the orbiting laboratory, a capability that the space agency had lost with the retirement of the Space Shuttle. Putting these relatively routine missions in the hands of a commercial provider like SpaceX takes some of the logistical and financial burden off of NASA, allowing them to focus on more forward-looking projects.
SpaceX Dragon arriving at the ISS for the first time in 2012.
But as the saying goes, you should never put all of your eggs in one basket. As successful as SpaceX has been, there’s always a chance that some issue could temporarily ground either the Falcon 9 or the Dragon.

While Russia’s Progress and Soyuz vehicles would still be available in an emergency situation, it’s in everyone’s best interest that there be multiple backup vehicles that can bring critical supplies to the Station.

Which is precisely why several new or upgraded spacecraft, designed specifically for performing resupply missions to the ISS and any potential commercial successor, are coming online over the next few years.

In fact, one of them is already flying its first mission, and will likely have arrived at the International Space Station by the time you read this article.

Cygnus XL

The Cygnus was the second commercial spacecraft to deliver cargo to the ISS back in 2013, and like the Dragon, has gone through several upgrades and revisions over the years. Rather than starting from a clean slate, the Orbital Sciences Corporation based the vehicle’s pressurized module on the Multi-Purpose Logistics Module which was originally designed to fly inside the Space Shuttle’s cargo bay to provide onboard laboratory space before the construction of the ISS. This was paired with a service module that was derived from their line of communication satellites.

Orbital Sciences Corporation was eventually acquired by Northrop Grumman, which now operates the latest version of the spacecraft, the Cygnus XL. This latest version of the cargo craft lifted off for the first time on September 14th, and is currently en route to the ISS.

It retains the same 3.07 m (10.1 ft) diameter of the original Cygnus, but the length of the vehicle has been increased from 5.14 m (16.9 ft) to 8 m (26 ft). This has nearly doubled the internal pressurized volume of the craft, and the payload capacity has been increased from 2,000 kg (4,400 lb) to 5,000 kg (11,000 lb).

While the Dragon can autonomously dock with the ISS, the Cygnus XL needs to be captured by an astronaut using the Station’s robotic arm, and manually moved into position where it’s eventually bolted into place — a process known as berthing. This is a more labor intensive method of connecting a visiting spacecraft, but it does have at least one advantage, as the diameter of the berthing ports is larger than that of the docking ports. At least in theory, this means Cygnus XL would be able to deliver bulkier objects to the Station than the Dragon or any other spacecraft that makes use of the standard docking ports.

Like the earlier versions of the craft, Cygnus XL is an expendable vehicle, and lacks the heat shield that would be necessary to reenter Earth’s atmosphere safely. Once the vehicle delivers its cargo and is detached from the Station, it’s commanded to perform a deorbit maneuver which will cause it to burn up in the atmosphere. But even this serves an important function, as the astronauts will load the vehicle with trash before it departs, ensuring that refuse from the Station is destroyed in a safe and predictable manner.

HTV-X

Like the Cygnus XL, the HTV-X is an upgraded version of a spacecraft which has already visited the ISS, namely the H-II Transfer Vehicle (HTV). Designed and built by the Japan Aerospace Exploration Agency (JAXA), the first flight of this upgraded cargo vehicle is tentatively scheduled for late October.

The HTV-X reuses the pressurized module from the HTV, though it has been slightly enlarged and is now located at the rear of the spacecraft instead of the front. The cargo module is in turn attached to a service module that’s responsible for power generation, communications, and propulsion. For all intents and purposes, this service module is its own independent spacecraft, and JAXA is currently investigating future applications which would see this module mated with other payloads for various low Earth orbit missions.

Attached to the opposite side of the service module is an unpressurized cargo module. This is similar to the “trunk” of the Dragon spacecraft, in that it’s essentially just a hollow cylinder with shelves and mounting points inside. This module could potentially be used to bring up components that are intended to be attached to the outside of the ISS, or it could hold experiments and modules that are designed to be exposed to the space environment.

Like the Cgynus XL, the HTV-X will berth to the ISS rather than dock, and it will also burn up after its mission is complete. However the HTV-X is designed to fly freely on its own for up to 18 months after it delivers its cargo to the Station, which JAXA calls the “Technology Demonstration Phase” of the mission. This will essentially allow the agency to perform a second mission after the vehicle has completed its supply run, greatly improving the overall cost effectiveness of the program.

Dream Chaser

Far and away the most ambitious of these new spacecraft is the Dream Chaser, developed by Sierra Space. Reminiscent of a miniature version of the Space Shuttle, this winged vehicle is designed to land like an airplane at the end of its mission. This not only means it can bring material back down to Earth at the end of its mission, but that it can do so in a much less jarring manner than a capsule that ends up splashing down into the ocean under parachutes. This is a huge benefit when dealing with fragile cargo or scientific experiments, and is a capability not offered by any other currently operational spacecraft.

The Dream Chaser has been in active development for over 20 years, but its origins date back even farther than that, as it’s based on HL-20 Personnel Launch System concept from the 1980s. While it was initially designed for crew transport, it lost out to SpaceX and Boeing during NASA’s Commercial Crew Program selection in 2014. It did however secure a contract from the space agency in 2016 for six cargo missions to the ISS. To qualify for these missions, several changes were made to the original design, such as the addition of an expendable module that will attach to the rear of the vehicle to increase its relatively limited internal cargo capacity of 910 kg (2,000 lb) by 4,500 kg (10,000 lb).

The first orbital test flight of the Dream Chaser is currently scheduled to take place before the end of the year, but that date has already slipped several times. Being a reusable vehicle like the Dragon, the first Dream Chaser spaceplane is expected to fly multiple operational missions while a second craft is being assembled.

After completing their contractually obligated missions to the ISS, there are currently plans for the Dream Chaser to fly at least one mission for the United Nations Office for Outer Space Affairs, which will carry an array of scientific experiments provided by member nations that do not have their own domestic space programs. The company also says they remain committed to bringing the crewed version of Dream Chaser to fruition, likely as part of their partnership with Blue Origin to develop the Orbital Reef — a “mixed-use business park” in space.

Time is Running Out

It might seem strange that three different spacecraft are scheduled to enter service before the end of the year, but of course, the clock is ticking. Although the date has been pushed out a number of times over the years, the current 2030 timeline for the decommissioning of the International Space Station seems to be holding so far. With as little as five years left to go before the ISS joins us Earthlings back here on the surface, it’s now or never for any vehicles designed for service missions. This is doubly true for companies such as Sierra Space, who have already agreed to perform a set number of missions.

At the same time, any of these vehicles could support a future commercial space station, should one actually materialize. We’ve covered some of the post-ISS plans previously, but given how volatile the aerospace world is, nothing is a given until it’s actually in orbit.

hackaday.com/2025/09/18/a-new-…

Fausto Amodei, l'autore, ci ha lasciato oggi.

youtube.com/watch?v=WmFYVEiXGy…

As you might expect, the University of Puerto Rico at Arecibo has a fascination with radio signals from space. While doing research into the legendary “Wow! Signal” detected back in 1977, they realized that the burst was so strong that a small DIY radio telescope would be able to pick it up using modern software-defined radio (SDR) technology.

This realization gave birth to the Wow@Home project, an effort to document both the hardware and software necessary to pick up a Wow! class signal from your own backyard. The University reasons that if they can get a bunch of volunteers to build and operate these radio telescopes, the resulting data could help identify the source of the Wow! Signal — which they believe could be the result of some rare astrophysical event and not the product of Little Green Men.

Ultimately, this isn’t much different from many of the SDR-based homebrew radio telescopes we’ve covered over the years — get a dish, hook your RTL-SDR up to it, add in the appropriate filters and amplifiers, and point it to the sky. Technically, you’re now a radio astronomer. Congratulations. In this case, you don’t even have to figure out how to motorize your dish, as they recommend just pointing the antenna at a fixed position and let the rotation of the Earth to the work — a similar trick to how the legendary Arecibo Observatory itself worked.

The tricky part is collecting and analyzing what’s coming out of the receiver, and that’s where the team at Arecibo hope to make the most headway with their Wow@Home software. It also sounds like that’s where the work still needs to be done. The goal is to have a finished product in Python that can be deployed on the Raspberry Pi, which as an added bonus will “generate a live preview of the data in the style of the original Ohio State SETI project printouts.” Sounds cool to us.

If you’re interested in lending a hand, the team says they’re open to contributions from the community — specifically from those with experience RFI shielding, software GUIs, and general software development. We love seeing citizen science, so hopefully this project finds the assistance and the community it needs to flourish.

Thanks to [Mark Stevens] for the tip.

hackaday.com/2025/09/18/listen…

What has the EDRi network been up to over the summer? Find out the latest digital rights news in our bi-weekly newsletter. In this edition: age verification gains traction, EU’s deregulation spree risks entire digital rulebook, & more!

The post EDRi-gram, 17 September 2025 appeared first on European Digital Rights (EDRi).