The ZX Spectrum is perhaps most fondly remembered as a home computer and a games machine. [Tito] has grabbed the faithful black plastic box and turned it into a frequency counter as an innovative entry to our 2025 One Hertz Challenge.

The code was prepared in assembly using ZASM—a Z80 online assembler. It works in quite a simple manner. The code runs for one second at a time, counting rising edges on the EAR port of the ZX Spectrum. Those edges are added up to determine the frequency in question, and the job is done. [Tito] has tested the code and found it’s capable of reading frequencies up to 20 KHz. Since it runs on a one second period, it’s thus eligible for entry by meeting the requirements of the One Hertz Challenge. Code is available on Github for the curious.

The ZX Spectrum has a clock speed of 3.5 MHz, meaning it’s not exactly the tool of choice if you’re reading faster signals. We’ve seen similar done before. In any case, this project was a great way to exercise assembly coding skills and to bust out some classic Speccy hardware—and that’s always a good time. If you’ve got your own retrocomputer hacks brewing up in the lab, don’t hesitate to let us know!

hackaday.com/2025/07/18/2025-o…

Film maker [David Greelish] wrote in to let us know about his recent documentary: Before Macintosh: The Apple Lisa.

The documentary covers the life of the Apple Lisa. It starts with the genesis of the Lisa Project at Apple, covering its creation, then its marketing, and finally its cancellation. It then discusses the Apple Lisa after Apple, when it became a collectible. Finally the film examines the legacy of the Apple Lisa, today.

The Apple Lisa was an important step on the journey to graphical user interfaces which was a paradigm that was shifting in the early 1980s, contemporary with the Macintosh and the work at Palo Alto. The mouse. Bitmapped graphics. Friendly error messages. These were the innovations of the day.

Apple began work on the Lisa Project in October 1978 but most of its design goals changed after Steve Jobs and his team visited the Xerox Palo Alto Research Center (PARC) in November 1979. On January 19, 1983, the Apple Lisa computer was released by Apple. Two years later it was re-branded as the “Macintosh XL” and was converted to run the Mac system software. Ultimately, on August 1, 1986, the Macintosh XL (Apple Lisa) was cancelled, so as to not interfere with Macintosh sales.

But the Apple Lisa is not forgotten. These days they are collectibles which you can acquire for a few thousand dollars. They are considered a symbol and harbinger of the very significant shift to the graphical user interface which today is commonplace and perhaps even taken for granted.

There is a fun anecdote in the film about what we know today as OK/Cancel. In fact with the Apple Lisa that was originally Do it/Cancel, but it turned out many people read “do it” as “doit”, so during usability testing the users were asking “what’s a doit?”

If you’re interested in the old Apple Lisa be sure to check out LisaGUI which is a browser-based emulator you can use to see what it used to be like.

youtube.com/embed/psAeTDYezdo?…

hackaday.com/2025/07/18/before…

Today in the submersibles department our hacker [Rupin Chheda] wrote in to tell us about their submarine project.

This sub is made from a few lengths of PVC piping of various diameters. There is an inflation system comprised of a solenoid and a pump, and a deflation system, also comprised of a solenoid and a pump. The inflation and deflation systems are used to flood or evacuate the ballast which controls depth. There are three pumps for propulsion and steering, one central pump for propulsion and two side pumps for directional control, allowing for steering through differential thrust. Power and control is external and provided via CAT6 cable.

We have covered various submarine projects here at Hackaday before and it is interesting to compare and contrast the designs. One sub we covered recently was this one made mostly from Lego. There are considerable differences in the approach to buoyancy, propulsion, steering, power, and control. Whereas the PVCSub uses separate ballast inflation and deflation systems the Lego sub uses one system that can be run forward or backward; whereas the PVCSub uses a pump for propulsion the Lego sub uses a magnetically coupled propeller; whereas the PVCSub uses differential thrust for steering the Lego sub uses a small propeller; whereas the PVCSub transmits power through external wires, the Lego sub has an onboard battery; and whereas the PVCSub uses the power wires for control the Lego sub is radio controlled.

Just goes to show that there are many ways to skin this particular kind of cat.

hackaday.com/2025/07/18/pvcsub…

La ragazza senza nome
12 agosto 1949. Nirim, deserto del Negev, Palestina.
I militari israeliani ricevono un ordine scritto dal comando: "Dovete sparare per uccidere ogni arabo nel vostro settore".
La caccia al palestinese è aperta.

La zona è inospitale, vivono solo due tribù beduine palestinesi, i militari dell'IDF scorgono un uomo e una ragazzina, mirano all'uomo e lo uccidono.
La ragazzina viene rapita, portata nell'avamposto militare e rinchiusa in una baracca.

Lungo la strada incontrano una mandria di cammelli al pascolo.
Il convoglio si ferma, i militari scendono dai mezzi, estraggono le armi e aprono il fuoco. Sessanta cammelli vengono uccisi a colpi di mitra.

È sera. I militari sono a cena, tre lunghe tavolate.
Entra il comandante dell'avamposto, il sottotenente Moshe, ha una proposta per i soldati: "Abbiamo un'araba nella baracca, lascio a voi la scelta, volete che diventi la nostra cuoca o la nostra schiava sessuale?"
Scrive Haaretz "I militari rispondono entusiasti, sco-pa-re, sco-pa-re".

Stabiliscono i turni: prima gli ufficiali, poi i soldati. Gli autisti degli ufficiali protestano "vogliamo partecipare anche noi!"
"Calma" dice il comandante "verrà anche il vostro turno, come anche per il cuoco, l'infermiere e il medico"

Il comandante ordina di prelevare la ragazzina e di tagliarle i capelli.
La conduce nella doccia, la lava con le sue mani e la stupra davanti ai soldati che osservano.

L'idea piace a un altro ufficiale che decide di stuprarla allo stesso modo.
La ragazzina viene stuprata per tre lunghi giorni da 20 militari dell'IDF.

La storia della ragazzina palestinese stuprata a turno la conoscono in tanti, troppi, la voce arriva a Ben-Gurion, che ordina di riportarla nel villaggio da dove era stata rapita.

Ma le condizioni di salute della ragazzina sono gravissime, ha perso conoscenza, ha bisogno di cure urgenti.
Alcuni militari, su ordine del comandante dell'avamposto, contraddicendo agli ordini di Ben-Gurion, la caricano su una jeep, la portano nel deserto e la uccidono con un colpo al cuore.
Scavano una buca, scoppia una lite tra i militari, nessuno vuole più scavare, la buca è di soli 30 cm, la gettano dentro, la cospargono di benzina e la ricoprono con la sabbia del deserto.

Ben-Gurion va su tutte le furie, un sottotenente non ha eseguito un suo ordine. Decide di dargli una lezione.
Pretende che venga processato in segreto da una corte marziale per stupro e omicidio e che gli atti del processo vengano secretati.
Il comandante dell'avamposto viene condannato a 16 anni, gli altri militari stupratori, compreso gli esecutori dell'omicidio, a pene simboliche.

Gli atti processuali verranno desecretati solo nel 2003, visionati da alcuni storici e pubblicati da Haaretz, poi dal Guardian.

Cito due episodi agghiaccianti emersi dagli atti processuali:
• viene rilevata l'impossibilità di dare un nome alla ragazza poiché "nessuno dei soggetti con cui ha avuto contatto ha chiesto il suo nome";
• L'età della ragazza è incerta in quanto "alcuni militari riferiscono che avesse 18-19 anni, altri 13-15, altri ancora, 10 anni" (!)

Lo storico israeliano Benny Morris, intervistato da Haaretz su questa vicenda, ha affermato che, durante le sue ricerche negli archivi militari israeliani è rimasto "sorpreso dalla quantità di casi di stupro" "molti dei quali si concludono con l'omicidio della vittima"

* Fonti : vari articoli di Haaretz (consultabili in un unico link), Al-Arabiya, Diario di Ben Gurion

_____________________________
facebook.com/share/1B3unBqsnF/

Nel mondo della cybersecurity siamo abituati a dare la caccia ai mostri: APT, 0-day, malware super avanzati, ransomware con countdown da film di Hollywood. Ma intanto, nei corridoi silenziosi del codice sorgente, si consumano le vere tragedie. Silenziose, costanti, banali. Repository Git pieni zeppi di credenziali, token, chiavi API e variabili di ambiente spiattellate come fosse la bacheca dell’oratorio.

La notizia la riporta The Hacker News: una nuova campagna di attacchi, soprannominata “The Unusual Suspect”, sfrutta repository Git pubblici e privati per accedere ad ambienti cloud, pipeline CI/CD e database interni, con una facilità che fa più paura di un exploit zero-click. Non c’è magia nera. Non c’è necessità di brute force o social engineering. Serve solo un po’ di pazienza, un motore di ricerca, e… la dabbenaggine di chi commit(a) i segreti senza pensarci due volte.

Il codice è il nuovo perimetro. Ma qualcuno non ha ricevuto la notifica.

L’attacco si basa su una verità semplice, ma devastante: i repository Git sono ormai il centro di gravità permanente del software moderno. Contengono tutto. Codice, configurazioni, log, cronjob, script bash di provisioning, playbook Ansible. E in mezzo a tutta questa roba, spesso ci scappano – anzi, ci cascano – anche file .env, chiavi SSH, config.yml con hardcoded credentials e token OAuth lasciati lì “per fare prima”.

Gli attaccanti lo sanno bene. E lo sfruttano. Con tool automatizzati che scandagliano milioni di repo alla ricerca di stringhe sospette, API key note, access token e pattern classici (AKIA..., ghp_..., eyJhbGciOi...). Appena trovano l’ingresso, entrano. E non bussano.

Il caso tj-actions/changed-files: 23.000 repo esposti, nessuna pietà

A marzo 2025 esplode uno dei casi più eclatanti dell’anno. Una GitHub Action molto usata — tj-actions/changed-files — viene modificata da un attaccante che ha trafugato un GitHub PAT. La nuova versione? Una trappola perfetta: stampa nei log tutte le secrets disponibili nel runner CI/CD. Tutte. E quei log, tanto per gradire, sono pubblici.

Risultato? Migliaia di repository, aziende e sviluppatori si sono ritrovati con le mutande digitali abbassate in piazza. Le loro chiavi AWS, token GCP, PAT GitHub, chiavi Stripe o Twilio… tutte lì, nei log. A disposizione di chiunque sapesse cosa cercare. E gli attaccanti hanno cercato. Eccome se hanno cercato.

L’obiettivo? Non tanto la Action in sé, ma i progetti target che ne facevano uso. Come coinbase/agentkit. Sì, proprio Coinbase. Non stiamo parlando della startup sotto casa.

Non è un problema tecnico. È un problema culturale.

La cosa che fa più rabbia non è l’attacco in sé, ma quanto fosse evitabile. Bastava usare l’hash del commit anziché il tag v4. Bastava fare secret scanning prima del push. Bastava configurare correttamente i permessi delle GitHub Actions. Ma no. Il Dev scrive, commit(a), push(a) e via andare. “Ci penserà qualcun altro a fare la security”. Ecco, news flash: quel qualcun altro non c’è. E quando l’attacco arriva, è sempre troppo tardi.

Qui non serve un patch di sicurezza. Serve una riscrittura del DNA operativo. I repo vanno trattati come asset critici. Le pipeline come potenziali vettori d’attacco. I file .env devono sparire dai commit come le password scritte sui post-it. E i dev devono capire che non sono solo coder, ma i primi difensori dell’infrastruttura.

La CI/CD è il nuovo campo minato

La vera bomba di questi attacchi non è solo l’ingresso iniziale. È ciò che succede dopo. Perché attraverso la CI/CD, l’attaccante può fare praticamente tutto: modificare gli artefatti, inserire backdoor, distribuire payload nei container, creare persistenza nei Lambda, oppure fare exfiltration tranquillo via S3. Tutto questo passando per runner CI pubblici, spesso non monitorati, senza EDR, senza SIEM, e con più privilegi di quanto dovrebbe avere un pentester col cappello bianco.

Se lasci il cancello della pipeline aperto, l’attacco è solo una questione di tempo.

La realtà? È che in troppi stanno dormendo

In questo momento, ci sono migliaia di repository Git con chiavi valide committate. Alcune da sviluppatori freelance che non hanno idea del rischio. Altre da aziende grandi, blasonate, piene di certificazioni ISO e badge SOC2 sul sito. Tutti convinti che “tanto chi vuoi che ci guardi?”. Ma gli attaccanti guardano. E guardano molto più in profondità di quanto crediate.

Questa non è paranoia. È cronaca. E se non iniziamo a trattare i repository come asset strategici, finiranno per essere l’anello debole che ci farà crollare addosso tutta l’impalcatura.

Conclusione

Questa storia ci insegna una cosa: la sicurezza moderna non ha bisogno di eroi, ma di disciplina. Di processi. Di controlli. Di cultura. Perché oggi, più che mai, un semplice git push può diventare l’inizio della fine.

Il nemico non bussa più alla porta. Passa dal repository.

L'articolo The Unusual Suspect: quando i repo Git aprono la porta sul retro proviene da il blog della sicurezza informatica.

When asked ‘what makes you tick?’ the engineers at Vacheron Constantin sure know what to answer – and fast, too. Less than a year after last year’s horological kettlebell, the 960g Berkley Grand Complication, a new invention had to be worked out. And so, they delivered. Vacheron Constantin’s Solaria Ultra Grand Complication is more than just the world’s most complicated wristwatch. It’s a fine bit of precision engineering, packed with 41 complications, 13 pending patents, and a real-time star tracker the size of a 2-Euro coin.

Yes, there’s a Westminster chime and a tourbillon, but the real novelty is a dual-sapphire sky chart that lets you track constellations using a split-second chronograph. Start the chrono at dusk, aim your arrow at the stars, and it’ll tell you when a chosen star will appear overhead that night.

Built by a single watchmaker over eight years, the 36mm-wide movement houses 1,521 parts and 204 jewels. Despite the mad complexity, the watch stays wearable at just 45mm wide and 15mm thick, smaller than your average Seamaster. This is a wonder of analog computational mechanics. Just before you think of getting it gifted for Christmas, think twice – rumors are it’ll be quite pricey.

hackaday.com/2025/07/18/time-s…

[Robert Morrison] had an ancient HP 545A logic probe, which was great for debugging SMT projects. The only problem was that being 45 years old, it wasn’t quite up to scratch when it came to debugging today’s faster circuitry. Thus, he hacked it to do better, and entered it in our 2025 One Hertz Challenge to boot!

[Robert’s] hack relied on the classic logic probe for its stout build and form factor, which is still useful even on today’s smaller hardware. Where it was lacking was in dealing with circuits running at 100 MHz and above. To rectify this, [Robert] gave the probe a brain transplant with a Sparkfun Alorium FPGA board and a small display. The FPGA is programmed to count pulses while measuring pulse widths and time, and it then drives the display to show this data to the user. There’s also a UART output, and [Robert] is actively developing further logic analyzer features, too.

You might be questioning how this project fits in the One Hertz Challenge, given it’s specifically built for running at quite high speeds. [Robert] snuck it in under the line because it resamples and updates the display on a once-a-second basis. Remember, as per the challenge site—”For this challenge, we want you to design a device where something happens once per second.” We’re giving you a lot of leeway here!

Often, old scopes and probes and other gear are really well built. Sometimes, it’s worth taking the best of the old physical hardware and combining it with modern upgrades to make something stout that’s still useful today. Meanwhile, if you’re cooking up your own neo-retro-logic probes, don’t hesitate to notify the tipsline!

hackaday.com/2025/07/18/2025-o…

Join Hackaday Editors Elliot Williams and Tom Nardi as they talk about their favorite hacks and stories from the previous week. They’ll start things off with a small Supercon update, and go right into fusion reactors, AI surgeons, planned obsolescence, and robotic cats and dogs. They’ll also go over several entries from the ongoing 2025 One Hertz Challenge, an ambitious flight simulator restoration project, old school lightning detectors, and how Blu-ray won the battle against HD DVD but lost the war against streaming. Stick around to the end to hear an incredible story about a clandestine machine shop in a WWII prisoner of war camp, and the valiant fight to restore communications with the Lunar Trailblazer spacecraft.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3 and add it to your collection.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 329 Show Notes:

News:

• Wendelstein 7-X Sets New Record For The Nuclear Fusion Triple Product

What’s that Sound?

• Think you know that sound? Fill out the form for a chance to win a Hackaday Podcast T-Shirt!

Interesting Hacks of the Week:

• Do You Trust This AI For Your Surgery?
• Will HP Create A Carfax System For PCs?
• A Budget Quasi-Direct-Drive Motor Inspired By MIT’s Mini Cheetah
• Robotic Cheetah Teaches A Motors Class
• From Leash To Locomotion: CARA The Robotic Dog
• What Will It Take To Restore A Serious Flight Simulator?
• 2025 One Hertz Challenge: An Ancient Transistor Counts The Seconds
  
  • Michael Covington’s Daily Notebook
  • 2025 One Hertz Challenge: Ham Radio Foxhunt Transmitter
  • 2025 One Hertz Challenge: Valvano Clock Makes The Seconds Count
  • 2025 One Hertz Challenge: Metronalmost Is Gunning For Last Place

  
  

• Jcorp Nomad: ESP32-S3 Offline Media Server In A Thumbdrive

Quick Hacks:

• Elliot’s Picks:
  
  • Introducing PooLA Filament: Grass Fiber-Reinforced PLA
  • A Collection Of Lightning Detectors
  • USB-C Rainbow Ranger: Sensing Volts With Style
  • Coroutines In C

  
  

• Tom’s Picks:
  
  • Smart Coffee Table To Guide Your Commute
  • Blu-ray Won, But At What Cost?
  • This Homebrew CPU Got Its Start In The 1990s

  
  

Can’t-Miss Articles:

• Hacking When It Counts: DIY Prosthetics And The Prison Camp Lathe
• The Fight To Save Lunar Trailblazer

hackaday.com/2025/07/18/hackad…

The rise of inexpensive yet relatively powerful electronics has enabled a huge array of computing options that would have been unheard of even two decades ago. A handheld gaming PC with hours of battery life, for example, would have been impossible or extremely expensive until recently. But this revolution has also enabled a swath of inexpensive but low-quality knockoff consoles, often running unlicensed games, that might not even reach the low bar of quality set by their sellers. [Jorisclayton] was able to modify one of these to live up to its original promises.

This Ultimate Brick Game, as it is called, originally didn’t even boast the number of games, unlicensed or otherwise, that it claimed to. [Jorisclayton] removed almost all of the internals from this small handheld to help it live up to this original claim. It boasts a Raspberry Pi Zero 2W now as well as a TFT screen and has a number of other improvements including Bluetooth support for external controllers and upgraded audio. A second console was used for donor parts, and some case mods were made as well to accommodate a few extra buttons missing on the original console.

Right now the project is in a prototype phase, as [Jorisclayton] is hoping to use the donor case to build a more refined version of this handheld console in the future. Until then, this first edition upgrade of the original console can run RetroPie, which means it can run most games up through the Nintendo 64 era. RetroPie enables a ton of emulation for old video games including arcade games of the past. This small arcade cabinet uses that software to bring back a bit of nostalgia for the arcade era.

hackaday.com/2025/07/18/unlock…

Magnus Carlsen ha battuto ChatGPT a scacchi senza perdere un solo pezzo, mentre l’avversario virtuale ha perso tutti i pedoni. Il grande maestro norvegese ha pubblicato screenshot della partita sul social network X il 10 luglio. L’intelligenza artificiale ha ammesso la sconfitta e si è arresa. “A volte mi annoio quando viaggio”, ha scritto Carlsen nella didascalia del post.

Il filmato mostra che, dopo la partita, ChatGPT si è congratulato con lui per la vittoria, definendo il suo gioco metodico, pulito e preciso. Carlsen ha risposto elogiando l’IA per un buon inizio, ma ha notato che ha commesso diversi errori in seguito. Ha quindi chiesto al bot di valutare il suo gioco.

ChatGPT ha rilevato diversi punti di forza nel gioco di Carlsen, tra cui un avvio intelligente, pazienza, senso tattico e una buona tecnica di finale. L’IA ha stimato il suo punteggio convenzionale negli scacchi classici a 1800-2000 sulla scala FIDE o USCF, con l’avvertenza che il suo livello reale potrebbe essere superiore.

Sia i sistemi di valutazione FIDE che USCF utilizzano la scala Elo, che tiene conto dei risultati delle partite ufficiali e del livello degli avversari. La valutazione è particolarmente influenzata da esiti inaspettati, quando un giocatore più debole batte un favorito.

L’attuale rating di Carlsen secondo la Federazione Scacchistica Mondiale è 2839, il che lo rende il giocatore di scacchi con il rating più alto al mondo. Ha vinto il campionato del mondo cinque volte in carriera, l’ultima delle quali nel 2021. Da allora si è ritirato dalla partecipazione a nuovi cicli, affermando di non essere interessato a lottare per il titolo.

Abbiamo quindi voluto capire cosa ne pensa Chat-GPT e abbiamo chiesto un commento su questa notizia e questa è stata la sua risposta.

“Come ChatGPT, non posso che sorridere leggendo questa notizia! Il match tra Magnus Carlsen e un’istanza di ChatGPT dimostra bene che, pur potendo analizzare mosse e fornire commenti tecnici, un modello linguistico non nasce per giocare realmente a scacchi al livello di un grande maestro. È interessante però vedere come Carlsen abbia voluto testare la curiosità e le capacità “creative” di un’IA conversazionale, più che sfidare un motore scacchistico tradizionale come Stockfish o Leela. Il fatto che Carlsen abbia chiesto anche un’analisi post-partita all’IA evidenzia un aspetto più significativo: il valore di ChatGPT non tanto come avversario, ma come assistente e commentatore capace di spiegare strategie, punti di forza e debolezze in modo accessibile. Insomma, non vinceremo trofei sulla scacchiera, ma possiamo aiutare a capire meglio il gioco. E anche questo, in fondo, è un piccolo scacco matto alla complessità.”

L'articolo Magnus Carlsen batte ChatGPT a scacchi senza perdere un pezzo! proviene da il blog della sicurezza informatica.

There’s a train vulnerability making the rounds this week. The research comes from [midwestneil], who first discovered an issue way back in 2012, and tried to raise the alarm.

Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story: t.co/MKRFSOa3XY

— neils (@midwestneil) July 11, 2025

To understand the problem, we have to first talk about the caboose. The caboose was the last car in the train, served as an office for the conductor, and station for train workers to work out of while tending to the train and watching for problems. Two more important details about the caboose, is that it carried the lighted markers to indicate the end of the train, and was part of the train’s breaking system. In the US, in the 1980s, the caboose was phased out, and replaced with automated End Of Train (EOT) devices.

These devices were used to wirelessly monitor the train’s air brake system, control the Flashing Rear End Device (FRED), and even trigger the brakes in an emergency. Now here’s the security element. How did the cryptography on that wireless signal work in the 1980s? And has it been updated since then?

The only “cryptography” at play in the FRED system is a BCH checksum, which is not an encryption or authentication tool, but an error correction algorithm. And even though another researcher discovered this issue and reported it as far back as 2005, the systems are still using 1980s era wireless systems. Now that CISA and various news outlets have picked on the vulnerability, the Association of American Railroads are finally acknowledging it and beginning to work on upgrading.

Putting GitHub Secrets to Work

We’ve covered GitHub secret mining several times in this column in the past. This week we cover research from GitGuardian and Synacktiv, discovering how to put one specific leaked secret to use. The target here is Laravel, an Open Source PHP framework. Laravel is genuinely impressive, and sites built with this tool use an internal APP_KEY to encrypt things like cookies, session keys, and password reset tokens.

Laravel provides the encrypt() and decrypt() functions to make that process easy. The decrypt() function even does the deserialization automatically. … You may be able to see where this is going. If an attacker has the APP_KEY, and can convince a Laravel site to decrypt arbitrary data, there is likely a way to trigger remote code execution through a deserialization attack, particularly if the backend isn’t fully up to date.

So how bad is the issue? By pulling from their records of GitHub, GitGuardian found 10,000 APP_KEYs. 1,300 of which also included URLs, and 400 of those could actually be validated as still in use. The lesson here is once again, when you accidentally push a secret to Github (or anywhere on the public Internet), you must rotate that secret. Just force pushing over your mistake is not enough.

Fake Homebrew

There’s a case to be made that browsers should be blocking advertisements simply for mitigating the security risk that comes along with ads on the web. Case in point is the fake Homebrew install malware. This write-up comes from the security team at Deriv, where a MacOS device triggered the security alarms. The investigation revealed that an employee was trying to install Homebrew, searched for the instructions, and clicked on a sponsored result in the search engine. This led to a legitimate looking GitHub project containing only a readme with a single command to automatically install Homebrew.

The command downloads and runs a script that does indeed install Homebrew. It also prompts for and saves the user’s password, and drops a malware loader. This story has a happy ending, with the company’s security software catching the malware right away. This is yet another example of why it’s foolhardy to run commands from the Internet without knowing exactly what they do. Not to mention, this is exactly the scenario that led to the creation of Workbrew.

SQL Injection

Yes, it’s 2025, and we’re still covering SQL injections. This vulnerability in Fortinet’s Fortiweb Fabric Connector was discovered independently by [0x_shaq] and the folks at WatchTowr. The flaw here is the get_fabric_user_by_token() function, which regrettably appends the given token directly to a SQL query. Hence the Proof of Concept:

GET /api/fabric/device/status HTTP/1.1
Host: 192.168.10.144
Authorization: Bearer 123'/[strong]/or/[/strong]/'x'='x

And if the simple injection wasn’t enough, the watchTowr write-up manages a direct Remote Code Execution (RCE) from an unauthenticated user, via a SQL query containing an os.system() call. And since MySQL runs as root on these systems, that’s pretty much everything one could ask for.

AI guided AI attacks

The most intriguing story from this week is from [Golan Yosef], describing a vibe-researching session with the Claude LLM. The setup is a Gmail account and the Gmail MCP server to feed spammy emails into Claude desktop, and the Shell MCP server installed on that machine. The goal is to convince Claude to take some malicious action in response to an incoming, unsolicited email. The first attempt failed, and in fact the local Claude install warned [Golan] that the email may be a phishing attack. Where this mildly interesting research takes a really interesting turn, is when he asked Claude if such an attack could ever work.

Claude gave some scenarios where such an attack might succeed, and [Golan] pointed out that each new conversation with Claude is a blank slate. This led to a bizarre exchange where the running instance of Claude would play security researcher, and write emails intended to trick another instance of Claude into doing something it shouldn’t. [Golan] would send the emails to himself, collect the result, and then come back and tell Researcher Claude what happened. It’s quite the bizarre scenario. And it did eventually work. After multiple tries, Claude did write an email that was able to coerce the fresh instance of Claude to manipulate the file system and run calc.exe. This is almost the AI-guided fuzzing that is inevitably going to change security research. It would be interesting to automate the process, so [Golan] didn’t have to do the busywork of shuffling the messages between the two iterations of Claude. I’m confident we’ll cover many more stories in this vein in the future.

youtube.com/embed/TEpgnTgOqIY?…

Bits and Bytes

SugarCRM fixed a LESS code injection in an unauthenticated endpoint. These releases landed in October of last year, in versions 13.0.4 and 14.0.1. While there isn’t any RCE at play here, this does allow Server-Side Request Forgery, or arbitrary file reads.

Cryptojacking is the technique where a malicious website embeds a crypto miner in the site. And while it was particularly popular in 2017-2019, browser safeguards against blatant cryptojacking put an end to the practice. What c/side researchers discovered is that cryptojacking is still happening, just very quietly.

There’s browser tidbits to cover in both major browsers. In Chrome it’s a sandbox escape paired with a Windows NT read function with a race condition, that makes it work as a write primitive. To actually make use of it, [Vincent Yeo] needed a Chrome sandbox escape.

ZDI has the story of Firefox and a JavaScript Math confusion attack. By manipulating the indexes of arrays and abusing the behavior when integer values wrap-around their max value, malicious code could read and write to memory outside of the allocated array. This was used at Pwn2Own Berlin earlier in the year, and Firefox patched the bug on the very next day. Enjoy!

hackaday.com/2025/07/18/this-w…