PhantomRaven Attack Exploits NPM’s Unchecked HTTP URL Dependency Feature
An example of RDD in a package’s dependencies list. It’s not even counted as a ‘real’ dependency. (Credit: Koi.ai)
Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, but this newly discovered one is among the more refined. It exploits not only the remote dynamic dependencies (RDD) ‘feature’ in NPM, but also turns the increased occurrence of LLM-generated, non-existent package names to its advantage. That second trick, called ‘slopsquatting’, is only the first step in an attack that the researchers over at [Koi] stumbled over by accident.
Calling it the PhantomRaven attack for that cool vibe, they found that it had started in August of 2025, with some malicious packages detected and removed by NPM, but eighty subsequent packages evaded detection. What these packages have in common is that their dependencies list uses RDD to download malicious code from an HTTP URL. It was this traffic to the same HTTP domain that tipped off the researchers.
For some incomprehensible reason, allowing HTTP URLs as package dependencies is an integral part of the RDD feature. Since the malicious URL is not found in the package’s code itself, it slips past security scanners, and because the download is not cached, the attackers keep significantly more control over what gets served on each install. This fake dependency is run automatically, without user interaction or notification, at which point it begins to scan the filesystem for credentials and anything else of use.
The names of the fake packages were also chosen specifically to match incomplete package names that an LLM might spit out, such as unused-import instead of the full package name eslint-plugin-unused-imports, as an example. This serves to highlight why you should strictly validate not only your direct dependencies, but also their dependencies. As for why RDD is even a thing, this is something that NPM will hopefully explain soon.
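One practical check against this class of dependency is to scan a manifest and its lockfile for anything resolved over a plain URL rather than a registry version. The script below is an added example, not code from the article or from Koi’s research; it assumes that registry.npmjs.org is the only trusted tarball host and uses a constructed manifest with a made-up URL to show what gets flagged.

```javascript
// Added example (not from the article or Koi's research): report dependency
// specs that are remote HTTP(S) URLs instead of registry versions, both in
// package.json sections and in a lockfile's resolved tarball URLs.
// Assumption: registry.npmjs.org is the only host we trust tarballs from.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']);
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function isUrlSpec(spec) {
  return typeof spec === 'string' && /^https?:\/\//i.test(spec.trim());
}

// Walk every dependency section of a parsed package.json and collect the
// entries whose spec is a URL, i.e. a remote dynamic dependency.
function findUrlDependencies(pkg) {
  const hits = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (isUrlSpec(spec)) hits.push({ section, name, spec });
    }
  }
  return hits;
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and collect
// resolved tarballs fetched from hosts outside the trusted set. This also
// catches URL dependencies pulled in transitively by other packages.
function findUntrustedResolved(lock, trusted = TRUSTED_HOSTS) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || !/^https?:\/\//i.test(entry.resolved)) continue;
    const host = new URL(entry.resolved).hostname;
    if (!trusted.has(host)) hits.push({ path, resolved: entry.resolved });
  }
  return hits;
}

// Constructed sample data: one ordinary dependency and one RDD entry whose
// URL is a placeholder (example.invalid), not a real indicator.
const samplePkg = {
  name: 'demo-app',
  dependencies: { express: '^4.19.2', 'unused-import': 'http://example.invalid/pkg.tgz' },
  devDependencies: { jest: '^29.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/express': { resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz' },
    'node_modules/unused-import': { resolved: 'http://example.invalid/pkg.tgz' },
  },
};
console.log(findUrlDependencies(samplePkg), findUntrustedResolved(sampleLock));
```

Run it against a real project by replacing the sample objects with `JSON.parse` of the project’s package.json and package-lock.json; anything it reports deserves a look before the next `npm install`.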
Top image: North American Common Raven (Corvus corax principalis) in flight at Muir Beach in Northern California (Credit: Copetersen, Wikimedia)
100-Year Old Wagon Wheel Becomes Dynamometer
If you want to dyno test your tuner car, you can probably find a couple of good facilities in any nearby major city. If you want to do similar testing at a smaller scale, though, you might find it’s easier to build your own rig, like [Lou] did.
[Lou’s] dynamometer is every bit a DIY project, relying on a 100-year-old wagon wheel as the flywheel, installed in a simple frame cobbled together from 6×6 timber beams. As you might imagine, a rusty old wagon wheel probably wouldn’t be in great condition, and that was entirely true here. [Lou] put in the work to balance it up with some added weights, before measuring its inertia with a simple falling-weight test. The wheel is driven via a chain with a 7:1 gear reduction to avoid spinning it too quickly. Logging the data is a unit from BlackBoxDyno, which uses Hall effect sensors to measure engine RPM and flywheel RPM. With this data and a simple calibration, it’s possible to calculate the torque and horsepower of a small engine hooked up to the flywheel.
Few of us are bench testing our lawnmowers for the ultimate performance, but if you are, a build like this could really come in handy. We’ve seen other dyno builds before, too. Video after the break.
Half-good new Danish Chat Control proposal
Denmark, currently presiding over the EU Council, proposes a major change to the much-criticised EU chat control proposal to search all private chats for suspicious content, even at the cost of destroying secure end-to-end encryption: Instead of mandating the general monitoring of private chats (“detection orders”), the searches would remain voluntary for providers to implement or not, as is the status quo. The presidency circulated a discussion paper with EU country representatives today, aiming to gather countries’ views on the updated (softened) proposal. The previous Chat Control proposal had even lost the support of Denmark’s own government.
“The new approach is a triumph for the digital freedom movement and a major leap forward when it comes to saving our fundamental right to confidentiality of our digital correspondence”, comments Patrick Breyer (Pirate Party), a former Member of the European Parliament and digital freedom fighter. “It would protect secure encryption and thus keep our smartphones safe. However, three fundamental problems remain unsolved:
1) Mass surveillance: Even where voluntarily implemented by communications service providers such as currently Meta, Microsoft or Google, chat control is still totally untargeted and results in indiscriminate mass surveillance of all private messages on these services. According to the EU Commission, about 75% of the millions of private chats, photos and videos leaked every year by the industry’s unreliable chat control algorithms are not criminally relevant and place our intimate communication in unsafe hands where it doesn’t belong. A former judge of the European Court of Justice, Ninon Colneric (p. 34-35), and the European Data Protection Supervisor (par. 11) have warned that this indiscriminate monitoring violates fundamental rights even when implemented at providers’ discretion, and a lawsuit against the practice is already pending in Germany.
The European Parliament proposes a different approach: allowing for court orders mandating the targeted scanning of communications, limited to persons or groups connected to child sexual abuse. The Danish proposal lacks this targeting of suspects.
2) Digital house arrest: According to Article 6, users under 16 would no longer be able to install commonplace apps from app stores to “protect them from grooming”, including messenger apps such as WhatsApp, Snapchat, Telegram or Twitter, social media apps such as Instagram, TikTok or Facebook, games such as FIFA, Minecraft, GTA, Call of Duty, and Roblox, dating apps, video conferencing apps such as Zoom, Skype, and FaceTime. This minimum age would be easy to circumvent and would disempower as well as isolate teens instead of making them stronger.
3) Anonymous communications ban: According to Article 4 (3), users would no longer be able to set up anonymous e-mail or messenger accounts or chat anonymously as they would need to present an ID or their face, making them identifiable and risking data leaks. This would inhibit, for instance, sensitive chats related to sexuality, anonymous media communications with sources (e.g. whistleblowers), and political activity.
All things considered, the new Danish proposal represents major progress in terms of keeping us safe online, but it requires substantially more work. However, the proposal likely already goes too far for the hardliner majority of EU governments and the EU Commission, whose positions are so extreme that they will rather let down victims altogether than accept a proportionate, court-proof and politically viable approach.”
The Time Of Year For Things That Go Bump In The Night
Each year around the end of October we feature plenty of Halloween-related projects, usually involving plastic skeletons and LED lights, or other fun tech for decorations to amuse kids. It’s a highly commercialised festival of pretend horrors which our society is content to wallow in, but beyond the plastic ghosts and skeletons there’s both a history and a subculture of the supernatural and the paranormal which has its own technological quirks. We’re strictly in the realm of the science here at Hackaday so we’re not going to take you ghost hunting, but there’s still an interesting journey to be made through it all.
Today: Fun For Kids. Back Then: Serious Business
English churches abound with marble-carved symbols of death.
Halloween as we know it has its roots in All Hallows’ Eve, the day before the remembrance festivals of All Saints’ Day and All Souls’ Day in European Christianity. Though it has adopted a Christian dressing, its many trappings are thought to have their origin in pagan traditions such as, for those of us where this is being written, the Gaelic Samhain (pronounced something like “sow-ain”). The boundary between living and dead was thought to be particularly porous at this time of year, hence all the ghosts and other trappings of the season you’ll see today.
To grow up in a small English village as I did is to be surrounded by the remnants of ancient belief. They survive from an earlier time hundreds of years ago, when they were seen as very real indeed, as playground rhymes at the village school or hushed superstitions such as that it would be bad luck to walk around the churchyard in an anticlockwise manner.
As a small child they formed part of the thrills and mild terrors of discovering the world around me, but of course decades later when it was my job to mow the grass and trim the overhanging branches in the same churchyard it mattered little which direction I piloted the Billy Goat. I was definitely surrounded by the mortal remains of a millennium’s worth of my neighbours, but I never had any feeling that they were anything but at peace.
Some Unexplained Phenomena Are Just That
A previously unexplained phenomenon in the appropriately named Death Valley. Jon Sullivan, Public domain.
So as you might expect, nothing has persuaded me to believe in ghosts. I can and have walked through an ancient churchyard at night as I grew up next to it, and never had so much as a creepy feeling. I do however believe in unexplained phenomena, but before you throw a book at your computer I mean it in the exact terms given: observable phenomena we know occur, but can’t immediately explain.
To illustrate, a good example of a believable unexplained phenomenon was those moving rocks in an American desert; they moved but nobody could explain how they did it. It’s now thought to be due to the formation of ice underneath them in certain meteorological circumstances, so that’s one that’s no longer unexplained.
As another slightly less cut-and-dried example there are enough credible reports of marsh lights to believe that they could exist, but the best explanation we have, of spontaneous combustion of high concentrations of organic decomposition products, remains for now a theory. I hope one day a scientist researching fenland ecosystems captures one on their instruments by chance, and we can at last confirm or deny it.
The ghost hunting kit of 1920s paranormal investigator Harry Price. Harry Price, Public domain.
The trouble is with unexplained phenomena, that there are folks who would prefer to explain them in their own way because that’s what they want to believe. “I want to believe” is the slogan from the X Files TV show for exactly that reason.
People who want a marsh light or the sounds made by an old house as it settles under thermal contraction at night to be made by a ghost, are going to look for ghosts, and will clutch at anything which helps them “prove” their theories. In this they have naturally enlisted the help of technology, and thus there are all manner of gizmos taken into cemeteries or decaying mansions in the service of the paranormal. And of course in this we have the chance for some fun searching the web for electronic devices.
All The Fun Of Scam Devices
In researching this it’s been fascinating to see a progression of paranormal detection equipment over the decades, following the technological trends of the day. From early 20th century kits that resembled those used by detectives, to remote film cameras like the underwater Kodak Instamatic from a 1970s Nessie hunt we featured earlier this year, to modern multispectral imaging devices, with so much equipment thrown at the problem you’d expect at least one of them to have found something!
I coulda found GHOSTS with this thing, had I only thought of it!
I’ve found that these instruments can be broadly divided into two camps: “normal” devices pressed into ghost-hunting service such as thermal cameras or audio recorders, and “special” instruments produced for the purpose. The results from either source may be digitally processed to “reveal” information, much in the manner of the famous “dead salmon paper”, which used an MRI of a dead fish to make a sarcastic comment about some research methodologies.
I’ve even discovered that I may have inadvertently reviewed one a few years ago, a super-cheap electric field meter touted as helping prevent some medical conditions, which I found to be mostly useful for detecting cables in my walls. Surprisingly I found it to be well engineered and in principle doing what it was supposed to for such an instrument, but completely uncalibrated and fitted with an alarm that denounced the mildest of fields as lethal. At least it was a lot cheaper than an e-meter.
Tomorrow night, there will be those who put on vampire costumes to be shepherded around their neighbourhoods in search of candy, and somewhere in the quiet country churchyard of an Oxfordshire village, something will stir. Is it a spectre, taking advantage of their yearly opportunity for a sojourn in the land of the living? No, it’s a solitary fox, hoping to find some prey under the moonlight in the undergrowth dividing the churchyard from a neighbouring field.
Wherever you are, may your Halloween be a quiet and only moderately scary one.
Header: Godstone, Surrey: Gravestone with skull and bones by Dr Neil Clifton, CC BY-SA 2.0.