Small internal combustion engines usually keep things simple, relying on carburetors to handle metering the correct amount of fuel and air. Recently, [Carlos Takeshita] decided his small engine could use an upgrade in the form of electronic fuel injection (EFI).

The build began with a Predator 212, a popular gasoline engine from Harbor Freight. [Carlos] set about kitting it out with a missing tooth trigger wheel to measure the crankshaft position with a hall effect sensor. The engine also scored a custom-built aluminium fuel cell, complete with a high-pressure fuel pump and regulator suitable for driving the solitary fuel injector installed in the custom intake manifold. A Teensy 4.0 is charged with monitoring a manifold air pressure (MAP) sensor and the crank position, and choosing when and how long to fire the injector to dose the engine with the correct amount of fuel. Files are on GitHub for those eager to dive deeper.

It can be quite a job to convert an engine to run with electronic fuel injection, but you’re certain to learn a lot during the install and tuning process. We’ve featured similar builds many times over the years.

youtube.com/embed/ApN0I983zUQ?…

hackaday.com/2026/05/18/small-…

Google has patched an Android ADB bug in the May security patch set. If you have a Pixel phone you should already have the patches, and most other major manufacturers should be close behind. Unfortunately, the biggest risk from this patch will be to the vendors who are also the least likely to release timely – or any – security updates.

ADB, the Android Debug Bridge, is the main tool for installing apps during development and debugging apps while they’re running. It can also be used to side-load apps from a PC. While most normal users are unlikely to ever enable it, developers typically do and some power users might when jailbreaking a device or setting parameters not exposed in the Android UI. Debugging can be done locally via USB, or optionally over the network. To protect the device, the user must unlock the Android device and authorize each new debug agent.

Covered by Risky.Biz, a bug introduced in 2020, and present in every Android release since, allowed bypassing authorization entirely if network debugging was enabled and at least one connection had been made to the ADB service in the past. This happens because ADB compares the certificate of the incoming debug connection with the list of saved certificates. If the certificate type does not match — for instance supplying an Ed25519 certificate instead of a RSA certificate — ADB has been incorrectly handling the error code, and allowing the connection.

In most programming languages, false is considered zero, and true is considered anything not zero. The certificate API returns a 1 for a valid match, a zero for an invalid match, and a negative-one for a type mismatch. Negative one is not zero, so when treated as a boolean value, it becomes true.

To exploit the bug, ADB must be enabled in wireless mode, and there must be at least one trusted device in the ADB configuration. For the average user this is an unlikely combination, but for developers, the time to update is now.

Mythos Finds a Curl Bug

Daniel Stenberg of Curl posts about recent interactions with the Mythos AI model finding vulnerabilities – or rather a singular vulnerability – in Curl. Curl, and the companion library libcurl, run in an estimated 20 billion instances, so any security issue could be critical.

After some confusion about access to the model, five vulnerabilities found were ultimately condensed to a single new vulnerability. Classified as “not particularly dangerous”, the issue will be assigned a CVE and be fixed in an upcoming patch.

Daniel’s post contains a wealth of additional information and commentary about the experience with Mythos. The lack of findings from Mythos may be more a reflection on the maturity of the Curl codebase than anything else; the Curl code is an excellent example of the impact of continual auditing, by all types of tools.

XBow Finds an Exim Bug

XBow has found a vulnerability in Exim using AI tooling. Exim is an open-source message transport agent (MTA, or email server to most of us) like Postfix and Sendmail. Classified as CVE-2026-45185, it has a 9.8 CVE score (out of 10), allowing arbitrary code execution without authentication.

The bug is one of the “use after free” class of mistakes: after allocating memory, using it for some task, then releasing the memory (freeing it), Exim forgets the memory has been freed and continues to use it. In this case, memory allocated as part of a TLS encrypted connection is freed when the TLS connection is ended, but the handler for incoming email data may still write to the now-destroyed buffer, which in turn allows corruption of the memory management system inside Exim and, ultimately, running arbitrary code.

Arbitrary code execution vulnerabilities are typically just as bad as they sound – the ability to run arbitrary code is essentially the ability to run anything on the system, including running system commands as if logged in. Combined with the recent collection of local privilege escalation vulnerabilities like CopyFail (and more on this later), unauthenticated code execution is a short path to full root control of the system.

The Internet indexer Shodan currently shows 2.5 million installs of Exim globally. If you run Exim anywhere, hopefully you’ve already updated – and update immediately if not!

CopyFail Three-quel

It’s the three-quel nobody wanted; being named “CopyFail 3.0” and “Fragnesia”, another vulnerability that is extremely similar to those used in CopyFail and DirtyFrag has been found and patches have begun on the Linux kernel. Like the previous bugs, this one lies in the Linux kernel handling of IPSec ESP encryption, and allows modifying the in-memory page cache used for accelerating disk IO.

Fortunately, because this uses the same kernel modules as previous vulnerabilities, any system with the mitigations for DirtyFrag in place — essentially disabling IPSec functionality — should not be impacted, however any system patched for DirtyFrag with the IPSec kernel modules available will need to be patched again!

It’s Patch Tuesday!

It’s Microsoft Patch Tuesday again! Brian Krebs has the roundup, calling out three patches in particular that allow privilege escalation to admin or system, and one remote code execution bug in the Microsoft DHCP client.

If you’re a Microsoft user, or run IT in a Microsoft shop, you already know the balancing act – update immediately because of the security implications, or wait and see if this set of patches breaks basic functionality again?

More Windows 0-Days

It seems like it wouldn’t be a Patch Tuesday without additional drama – the author behind previous Windows zero-day exploits the past two months follows up this month with two more, seemingly still upset with the Microsoft security teams responses.

The YellowKey vulnerability consists of nothing more than specifically named files on a USB stick. When booted in recovery mode, the files trigger a Windows 11 recovery image to launch a shell with Bitlocker disk encryption turned off. It’s unclear if this functionality is a deliberate backdoor or some sort of debug functionality accidentally left in the builds, but it is extremely odd.

GreenPlasma is a privilege escalation vulnerability, allowing elevation to system level privileges, which would give access to the system credentials database, among other bad results. Similar issues were patched in this months Patch Tuesday set, but not this one.

Criminals Use Tools for Crime

Google is trying to hype what is claimed to be the first use of AI to write an exploit caught in the wild. This seems extremely unlikely given the past year or more of development on the AI front.

Treating news as boring is never fun, but it seems unsurprising that criminals are going to use the tools available to continue being criminals. This feels like less of a revelation than a continuation of obvious trends: groups who have not been able to develop in-house tooling have always purchased tools, stolen tooling from other groups, or used commoditized exploits, easily as far back as the Anonymous “Low Orbit Ion Canon” tool in 2005 to allow recruitment and participation by less technical users.

Attack and exploit code doesn’t need to worry about the technical debt or repeatability challenges of AI generated code, and it seems obvious that attackers will minimize their own effort whenever possible.

Malware and Residential Proxies

Bitsight Research published a paper on the relationships between malware infections and residential proxy networks.

Proxy networks act similarly to a VPN, taking traffic from one source and tunneling it to appear to come from a different source. Made up of typically unwitting home users, residential proxy networks are often resold as cheap commercial VPN services. (Not all commercial VPN providers are equal, while some are completely legitimate, many are not.) Proxy networks can also be leveraged to allow attackers to operate inside a different country, obfuscating the true attack location or bypassing login restrictions or alerts to detect if a user has an impossible location or travel pattern. Proxy networks are also often involved in advertisement click fraud, appearing as an army of normal home users who are really interested in click on ads, and are also used to pivot into the internal home network, where devices are often completely unprotected.

Bitsight tracked over 53 million IPs acting as residential proxy devices over a two-month period, split between several proxy network brokers reselling access, typically with over eight million nodes available daily, with strong ties between malware infections and remote access proxy tool installation.

FCC Extends Router Deadline

The FCC has announced it is extending the initial timeline for foreign-made routers. Previously the FCC had declared that not only would nearly all new consumer router hardware be banned from FCC certification, it would no longer be allowed to receive software updates as of early 2027.

Possibly noticing the conflict in the stated goal of increased security while prohibiting security patches, the deadline has been extended for consumer routers and drones to receive software updates until 2029.

SMS Spammers Arrested

You might rightly assume that most SMS spam comes from compromised phones or Internet-connected SMS bridges, but TechCrunch reports on the arrest of three men in Toronto for operating a mobile SMS-spamming cell tower.

The spammers ran the spoofed cell tower in the back of a car while driving around the city. Once a phone connected to the false tower, the tower bombarded it with SMS messages with phishing lures for credential and banking theft.

Operating a fake cell tower is extremely illegal in almost all countries, in no small part because it actively interferes with emergency services such as E911. Police estimate that over a million SMS messages were sent by the trio since November, 2025.

Robot Dog Malware

A paper in IEEE Spectrum from November, 2025 covers discoveries of a potentially wormable vulnerability in the Unitree robotics platform used for canine and humanoid robots. Unitree robots are sometimes used as security or even military devices.

This week, Benn Jordan published a YouTube video exploring some of the vulnerabilities in his personal robots, referencing the GitHub of the original researchers.

Multiple vulnerabilities have been found in the robotics platform that allow overriding the safety mechanisms of the robots, as well as running arbitrary code on the robot, scanning for WiFi and Bluetooth devices, and mechanisms the robots use to communicate with various servers, some in foreign countries.

The research suggests that at least one vulnerability – the ability to gain root on the device from an unauthenticated Bluetooth Low-Energy connection – could be turned into a worm, where one infected robot could use the on-board Bluetooth to infect other nearby devices.

Benn Jordan has previously been influential in the public outcry against monitoring platforms like Flock, so highlighting vulnerabilities in a platform used by police, private security, and military seems a reasonable continuation.

TCLBANKER Trojan

A WhatsApp based worm is targeting users of banking, crypto, and fintech services. The TCLBANKER malware hijacks WhatsApp web and Outlook email accounts to spread a zip file which uses a legitimate signed Logitech tool but injects the payload into the install process.

Once infected, the user is presented with a series of falsified UI screens, including fake system updates, which hides the actual activity of the infection and tricks the user into clicking on hidden elements of the true UI to authorize actions.

The TCLBANKER worm attempts to hide from analysis by downloading encrypted payloads keyed to a hash of the environment. If analysis tools like a debugger are installed, the payload will not decrypt.

ShinyHunters Get Paid

Last week, the group known as ShinyHunters made news by compromising the Canvas educational platform and threatening to leak the personal data and messages of millions of students. The attack culminated with ransom notes taking over the portals of hundreds of schools, and the Canvas platform being shut down “for maintenance” during finals week for many schools.

This week, it appears the ransom was paid, with ShinyHunters promising to destroy the stolen data.

Paying ransom is a hot-button issue: nobody wants to see the ransomware model continue as a profitable venture, but it is tough to argue that millions of students with no voice in the choice of educational platforms should have their data released.

Token Stealer Doesn’t Want to Leave

Trojaned packages continue to be a problem for NPM and other ecosystems, as automated supply chain infections continue to infect high-profile projects.

This time, the TanStack application framework used for developing web applications was compromised by a supply chain worm, “Mini Shai Halud”, a variant of the Dune-themed “Shai Halud” worm infecting packages since March.

The worm spreads via NPM and PyPi and infects packages, developer systems, and GitHub actions, targeting service keys for package repos, cloud resources, AI platforms, and GitHub. The worm also installs services on infected developer systems to capture future service tokens when they are added, and further investigation by the TanStack team uncovered additional services which monitor the stolen credentials and attempt to wipe infected systems using rm -rf / if the stolen credentials are revoked.

Prescription Drug Ransomware

A ransomware attack has hit West Pharmaceutical in Pennsylvania, USA, with filings indicating the attack disrupted the company globally.

West Pharmaceuticals manufacturers packaging for drugs and healthcare items, so a global shutdown of manufacturing and shipping could have a much longer impact on drug availability.

[Editor’s note: Sorry this one runs late! Hackaday Europe was on and it slipped through the cracks. The next installment of This Week in Security will be hitting the pages on Friday as usual.]

hackaday.com/2026/05/18/this-w…

IT threat evolution in Q1 2026. Non-mobile statistics
IT threat evolution in Q1 2026. Mobile statistics

The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

Quarterly figures

In Q1 2026:

• Kaspersky products blocked more than 343 million attacks that originated with various online resources.
• Web Anti-Virus responded to 50 million unique links.
• File Anti-Virus blocked nearly 15 million malicious and potentially unwanted objects.
• 2938 new ransomware variants were detected.
• More than 77,000 users experienced ransomware attacks.
• 14% of all ransomware victims whose data was published on threat actors’ data leak sites (DLS) were victims of Clop.
• More than 260,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.

A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.

In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.

In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.

In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.

Vulnerabilities and attacks

The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacing Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In Q1 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3 2025 levels following a surge in Q4 2025.

Number of new ransomware modifications, Q1 2025 — Q1 2026 (download)

Number of users attacked by ransomware Trojans

Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.

Number of unique users attacked by ransomware Trojans, Q1 2026 (download)

Attack geography

TOP 10 countries and territories attacked by ransomware Trojans

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q1 2026, Kaspersky solutions detected 3485 new modifications of miners.

Number of new miner modifications, Q1 2026 (download)

Number of users attacked by miners

In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q1 2026 (download)

Attack geography

TOP 10 countries and territories attacked by miners

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In Q1 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems.

In March, researchers with GTIG and iVerify reported the discovery of an in-the-wild exploit chain targeting both iOS and macOS devices. The exploit kit was apparently marketed on the dark web, providing threat actors with a suite of spyware capabilities alongside specialized cryptocurrency exfiltration modules. The exploit was delivered via drive-by downloads when victims visited various compromised websites. Our analysis confirmed that the toolkit included an updated version of a component previously identified in the Operation Triangulation attack chain.

Devices running macOS were similarly impacted by the high-profile supply chain attack targeting the Axios npm package, a widely used HTTP client for JavaScript. The installation of the infected package led to the deployment of a backdoor on macOS devices.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The share of PasivRobber spyware attacks is beginning to decline, giving way to more traditional adware and Monitor-class software capable of tracking user activity. The popular Amos stealer also maintains its presence within the TOP 20.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q1 2026, the share of devices attacking Kaspersky honeypots via the SSH protocol saw a significant increase compared to the previous reporting period.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

The distribution of attacks between Telnet and SSH maintained the ratio observed in Q4 2025.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

The primary shifts in the IoT threat distribution are linked to the activity of various Mirai botnet variants, although members of this family continue to account for the majority of the list. Furthermore, a new variant, Mirai.kl, surfaced in the rankings. We also observed a significant decline in NyaDrop botnet activity during Q1.

Attacks on IoT honeypots

The United States, the Netherlands, and Germany accounted for the highest proportions of SSH-based attacks during this period.

China continues to account for the largest proportion of Telnet attacks, though there was a marked increase in activity originating from Pakistan.

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries and territories that served as sources of web-based attacks

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages redirecting to exploits, sites containing exploits and other malicious programs, botnet C&C centers, and so on). One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In Q1 2026, Kaspersky solutions blocked 343,823,407 attacks launched from internet resources worldwide. Web Anti-Virus was triggered by 49,983,611 unique URLs.

Web-based attacks by country/territory, Q1 2026 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 4.73% of users’ computers worldwide were subjected to at least one Malware web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus and include detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.

In Q1 2026, our File Anti-Virus detected 15,831,319 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users whose computers had the File Anti-Virus triggered at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware local threats were detected at least once on 11.55% of users’ computers during Q1.

Russia scored 11.92% in these rankings.

securelist.com/malware-report-…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and you find me filing this dispatch via dodgy wifi on the way to Brussels. If you're in town, I'll be at the CPDP conference most of the week. Let's grab coffee.

— The United Kingdom is again engulfed in political infighting. The country's tech ambitions are equally on life support.

— In the wake of the recent China-United States summit, Middle Power countries are using their unique digital industrial policy skills to navigate the new geopolitical reality.

— The world's leading artificial intelligence firms are massively subsiziding their models to win market share. That is unsustainable.

Let's get started:

digitalpolitics.co/newsletter0…

If you need a VPN gateway to access your home network, the fastest and most cost-effective way is probably by using a Raspberry Pi Zero. But in [Samir Makwana]’s view, an ESP32-S3 is just as capable for moderate use, and in some respects even superior.

This was possible thanks to the MicroLink project, which is a full implementation of a Tailscale client for the ESP32 family. In some ways the ESP32 worked better than a Raspberry Pi: it boots in two seconds rather than thirty, draws 0.5 Watts rather than 1.5, and there’s no chance of it failing due to a corrupted SD card. Compared to a Raspberry Pi, however, which can be set up as a Tailscale client in a few minutes, this took several hours to get running. The biggest issue was making sure that there was enough memory available for TLS handshakes, which was solved by enabling the ESP32’s PSRAM.

Once the VPN client is running, the ESP32 can be used as an SSH jump machine to access other devices on the home network, without needing to expose those machines to the open Internet. The ESP32 also hosts an HTTP server which can send a wake-on-LAN magic packet to another device on the local network, letting unused devices sleep without impairing their availability.

The ESP32 doesn’t provide much bandwidth — streaming video would cause issues — but it works well enough for lightweight applications. If you’re wanting to stream video from an ESP32, though, it is technically possible.

hackaday.com/2026/05/18/runnin…

In a recent video by the [Chornobyl Family] it’s shown how they made the SKALA status display which was featured at the recent 40-year memorial exhibition of the Chornobyl Nuclear Power Plant (ChNPP) #4 reactor accident, along with the RBMK reactor control panel replica and SKALA console which they had made previously.

We previously covered this SKALA control system of the ChNPP’s RBMK reactors, as well as its 1990s modernization. This SKALA status display is one of the original elements of the control room, providing a status overview of the entire control system at a glance, including its processors and peripheral devices.

The replica uses similar looking components, with a metal casing and LED lighting that invokes the aesthetics of the original electroluminescent mnemonic panels. Overall the goal was to keep the appearance as close to the original as possible — they even had operators of the ChNPP reactors look over the panel and give it their stamp of approval.

Some of the components like the error indicators had to be 3D printed, while the metal case was cut out of sheet metal. There’s also a very big speaker for the alarm, at the top right of the panel. Along with the LEDs for the electroluminescent-style indicators this meant a lot of addressable LEDs and a lot of wiring.

The full build plans are available via the [Chornobyl Family] Patreon, if you feel like building up your own RBMK-style reactor control room.

youtube.com/embed/80UTQHD2gVM?…

hackaday.com/2026/05/18/buildi…

If you’ve got a Bambu Labs printer, it’s usually pretty straightforward to keep an eye on it via the onboard display or the various apps the company has released. However, if you want a dedicated display somewhere remote from your printer, you might like this build from [Keralots].

The project is based on an ESP32-S3 Super Mini, paired with a 1.54″ TFT display with a 240 x 240 resolution. It’s set up to talk to Bambu Labs printers over MQTT with TLS. It harvests status data and uses it to display a real-time dashboard with critical printer parameters display on arc gauges. There’s also plenty of live stats to pore over, as well as buzzer notifications if you want auditory alerts about what is going on. It’s possible to use with just about any Bambu Labs printer with a Bambu Cloud access token; otherwise, you can tinker with LAN Direct connections on certain models, but you might need to enable Developer Mode depending on your rig.

If you want to monitor your printer’s vital statistics at a glance, this project is a great way to do it. It breaks out the fundamental numbers in a clear and obvious fashion that’s a little easier to parse quickly compared to the interface of the official software. We’ve featured similar builds before, too. If you’re also paranoid about prints and using that to motivate you towards creating useful hardware, don’t hesitate to let us know on the tipsline.

hackaday.com/2026/05/17/a-stat…

Sure, you can buy a portable monitor off your favorite e-tailer, but with perfectly fine displays in devices like laptops being tossed out every single day, why not repurpose those instead? That’s what [ScuffedBits] recently did with the panels pulled from some old laptops.

A good question with any such salvaged panel is just how practical it is to still use them, with disqualifying features being things like passive-matrix TFTs as well as the use of CCFL backlighting as with one of the three panels demonstrated in the video.

Looking up the model number of a panel on a site like panelook.com will tell you the display technology, resolution and other important details before you decide to commit to using it. If it’s using a LED backlight and at least Low-Voltage Differential Signaling (LVDS) but ideally eDP you can likely find a cheap driver board for it that has all the requisite inputs like HDMI and power.

The hardest part is probably the case for the panel, as they’re rather thin and fragile. Here [ScuffedBits] opted to 3D print two different types of cases, with the second variant probably being the best version as it protects most of the panel. Installing these is quite easy: slide the panel into the first half, then add the second half of the case to close it up. Permanently keeping the case in place was left as an exercise to a future [ScuffedBits], while demonstrating why it’s definitely the hardest part of repurposing an old laptop display.

youtube.com/embed/KKTylJXI4VE?…

hackaday.com/2026/05/17/turnin…

To start things off, we’d like to extend a special thanks to everyone who joined us for Hackaday Europe this weekend in Lecco, Italy. It was 48 hours of fascinating talks, incredible badge hacks, and some of the greatest company you could hope for. For those who couldn’t make it in person, we didn’t forget you — expect to hear more about what went down once we get a chance to catch our collective breath.

That’s not the only thing to keep an eye out for in the coming days. This is your reminder that Amazon will be officially ending support for older Kindles in a few days. After May 20th, any of the megacorp’s e-readers that were introduced before 2012 will be persona non grata, so you should plan accordingly.

The biggest change is that these older devices won’t be able to buy digital books from Amazon, but you can still use them offline, and the fantastic Calibre makes it a breeze to load up content from other sources. To be perfectly honest, we’d advise any Kindle user to decouple their device from the Amazon mothership by using Calibre or even jailbreaking it and installing KOReader, so the end of official support is fine by us. In fact, if a surge of unsupported Kindles brings more attention and users to those projects, that suits us just fine.

We’ve also heard that Microsoft is removing the “Together” feature from Teams on June 30th. We actually had to look this one up — apparently, it was a mode added during the pandemic that made it look like you and the other people in the call were all sitting together in a virtual conference room of sorts. Sounds an awful lot like a dystopian nightmare to us, but to be fair, things got kinda weird there when we were all sheltering in place, so it’s hard to judge. In any event, we don’t think too many people will miss this particular feature in 2026.

While on the subject of products the world seems to have forgotten about, Electrek reports that Tesla has all but given up on their once promising solar roof tiles. The company won’t say just how many installations they’ve completed since the camouflaged panels hit the market in 2016, but estimates suggest the number may be as low as 3,000. It will probably come as little surprise to find that cost seems to be the biggest factor: a roof full of Tesla’s swanky tiles could run you six-figures, while traditional panels are only getting cheaper every year.

From end-of-life to the latest and greatest, today also marks the release of Linux 7.1-rc4. If you’re in the business of running release candidate kernels, you probably don’t need to be told what’s new, but for everyone else, Phoronix has a rundown on some of the changes. Highlights include improvements to hardware support (including a fix for the Framework Laptop 13 Pro), security fixes, and new guidance about the use of AI-generated code.

Finally, if you want a time-waster, there’s Halupedia. According to the site’s GitHub: An infinite, hallucinated encyclopedia. Every link leads to an entry that does not exist yet — until you click it, at which point an LLM pretends it has always existed and writes it for you, in the deadpan register of a 19th-century scholarly press. For example, you can read about “The Ministry of Slightly Wrong Maps,” or, if you prefer, “The Ministry of Terribly Wrong Maps.”

See something interesting that you think would be a good fit for our weekly Links column? Drop us a line, we’d love to hear about it.

hackaday.com/2026/05/17/hackad…

Streaming services have enabled many of us to have easy access to the world’s media library at the touch of a screen, but [Coconauts] thinks we’ve lost something along the way. To bring some intentionality back to the listening experience, they built an NFC record player called Minilos.

Like a normal record player, Minilos requires the user to select an album to play on the machine. These were originally decorative coasters with records printed on them, so they are much smaller than even a 45. Each one features an NFC tag that instructs ESP32 microcontroller hidden in the device to play the requested song. Once placed on the record player, it will then play through that album and come to a stop.

In [Coconauts]’s current setup, the ESP32 is connected to a Home Assistant server which then instructs a Google Speaker to play the requested song via Spotify, although we could easily imagine this being used to play music directly from an SD card or other digital storage device instead.

If you want complete control over your music listening while still keeping that authentic vinyl experience, you could always look into cutting your own records with a laser.

hackaday.com/2026/05/17/nfc-re…