TL;DR
Six malicious npm packages mimicking Rollup polyfill tools stole developer credentials and enabled remote access in a Lazarus-linked campaign.
Security researchers at JFrog have identified a set of malicious npm packages linked to North Korean threat actors that impersonate legitimate Rollup polyfill tooling to steal developer credentials and enable remote access to compromised machines. Two of the packages, “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core,” mimic the legitimate “rollup-plugin-polyfill-node” project down to its description, repository metadata, and package structure. All six packages in the campaign have since been removed from the npm registry.
The attack uses a layered delivery chain designed to evade detection. The first-stage packages install hidden second-stage dependencies disguised as SVG utilities, which then fetch a JSON object from a remote hosting service and execute the payload embedded in it. JFrog said the structure, combined with lookalike names, legitimate-looking metadata, and environment checks designed to avoid sandboxes and cloud development platforms, is consistent with previous Lazarus-linked npm campaigns.
Once the later stages execute, the malware gives the attacker both collection and control capabilities across the compromised machine. The payload steals data from web browsers and cryptocurrency wallets, captures clipboard content periodically, and harvests files matching specific extensions. It also targets developer tool configurations for VS Code, Windsurf, and Cursor, along with credentials for AWS, Microsoft Azure, Google Gemini, Anthropic Claude, and SSH keys.
The campaign is not an isolated incident. In April, researchers at Panther documented a sustained Lazarus npm operation that published 108 malicious packages across 261 versions to deliver BeaverTail and OtterCookie, two known North Korean malware families linked to the Contagious Interview campaign. The latest packages share features with OtterCookie, including the use of a forked keyboard and mouse control library that enables interactive remote terminal sessions, screenshot capture, and simulated user input on compromised Windows machines.
The disclosure arrives alongside a broader wave of supply chain attacks targeting open-source package repositories. Checkmarx, SafeDep, and AWS researcher Chi Tran separately identified clusters of malicious packages across npm and PyPI that steal cloud credentials, cryptocurrency wallets, SSH keys, and developer secrets. Rollup plugins are commonly loaded from developer workstations and CI build pipelines, environments that have proven increasingly vulnerable to supply chain compromises and that often hold access to sensitive assets including source code, API keys, and project secrets.
Watching [sprite_tm]’s build of a handheld 486-based gaming computer, we got to thinking about retro computers and the eternal question of how much of the computer needs to be actually “old” for it to be retro. Where is the soul of a retro computer? The CPU? The old yellowing plastic case? Maybe it depends on what you’re trying to get out of the hobby.
There is of course a spectrum of people playing around with old computers. For some people, let’s call them “vintage computer enthusiasts”, half of the fun is in keeping the actual old hardware running. This group tends to know what teletype lubricant smells like, and how to tell which capacitors need replacing.
For others, “team retro”, the joy is in using the machine itself, whether that be teaching the old dogs new tricks, or simply loading up nostalgic video games. Team retro is more content with emulators, or with emulators wrapped up neatly in hardware workalikes. They know which registers need POKEing, and whether or not Commander Keen is running at the right framerate.
I think [sprite_tm]’s project falls in with yet another camp, the retro-reengineers. Here, the idea is to step through the engineering lessons of the past by re-designing something from a bygone era. So when [sprite_tm] went with a period 486 CPU backed up by a modern FPGA, perhaps ironically borrowing code from the modern MiSTer project, it makes sense for his goals. Retro-reengineers know the bus architecture and the memory timings, and they are reinventing the wheel as a learning experience. Or in the case of [Voja Antonic]’s imaginary four-bit machine, it’s a teaching experience.
How you work often reflects what you’d like to get out of the project, and at Hackaday, of course, we love all of the above! We’ve identified at least three broad schools of fooling around with old computers. Are we missing any?
The US age-adjusted death rate fell to a record low in 2025, likely pushing life expectancy to a record high as overdose deaths declined and mortality improved across all age groups. CNN reports: There were about 689 deaths for every 100,000 people in the US in 2025, according to a new report from the US Centers for Disease Control and Prevention — the lowest rate recorded in more than a century of tracking. The age-adjusted rate has fallen 22% since 2021, landing about 4% lower than it was just before the pandemic in 2019. […] The top causes of death in the US in 2025 followed longstanding patterns: Heart disease led with nearly 695,000 deaths, followed by cancer with nearly 623,000 deaths.
Unintentional injuries, which includes drug overdoses, were the third leading cause of death. Overdose deaths are still high — about 70,000 people died from an overdose in 2025, preliminary CDC data shows — but experts say that sharp declines probably played a large role in bringing the age-adjusted death rate down in the US.
A politician on the European Parliament’s PEGA Committee—created to investigate spyware abuses, including of the notorious Pegasus malware—was targeted with Pegasus himself, according to new research findings released this week. Meanwhile, top Google security staff warned this week that the pro-competition rule proposals in the EU could make Google Search and Android systems vulnerable to hacking and other abuse.
A WIRED investigation revealed this week that Meta contractors posed as kids and teens to see how chatbots like Gemini and ChatGPT responded to prompts about high-risk subjects, including suicide, sex and drugs.
And a researcher realized that he could use Anthropic’s Claude Opus 4.7 to break into the website of Front Gate and issue tickets to almost any United States music festival, including Lollapalooza and Bonnaroo.
But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Back in 2021, Apple launched its Hide My Email tool, which as the name suggests, allows people to sign-up for online services using an email address that isn’t linked directly to them. The privacy feature generates “unique, random email addresses” that will forward incoming messages to a user’s personal email address—reducing the amount of information you need to hand over to companies.
Reporting from 404 Media this week revealed that a vulnerability in the system has made it possible, for at least a year, for people’s real email addresses to be uncovered when they are using Apple’s privacy service. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he said.
The exact details of the vulnerability and how it works have not been revealed as the problem hasn’t been fixed. In tests conducted by 404 Media and Murphy, it was possible for a newly created Hide My Email address, which uses the @icloud.com domain, to be linked back to the real email address of its creator. Murphy said he originally reported the problem to Apple last summer and was told it had been “addressed” by March this year. However, when the researcher continued testing the issue, it remained exploitable, with Apple telling Murphy a couple of months ago that it was still investigating the issue. Apple did not respond to requests for comment from the publication.
A nineteen-year-old has been arrested and extradited to the United States to face charges over their alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice (DoJ) announced this week. Peter Stokes, an Estonian-US dual citizen, was arrested in Finland in April and has been charged with computer intrusion, conspiracy and fraud, linked to the criminal gang.
It is alleged that Stokes, along with other members of the loose hacking collective, hacked into an unnamed “luxury jewelry retailer” and demanded an $8 million cryptocurrency ransom in May 2025. The company did not pay but still spent $2 million on the incident, according to a DoJ press release. In recent years, the Scattered Spider group, which is largely believed to be composed of young, English-speaking teenagers, has caused havoc around the world by hacking into and disrupting dozens of businesses. The arrest of Stokes follows two British Scattered Spider members, Thalha Jubair and Owen Flowers, recently pleading guilty to hacking Transport for London in 2024 and causing millions in damages.
Following a move by encrypted messaging app Signal last year, WhatsApp has announced it will soon roll out usernames to billions of people. The option means it is possible for people to connect and message each other without having to share phone numbers, increasing privacy protections. However, officials in India, one of WhatsApp’s biggest markets, who have previously tried to weaken encryption protections on the Meta-owned app, have opposed the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to pause the rollout of usernames in the country. The letter claimed the move could increase fraud and cybercrime, citing concerns around allowing online anonymity. The letter was followed by separate messages to Signal and Telegram about their use of usernames.
Thousands of automatic license plate reader cameras, known as ALPRs, have appeared across the United States over the last few years. The cameras, which can be deployed by cops, cities, and businesses, photograph passing cars and record details about their movements. As well as license plate numbers, the systems can log the time and location of the photos, make and model of a vehicle, as well as bumper stickers. Billions of images and details of car movements have been captured in vast ALPR databases.
However, an increasing body of evidence shows that when the camera systems make mistakes, innocent people can be detained by law enforcement officials and accused of crimes. A review of court records and media reports, which are likely the tip of the iceberg, by the nonprofit the Institute for Justice this week found at least 24 cases of misidentification over the last eight years. These reportedly include a couple with a baby in their car being detained at gunpoint; a camera misreading an “O” as a “0”, leading to grandparents being detained; and someone being pulled over after their license plate was not removed from a wanted list. The findings add to a growing list of errors from the AI-enabled cameras.
Humans are odd creatures, and no two are exactly alike, which is likely why so many different methods exist for tracking the progress of tasks that must be accomplished. [Simone Giertz] has graced us with her own spin on task tracking that adds an element of chance.
[Giertz] tells us that she started with written lists that she tackled in dice-determined order to keep her from overthinking or cherry-picking tasks. While this worked fine, she longed for a more elegant solution. Approaching the UI first, unlike any Open Source project ever, she determined that a marker that could randomly point to a task on a vertical list would be most pleasant.
The bulk of the project was evaluating different mechanisms to make the marker pick tasks at random while not selecting a task that had already been completed. A set of magnetic toggles that could repel the marker proved ineffective, but a simpler solution involving moving the completed tasks past a divider won the day. The finished product has a satisfying selection mechanism that makes interacting with the chore chart a joy, which probably helps make it more likely things get done.
We’ve seen many productivity hacks over the years, including Arya’s Hacking the Self, this rotary time tracker, or this e-ink macropad.
A leaker with a reasonable track record, except regarding the Apple Watch, claims that the Apple Watch Series 12 will feature a new health sensor, but only in its fluoroelastomer band.
Apple Watch already tracks a huge number of different health metrics, but Apple has regularly been rumored to add even more sensors via a watch band. According to leaker Kosutami, the company is finally going to do it, although with one significant catch.
[Censo-Wat]ch Series 12 gonna have a sensor on band, injection molded (to the silicon band; they haven't yet figured out how to put a sensor on a band with other materials now).
— Kosutami (@Kosutami_Ito) July 3, 2026
The leaker says nothing about what the band’s sensor could measure, but says it will solely be in the silicone band. That is presumably the basic fluoroelastomer band that Apple provides if a customer does not also order a specific band.
If correct, this could mean that the Apple Watch’s latest health sensor could only be available on the lowest-cost band. It’s more likely, though, that Apple will sell this version of the fluoroelastomer band separately.
As for what it could measure, Apple has previously been reported to be working on multiple options for external sensors. They include a hydration sensor, or one based around muscle movement sensing.
Apple is known to be working on non-invasive blood sugar monitoring as well. To date, there has been no suggestion that this will be on a band-mounted sensor, and instead integrated into the optical array underneath the watch body. It’s not clear when this feature will ship.
Kosutami has had a fair track record with Apple leaks, and most recently claimed that the company has suspended work on its project to add cameras to AirPods. But they have been significantly wrong before, such as with a 2023 claim that Apple was going to change how bands connect to the Apple Watch.
Separately, that persistent rumor has recently resurfaced. If it’s accurate this time, perhaps it’s because a new sensor band requires a different connector.
Valve has open-sourced the design for a customizable e-ink front panel for the Steam Machine, dubbed the “Inkterface.” “All of it is available on their GitLab under the MIT license, which goes over everything you need to make your own and stick it on the front of your fancy new Steam Machine,” reports GamingOnLinux. From the report:
They’re now calling it the “Inkterface” and there’s a good few things you’ll need to make it including:
1 x Adafruit ESP32 Feather with 2MB PSRAM.
1 x Adafruit eInk Breakout Friend.
1 x Adafruit 5.83″ Monochrome eInk Panel.
13 x M2.5 x 5mm Pan Head Machine Screws.
4 x 1/4″ x 1/4″ x 3/16″ Stepped Magnet SB443-OUT.
Valve even provided a video on the GitLab showing it being put together […].
An anonymous reader quotes a report from TechSpot: Video Game History Foundation founder Frank Cifaldi recently supported claims that piracy is the only effective way to preserve video games. The comments lay the blame squarely on game companies’ refusal to keep legacy content available or allow archivists to build legal repositories. Sony’s announcement that all PlayStation games will be digital-only from 2028 onward has sparked concern that titles will become harder to preserve and more easily vanish, since the company’s servers will become the sole point of distribution. In an official statement, Cifaldi noted that the end of physical PlayStation games has surprisingly little impact on the Foundation’s efforts because the majority of games from the last two decades are already digital-only.
According to the Foundation, most games nowadays are not released for consoles, let alone on physical discs. Furthermore, many discs for major titles require downloading updates before they are playable, although the DoesItPlay database reveals that, even today, most are playable offline out of the box. Cifaldi claimed that the true reason piracy remains the best option for preservation is that the Entertainment Software Association, which lobbies for game publishers, has closed off other routes. For example, in 2018, the Association opposed efforts to grant copyright exemptions for museums, libraries, and archives to retain copies of abandoned online games for research.
This is the same organization that recently helped defeat a proposed California bill to preserve premium-priced online-only games by falsely claiming that community servers are illegal. The Foundation accused the ESA of repeatedly blocking attempts by cultural heritage institutions to reform DRM legislation. Cifaldi also described the Library of Congress’ outdated software preservation process, which currently only requires tiny snippets of source code. For example, Capcom once asked the Foundation to provide the LoC with “the first and last ten pages of code” for a Mega Man game. Unable to discern where digital records began and ended, the group simply chose random segments. Platform holders’ habit of closing online storefronts and removing media from users’ accounts is also unhelpful. “What continues to baffle us is what the industry expects institutions like ours to do about it,” the Video Game History Foundation said. “If platform owners are deciding to eliminate physical media and older digital storefronts, then we’d also like to see trade groups like the Entertainment Software Association offer meaningful solutions for archives and museums to legally preserve digital-only content and make it accessible for research.”
The recent mission to the moon by Artemis II astronauts was memorable, inspiring, and scientifically important for so many reasons. It also brought us a treasure trove of new images and videos ready to be added to NASA’s vast library of content.
Consider this photo of Earth from more than 250,000 miles away, for example, taken from the other side of the moon. Or these widely shared pictures of our home planet from inside the Orion capsule, which were taken using iPhone 17 Pro Max phones. Truly out of this world snaps, but taken using a device many of us have in our pockets.
These images have popped up all across social media, but what you might not know is that NASA makes its huge library of images and videos available for anyone to dig through, marvel at, and reshare. Because NASA is funded by the US government, most of its published media is released into the public domain.
That’s the good news. The bad news is that it’s not immediately obvious where this library is and how you can access it.
If you’re ready to browse through decades’ worth of incredible photos and videoclips from NASA—from giant star constellations to spacesuit designs—here’s how to get started. A word of warning though: It’s easy to get lost for hours inside these collections.
Let’s start with the biggest resource: The NASA Image and Video Library. This is where you’ll find just about every image, video, and audioclip that NASA wants to share, from astronaut photos and space conferences to planet shots and satellite imagery. By default, you get to see the newest uploads first, but you can also click Trending & Popular to see frequently viewed content from across the years.
Click on an image or video here to get a wealth of information about it, including what it shows and when it was captured. Some of the captions here are mini-essays, and a lot of the content on this portal comes with EXIF data included, which will be of interest to photographers (or anyone who wants to know which pictures were snapped with an iPhone 17 Pro Max).
As wonderful as this resource is, it’s also difficult to sift through, unless you specifically know what you’re looking for. You’re basically relying on the search box at the top, and common keywords can return dozens and dozens of pages of results. Try being as specific as you can with search terms. Also, use the keywords on each photo and video listing to find related content.
In addition to the NASA Image and Video Library page, there’s also NASA Images—which includes a link to the Image and Video Library. (Those of you at the back, try to keep up). NASA Images isn’t as comprehensive as the Image and Video Library, but it is better organized, and it’s easier to find recent content here.
As good as solar panels are at converting sunlight directly into usable electricity, especially for how cheap they’re becoming, they can still only gather around 20-30% of the energy that hits them. That’s fine if you have a large roof or a huge tract of land, but if you have limited space and need to do something like heat a home, there are better options available to capture more of that energy. [Greenhill Forge] has built five solar air heating panels to test this concept, and to do it much more inexpensively than commercial options.
These solar heaters use sunlight to heat a fluid, in this case air, and move that heated fluid to another space. Each panel is about two square meters, insulated on all sides except the top, and configured so that air can flow past something the sun has heated. The first panel, a control, has no glazing to help trap this heat, but the rest all have a polycarbonate window to increase the greenhouse effect. Of the remaining four, three experiment with the way air flows around a black corrugated steel sheet to gather more of the heat, while the fifth panel uses layers of black screen instead.
With the panels all set out in the sun, [Greenhill Forge] is using a set of thermocouples from a previous project to measure the efficiency of each panel. Surprisingly, he found that the panel using the layers of screen was the best at gathering energy, although he notes several times that these types of panels are extremely sensitive to changes in physical configuration, so this is not the most definitive test possible. However, at only around $100 per panel it’s quite a deal if the goal is a usable space heater that doesn’t use any fuel or grid electricity.
Here are a few other MagSafe wireless chargers we have tested that didn’t quite manage to earn a place above.
Mous Dual Charging Station for $100: This dual charger from Mous is a looker, but disappoints on charging speeds, maxing out at 15 watts for the main MagSafe pad and just 5 watts for the second Qi pad, though there is a spare USB-C port that can charge at 18 watts. You can also add an Apple Watch charger ($55) that connects magnetically to the pogo pins at one end (5-watt maximum) and pops up for Nightstand mode.
Anker MagGo Wireless Charger Pad (Qi2) for $26: Our top pick until Apple’s redesign, this Qi2 charger brings MagSafe-style magnetic charging and a 15-watt charging rate. This pad stays put, has a durable aluminum casing that remains relatively cool, and comes with a 5-foot USB-C cable permanently attached. It can also charge AirPods with a magnetic charging case, but it does not come with a power adapter.
Belkin BoostCharge Pro Convertible Magnetic Wireless Charging Stand for $55: This Qi2-certified stand has a magnetic pad that can lie flat to charge older phones or fold out to act as a stand for MagSafe iPhones and other Qi2 phones in portrait or landscape orientation (handy for StandBy mode). It charges at up to 15 watts and comes with a 5-foot USB-C to USB-C cable and a power supply.
Casetify Magnetic Wireless Charger for $38: Cute designs galore elevate Casetify’s MagSafe charger lineup. It offers more than 600 designs, from cat art to sports teams. It is a Qi charger with MagSafe, so it will align perfectly with MagSafe iPhones and charge them at 7.5 watts, but it also supports Qi charging and can juice up any Qi phone at up to 15 watts. It comes with a permanently attached 3.3-foot black-and-white braided USB-C cable, but you need your own power adapter.
MagSafe is the name of Apple’s accessory system integrated into the iPhone 12, iPhone 13, iPhone 14, iPhone 15, iPhone 16, and iPhone 17 range, excluding the iPhone 16e. A ring of magnets on the back of the phone (and in MagSafe cases) can help transfer power more precisely and faster than traditional wireless chargers. However, it’s also a handy way to hold an accessory in place, like a wallet, or to mount the iPhone without requiring clamps. There’s an enormous range of MagSafe-compatible accessories now.
Qi2 is the next-generation wireless charging standard, and Apple worked with the Wireless Power Consortium to develop it. Compared to the original Qi standard, it brings MagSafe-style magnetic charging, faster charging rates, and improved efficiency—but where MagSafe is an Apple technology designed for Apple products, any device can support Qi2. Apple updated the iPhone 12 and newer to support Qi2, so Qi2 should be a term you look for when shopping for a magnetic wireless charger. We are starting to see more Qi2 Android phones, such as the Google Pixel 10 lineup (except the 10a), and Qi2 Ready phones that add magnets using a compatible case. A Qi2 charger can charge your iPhone and any other Qi2 phones.
Qi2 25W is the latest Qi2.2 update, supporting faster charging up to 25 watts for phones that support the standard, such as the iPhone 17 series and the Pixel 10 Pro XL.
StandBy mode was introduced in iOS 17 and enables you to use your phone as a bedside alarm clock. When you place your iPhone on a charger in landscape orientation, it will turn the screen into a dock of sorts, showing the clock (with different designs you can choose from), photos from your library, or widgets. If you have an iPhone that supports an always-on screen, you can choose to have the display automatically turn off after some time when the iPhone isn’t in use or if the room is dark. Head to Settings > Standby to customize it.
Android phone owners can set a screensaver to pop up when their phone is placed on a Qi2 charging stand. You can set a digital or analog clock, a slideshow from Google Photos, or Google Home controls for fast access to your smart home devices. Head to Settings > Display & touch > Screensaver to configure it.
How I Test MagSafe Chargers
I test every Qi2 or MagSafe charger for at least a week, using it to charge my iPhone 16 and my wife’s iPhone 12. I also test Qi2 chargers with my Pixel 10 Pro XL. I live with most chargers on my nightstand or work desk. Where possible, I check the charging rate and note the time it takes to charge my iPhone. I assess the usability of the design, the strength of the magnets, test any additional charging pads or ports, and try out any special features.