The GlassWorm supply-chain campaign has returned with a new, coordinated attack that targeted hundreds of packages, repositories, and extensions on GitHub, npm, and VSCode/OpenVSX extensions.

Researchers at Aikido, Socket, Step Security, and the OpenSourceMalware community have collectively identified 433 compromised components this month in attacks attributed to GlassWorm.

Evidence of a single threat actor running the GlassWorm campaigns across multiple open-source repositories is provided by the use of the same Solana blockchain address used for command-and-control (C2) activity, identical or functionally similar payloads, and shared infrastructure.

GlassWorm was first observed last October, with attackers using “invisible” Unicode characters to hide malicious code that harvested cryptocurrency wallet data and developer credentials.

The campaign continued with multiple waves and expanded to Microsoft’s official Visual Studio Code marketplace and the OpenVSX registry used by unsupported IDEs, as discovered by Secure Annex’s researcher, John Tuckner.

macOS systems were also targeted, introducing trojanized clients for Trezor and Ledger, and later targeted developers via compromised OpenVSX extensions.

The latest GlassWorm attack wave is far more extensive, though, and spread to:

• 200 GitHub Python repositories
• 151 GitHub JS/TS repositories
• 72 VSCode/OpenVSX extensions
• 10 npm packages

Initial compromise occurs on GitHub, where accounts are compromised to force-push malicious commits.

Then, malicious packages and extensions are published on npm and VSCode/OpenVSX, featuring obfuscated code (invisible Unicode characters) to evade detection.

Across all platforms, the Solana blockchain is queried every five seconds for new instructions. According to Step Security, between November 27, 2025, and March 13, 2026, there were 50 new transactions, mostly to update the payload URL.

The instructions were embedded as memos in the transactions and led to downloading the Node.js runtime and executing a JavaScript-based information stealer. 

The malware targets cryptocurrency wallet data, credentials, and access tokens, SSH keys, and developer environment data.

Analysis of code comments indicates that GlassWorm is orchestrated by Russia-speaking threat actors. Additionally, the malware skips execution if the Russian locale is found on the system. However, this is insufficient data for confident attribution.

Step Security advises developers who install Python packages directly from GitHub or run cloned repositories to check for signs of compromise by searching their codebase for the marker variable “lzcdrtfxyqiplpd,” an indicator of the GlassWorm malware.

They also recommend inspecting systems for the presence of the ~/init.json file, which is used for persistence, as well as unexpected Node.js installations in the home directory (e.g., ~/node-v22*).

Additionally, developers should look for suspicious i.js files in recently cloned projects and review Git commit histories for anomalies, such as commits where the committer date is significantly newer than the original author date.

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Download The Report

from the not-so-opposed dept

There’s a notion that pops up in the comments here on Techdirt that Mike and our writer Karl Bode are deeply opposed in their opinions on AI and engaged in an epic ongoing debate. Alas, the truth is a little less spectacular: while they might have some differences of opinion here and there, they actually agree on most things, and would both prefer to hear (and have) more thoughtful and nuanced discussions about the technology without going to the extremes. By way of demonstration, Karl joins this week’s episode of the podcast for a long conversation with Mike all about AI, its role in our society, the challenges it raises, and where things go from here.

You can also download this episode directly in MP3 format.

Follow the Techdirt Podcast on Soundcloud, subscribe via Apple Podcasts or Spotify, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

Filed Under: ai, artificial intelligence, podcast

Back in 1984, Akai released the PJ-11, a compact stereo system that brought some fresh ideas to portable audio. Small enough to slip into a bag, it came with two independent speakers connected by cables that carried both power and audio signals, and those speakers could detach from the unit, lock into position at various angles, and be adjusted however the situation called for.

Each speaker could be swiveled precisely into position using 45 degree markers, giving you full control over where the sound was directed. Point them straight ahead for a traditional stereo image, tilt them upward for cleaner vocals, or angle them downward depending on the room. Flip them backward and the left and right channels swap, creating a surprisingly interesting effect in smaller spaces. The whole point was to put the sound where you actually were, rather than just firing it blindly forward the way most systems of the era did.

Sale

JBL Boombox 3 Black Portable Bluetooth Speaker with Massive Sound, Deepest Bass, IPX7 Waterproof, 24H…

• Massive sound and deepest bass: Enjoy your music with massive JBL Original Pro Sound. The new 3-way speakers deliver higher sensitivity of our…
• 24 Hours of play time: Celebrate every moment with the sounds you love. From your early morning workout to a late-night hang with friends, we’ve added…
• IP67 dust and water proof: To the pool. To the park. The JBL Boombox 3 is IP67 dustproof and waterproof, so you can bring your speaker anywhere, rain…

Battery power came from four C-cells tucked inside each speaker, meaning the full system ran on eight batteries when you were out and about. That added some noticeable weight, but it also gave the speakers a reassuringly solid feel in your hands. Back at home a separate power adapter plugged into the rear of the main unit, sliding into place on a dedicated rail to keep everything sitting level and stable on a shelf or table. Pull the adapter and speakers off and the whole thing becomes a genuinely compact grab and go setup with no extra bulk to worry about.

The front panel features four sliders that allow you to make rapid adjustments on the fly. On the left is your overall level, and the following three are a super simple graphic equalizer that allows you to shape the bass, midrange, and treble with a twiddle. One of the buttons opens the cassette door, but the mechanism itself is turned upside-down, so you may have to squint to figure out what’s what, especially if some of the labels on the controls appear a little strange as a result. There’s a separate metal tape playback lever, and the built-in mono microphone can easily record speech or ambient sound, automatically adjusting the settings so you don’t have to.

Tuning in is handle by a four-band radio component with AM, FM, and shortwave reception that can pull in distant broadcasts when conditions are favorable. The FM side is very sensitive, and it includes a mono mode and a beat-cut filter to reduce interference. There’s a 3.5 millimeter connection on the front panel that allows you to connect signals from external players or recorders, allowing you to play them via the speakers or record them directly into the cassette without having to look for hidden ports.

Many users were caught off guard by the PJ-11’s unusually full and rich sound despite its small size. Voices came through clearly on angled up speakers, and the overall balance was pleasing, rather than harsh and tinny like some other radios. During high solar activity years, you could pick up shortwave broadcasts loud enough to fill a room, and cassettes had a pleasant warmth that kept the listener listening in for longer than you’d expect from a budget model priced around one fifty at introduction in 1984.

Akai only produced a small number of PJ-11s before going on to larger models such as the PJ-33, which is probably why they are so hard to come by now. You had all these convenient features, such as detachable speakers that spun around, a front-facing aux in, and the ability to run on batteries. All of this combined to create a design that felt refreshingly practical for ordinary listeners in 1984, and forty years later, it retains a certain attractiveness because it solved simple difficulties in a way that appears to have been completely forgotten these days

Researchers are warning about the risks posed by a low-cost device that can give insiders and hackers unusually broad powers in compromising networks.

The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks. The devices, not much bigger than a deck of cards, allow the machines to be accessed at the BIOS/UEFI level, the firmware that runs before the loading of the operating system.

This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network. Risks are posed when the devices—which are exposed to the Internet—are deployed with weak security configurations or surreptitiously connected to by insiders. Firmware vulnerabilities also leave them open to remote takeover.

No exotic zero-days here

On Tuesday, researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them.

“These are not exotic zero-days requiring months of reverse engineering,” Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia wrote. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”

Arizona Attorney General Kris Mayes has filed criminal charges against prediction market platform Kalshi, for allegedly operating an illegal gambling business in the state without a license and for election wagering.

The 20-count complaint, filed in Maricopa County court on Tuesday, accuses the company of engaging in unlicensed gambling activities, claiming that the site “accepted bets from Arizona residents on a wide range of events,” including state elections, a practice that is illegal in Arizona. The complaint charged Kalshi with four counts of election wagering for accepting bets from Arizona residents on the 2028 presidential race, the 2026 Arizona gubernatorial race, the 2026 Arizona Republican gubernatorial primary, and the 2026 Arizona Secretary of State race.

This is the first time a state has pursued such charges against the company, according to the Arizona Mirror, and marks a significant escalation in the battle between states and the prediction market industry.

“Kalshi may brand itself as a ‘prediction market,’ but what it’s actually doing is running an illegal gambling operation and taking bets on Arizona elections, both of which violate Arizona law,” Attorney General Mayes said in a statement. “No company gets to decide for itself which laws to follow.”

It’s worth noting that the charges are technically misdemeanors. They follow a small surge of cease-and-desist letters, lawsuits, and other official actions from states over Kalshi’s activities, in which numerous officials have complained that the company is skirting state gambling laws.

Conversely, prediction sites like Kalshi have argued that they are not in violation of state law because they are subject to federal regulation via the Commodity Futures Trading Commission.

Kalshi may be getting attacked left, right, and center, but the Kalshi has also taken its own, often preemptive, legal action.

Kalshi sued Arizona’s Department of Gaming in federal court on March 12. The company’s lawsuit argued that Arizona’s regulatory attempts were intruding “into the federal government’s exclusive authority to regulate derivatives trading on exchanges.” Kalshi also recently sued Iowa and Utah on similar grounds.

Mayes’ office argues the company is merely trying to avoid accountability.

“Kalshi is making a habit of suing states rather than following their laws. In the last three weeks alone, the company has filed lawsuits against Iowa and Utah, and now Arizona,” Mayes said in a statement. “Rather than work within the legal frameworks that states like Arizona have established, Kalshi is running to federal court to try to avoid accountability.”

Elisabeth Diana, Kalshi’s head of communications, called the Arizona criminal charges “seriously flawed” and a matter of “gamesmanship” related to the company’s own litigation against the state.

“Four days after Kalshi filed suit in federal court, these charges were filed to circumvent federal court and short-circuit the normal judicial process,” Diana said. “They attempt to prevent federal courts from evaluating the case based on the merits – whether Kalshi is subject to exclusive federal jurisdiction. These charges are meritless, and we look forward to fighting them in court.”

Federal officials have signaled that they’re on the prediction industry’s side, setting up a potential regulatory showdown between states and the federal bureaucracy. Mike Selig, chair of the Commodity Futures Trading Commission, recently published an op-ed in the Wall Street Journal in which he accused state governments of having “waged legal attacks on the CFTC’s authority to regulate” such sites. Selig also claimed that his agency would no longer “sit idly by while overzealous state governments” undermined the agency’s “exclusive jurisdiction” over the industry.

Researchers at RMIT University in Australia built a small robot shaped like a dolphin. About the size of a sneaker, the machine glides across the surface of polluted water and gathers oil with a pump mounted at the front. A filter inside separates the oil from everything else, sending only the slick into an onboard tank while the water flows away untouched.

The filter draws its clever design from sea urchins. Microscopic spikes coat the sponge-like surface, too small to see without an electron microscope. Those spikes hold pockets of air that push water aside so it beads up and rolls off. Oil, on the other hand, spreads across the spikes and soaks in right away. The coating mixes oleic acid-treated barium carbonate with thin sheets of reduced graphene oxide. No fluorine or silane chemicals go into it, which keeps the whole setup safer for the environment than many older filters.

DJI Neo, Mini Drone with 4K UHD Camera for Adults, 135g Self Flying Drone that Follows You, Palm Takeoff…

• Due to platform compatibility issue, the DJI Fly app has been removed from Google Play. DJI Neo must be activated in the DJI Fly App, to ensure a…
• Lightweight and Regulation Friendly – At just 135g, this drone with camera for adults 4K may be even lighter than your phone and does not require FAA…
• Palm Takeoff & Landing, Go Controller-Free [1] – Neo takes off from your hand with just a push of a button. The safe and easy operation of this drone…

Lab tests put the robot through its paces using blue kerosene as a stand-in for real oil. It collected about two milliliters every minute, and the liquid that ended up in the tank measured more than 95 percent pure. The filter never clogged or soaked up water. One full battery charge keeps the machine running for roughly 15 minutes. The same material can absorb between 15 and 65 times its own weight in oil, then release most of it when squeezed and return to work with over 97 percent of its original performance intact. Salt water does not corrode it, and stray contaminants rinse away easily.

Dr. Ataur Rahman, who leads the project at RMIT’s School of Engineering, described the thinking behind the build. Oil spills bring heavy costs to nature and to economies everywhere. The team wanted a device that deploys fast, steers with precision, and reaches places too dangerous for crews on boats. PhD researcher Surya Kanta Ghadei, who developed the filter material, shared what drove his part of the work. Growing up in India, he watched spills harm marine life, especially turtles. That memory pushed him to find a way for responders to act quicker and shield wildlife from harm.

Right now the robot answers to a Wi-Fi remote. A larger version, closer to the actual size of a dolphin, sits in the plans. Its exact scale will depend on the pump and the tank it carries. In that future form the machine will run without anyone steering it. It will vacuum oil from the surface, head back to a base station to empty the tank and recharge, then return to the spill and start again. The cycle keeps going until the area clears.

Engineers see clear advantages over systems that simply float in place and wait for oil to drift their way. This robot moves through the slick on its own, collecting as it goes. The filter stays dry and ready for repeated use, so crews avoid the constant swaps and messy disposal that older setups demand. Next steps include scaling up the filter area, strengthening the pump, running field trials, and checking long-term durability in open water.
[Source]

The new Center Stage selfie camera is one of the best features of Apple’s iPhone 17 series — but why settle for 18MP snaps when 48MP selfies are possible?

That’s the question posed by Kickstarter case brand Dockcase, whose latest offering, the Selfix case, adds a touchscreen to the back of your iPhone 17 Pro for seamless, main camera-quality selfies.