Last week, Elliot got his foot stepped on by a 1.5 metric ton draft horse, and boy is he glad to be back to the relative safety of podcasting! Joining him today is Jenny List, no stranger to farm life, who has been trodden by a cow. It’s going to be one of those podcasts, folks.

Another thing the two hosts have in common is a love for the mystery of the numbers station. But did you know that GPS satellites, for the last 20 years, have broadcast literally millions of secret messages to everyone on the earth with a receiver? After that bombshell, we have an ATtiny85 emulating an 8080, a primer on how to embed magnets in 3D prints, definitive proof that more than one cassette mechanism is still being manufactured, and a look at what makes home automation enthusiasts tick.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download in DRM-free MP3 and play it in space.

Episode 373 Show Notes:

News:

• No news is good news.  No Mailbag, on the other hand, is no fun!  Write or mail in a question to mailbag@hackaday.com.

What’s That Sound:

• Jenny came in with a sound this week. Have a guess at it!

Interesting Hacks of the Week:

• • Spy Tech: The GPS Numbers Station
    • New address for GNSS data and products – GFZ GNSS Observatory
    • Investigation into September 2020 GPS SVN 74 Performance Anomaly
  • Secret Radio Stations By The Numbers
    • Numbers Station Simulator, Right In Your Browser
  • An Unlikely Host For An 8080 Emulator
    • Because You Can: Linux On An Arduino Uno
  • Ways To Embed Magnets In 3D Prints And Not Ruin Printers
  • As It Turns Out, There’s More Than One Cassette Mechanism Being Made After All
    • Know Audio: Mixtapes, Tape Loops, And Razor Blades
  • Vintage Turntable Gets Brain Transplant And Home Assistant Integration
  • Connecting Your Car To Home Assistant
  • Print Your Own Robby The Robot
    • 3D Printing Computer Space

Quick Hacks:

• • • Elliot’s Picks:
      • The Winners Of The 2025 Obfuscated C Code Contest
      • If You Want To Hack Me, Come In Through The Speaker
      • Pico-Driven Ultrasound Enables Scaled Acoustic Model Of Home Stereo
      • Optimizing Pancakes From Chemical Principles
    • Jenny’s Picks:
      • Re-Enable All Compute Units On The PS5-like BC-250 Cryptomining Card
      • Less Than 10 Years? Commonwealth Fusion Systems Applies To Plug Into Grid In 2030s
      • A New Life For A Rare Console

Can’t-Miss Articles:

• • • Questions Remain About Tense Moment Aboard ISS
    • NASA Announces Artemis III Crew And Ambitious Goals
    • 10 Years Ago: EVA 23 – How A High Visibility Close Call Cut Short a Spacewalk – NASA
    • Remember When Flash Drives Were Going To Make Your PC Faster?

What counts as portable is somewhat a matter of opinion, especially over the years. [Helge Fykse] has a portable spy radio of Swedish origin. For its time, it was considered very portable, crammed into a good-sized suitcase.

You can see the large crystal that sets the transmit frequency and a key to send Morse code. The receiver has a VFO, so it was more agile. Based on the regenerative knob, it appears the receiver was of the regenerative type. The suitcase had its own battery, and with tubes, it could probably put out some kind of signal if connected to anything metal, like bedsprings, a clothesline, or anything. There was a lightbulb to let you see when you were transmitting maximum power.

Speaking of tubes, there were five inside, two for the transmitter and three for the receiver. The radio had storage for spare tubes, and the agent could maintain the radio in the field.

You not only get a peek inside the suitcase, but a look at the schematic. The radio is a model of simplicity, but we are certain it did its job.

We love looking at exotic spy gear, especially radios.

Supply chain attacks continue, with Microsoft’s own open source Azure repositories being automatically disabled by GitHub following a compromise of the packages by the Miasma worm.

OpenSourceMalware reports that the infection resulted in 73 Microsoft-related package repositories being flagged and taken offline in a little over a minute by the GitHub automated security system, with over 40 repositories being related to Azure and the rest distributed across the Microsoft organization.

The center of the infection appears to be the Microsoft Durabletask package, which was previously compromised in May and used to push infected packages to PyPi. Considering that all of the supply chain worms also steal credentials for every service they can find in the build or developer environment they infect, it seems likely that credentials stolen in the original attack were never properly disabled.

Disabling the repositories can help stem the infected packages and GitHub actions from spreading and infecting more organizations, but of course any build processes depending on those packages will not function. In May, the Durabletask package showed over 400,000 downloads per month.

The OpenSourceMalware report includes a full list of the impacted repositories.

Microsoft Fixes GitHub Token Exploit

Microsoft has finally fixed a bug in GitHub which could steal a GitHub authentication token with access to all of an accounts repositories via the embedded web-based VSCode editor which is part of GitHub itself.

Ammar Askar discovered the bug and discusses it on their blog; by manipulating the sandboxed VS Code into treating an embedded web view as user keyboard strokes, it is possible to to cause it to install a VS Code extension which is then used to exfiltrate the GitHub authentication tokens of the user using the embedded VS Code instance.

TP-Link Takeover via Unregistered Domain

Julian B demonstrates capturing traffic from TP-Link routers and access points thanks to an unregistered domain name in the firmware.

After finding an archive of the firmware releases for every TP-Link product, Julian simplified the list to the latest versions, and ran a custom scraper tool to extract domain names referenced in the firmware and search for matching domain names.

After registering an available domain, Julian began receiving requests from TP-Link devices checking in to a server which had lapsed, likely years ago. Fortunately, Julian reported the issue to TP-Link and was able to transfer the domain.

It’s unclear what the risks of the unregistered domain name were in the context of the TP-Link devices, however unregistered domain names can lead to all sorts of issues in the wrong situations.

A Pile of OpenSSL Vulns

The OpenSSL library has a new collection of vulnerabilities which range from low-severity flaws in message verification in functions which aren’t used in any of the OpenSSL implemented protocols to a high-severity use-after-free bug in PKCS7 handling which could be used to run arbitrary code.

Use-after-free bugs occur when a chunk of memory is dynamically allocated, then freed and returned to the memory pool, but a later piece of code re-uses the memory that is no longer claimed. In the meantime, this memory could have been assigned to another variable or otherwise restructured, leading to memory corruption. In the case of OpenSSL, the memory associated with a PKCS7 container (a certificate storage method) or a S/MIME message (usually used in secure email) can be manipulated into using freed memory.

The advisory warns that applications processing PKCS7 or S/MIME are affected; fortunately most uses of OpenSSL are unlikely to be directly impacted (neither of those functions are common in web servers or similar), but as always, update as soon as possible!

NightmareEclipse is Back

The researcher previously identified as NightmareEclipse, known for releasing advanced Windows vulnerabilities with working proof of concept code, has returned as MSNightmare releasing several new exploits after previously being removed from GitHub. Despite a strongly worded (and poorly received) public statement by Microsoft threatening criminal investigations, the researcher returns with the RoguePlanet vulnerability.

RoguePlanet exploits race conditions in Windows Defender under Windows 10 and Windows 11 to gain a system-level shell, a fairly common trend in the vulnerabilities found by this researcher.

Additionally, another BitLocker bypass has been released, called GreatXML, which unlocks BitLocker protected drives if a Windows Defender offline scan has ever been run.

Of course, these releases coincide with Patch Tuesday, so they’re unlikely to be addressed before the July patch day.

It appears Microsoft has backed down from their initial press release which appeared to claim that vulnerability research and development outside of the guidelines Microsoft decided would be treated as criminal behavior; this was not well received by much of the security industry. At the start of the modern security industry in the late 1990s, public release of vulnerabilities was common. Companies had no way to reach a security contact to get it fixed, simply did not care to fix it, or were actively hostile to researchers. Through years and decades of community programs, it is now normal to reach out to a company with security flaws and have an expectation they will be fixed, and often rewarded either monetarily through structured bounty programs like HackerOne or through public credit to the researchers who found the flaws (nobody wants to be paid in exposure, but security is now an industry, and having a well-known name and track record can be valuable.)

Unfortunately, recently, it seems Microsoft may have forgotten that while disclosure to the vendor has become the norm, it is simply a social contract. Having already publicly alienated one skilled researcher (NightmareEclipse), the company seems to be doing the best it can to alienate others by burning community good will. Expect more publicly released vulnerabilities in the wake.

Linux Arm Fixes

Phoronix reports that the Linux kernel has patched a critical-severity flaw on Arm CPUs in the memory allocation logic. The list of processors affected continues to grow, including some NVIDIA embedded platforms.

The flaw lies in specific ordering requirements for accessing memory via the TLB, or “Translation Lookaside Buffer”, a critical part of the virtual memory and memory protection system. The TLB is a cache of recently resolved lookups of physical memory locations, so any corruption of the TLB can cause invalid memory reads, leading to almost the same results as recent kernel vulnerabilities in the Linux page cache system which allowed binaries to be replaced in RAM.

The bug was found thanks to advisories from Arm themselves clarifying that additional protections were needed around modifications to the TLB cache on these chips. The real-world impact remains to be seen, but now that the bug and patches are public, I’d expect proof of concept code to follow soon after. It’s also safe to assume that this flaw affects other operating systems on Arm platforms, as well, but there is no public information yet.

FreeBSD Gets a Page-Cache Bug

FreeBSD racks up another kernel bug this week, the amusingly named Bumsrakete (“Bum Rocket” or “Bang Rocket”), complete with a well-crafted troll of an announcement, right down to the use of Comic Sans for the announcement site.

Beneath the crap-posting exterior lies a legitimate CVE (CVE-2026-45257) where any user with access to the PMAP_HAS_DMAP system (the standard configuration) can overwrite the disk page cache in memory. This is the FreeBSD flavor of the kernel cache flaws in Linux used by CopyFail, DirtyPipe, and friends, and even involves decryption primitives in the kernel similar to the original CopyFail process.

It’s not surprising that following the multiple disk cache corruption bugs in Linux disclosed this spring, other operating systems with similar functionality are being examined and new flaws showing up.

NPM to Block Auto Install Scripts

NPM is introducing major changes in NPM 12 to attempt to stem the flood of supply-chain vulnerabilities by removing the automatic execution of commands from the install phase of packages and disabling the use of remote URLs as dependencies.

Most of the NPM-based worms infecting packages at record rates use the install script process, hooking either pre-install, install, or post-install scripts to run commands automatically as a package dependency is included. Since the install script runs as the user (or build service) pulling the dependencies, it has direct access to any credentials or files that user and service has. Under the new model an infected package could still perform malicious actions inside a compiled application or site, but a major mechanism for automatic spreading of malicious packages will be addressed.

It’s good to see progress made towards addressing the underlying weaknesses in the package ecosystem which aid in spreading malicious packages.

Libinput Security Fix

The libinput library sees a pair of security fixes this week, centered around the handling of device names for uinput and uhid devices. Maliciously named devices could execute commands as root.

To be able to exploit this, a user needs to already be on the system and have the ability to create new uinput devices. This is normally restricted to root, however if steam-devices, antimicrox, or kdeconnectd packages are installed, the permissions to create a device are modified and any user logged into the system can create a uinput device.

Go forth, and update!

Mini Shai-Hulud Hides in Censorship

The Shai-Hulud, Mini Shai-Hulud, and Miasma worms have been prolifically infecting packages on NPM and PyPi as well as VS Code extensions and GitHub actions. Using a combination of captured worm code and publicly released versions of the worms, researchers have been reverse engineering the behavior of the worm using the decrypted payloads.

Amusingly, they have discovered that the Mini Shai-Hulud worm attempts to hide from automatic analysis and detection via AI prompt injection. The payload file executed during a NPM package install contains a block of comment text referencing biological and nuclear weapons, topics many AI models refuse to allow.

Interpreting the comment as a banned request, the AI models may immediately stop processing the rest of the file, either blocking further analysis by researchers or disabling AI-based malware detection tools scanning for malicious payloads.

Another Record Patch Tuesday

For the second time this year, Microsoft has a record-breaking number of fixes included in Patch Tuesday with more than 200 security fixes, including fixes for two vulnerabilities released by NightmareEcllipse in recent weeks, however none of the fixes specifically reference the conflict between Microsoft and the researcher.

Outside of the Patch Tuesday fixes, Microsoft also fixed 360 browser vulnerabilities.

With the increasing automatic bug finding via AI tools, this may become the new normal for Patch Tuesday fix counts.

Python Linter Blocks Shai-Hulud

Sometimes pedantry pays off. StepSecurity brings the tale of a supply chain infection of the popular Pythagoria-io GPT Pilot package, an AI coding assistant tool. After one of the developers was infected by the Miasma supply chain worm, the worm performed the typical trick of attempting to reversion and push compromised versions of all accessible packages.

This time, the commits containing the trojaned were rejected by the Python linter, Ruff, for not matching the style guidelines of the project. Linters analyze code for style, comments, and syntax (think the pretty printing in a code editor that highlights incorrect tabs and spaces or deprecated functions.)

The developer will still need to clean up their system and make sure to revoke all tokens the worm has access to, but the project itself was spared infection by a humble syntax styler.

Deep Dive into Miasma

Finally, we have a dive into the Miasma worm thanks to SafeDep.

The payload source for Miasma has been open sourced, apparently by some of the developers of the malware. Previously the payload was heavily encrypted, however progress was made in decoding it during the initial wave of attacks. By open sourcing the worm, the developers likely hope to muddy the waters by creating copy-cat worms using modified techniques and signatures.

SafeDep takes a deep look into the capabilities of the payload, noting several unusual abilities including disabling GitHub environment protections, a full list of the credential harvesting capabilities, and more. Be sure to check out the full write up for an extremely detailed breakdown of each major component of the worm and the actions it takes, if that sort of thing is interesting to you!

Need a hinge in your 3D printed design and would prefer not to re-invent the wheel? You may find [Alex Krush]’s glue-in filament hinge useful.

This design prints half the hinge as a separate piece — the u-shaped one in the picture to the side — that must be glued into the target object after printing. It’s a bit of extra work, but doing it this way has a couple advantages.

One is that printing some of the hinge elements separately means one no longer needs to choose between a print orientation that best suits the object, and a print orientation that works best for the hinge. Also, the length of 1.75 mm filament used as a hinge pin is held captive after assembly so there’s no need to glue the hinge pin itself.

[Alex] helpfully provides the parts in STEP format, which makes CAD tweaks and adjustments easy. While incorporating the design should be doable even if one is just using .stl or .3mf files because boolean subtraction and merging is all that’s needed, having the model in STEP format is so much better.

Should you need some pointers on incorporating either into FreeCAD, we have you covered.

Our recently concluded event in Europe saw the return of the Hackaday Communicator badge — a stylish handheld gadget with a QWERTY keyboard, a LoRa radio, and an ESP32. It came complete with a simple messaging app built into it’s MicroPython firmware, and by all accounts it was a great success.

But there was certainly room for improvement, which is where [Giovi321]’s new firmware for the badge comes in. It brings support for Meshtastic proper, as well as longer battery life support for GPS module. To install this firmware you will need to have the ESP-IDF but fortunately there are very comprehensive instructions provided to help you. Under the hood it’s running FreeRTOS.

It’s something which is so often missing with an event badge, any sense of how it might have a life after the event rather than becoming a piece of e-waste. The Communicator badge is such a nice physical design that it obviously has potential, so this firmware unlocks it and gives the badge a use out in the real world. We really like it for this, and we’ll be flashing a few of our badges over to give it a shot shorlty.

If you’re looking to upgrade the hardware on your Communicator, check out the custom RGB keyboard we covered last week.

You know what they used to say– once you go Commodore, you’ll never leave by any door. Well, they might not have said that, but given the prevalence of projects still using Commodore-branded systems decades after the company’s demise, perhaps someone should have. A case in point is [Jit06] with this writeup on his Ultimate Amiga 1200 — or “Amiga 1232 Storm CD”– which crams just about every upgrade you might think of into the 1990s wedge computer.

Of course it has the PiStorm 32, with a CM4 providing supercomputer performance, at least by A1200 standards. That’s rather old hat, though, and it’s everything else crammed into the old Commodore that takes the score. For one thing, there’s a slot-loading, slim-form DVD drive from an old laptop that’s been incorporated so smoothly it almost looks factory. Ditto for the compact flash card slot, which is also on the IDE bus. The two share a custom IDE cable– yes, kids, we did used to roll our on 44-pin cables back in the day, but you’d better believe no one did it unless they really had to. With the space constraints inside the A1200 case, [Jit06] falls into that category.

The optical and CF cards trigger the drive LED on the Amiga case by default, but [Jit] wanted to see access on the PiStorm’s SD card as well, so he wired a couple of red LEDs to the default lightguide to get a colour-contrasting flash. That SD card is also broken out with an extender for easy access without opening the case– and once again, it looks almost as good as stock. So does the modded-on VGA port, which is stealing space that once belonged to the Amiga’s RF modulator and fed by a ScanPlus AGA board.

The only thing that really stands out as modded is the volume knob on the floppy-drive side of the case; that controls a mixer that sits between the CD audio and Paula, the Amiga’s custom sound chip. This lets him use the A1200 as a CD-32 system, and is very handy to have as CD-32 games used CD audio tracks that apparently were not well mixed with the digital audio in the games.

With all the cutting and soldering, this is not a reversible mod, something people are becoming much more concerned with as these machines slowly increase in rarity. Still, as a quality-of-life improvement, this sort of upgrade might be worth it if can keep the old A1200 relevant for another three decades. For anyone else who never got over the Amiga bug, he’s also published a linux-native SD-card creator called emu68 bootstrap on github to help with making images for the PiStorm.

Thanks to [Jit] for the tip! With the easy OS-swapping he’s enabled with the SD-breakout, there’s no reason not to try the rediscovered Amiga Unix. If you want the same without cutting into a vintage case, the PiStorm can be a sidecar.

An old algebra teacher used to say, “You have to take what you know and use it to get what you don’t know.” You might say the same thing about converting analog signals into digital. Computers know how to count and keep time. [Eric Explains] has a video purporting to explain “every type of analog-to-digital converter.” We aren’t sure he got every possible method, but there’s still a lot of information in the video, which you can see below.

From the flash ADC, using a ton of comparators to the successive approximation converter, which essentially plays a game of hi/lo, guessing the answer and figuring out if the real answer is higher or lower.

Those are pretty common, but the video also covers things like the Wilkinson ADC and other more exotic techniques. Each method, of course, has its advantages and disadvantages. For example, the flash ADC is fast, but requires a lot of components and power.

Sometimes, the method you use depends on how you are building. For example, you probably wouldn’t use a charge system on a breadboard since precision capacitors are finicky. But on an integrated circuit, capacitors made with photolithography may not be very precise, but the ratio between capacitors is super precise, making that a common technique in that domain.

Even if you never need to design your own converter, understanding the different architectures will let you make a better selection among alternatives. Then again, you can design your own. We’ve seen most of these architectures in past projects.