2026-04-11 07:00:14
Most rhythm games have a community creating custom charts, and Trombone Champ is no exception. What is exceptional, however, [CraftedCart]’s osu! played in a Trombone Champ chart.
It all started as a challenge to make the most unserious chart possible. Among some other ideas, [CraftedCart] eventually decides to make an osu! chart but play it in Trombone Champ. Okay, not a problem, let’s just–oh, you can’t run arbitrary code without a making a mod. So instead, they decided to use shaders on the GPU. There are, of course, all sorts of problems with such an idea. Being stuck in the fixed render pipeline of a game, you can’t just add any resources to your shader you want. This leads to using textures as memory, both the game state and the osu! chart are actually textures. Another interesting one is getting user input into the shader. [CraftedCart] solves that by connecting the position of the game object the background is rendered to to the cursor; then, the shader reads the world to local transform matrix to determine the mouse position. Finally, the graphics the player ends up seeing are rendered using ray marching.
Video after the break.
2026-04-11 04:00:52
After users of Battle Born LFP batteries encountered issues such as a heavily discolored positive terminal and other signs of overheating, multiple autopsies showed that the cause appeared to be the insertion of a thermoplastic between the bus bar and the terminal. Over time thermal creep loosened the connections, causing poor contact and melting plastic enclosures. According to Battle Born, this is actually part of an ingenious thermal safety design, and in a recently published article they explain how it works.
The basic theory appears to be that if there’s a thermal event, the ABS thermoplastic will soften and reduce the pressure on the bolted-together copper bus bar and brass terminal. This then allows for an aluminium-oxide layer to form on the aluminium connecting bolt courtesy of the dissimilar copper/aluminium interface. Aluminium-oxide is non-conductive and thus interrupts the flow of current.
Of course, there are countless issues with that theory, least of all the many reports of in-field failures. We recently covered [Will Prowse] studying the death of one of these 100 Ah LFP batteries from brand-new to failure under controlled circumstances. This clearly shows the thermal creep loosening up the connection and causing poor contact between the bus bar, the bolt and the terminal, with poor contact and thermal issues resulting.
Naturally, [Will Prowse] had to address this most recent statement by Battle Born, with the latter taking care to indirectly attack and dismiss his findings. Here Battle Born’s argument seems to hinge on the removal of the lid damaging this aluminium-oxide layer and preventing the ‘thermal safety’ from working, yet not addressed are the many batteries that failed in the field and showed loose connections due to thermal creep from the ABS layer.
It’s also never addressed why these LFP batteries cannot simply be equipped with a traditional thermal fuse rather than this convoluted contraption, among many other questions that remain. Correspondingly [Will] is rather incredulous at this response, as should anyone be who has been following this saga.
2026-04-11 02:30:02
Machine screws aren’t made for wood or sheet metal, they make specific screws for those applications. You probably also know there are special screws for plastic. But did you know there are at least two distinct types? In a recent video, [Lost in Tech] show us different types of plastic screws, including thermal camera shots of screws driving into 3D printed parts, along with tests using a torque driver.
We have often used “any old” screw in printed parts, which usually works OK. We’ve also used threaded inserts or captive nuts, classic choices. One of the issues with screws or inserts is that you have to get accurately sized holes in your 3D prints.
In addition to learning about the types of screws and how best to accommodate them, he also developed a free web-based tool that does all the math for you.
Of course, there are cases when you do need a threaded insert. In particular, the plastic screws will tend to wear the plastic each time you insert them. If you expect the screw to go in and out many times, this might not be the right technique for you. On the other hand, if you think you might remove and replace the screws a few dozen times over the life of the part, this might be attractive.
We’ve covered self-tapping screws in plastic before, but, as the video shows, not all of them are created equal. And, of course, there are always heat-set inserts.
2026-04-11 00:45:30
Humans flew around the Moon this week, but Hackaday Editors Elliot Williams and Tom Nardi were stuck on Earth — luckily, there was no shortage of stories and hacks to keep them occupied. From the news that Linux might be putting the i486 out to pasture, to the fascinating potential of the threadless ball screw and connecting Bluetooth calipers up to FreeCAD.
You’ll hear about the latest in Internet via high-altitude balloon, the zen of organizing your parts bins, all the problems with Markdown files, and a deep-dive into making a convincing LED fire effect. The episode wraps up with some polarizing opinions on long term data storage, and a freewheeling discussion about the importance of literal moonshots.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Flying around the Moon? Download this episode in DRM-free MP3 so you’ll have something to listen to.
2026-04-10 22:00:12
Rowhammer attacks have been around since 2014, and mitigations are in place in most modern systems, but the team at gddr6.fail has found ways to apply the attack to current-generation GPUs.
Rowhammer attacks attach the electrical characteristics of RAM, using manipulation of the contents of RAM to cause changes in the contents of adjacent memory cells. Bit values are just voltage levels, after all, and if a little charge leaks across from one row to the next, you can potentially pull a bit high by writing repeatedly to its physical neighbors.
The attack was used to allow privilege escalation by manipulating the RAM defining the user data, and later, to allow reading and manipulation of any page in ram by modifying the system page table that maps memory and memory permissions. By 2015 researchers refined the attack to run in pure JavaScript against browsers, and in 2016 mobile devices were shown to be vulnerable. Mitigations have been put in place in physical memory design, CPU design, and in software. However, new attack vectors are still discovered regularly, with DDR4 and DDR5 RAM as well as AMD and RISC-V CPUs being vulnerable.
The GDDR6-Fail attack targets the video ram of modern graphics cards, and is able to trigger similar vulnerabilities in the graphics card itself, culminating in accessing and changing the memory of the PC via the PCI bus and bypassing protections.
For users who fear they are at risk — most likely larger AI customers or shared hosting environments where the code running on the GPU may belong to untrusted users — enabling error correcting (ECC) mode in the GPU reduces the amount of available RAM, but adds protection by performing checksums on the memory to detect corruption or bit flipping. For the average home user, your mileage may vary – there’s certainly easier ways to execute arbitrary code on your PC – like whatever application is running graphics in the first place!
McAfee identified a malware campaign in the Android Play store targeting older devices – using vulnerabilities publicly disclosed and patched between 2016 and 2021 – that was still found in over 50 apps in the official Google store.
All of the infected apps are built using a modified Facebook SDK to avoid detection, which unpacks the actual malicious payload from inside a PNG polyglot image. By using a common SDK found in millions of apps, the app looks like any other app using common libraries, even when viewing a decompiled list of classes referenced inside the binary.
Polyglot files are files that contain multiple valid file formats simultaneously – for instance a single file for Windows, Linux, or Web Browser or a JPEG containing a ZIP of all the works of Shakespeare. Polyglot files are possible because different formats often look for the start of data at different locations or when one file format denotes the length of valid data and happily ignores extraneous information. For malware, polyglot files are often used to hide malicious content in ways that detection tools or researchers may not spot.
Once the malicious payload is extracted from the PNG image in the app, the malware collects a fingerprint of the device, contacts a control server, and downloads exploits for that specific version. After gaining root, the exploit disables SELinux protections and replaces core system libraries with Trojan copies that impact every app. McAfee reports 22 different exploits in use, including Linux IPv6 kernel and Android GPU driver vulnerabilities, however all of the exploits used were fixed as of the 2021-05-01 Android security patches.
Ultimately, the malware steals authentication tokens and message databases from WhatsApp, reading them out of the local storage of the app, extracting the key from the running WhatsApp instance, and sending the decoded databases to a remote service. The malware also contains mechanisms to survive a factory reset by modifying the system partition of the device, but a full firmware re-install is still enough to get rid of it.
Unfortunately, older Android devices are still prevalent, and devices no longer supported by their manufacturers are still vulnerable to exploits based on publicly known and fixed security issues. There isn’t a good solution for devices abandoned by manufacturers, other than alternative firmware like LineageOS, but users of devices stuck on old firmware may also not be tech savvy enough, interested enough, or in a position to risk the device becoming nonfunctional by installing custom firmware.
Flatpak 1.16.4 and xdg-desktop-portal 1.20.4 have been released to address multiple security issues:
Flatpak is a Linux application packaging format that aims to provide installations that work on any Linux distribution. Normal packaging formats like deb and rpm are tightly linked to the specific version of the specific distribution they are built for. Flatpak packages all dependencies for an application, which increases the package size but reduces the load on the developer to provide builds for every possible variation. xdg-desktop-portal is a companion helper to Flatpak to manage access to system resources like screenshots, opening files outside the sandbox, and opening links in the default browser.
Flatpak attempts to introduce a modern sandboxing security model on top of Linux apps, similar to the restricted access model most mobile apps run under on Android or iOS. Traditionally, any code running has the permissions of the user running it; reducing that access can reduce the attack surface. Flaws in the sandboxing code can allow exploits in an app to impact the rest of the system.
Almost all modern Linux distributions include Flatpak support, and it may not even be obvious to users when a package comes from Flatpak versus a traditional package – many commercial Linux applications like Slack and Steam distribute as Flatpak images, and many open source tools also provide images. For all our Linux users – make sure you’ve applied any pending security updates in your distribution!
In an example of real-world impacts, Minnesota has requested assistance from the National Guard after a significant ransomware attack against Winona County. The state has asked the National Guard to assist in recovering from an attack impacting unspecified systems, but which apparently was severe enough that local and state resources weren’t enough. The only definitive statements from county officials are that emergency dispatch and 911 services are not disrupted – a frighteningly low bar you hope to not see. This is the second ransomware attack this county has seen this year, reportedly from unrelated attackers.
While high-profile ransomware attacks against governments and major corporations get lots of press, smaller companies are also impacted. Ransomware continues to be a pervasive problem, especially for organizations with a small – or even no – official IT department or security positions. Many security companies offer discounted or sometimes even free support to small companies and non-profits; if this is you, there’s no better time to look into multi-factor authentication, account privilege auditing and limiting, and testing your (offline) backups!
Following on with the real world impacts of some of the advisories, Lumen reports a widespread campaign to exploit home routers and install authentication-hijacking malware.
The attack targets TP-Link and MikroTik routers: TP-Link is a common home router brand, while MikroTik is more common in small business and remote office environments. Lumen comments that the attack seems to focus on older models, implying that it is using older, publicly disclosed vulnerabilities in devices which have been designated end-of-life by the manufacturers. Nearly 20,000 unique IPs were seen communicating with the control servers, so there were a lot of unmaintained routers out the Internet.
Once the router was compromised, the attackers used DNS redirection to send users to fake login pages to capture authentication info for Microsoft Office and other corporate resources. By hijacking DNS in the router and passing a custom DNS server over DHCP to local systems on the network, the attackers controlled the login pages. While DNS level attacks can’t defeat protections like SSL, users may not notice that they are being phished with an unencrypted login lookalike site, or they might just ignore the SSL warnings and click through anyhow.
Lumen credits Russian state actors with the attack, with the victims including national and local governments and regulatory agencies.
Striking closer to home, this Reddit post points out a malware campaign targeting sites holding models for 3D printers such as Printables, Thingiverse, and Makerworld.
Abusing the ability to upload arbitrary files to the model sites, the goal appears to be to trick the user into downloading a zip file containing Blender assets with instructions on “how to convert them to a STL”. Unfortunately, Blender has an embedded scripting environment (Python) – opening untrusted Blender ‘blend’ files allows direct execution as the user running Blender! The malicious files and instructions then download traditional malware and infect the user. Vendors of 3D assets have experienced this before, but it may be a first for the printing sites to deal with.
The campaign appears to have been stopped a few days later, with the original poster reporting that the flood of fake accounts appears to have stopped a few days later.
Unfortunately this goes to show that constant vigilance is needed – if something that should be a basic 3d model expects you to download additional tools to convert it to the format used everywhere else on the site, it’s probably worth being suspicious. Formats with embedded scripting environments are a new level of unexpected behaviors users have to be aware of – difficult if you’re not already a Blender user familiar with the capabilities and risks!
Finally, this week’s “you hope it’s not your problem” is an advisory from CISA, the United States cyber security agency. It appears that Iranian state-sponsored agents have been attacking Programmable Logic Controller (PLC) systems. Usually outside the realm of the home hacker, PLC systems like these are used to control factories, power plants, water treatment facilities, and other industrial scale facilities.
Before the Internet of Things took the reins as the joke category for security — “the ‘S’ in IOT stands for security” — one of the strongest contenders was SCADA, or Supervisory Control and Data Acquisition devices. SCADA fills a suspiciously parallel role to IOT in the industrial space, providing network monitoring and control of physical systems, and suffers some of the same fate. A SCADA system may be too difficult to update, too important to risk the downtime of a change gone wrong, or simply too legacy to have support from the manufacturer, and like an IOT device, generally isn’t expected to be exposed to the entire Internet.
Out of the realm of most people – even technically inclined ones – SCADA attacks may still be some of the highest profile attacks someone has heard of. The Stuxnet worm in 2010 targeted SCADA control systems and modified PLC-controlled centrifuges used for uranium refinement. In 2015 and 2016 the Ukrainian power grid suffered two major attacks targeting the SCADA control systems, closing breakers and forcing manual intervention at each substation to restore power to 250,000 people. The attacks evolved into the ‘CRASHOVERRIDE’ malware, which is specifically designed to target power grid SCADA control systems.
The simplest fix is to ensure these systems are never connected to the Internet at large. (If simple can be said to apply to processes controlling multi-million dollar facilities.) But even separated from direct connections, systems that cannot be safely updated to patch security concerns will always be at risk of router and firewall appliance compromises, or compromised PCs or laptops allowed onto the control network.
2026-04-10 19:00:33
Traditionally, identifying a bacterium requires peering through a microscope. Researchers from TU Delft want to trade your eyes for your ears when identifying bacteria. This is possible because they’ve crafted nanoscale drums that convert bacteria’s movement into sound.
The technique originated when Delft researchers noticed something odd. If a living bacterium were on a graphene sheet, it would beat a distinctive pattern that you can detect with a laser. Each drumhead consists of two graphene sheets laid over an 8-micrometer-wide cavity. The sheets are less than a nanometer thick.
The sounds are due to the subtle motion of the tiny lifeform. Scientists have known about these motions, but previously had to measure them en masse. The tiny drums can respond to a single organism, typically about 1 to 10 micrometers in size.
Graphene makes this sensor possible because it is thin enough to behave like a drum with such a tiny force, yet also strong enough to support the bacterium. At first, the technique was simply to determine if antibiotics were killing the bacteria. However, they found that specific bacteria produced audio with unique spectrograms.
It is foolproof, but machine language models can identify among three common bacteria with nearly 90% accuracy. The next step is to reduce the high-tech research setup to something practical for a hospital or doctor’s office. Early prototypes are now in use in two hospitals.
We’ve seen the benefits of automated microscopes that can detect a particular disease. This technology, refined, could go even further.
