2026-04-18 01:30:53
We’ve all had those times when your electrical device of choice is running low on battery. Sometimes you even plan ahead and are also carrying a battery pack, but what happens when you’ve forgotten to charge the battery pack? This is the problem that [Arnov Sharma] addressed with the SolMate, a portable solar panel that keeps a battery bank topped up.
The SolMate is built around an efficient 2 W photovoltaic panel that’s not much bigger than a cellphone. This panel can supply 5 V at 400 mA on a sunny day. The solar output is more than enough to keep the internal 2000 mAh battery topped up and ready for use. Charging the Li-ion battery is handled by an IP5306 power management chip, which pulls double duty: it safely regulates charging while boosting the battery’s 3.7 V to the 5 V expected at the USB charge ports. Speaking of charge ports, the SolMate includes both a USB-A and a USB-C port, plus a switch to enable or disable the unit.
The case is all 3D printed, with some clever design choices. Offsetting the bulk of the battery and PCB storage area to one side lets the SolMate naturally cant toward the sun. Even the clip used to attach it to a backpack is printed.
Be sure to check out the other entries into our latest challenge!
2026-04-18 00:30:38
It’s the evening before publication, and a pair of Hackaday writers convene to record the week’s podcast. This week Elliot Williams is joined by Jenny List, and it’s a bumper episode!
Of course, a bit of Hackaday news makes the cut, as it’s time to make an entry in the Green Powered Challenge. Then we make the first of a couple of sojourns into AI, as we talk about the Linux kernel stance on AI code. In short: if you submit AI code you’re responsible for its bugs. Meanwhile out of this world, we look forward to a time when astronauts breathe oxygen from moon dust.
There are hacks aplenty for your enjoyment, starting with far more than you ever thought it was possible to know about sound-reactive LED strips. Then we have among others a Mac on an ESP32 forming the UI for a weather monitor, Doom on a toaster, and a fascinating look at screw threads for plastic.
In the longer reads we have our colleague [Tom Nardi] finding Chinese people’s personal data on hard drives he bought in an electronics store, and an attempt to look at what an LLM can do that might be useful. Grab your headphones, and join us!
2026-04-17 23:30:59
Well, this might just be a Hackaday first. Certainly not the circuit sculpture part, nor the wearable aspect, but the glorious combination of the two. Behold [CMoz]’s Fashionably on Task: a Smart Bracelet for Forgetfulness. The name may be long, but the intent is concise: to showcase your top five must-dos for the day.
This lovely bracelet uses a tri-color e-paper display, and it’s WiFi enabled in order to receive input from the corresponding phone app. Although the cute pink ESP32-C3 is programmed in PlatformIO, the code will work with the Arduino IDE as well.
To get down to business, just power on the bracelet. If it can’t connect to the network you’ve hard-coded, it will broadcast it’s own access point. Connect with your phone to the custom web page, and Bob’s your uncle. From here, you can enter the tasks, change the colors around, mark tasks as complete, and remove tasks or reset recurring reminders.
The nifty part is that e-paper screen, since it will of course continue to display your list once powered down. Here’s the full code. Then you can deep-dive into the graph theory of circuit sculptures.
2026-04-17 22:00:33
CVE-2026-34040 lets attackers bypass some Docker authentication plugins by allowing an empty request body. Present since 2024, this bug was caused by a previous fix to the auth workflow. In the 2024 bug, the authentication system could be tricked into passing a zero-length request to the authentication handler. In the modern vulnerability, the system can be tricked into removing a too-large authentication request and passing a zero-length request to the authentication handler.
In both cases, the authentication system may not properly handle the malformed request and allow creation of docker images with access to stored credentials and secrets.
Bugs like these are increasing in visibility because AI agents running in Docker, like OpenClaw, may be tricked via prompt injection into leveraging the vulnerability.
videocardz.com notes that the popular Windows monitoring software Cpu-Z and HWMonitor appear to have been compromised. Reports indicate that the download site was compromised, not the actual packages, but that it was redirecting update requests to packages including malware. While the site has been repaired, unfortunately it looks like there is no warning to users that the downloads were compromised for a period of time.
Anecdotally, there has been a rash of Discord account takeovers in the past week, where long-standing accounts in multiple servers have been compromised and turned into spambots. While there is no evidence these events are linked, clearly a new credential or authentication stealing malware is in play, which involves stealing credentials from Discord.
The X.Org and XWayland servers saw security updates this week, fixing a handful of vulnerabilities involving uninitialized memory use, use-after-free, and reading beyond the end of a buffer.
The vulnerabilities are generally classified as “moderate”, but of course, don’t leave known vulnerabilities when you can avoid it! Fixed releases should find their way into distributions soon.
OpenSSL released version 4.0 this week, adding support for Encrypted Client Hello / ECH / RFC9849 as well as deprecating some older SSL 2.0 behavior.
Encrypted Client Hello is a new enhancement to TLS (nee SSL) client handshake. When a client connects to a TLS server like a website, one of the first packets sent is the Client Hello which contains the TLS version, supported algorithms, and importantly, the server name the client is connecting to. Including the server name in the hello message allows modern multi-homed and cloud-based websites to function, because it indicates which web server and SSL certificate should be used to handle the request, but exposes the hostname the user is connecting to.
With ECH, the hello message is split into multiple messages, with the true hostname encrypted inside the second, inner message. The outer message allows routing the request to a server responsible for decrypting the inner communication and dispatching the request to the proper server. It is possible, for instance, for an ISP to see that a user has connected to a website on the Cloudflare infrastructure, but not which website hosted on Cloudflare.
For individual sites, the value of ECH is debatable – without a central server to dispatch to the specific hosts, the outer hostname is still readable – but for sites hosted behind load balancers, there is additional protection for users against identification of browsing habits. Although it brings extra complexity, adding new standards like ECH at least moves the needle towards better user privacy and protection by default.
Rockstar Games (of Grand Theft Auto and Red Dead Redemption fame) has been breached by a ransomware/extortion group. If this sounds familiar, in 2022 the company was breached and early GTA 6 gameplay was stolen.
This go around, the breach was actually of the data warehousing company Snowflake, via another service, Anodot. Used for cloud monitoring and analytics, Bleeping Computer reports that an Anodot breach was used to access Snowflake data, which is now used to extort Rockstar.
Rockstar says the data stolen does not impact players or the functioning of the company, and they will not be paying the ransom.
Linux Kernel 7.0 releases this week, and includes a fix to out-of-bounds memory access in certificate handling. The fix is also being back-ported to stable and LTS kernel versions (Linux 6.4, 6.6 LTS, 6.12 LTS, 6.18 LTS, and 6.19) so be on the lookout for updates!
The out-of-bounds bug lies in the kernel keyring API; any user on the system can submit an invalid certificate to the kernel keyring. In this specific case the impact seems limited to a kernel crash instead of arbitrary privilege escalation.
The NIST organization is no longer enriching CVE entries in the National Vulnerability Database, except for those in the Known Exploited Vulnerabilities catalog, used in federal government, or those in designated critical software. Previously, the NIST NVD provided additional information and severity rankings for reported vulnerabilities. Citing a lack of funding and an overwhelming number of reported vulnerabilities, they will no longer provide updated severity scores or details.
It’s understandable, but a net loss to the security community, and the Internet at large, when we lose analysis and commentary on risks. CVE details and risks are often self-assigned by the vendor, which can lead in some cases to a culture of “malicious compliance” where the released information is technically correct and complete, but contains little or no actual detail and assumes the least impactful interpretations. Third-party evaluation and classification by organizations like NIST offered additional context and analysis to identify the truly critical reports.
OK – don’t actually panic, but if you’re a Microsoft user, you already know. This month’s Patch Tuesday — the scheduled day for Microsoft updates, for anyone lucky enough not to have to observe — includes over 160 security updates. This makes it the second largest Patch Tuesday ever. It includes a fix to the publicly available Bluehammer exploit for bypassing Windows Defender, and over 60 patches for browser vulnerabilities.
Additionally, Chrome published fixes for 20 vulnerabilities, and Adobe published fixes for Reader, with evidence on both that the bugs are already being publicly exploited.
This is your monthly reminder to stay on top of security updates whenever they are available, on whatever platform you use. Unknown zero-day exploits might get all the attention, but outdated software with known, patched bugs can be the biggest vector for exploits and malware. Once a bug is known and patched, there is no reason to save the exploit for targeted attacks; the days and weeks after a bug is publicly fixed can be a wave of automated exploits, and many of the largest attacks use vulnerabilities fixed weeks or months prior.
Finally, a quick aside for anyone interested in pursing more related content, the Botconf EU conference about fighting botnets and malware is streaming the conference content; by the time this post goes live the conference is likely to be concluded, but the talk streams are accessible!
2026-04-17 19:00:55
You probably don’t spend a lot of time using the FAT32 file system anymore, since it’s thoroughly been superseded many times over. Even so, Microsoft has seen fit to deliver an upgrade for FAT32 for the latest Windows 11 Insider Preview build. Finally, the stock Windows tools will let you format a FAT32 drive up to 2 TB instead of locking you to a 32 GB maximum!
The size limit was never baked into the FAT32 spec itself. With a 32-bit field for counting sectors, the file system supports up to 2 TB volumes with 512-byte sectors. However, as explained by former Microsoft developer [Dave Plummer], it just so happened that the 32 GB limit came about because of a random decision made when slapping together the Format dialogue box over 30 years ago.
The pending change was first announced in 2024, affecting the command line format tool as well. It’s actually been possible to create larger FAT32 volumes for some time, you just couldn’t easily do it with Microsoft’s standard formatting tools.
FAT32 is still a terrible file system to use in 2026, mostly because it has a hard limit on file size that tops out at 4 GB. It’ll ruin your life if you’re shooting HD or 4K video. We often don’t spend a lot of time musing over file systems in detail, but they’re right at the heart of everything we do on our computers on a daily basis. Sometimes, it bears thinking about!
2026-04-17 16:00:02
Unlike the current era where most consumer electronics are black rectangles, or the early 90s where most consumer electronics were black rectangles, we got a brief glimmer of color, light, and hope in the 2000s. Cell phones had all kinds of shapes and sizes, laptops came in bright colors, and even video game consoles got in on the fun. The Nintendo GameCube not only featured its namesake shape but came in several vibrant colors, most famously a bright purple. In fact, its design was such a hit that it continues to inspire artists and console modders alike. An animator named [kidd.gorgeous] recently envisioned a GameCube as a hot tub, and [BigRig Creates] set out to make this animation a reality.
Of course, this won’t be a life-sized hot tub capable of holding a human, but [BigRig Creates] did want it to be a usable, playable Game Cube with all of the features from the animation present in the final version. Since the lid won’t be operational with a hot tub model on the top lest all of the water spill out every time a game is changed, he’s modified it with some modern tools to hold his games inside the console itself. With the case open he’s also added the LED accent lighting featured in the animation as well as added the 3D-printed hot tub to the top. The hot tub is filled with mineral oil for electronics safety, and has a small pump built in to give the appearance of a working hot tub.
The buttons around the outside are functional as well, toggling the various lighting features and hot tub operation. And of course, the console diorama is fully playable, with the staircase railing able to easily detach in order to access the leftmost controller ports. It’s a faithful adaptation of the original animation, and [BigRig Creates] has a few games on queue that are properly themed for the new hot tub addition like Wave Race 64, Super Mario Sunshine, and Pool Paradise.
