2026-04-04 00:00:18

This week, Hackaday’s Elliot Williams and Kristina Panos met up over assorted beverages to bring you the latest news, mystery sound results show, and of course, a big bunch of hacks from the previous seven days or so.
In the news, there’s quite a bit to talk about. Regarding Hackaday Europe, you can rest assured that the talks will be announced soon. The Green-Powered Challenge is still underway, and we need your entry to truly make it a contest. You have until April 24th to enter, so show us what you can do with power you scrounge up from the environment!
As usual, we published a handful of April Fool’s posts, which you may or may not find amusing. And finally — no fooling — our own Tom Nardi wrote up the Artemis moon launch, and is going to update the post every day until the mission ends.
On What’s That Sound, we can score one for Kristina, which brings her record to approximately three wins and sixty-eight losses. She knew without a doubt that the dialogue was from The Day the Earth Stood Still (1951). Oh, what? There was a remake in 2008? Kristina should get bonus points, then.
After that, it’s on to the hacks, beginning with the basics of making clean enclosures that are decidedly not 3D-printed, a couple of sweet lo-fi cameras, and a nice way to tame the tape when it comes to SMT parts. We also discuss a clock that marks time in a mathematical way, watch an electro-permanent magnet in action, and improving soda by turning it into mead. Finally, we discuss the solar balconies taking Europe by storm, and Copilot’s terrifying terms of service.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Download in DRM-free MP3 and savor at your leisure.
2026-04-03 23:30:46

A fun part of retro computing is saving ‘e-waste’ that was headed for certain destruction. These boards can have any number of defects, modifications and more that have to be remedied prior to using them. In the case of the Asus P5A-B Socket 7 mainboard that [Bits und Bolts] rescued from the scrapheap, at least one issue was obvious: someone had ripped off the plastic part of the ZIF socket, leaving only the metal pins poking out like an awkward kind of LGA socket.
In addition to the busted PGA ZIF socket there was additional damage, including a broken SMT capacitor and a missing resistor. Interestingly, someone had apparently modded the ATX power connector to permanently power on the system by removing a pin and bridging to the power-on signal. Obviously this mod had to be undone by removing the bridge and installing a new pin. After this, cracked solder joints had to be addressed, before the tedious task of removing the stray PGA socket pins one by one began.
Exactly what was done to this mainboard and why will likely forever remain a mystery, but at least there didn’t seem to be any serious damage. After installing a CPU it was possible to boot and access the BIOS as well as run a couple of tools, confirming that one more Socket 7 board has been saved from the scrapper.
2026-04-03 22:00:26

The biggest story of the week is a new massive supply chain breach, which appears to be unrelated to the previous massive supply chain breaches, this time of the Axios HTTP project.
Axios was created as a more developer-friendly JavaScript HTTP interface for node.js, giving a promise-based API instead of the basic callback API. (Promise-based programming allows for simpler coding workflows, where a program can wait for a promise to be fulfilled, instead of the developer having to manage the state of every request manually.) JavaScript has since provided a modern Fetch API that provides similar functionality, but Axios remains one of the most popular packages on the node.js NPM repository, with 100 million weekly downloads.
The lead developer of Axios believes he was compromised by a collaboration request – a common tactic for phishing specific targets: a project for an IDE like VS Code can include code that executes on the developer’s system when the project is run. Even outside a traditional IDE, common development tools like configure scripts and makefiles can easily run commands.
Socket.dev breaks down the attack in detail. Once the attackers had credentials to publish the Axios package to NPM, they inserted the malware as a new dependency of Axios, instead of modifying Axios itself. This likely helped the attack bypass other security checkers. The dependency – plain-crypto-js – is itself simply a copy of a popular encryption utility library, but one which executes additional code during the post-installation step available to all NPM packages.
Once triggered, the plain-crypto-js package installs platform-specific malware for Windows, macOS, and Linux. Work has begun on decoding the obfuscated malware, but it appears to be a remote access tool (a RAT): a tool that gives the attackers direct remote access to any compromised system to steal credentials or install further malware like keyloggers or other data-stealing tools. The full capabilities of the malware are difficult to ascertain, because it contained the ability to download and launch arbitrary binaries from a control server. Different victims may have received different payloads, based on other data found on the system, the country the system was in, and more.
Like other supply chain attacks, compromising the Axios project exposes several layers:
The compromised packages were only available for a few hours before they were caught, but a naive guess from the 100 million weekly downloads means there could still have been millions of impacted builds, assuming around 500,000 downloads per hour.
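One defensive check the Axios story suggests: diff the installed dependency tree against a known-good snapshot and flag any newly added package that declares an install-time lifecycle script, since that is the hook a malicious add-on dependency like plain-crypto-js runs from. This is an added example, not code from the article, Socket.dev or the Axios project; the snapshot format, package versions and script contents are constructed sample data.

```javascript
// Added example: report packages that are new relative to a known-good
// snapshot AND declare an npm lifecycle script that runs during `npm install`.
// Snapshot shape, versions and scripts below are constructed for illustration.

// Lifecycle scripts npm runs automatically for dependencies during install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Each snapshot maps "name@version" to the package.json fields we care about.
const KNOWN_GOOD = {
  'axios@1.0.0': { scripts: { test: 'mocha' }, dependencies: ['follow-redirects'] },
  'follow-redirects@1.0.0': { scripts: {}, dependencies: [] },
};

const CURRENT = {
  'axios@1.0.1': { scripts: { test: 'mocha' }, dependencies: ['follow-redirects', 'plain-crypto-js'] },
  'follow-redirects@1.0.0': { scripts: {}, dependencies: [] },
  // Constructed: a look-alike crypto library that runs code on install.
  'plain-crypto-js@1.0.0': { scripts: { postinstall: 'node ./setup.js' }, dependencies: [] },
};

function packageName(key) {
  // Strip the "@version" suffix; scoped names ("@scope/name@1.0.0") keep their leading "@".
  const at = key.lastIndexOf('@');
  return at > 0 ? key.slice(0, at) : key;
}

function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '');
}

// Returns one finding per package whose name is absent from the baseline and
// that declares an install hook, along with which packages pulled it in.
function auditNewInstallScripts(baseline, current) {
  const knownNames = new Set(Object.keys(baseline).map(packageName));
  const findings = [];
  for (const [key, pkg] of Object.entries(current)) {
    const name = packageName(key);
    const hooks = installHooks(pkg);
    if (knownNames.has(name) || hooks.length === 0) continue;
    const requiredBy = Object.keys(current)
      .filter((k) => (current[k].dependencies || []).includes(name))
      .map(packageName);
    findings.push({ package: key, hooks, requiredBy });
  }
  return findings;
}

for (const f of auditNewInstallScripts(KNOWN_GOOD, CURRENT)) {
  console.log(`${f.package}: runs ${f.hooks.join(', ')} on install; pulled in by ${f.requiredBy.join(', ') || '(top level)'}`);
}
```

Running installs with `npm ci --ignore-scripts` and only then reviewing the flagged packages keeps an unexpected hook from executing before anyone looks at it.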
Researchers at Calif.io asked the Claude engine to find vulnerabilities in the Vim text editor – and it did. So they asked it to find a vulnerability in Emacs – and it did again (though it requires git to actually execute commands).
Both vulnerabilities result in commands being executed when a file is opened, which is a pretty significant result. In Vim, the command execution occurs through the ability to encode syntax and display settings via comments in the file being opened (/* vim .... */); typically these are sanitized to prevent command execution, but an exception was found. In Emacs, git hooks (scripts that git runs automatically in response to events) are leveraged to run the commands.
Both vulnerabilities were validated by the Calif.io team before reporting them to the respective editor development teams; the Vim team has released a fix, and the Emacs team deferred the fix to the git maintainers.
Opinion of AI bug reports has been mixed to say the least among the Open Source community, with some projects outright closing vulnerability bug bounties due to floods of AI generated false reports. But this case feels appropriate – the AI was another tool used by bug hunters, and the results were confirmed as legitimate before the bugs were filed. If more AI discovered bugs were handled this way, the industry opinion of AI results would likely be higher.
Bleeping Computer reports that Cisco has had AWS keys and product source code stolen, seemingly tied to last week’s compromise of the Trivy open source scanner, in which attackers were able to replace the Trivy GitHub Actions used by tens of thousands of projects for security scanning and thereby gain access to CI/CD pipelines.
Simultaneously, Cisco is having a bad time due to a compromise of Salesforce customer data by a prolific ransomware and data theft group behind similar breaches of Microsoft, Pluto TV, Mashable, AT&T, Jaguar, Qantas Airlines, and dozens of other high profile attacks. Independent of the Trivy compromise, they claim to have additional git repositories of Cisco source code, AWS buckets including customer and billing data, and more. How accurate these claims are remains to be seen, since ransomware groups often inflate the severity of their claims, obviously hoping for a greater payout.
If the attackers do have the source code to Cisco products, this could be the beginning of a long series of security issues. A common tactic after source code or internal bug database breaches is obviously to leverage the source code for faster remote bug finding, but to use only a single bug at a time. After weeks of continual security alerts and updates, many customers reach a point of exhaustion and begin to skip updates. A similar pattern followed a breach of Oracle, resulting in a year-long situation with Java runtime environments where a new exploit surfaced every time a patch closed the previous one.
The sky is blue, grass is green, and custom manufacturer tools for random motherboard features are often poorly written. Bleeping Computer also reports a flaw in the Gigabyte Control Center that allows overwriting arbitrary files.
Control Center is a piece of software installed by default on all Windows installs on Gigabyte laptops and can also be found on Windows desktops using Gigabyte motherboards. Control Center performs hardware monitoring, RGB light control, fan control, update management, and similar functions. It also supports remote pairing to manage multiple devices – and if remote pairing is enabled, CVE-2026-4415 allows writing to any file, which in turn allows arbitrary code execution.
If you’ve got a Windows system with the Gigabyte tools, make sure to upgrade to the latest version as soon as possible! Bugs like these become much more serious when combined with other attacks – like router exploits or WiFi based attacks on public networks.
With the record-breaking supply chain attacks, GitHub has announced they are accelerating their plans for securing repositories, actions, and publishing packages.
Directly from their blog post, GitHub recommends that all package maintainers should immediately:
Moving forward, GitHub is expanding support of OpenID Connect (OIDC), a mechanism by which GitHub and other providers like DockerHub and NPM can share authentication information without storing long-lived authentication tokens. While an OIDC configuration can’t prevent a compromised GitHub Action from running, it should prevent the harvesting of authentication tokens that could be used directly against the packaging sites.
The GitHub Security Roadmap shows plans to harden the workflow system with locked dependencies, which has the goal of detecting and blocking unexpected changes to included actions. GitHub is also introducing immutable releases, which cannot be changed, even by removing the release tag and re-releasing it.
It’s nice to see what should be positive changes in how pipelines are run and packages are built, because the need for centrally managed packages certainly isn’t going away.
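Until GitHub’s locked-dependency enforcement arrives, the equivalent check is easy to run yourself: every `uses:` in a workflow should point at a full commit SHA, because a tag or branch can be retargeted after the fact, which is how a replaced action reaches downstream pipelines. This is an added example, not GitHub’s tooling or code from the article; the workflow text and the `example-org/scanner-action` name are constructed, while `actions/checkout` is a real action.

```javascript
// Added example: scan a GitHub Actions workflow for `uses:` references that
// float on a tag or branch instead of being locked to a 40-hex commit SHA.
// The workflow below is constructed sample input.

const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.30.0   # floating tag (constructed name)
      - uses: example-org/scanner-action@b7e6c1d2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8 # pinned
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci --ignore-scripts
`;

const SHA_RE = /^[0-9a-f]{40}$/;

// Classify one `uses:` target. Local paths and docker images are reported
// separately because commit-SHA pinning does not apply to them.
function classifyUses(target) {
  if (target.startsWith('./')) return 'local';
  if (target.startsWith('docker://')) return 'docker';
  const at = target.lastIndexOf('@');
  if (at < 0) return 'unversioned';
  return SHA_RE.test(target.slice(at + 1)) ? 'pinned' : 'floating';
}

// Returns every `uses:` line with its 1-based line number, target and class.
function auditWorkflow(yamlText) {
  const results = [];
  yamlText.split('\n').forEach((raw, idx) => {
    const m = raw.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) return;
    results.push({ line: idx + 1, target: m[1], kind: classifyUses(m[1]) });
  });
  return results;
}

// Only the references that can be silently retargeted by whoever controls the repo or tag.
function floatingActions(yamlText) {
  return auditWorkflow(yamlText).filter((r) => r.kind === 'floating' || r.kind === 'unversioned');
}

for (const f of floatingActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.target} is not locked to a commit SHA`);
}
```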
A handful of vulnerabilities (CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200) have been found in the Apache web server, including manipulation of the user that launches CGI scripts, environment variables not being sanitized properly for CGI applications, and problems with the server-side include exec directives. None of these are world-melting bugs, but Apache is a very common web server, and is even included in standard macOS installations.
Finally, in an example of enormously bad timing, Node.JS announces that it is suspending its bug bounty program due to a lack of funding. While security reports are still accepted, bounties are no longer offered.
Previously, the Node.JS bug bounty program was funded by the Internet Bug Bounty, backed by Microsoft, Adobe, Meta, and other large Internet companies. As of March 27, 2026, the IBB announced it was closed to new project submissions, citing in part AI bug submissions overwhelming responders.
2026-04-03 19:00:07

If you own a computer that’s not mobile, it’s almost certain that it will receive its power in some form from a mains wall outlet. Whether it’s 230 V at 50 Hz or 120 V at 60 Hz, where once there might have been a transformer and a rectifier there’s now a switch-mode power supply that delivers low voltage DC to your machine. It’s a system that’s efficient and works well on the desktop, but in the data center even its efficiency is starting to be insufficient. IEEE Spectrum has a look at newer data centers that are moving towards DC power distribution, raising some interesting points which bear a closer look.
A traditional data center has many computers which in power terms aren’t much different from your machine at home. They get their mains power at distribution voltage — probably 33 kV AC where this is being written — they bring it down to a more normal mains voltage with a transformer just like the one on your street, and then they feed a battery-backed Uninterruptible Power Supply (UPS) that converts from AC to DC, and then back again to AC. The AC then snakes around the data center from rack to rack, and inside each computer there’s another rectifier and switch-mode power supply to make the low voltage DC the computer uses.
The increasing demands of data centers full of GPUs for AI processing have raised power consumption to the extent that all these conversion steps now cost a significant amount of wasted power. The new idea is to convert once to DC (at a rather scary 800 volts) and distribute it directly to the cabinet, where the computer uses a more efficient switch-mode converter to reach the voltages it needs.
It’s an attractive idea not just for the data center. We’ve mused on similar ideas in the past and even celebrated a solution at the local level. But given the potential ecological impact of these data centers, it’s a little hard to get excited about the idea in this context. The fourth of our rules for the responsible use of a new technology comes into play. Fortunately we think that both an inevitable cooling of the current AI hype and a Moore’s Law driven move towards locally-run LLMs may go some way towards solving that problem on its own.
header image: Christopher Bowns, CC BY-SA 2.0.
2026-04-03 16:00:56

One of the pitfalls of modern engineering is that it’s entirely possible to end up in a situation where a product or solution has been designed by someone who has never left a desk. Which wouldn’t be a problem if things didn’t have a tendency to work differently in real life than they do in theory.
One of those things is automatic chicken coop doors, which have to operate reliably in not only a wide range of climates but with a number of possible physical limitations as well. [Vinnie] has taken on the challenge of building one which actually accomplishes all of these tasks, after realizing that the off-the-shelf solutions were victims of design over practicality.
[Vinnie] designed this door to be operated by the one thing that’s always 100% reliable: gravity. A linear actuator lifts the door at the beginning of the day, and then at night it’s allowed to fall back down in its track. A latch secures it against smarter intruders like raccoons. [Vinnie] has found that this lifting mechanism holds up much better in mud, snow, ice, and other difficult conditions than any other method he’s tried so far.
The system is built around an ATmega1284P, and calculates the sunrise and sunset times each day to know when to open or close the door. He’s built the system as a state machine, which makes it more robust during power outages, a necessity since his chicken coop is mobile, battery powered, and frequently out of range of WiFi.
The approach [Vinnie] takes to automation is something that has application outside of his own farmstead. Using state machines instead of schedules, ensuring the design is as simple as possible and works within its environment, and minimizing reliance on electric and data infrastructure can go a long way to solving problems that might not appear when designing something on paper.
He’s been automating many other things on his farm as well, and it’s worth checking it out if you haven’t seen it already.
2026-04-03 13:00:48

Boiling water is apparently a rather divisive topic, with plenty of strong opinions to go around on what is safe and the most efficient way to go about it. Thus in a new video [Cahn] sought to address the many comments that came in after his previous testing of electric kettles on either 12 VDC or 240 VAC.
What’s interesting about this whole topic is that at its core the overall efficiency of boiling water is simply a matter of calculating the energy input minus energy losses, with the remaining energy going into the water.
As we can see in the video, using a higher battery voltage doesn’t really change the efficiency of a 12 VDC kettle, but the higher current draw does manage to melt a fuse that can’t take the heat — requiring a 20 A fuse instead of the 15 A one.
One change that does make a difference is how it’s connected. Replacing the thin gauge wiring and the attached cigarette lighter plug on the 12 VDC kettle with beefier cable and an Anderson plug made things run cooler, resulting in an efficiency bump of about 10%. This cut the time required to get the water boiling by around 6 minutes.
Added to this test were an induction hob and an iso-butane-powered Jetboil, both of which scored rather unimpressively. For the induction option it’s obvious that a lot of energy is wasted by having the pan radiate it away from the water, while burning iso-butane loses energy through the exhaust gases. Ultimately what you pick to boil water with should thus be mostly determined by convenience rather than sheer physics.