Security

Millions of PC Motherboards Were Sold With a Firmware Backdoor (wired.com) 77

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs -- a feature ripe for abuse, researchers say. From a report: Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers -- and doesn't even put a proper lock on that hidden back entrance -- they're practically doing hackers' work for them. Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover. "If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

Google

The Original Chromecast Hits End of Life After a Decade of Service (arstechnica.com) 41

Rest now, little Chromecast. Google has announced the decade-old Chromecast 1 is finally hitting end of life. From a report: A message on Google's Chromecast firmware support page announced the wind-down of support, saying, "Support for Chromecast (1st gen) has ended, which means these devices no longer receive software or security updates, and Google does not provide technical support for them. Users may notice a degradation in performance." The 1st-gen Chromecast launched in 2013 for $35.

The original Chromecast was wildly successful and sold 10 million units in 2014 alone. For years, the device was mentioned in Google earnings calls as the highlight of the company's hardware efforts, and it was essentially the company's first successful piece of hardware. The Chromecast made it easy to beam Internet videos to your TV at a time when that was otherwise pretty complicated.

Privacy

RaidForums User Data Leaked Online a Year After DOJ Takedown (techcrunch.com) 1

A database containing the details of almost half-a-million RaidForums users has leaked online, a year after the U.S. Department of Justice seized the notorious cybercrime forum. From a report: The leaked database was posted on Exposed, described by security researchers as an up-and-coming forum "wanting to fill the void" left by the recent BreachForums shutdown. An Exposed admin, known as "Impotent," posted the alleged RaidForums user data, which includes the details of 478,000 users, including their usernames, email addresses, hashed passwords and registration dates. "All of the users that were on raidforums may have been infected," the admin's post says. RaidForums had around 550,000 users at the time of its shutdown last year. The admin added that some users' details have been removed from the leak, though it's unclear how many or the reasoning behind this.

Hardware

ASUS Shows Off Concept GeForce RTX 40 Graphics Card Without Power-Connectors, Uses Proprietary Slot (wccftech.com) 90

ASUS is extending its connector-less design to graphics cards and has showcased the first GPU, a GeForce RTX 40 design, which features no power plugs. From a report: Spotted during our tour at the ASUS HQ, the ROG team gave us a first look at an upcoming graphics card (currently still in the concept phase) which is part of its GeForce RTX 40 family. The graphics card itself was a GeForce RTX 4070 design but it doesn't fall under any existing VGA product lineup & comes in an interesting design.

So the graphics card itself is a 2.3 slot design that features a triple axial-tech cooling fan system and once again, it isn't part of any interesting GPU lineup from ASUS such as ROG STRIX, TUF Gaming, Dual, etc. The backside of the card features an extended backplate that extends beyond the PCB & there's a cut-out for the air to pass through. The card also comes with a dual-BIOS switch that lets you switch between the "Performance" & "Quiet" modes but while there's a "Megalodon" naming on the backplate, we were told that isn't the final branding for this card.

Security

Is Cybersecurity an Unsolvable Problem? (arstechnica.com) 153

Ars Technica profiles Scott Shapiro, the co-author of a new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.

Shapiro points out that computer science "is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It's a very young field, and part of the problem is that people haven't thought it through from first principles." Telling in-depth the story of five major breaches, Shapiro ultimately concludes that "the very principles that make hacking possible are the ones that make general computing possible.

"So you can't get rid of one without the other because you cannot patch metacode." Shapiro also brings some penetrating insight into why the Internet remains so insecure decades after its invention, as well as how and why hackers do what they do. And his conclusion about what can be done about it might prove a bit controversial: there is no permanent solution to the cybersecurity problem. "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"

An excerpt from their interview: Ars Technica: The scientific community in various disciplines has struggled with this in the past. There's an attitude of, "We're just doing the research. It's just a tool. It's morally neutral." Hacking might be a prime example of a subject that you cannot teach outside the broader context of morality.

Scott Shapiro: I couldn't agree more. I'm a philosopher, so my day job is teaching that. But it's a problem throughout all of STEM: this idea that tools are morally neutral and you're just making them and it's up to the end user to use it in the right way. That is a reasonable attitude to have if you live in a culture that is doing the work of explaining why these tools ought to be used in one way rather than another. But when we have a culture that doesn't do that, then it becomes a very morally problematic activity.

Businesses

Seattle Amazon Workers Plan Walkout Over Return to Office, Climate Concerns (cnn.com) 83

CNN reports: Some Amazon corporate workers have announced plans to walk off the job next week over frustrations with the company's return-to-work policies, among other issues, in a sign of heightened tensions inside the e-commerce giant after multiple rounds of layoffs.

The work stoppage is being jointly organized by an internal climate justice worker group and a remote work advocacy group, according to an email from organizers and public social media posts. Workers participating have two main demands: asking the e-commerce giant to put climate impact at the forefront of its decision making, and to provide greater flexibility for how and where employees work.

The lunchtime walkout is scheduled for May 31, beginning at noon. Organizers have said in an internal pledge that they are only going to go through with the walkout if at least 1,000 workers agree to participate, according to an email from organizers.

The event comes a month after Amazon's return-to-office mandate took effect, reports the Seattle Times — with one software engineer saying they wanted to show Amazon's leadership that "employees need a say in the decisions that affect our lives." In response, an Amazon spokesperson said, "We respect our employees' rights to express their opinions." Drew Herdener, senior vice president for communications at Amazon, said there has been a good energy on the company's South Lake Union campus and other urban centers where Amazon has a significant presence. "We've had a great few weeks with more employees in the office," he said. "As it pertains to the specific topics this group of employees is raising, we've explained our thinking in different forums over the past few months and will continue to do so...."

[Since January], Amazon announced another 9,000 job cuts companywide, but has not notified Washington's unemployment office of the local impact. At the same time Amazon was re-evaluating its teams and workforce, the company announced it would require workers to return to the office at least three times a week beginning May 1. That was a change from Amazon's prior policy, put in place in the second half of 2021, that allowed leaders to decide for their teams where they should work. Announcing the mandate in February, CEO Andy Jassy told employees that senior leaders had observed that it's easier to "learn, model, practice and strengthen our culture when we're in the office together most of the time and surrounded by our colleagues." Boosters for downtown Seattle, where Amazon's headquarters campus is located, cheered the mandate and hoped that thousands of returning workers would enliven the neighborhood.

In response to the return-to-office mandate, more than 20,000 workers signed a petition urging Amazon to reconsider.

IT

How Digital Nomads Reshaped Cities Around the World (restofworld.org) 66

"They bring luxury workspaces, fancy coffee shops... and rising rents," reports Rest of World.org, visiting a coworking space with 70 people in its cafe and 100 more in its second-floor coworking area, that "looks as if it were picked up in Silicon Valley and dropped into Colombia by a crane... Coders and digital marketers crowd the tables, drinking pour-over coffee and enjoying loaded avocado toast. Downstairs, in the coffee shop, a stylish woman with a ring light on her laptop chats with a client thousands of kilometers away. Upstairs, in the dedicated office space, an American wearing an Oculus Rift headset attends a meeting in the metaverse. Most of the workers here are employed in the U.S., but relaxed post-pandemic office norms permit them to work from anywhere. This is the mobile, location-independent lifestyle of the digital nomad...

[The Colombian city] Medellín is one of the latest hot spots to join a global nomad circuit that spans tropical latitudes. Southeast Asia remains the preferred destination for nomads — on popular website Nomad List, four of the top 10 cities are from the region. The list also features less-expensive European cities in Portugal and Romania, as well as Latin American destinations like Mexico City, which share time zones with the U.S. The typical nomad might visit 12 or 13 countries in a year, all the while holding down a corporate job, usually in the tech sector...

But the income differential between the nomads and the Colombian professional class is immense. The result is runaway price inflation — rents in Laureles have skyrocketed, and restaurants cannot raise their prices fast enough. A one-bedroom in Medellín now rents for the "gringo price" of about $1,300 a month, in a country where the median monthly income is $300.

A digital nomad community "can distort the local economy," the article points out:
  • In Mexico City this November, people "took to the streets...to protest gentrification and rising rents."
  • Portugal "curtailed licenses for Airbnbs in an attempt to calm rising housing costs."

Right now the top four cities are Buenos Aires, Bangkok, Mexico City, and Canggu (in Bali), according to the article.

Security

Bitwarden Moves Into Passwordless Security (thenewstack.io) 16

Bitwarden, the popular open-source password management program, has launched Bitwarden Passwordless.dev, a developer toolkit for integrating FIDO2 WebAuthn-based passkeys into websites and applications. The New Stack reports: Bitwarden Passwordless.dev uses an easy-to-use application programming interface (API) to provide a simplified approach to implementing passkey-based authentication with your existing code. This enables developers to create seamless authentication experiences swiftly and efficiently. For example, you can use it to integrate with FIDO2 WebAuthn applications such as Face ID, fingerprint, and Windows Hello. Enterprises also face challenges in integrating passkey-based authentication into their existing applications. Another way Bitwarden Passwordless.dev addresses this issue is by including an admin console. This enables programmers to configure applications, manage user attributes, monitor passkey usage, deploy code, and get started instantly.

"Passwordless authentication is rapidly gaining popularity due to its enhanced security and streamlined user login experience," said Michael Crandell, CEO of Bitwarden. "Bitwarden equips developers with the necessary tools and flexibility to implement passkey-based authentication swiftly and effortlessly, thereby improving user experiences while maintaining optimal security levels."

Android

Inner Workings Revealed For 'Predator,' the Android Malware That Exploited 5 0-Days (arstechnica.com) 11

Researchers from Cisco's Talos security team have uncovered detailed information about Predator, a sophisticated spyware sold to governments worldwide, which can secretly record voice calls, collect data from apps like Signal and WhatsApp, and hide or disable apps on mobile devices. Ars Technica reports: An analysis Talos published on Thursday provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, "a marketing label for a range of mercenary surveillance vendors that emerged in 2019." Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai. Last year, researchers with Google's Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator had bundled five separate zero-day exploits in a single package and sold it to various government-backed actors. These buyers went on to use the package in three distinct campaigns. The researchers said Predator worked closely with a component known as Alien, which "lives inside multiple privileged processes and receives commands from Predator." The commands included recording audio, adding digital certificates, and hiding apps. [...]

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, Alien is more than a mere loader of Predator. Rather, it actively implements the low-level capabilities that Predator needs to surveil its victims. "New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as 'ALIEN,'" Thursday's post stated. "Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be." In the sample Talos analyzed, Alien took hold of targeted devices by exploiting five vulnerabilities -- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048 -- the first four of which affected Google Chrome, and the last Linux and Android. [...] The deep dive will likely help engineers build better defenses to detect the Predator spyware and prevent it from working as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.

Windows

Windows XP Activation Algorithm Has Been Cracked (theregister.com) 59

Liam Proven, reporting for The Register: Over 21 years after it first came out, the Microsoft operating system that will not die is receiving another lease of life. It's possible to activate new installations, safely and securely, without a crack, offline. A blog post on tinyapps has revealed the hot news that nobody sane has been waiting for: the algorithm that Microsoft uses to validate Windows XP product keys has been cracked and reimplemented. As a result it's now possible to generate valid activation codes for Windows XP, without an internet connection, even though Microsoft has turned off all the activation servers.

This is not a recommendation

But first, a word of caution and restraint. Please don't take this article as a recommendation to run Windows XP. It wasn't the most secure of operating systems back in 2001, and you really should not be running it in 2023 -- especially not on anything that is connected to the internet. However, saying that, the problem is that sometimes people need to. There is, for example, hardware out there that only works with Windows XP and won't work with anything newer... and some of it might be very expensive hardware, which is still perfectly functional -- but which requires a long-obsolete version of Windows to operate it. If you are lumbered with such a device, or you have got some single specific and very particular piece of software that you need to run and which doesn't work properly on any newer version of Windows, then you may be forced to use XP. If so, one of the problems is that Microsoft has turned off the activation servers, so even if you install a clean, fresh copy, you can no longer activate it over the Internet. (Allegedly, the telephone activation service still works, if that's an option for you.)

Security

A Popular Password Hashing Algorithm Starts Its Long Goodbye (wired.com) 17

An anonymous reader quotes a report from Wired: Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, there are now more robust and secure alternatives to bcrypt, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.

A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there. "One thing I found so surprising was how popular it became," he says. "I think in part it's probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it's even still relevant 25 years later. That is just crazy."

Provos developed bcrypt with David Mazieres, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD. [...] Password security is always lagging, though, and both Provos and Mazieres expressed disbelief and disappointment that the state of passwords broadly has not evolved in decades. Even new schemes like passkeys are only just beginning to emerge. "Bcrypt should have been superseded already," Provos says. "It's surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that."

Security

Unearthed: CosmicEnergy, Malware For Causing Kremlin-Style Power Disruptions (arstechnica.com) 45

An anonymous reader quotes a report from Ars Technica: Researchers have uncovered malware designed to disrupt electric power transmission and may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids. Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of the Kremlin's most skilled and cutthroat hacking groups.

Researchers from Mandiant, the security firm that found CosmicEnergy, wrote: "COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104. The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY."

Right now, the link is circumstantial and mainly limited to a comment found in the code suggesting it works with software designed for training exercises sponsored by the Kremlin. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacks, the malware lacks the ability to burrow into a network to obtain environment information that would be necessary to execute an attack. The malware includes hardcoded information object addresses typically associated with power line switches or circuit breakers, but those mappings would have to be customized for a specific attack since they differ from manufacturer to manufacturer. "For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets," Mandiant researchers wrote.

Privacy

'iRecorder Screen Recorder' App Turns Malicious, Sends Mic Recordings Every 15 Minutes (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.

Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker's command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. [...] Stefanko said it's possible that iRecord is part of an active espionage campaign, but so far, he has been unable to determine if that's the case. "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," he wrote. "It seems very unusual, but we don't have evidence to say otherwise."

AMD

AMD Has A One-Liner To Help Speed Up Linux System Resume Time 23

Michael Larabel, reporting at Phoronix: AMD engineers have been working out many quirks and oddities in system suspend/resume handling to make it more reliable on their hardware particularly around Ryzen laptops. In addition to suspend/resume reliability improvements and suspend-to-idle (s2idle) enhancements, one of their engineers also discovered an easy one-liner as a small step to speeding up system resume time. AMD engineer Basavaraj Natikar realized a missing check in the USB XHCI driver can avoid an extra 120ms delay during system resume time. It's only 120 ms, but it's a broad win given it's for the XHCI driver code and part of their larger effort of improving the AMD Ryzen platform on Linux and this 120ms savings is from altering one line of code.

Microsoft

Microsoft's Surface Pro X Cameras Have Suddenly Stopped Working (theverge.com) 45

Microsoft's ARM-based Surface Pro X tablet is not having a good time, and neither are its owners. From a report: According to multiple reports, the tablet's cameras stopped working out of the blue, showing a cryptic error when trying to launch the Windows Camera app or other software: "Something went wrong. If you need it, here's the error code: 0xA00F4271 (0x80004005)."

The first thing that comes to the user's mind when experiencing issues like this is reinstalling the corresponding driver. However, this is not true with Surface Pro X's botched cameras. Affected customers say removing and installing camera drivers on the Surface Pro X has no effect and leaves them stranded, unable to join video calls, take pictures, and perform other camera-related tasks. More importantly, the bug also breaks facial recognition, forcing customers to use their PIN codes instead.

Security

Brute-Force Test Attack Bypasses Android Biometric Defense (techxplore.com) 35

schwit1 shares a report from TechXplore: Chinese researchers say they successfully bypassed fingerprint authentication safeguards on smartphones by staging a brute force attack. Researchers at Zhejiang University and Tencent Labs capitalized on vulnerabilities of modern smartphone fingerprint scanners to stage their break-in operation, which they named BrutePrint. Their findings are published on the arXiv preprint server.

A flaw in the Match-After-Lock feature, which is supposed to bar authentication activity once a device is in lockout mode, was overridden to allow a researcher to continue submitting an unlimited number of fingerprint samples. Inadequate protection of biometric data stored on the Serial Peripheral Interface of fingerprint sensors enables attackers to steal fingerprint images. Samples also can be easily obtained from academic datasets or from biometric data leaks.

And a feature designed to limit the number of unsuccessful fingerprint matching attempts -- Cancel-After-Match-Fail (CAMF) -- has a flaw that allowed researchers to inject a checksum error disabling CAMF protection. In addition, BrutePrint altered illicitly obtained fingerprint images to appear as though they were scanned by the targeted device. This step improved the chances that images would be deemed valid by fingerprint scanners. To launch a successful break-in, an attacker requires physical access to a targeted phone for several hours, a printed circuit board easily obtainable for $15, and access to fingerprint images.

Windows

28 Years Later, Windows Finally Supports RAR Files (techcrunch.com) 110

An anonymous reader shares a report: Then, at some point, someone at Microsoft must have gotten fed up with rushing their .rar operations the way I have for 20 years and thought, there must be a better way. And so, under the subheading of "Reducing toil," we have a few helpful UI updates, then casually and apropos of nothing, this:

"In addition... We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows."

Encryption

Leaked Government Document Shows Spain Wants To Ban End-to-End Encryption (wired.com) 76

An anonymous reader quotes a report from Wired: Spain has advocated banning encryption for hundreds of millions of people within the European Union, according to a leaked document obtained by WIRED that reveals strong support among EU member states for proposals to scan private messages for illegal content. The document, a European Council survey of member countries' views on encryption regulation, offered officials' behind-the-scenes opinions on how to craft a highly controversial law to stop the spread of child sexual abuse material (CSAM) in Europe. The proposed law would require tech companies to scan their platforms, including users' private messages, to find illegal material. However, the proposal from Ylva Johansson, the EU commissioner in charge of home affairs, has drawn ire from cryptographers, technologists, and privacy advocates for its potential impact on end-to-end encryption.

For years, EU states have debated whether end-to-end encrypted communication platforms, such as WhatsApp and Signal, should be protected as a way for Europeans to exercise a fundamental right to privacy -- or weakened to keep criminals from being able to communicate outside the reach of law enforcement. Experts who reviewed the document at WIRED's request say it provides important insight into which EU countries plan to support a proposal that threatens to reshape encryption and the future of online privacy. Of the 20 EU countries represented in the document leaked to WIRED, the majority said they are in favor of some form of scanning of encrypted messages, with Spain's position emerging as the most extreme. "Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document. The source of the document declined to comment and requested anonymity because they were not authorized to share it.

In its response, Spain said it is "imperative that we have access to the data" and suggested that it should be possible for encrypted communications to be decrypted. Spain's interior minister, Fernando Grande-Marlaska, has been outspoken about what he considers the threat posed by encryption. When reached for comment about the leaked document, Daniel Campos de Diego, a spokesperson for Spain's Ministry of Interior, says the country's position on this matter is widely known and has been publicly disseminated on several occasions. Edging close to Spain, Poland advocated in the leaked document for mechanisms through which encryption could be lifted by court order and for parents to have the power to decrypt children's communications.
Several other countries say they would give law enforcement access to people's encrypted messages and communications. "Cyprus, Hungary, and Spain very clearly see this law as their opportunity to get inside encryption to undermine encrypted communications, and that to me is huge," says Ella Jakubowska, a senior policy advisor at European Digital Rights (EDRI) who reviewed the document. "They are seeing this law is going far beyond what DG home is claiming that it's there for."
Security

Four Accused of Violating German Law in Turkish Spyware Deal (bloomberg.com) 3

A prosecutor in Germany has indicted former executives of surveillance technology company FinFisher GmbH, accusing them of unlawfully supplying the Turkish secret services with spyware that could be used to hack into phones and computers. From a report: In an announcement on Monday, a spokesperson for the Munich Public Prosecutor's Office said that the office had carried out an "extensive and complex" investigation of the company following searches of 15 properties. Four of the company's managing directors had violated foreign trade laws, according to the prosecutor's office. The prosecutor's office named the indicted directors only as "G," "H," "T" and "D." FinFisher, prosecutors say, signed a contract in January 2015 worth $5.4 million to supply spyware to Turkey's National Intelligence Organization, but did not receive the necessary export approval from German authorities. Instead, company executives sought to conceal the deal by transferring the technology through another company they had established in Bulgaria, according to the prosecutor, though all business activities were still controlled and coordinated out of Munich.

Violations of export licensing requirements under Germany's Foreign Trade and Payments Act can be punishable with a prison sentence of between three months and five years. The prosecutor's office pointed to a particular provision of the law that states a prison sentence of not less than one year shall be imposed if a person is found to have acted for the secret service of a foreign power. The Munich prosecutor began investigating FinFisher in the summer of 2019, after a coalition of advocacy groups filed a criminal complaint against the company, alleging that it had supplied its spyware to Turkey without obtaining the required license from Germany's federal government. The spyware had been used in Turkey to infect the phones of government critics, monitoring their calls, text messages, photos and location data, according to a technical report published by the digital rights group Access Now.

Python

Python's PyPI Package Repository Temporarily Halted New Signups, Citing 'Volume of Malicious Projects' (bleepingcomputer.com) 24

On Saturday PyPI, the official third-party registry of open source Python packages, "temporarily suspended new users from signing up, and new projects from being uploaded to the platform" reports BleepingComputer.

"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," stated an incident notice posted by PyPI admins Saturday.

Hours ago they posted a four-word update: "Suspension has been lifted." No details were provided, but The Hacker News writes the incident "comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments." Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drop a trojan called TurkoRat.
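The practical defence against a poisoned registry that the story above does not spell out is to refuse any artifact whose digest is not already pinned, which is what pip does under --require-hashes. The following is an added example written for this page, not code from the Slashdot post, PyPI, Phylum or ReversingLabs; it re-implements that check on its own so the failure modes are visible. The requirements text, the package name example_pkg and the artifact bytes are constructed sample data, and the parser accepts only the `name==version --hash=sha256:<hex>` subset of the requirements syntax.

```python
"""Added example, not code from the Slashdot post, PyPI or the vendors it
mentions: verify downloaded package artifacts against sha256 pins in a
requirements file, the check pip itself performs under --require-hashes.
The requirements text and artifact bytes below are constructed sample data."""
import hashlib
import re
from dataclasses import dataclass

# One pinned requirement: name==version --hash=sha256:<64 hex> [more hashes]
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})*)$"
)
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    hashes: frozenset  # several digests are normal (one per wheel/sdist)


def normalize(name: str) -> str:
    """PEP 503 project-name normalisation so foo_bar, foo.bar and Foo-Bar agree."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str):
    """Yield requirement lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> dict:
    """Parse a fully pinned requirements file. Any line that is not an exact
    '==' pin carrying at least one --hash is rejected, as pip does in
    --require-hashes mode: a single unpinned line defeats the whole check."""
    pins = {}
    for line in _logical_lines(text):
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, hash_part = normalize(m.group(1)), m.group(2), m.group(3)
        hashes = frozenset(_HASH_RE.findall(hash_part))
        if not hashes:
            raise ValueError(f"{name}=={version} has no --hash pin")
        pins[name] = Pin(name, version, hashes)
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes):
    """Return (ok, reason) for a downloaded artifact. The comparison is against
    the pinned digest set, so a registry-side swap of the file fails even when
    the project name and version string still look right."""
    pin = pins.get(normalize(name))
    if pin is None:
        return False, f"{name}: not pinned, refusing to install"
    if pin.version != version:
        return False, f"{name}: pinned {pin.version}, got {version}"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in pin.hashes:
        return False, f"{name}=={version}: sha256 {digest[:12]}... not in pinned set"
    return True, f"{name}=={version}: digest matches pin"


# Constructed sample data: a stand-in for a wheel and the lock line pinning it.
GOOD_ARTIFACT = b"PK\x03\x04 constructed stand-in for example_pkg-1.2.0-py3-none-any.whl"
REQUIREMENTS = (
    "# constructed lock file\n"
    "example_pkg==1.2.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print(verify_artifact(pins, "example-pkg", "1.2.0", GOOD_ARTIFACT))
    print(verify_artifact(pins, "example-pkg", "1.2.0", GOOD_ARTIFACT + b"\x00"))
```

The point of rejecting unpinned lines outright, rather than skipping them, is that hash checking is only as strong as its weakest requirement: one `requests>=2.0` line in a lock file lets a tampered or typosquatted upload through untouched.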
