This week it's a mixed bag again across IT and technology. Since I don't want to be the twelve-thousandth person to post about the Apple keynote, I'll spare you the details and jump to the summary. Spoiler: it gets thinner, more expensive and has a new number (17). Otherwise, here again are my 9 news items of the week from 8 to 14 September 2025 (week 37).
npm attack | Plex attack | Phison part 3 | Jupiter in Jülich | Nano11 release | AI minister in Albania | FrameGen & AI upscaling | Borderlands 4 is out | WoW Corrupted Blood plague turns 20
Article 1
A real disaster: the npm supply chain attack
Imagine going to a huge supermarket to buy the ingredients for your favourite recipe. The supermarket is the programming world, and the ingredients are the countless npm packages.
These small pieces of code are created and shared by developers around the world so that you can make your own work easier and don't have to reinvent the wheel.
This is exactly where a nasty attack struck: a single, hard-working developer became the target of a spear-phishing attack. Imagine a criminal sending him a deceptively genuine email from his grocery store provider asking him to urgently update his password. The developer panics and falls into the trap.
What happened?
The attacker, posing as legitimate npm support, took over the npm account of the developer qix (Josh Junon). This developer is instrumental in maintaining and developing some of the most widely used packages in the Node.js ecosystem. A horror scenario!
Using the compromised access, manipulated versions of over 20 popular packages were laced with malware and uploaded to the npm registry. The figures are frightening: together, these packages are downloaded more than 2 billion times a week. The malware therefore had the potential to spread rapidly to a large part of the Node.js developer community and their projects.
What does the malicious code do?
Once an affected package is installed on a system, the malware embeds itself in the user's web browser. It effectively makes itself invisible and waits for the perfect moment to strike.
The main objective: Cryptocurrency theft.
The code searches the victim's browser for strings that look like cryptocurrency wallet addresses (e.g. a Bitcoin, Ethereum or Litecoin address). Once such an address is found, the malware replaces it, not with just any wrong address, but with one that looks confusingly similar to the original. To maximise the visual similarity, the attacker uses a string-similarity metric, the Levenshtein distance.
The perfidious part is that even an attentive user who checks the address again before the transaction will hardly notice a difference. The malware even manipulates browser extensions for crypto wallets in order to fake the transfer in memory: it intercepts the transaction before signing and replaces the recipient address. The falsified transaction is then forwarded to the wallet for approval. If the user does not look closely, they sign the fraudulent transfer.
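How such a swap can be caught without relying on the eye: the following is an added example written for this post (not code from the original article and not the malware's code). It implements the Levenshtein distance mentioned above and uses it from the defender's side: given the recipient address the user intended and the address actually present in the transaction before signing, it reports whether the two are identical, a near-identical look-alike, or something else entirely. A helper also pulls address-like strings out of a block of text using loose format patterns for the three coins named above. All addresses in the sample are constructed, and the look-alike thresholds are assumptions, not values from the article.

```javascript
// Classic dynamic-programming Levenshtein (edit) distance, two rows at a time.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Loose format patterns for the coins named in the article (format only, no
// checksum validation): enough to pull candidate strings out of page text.
const ADDRESS_PATTERNS = {
  ethereum: /\b0x[0-9a-fA-F]{40}\b/g,
  bitcoin: /\b(?:bc1[02-9ac-hj-np-z]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g,
  litecoin: /\b(?:ltc1[02-9ac-hj-np-z]{25,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b/g,
};

// Every address-like string in a text blob (e.g. the rendered checkout page), tagged by chain.
function findAddressLike(text) {
  const hits = [];
  for (const [chain, re] of Object.entries(ADDRESS_PATTERNS)) {
    for (const m of text.matchAll(re)) hits.push({ chain, address: m[0] });
  }
  return hits;
}

// Hex (0x...) addresses are case-insensitive as values, so compare them lowercased;
// base58 and bech32 addresses are compared as given, after trimming.
function normalize(addr) {
  const s = addr.trim();
  return /^0x/i.test(s) ? s.toLowerCase() : s;
}

function sharedPrefixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

function sharedSuffixLength(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

// Verdicts: 'match' (safe to sign), 'lookalike' (the dangerous case: a different
// address that shares start and end or sits within a few edits), 'different'.
function compareRecipient(expected, actual) {
  const e = normalize(expected);
  const a = normalize(actual);
  if (e === a) return { verdict: 'match', distance: 0, sharedPrefix: e.length, sharedSuffix: e.length };
  const distance = levenshtein(e, a);
  const sharedPrefix = sharedPrefixLength(e, a);
  const sharedSuffix = sharedSuffixLength(e, a);
  // Assumed thresholds: four matching characters at each end is roughly what a
  // quick glance checks; a quarter of the length as edit budget covers short swaps.
  const lookalike = (sharedPrefix >= 4 && sharedSuffix >= 4) || distance <= Math.ceil(e.length / 4);
  return { verdict: lookalike ? 'lookalike' : 'different', distance, sharedPrefix, sharedSuffix };
}

// Constructed sample: EXPECTED was copied from a trusted source; the transaction
// about to be signed carries SWAPPED, which keeps the same first and last characters.
const EXPECTED = '0xAb12c0ffee' + '0'.repeat(26) + '9F3e';
const SWAPPED = '0xAb12deadbeef' + '0'.repeat(24) + '9F3e';
const SAMPLE_PAGE_TEXT = `Pay to ${EXPECTED} or, for BTC, to bc1q${'0'.repeat(38)} before checkout.`;

function demo() {
  return {
    comparison: compareRecipient(EXPECTED, SWAPPED),
    found: findAddressLike(SAMPLE_PAGE_TEXT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The only check that matters in practice is the exact comparison; the distance and the shared prefix and suffix lengths are reported to show why glancing at the first and last characters, which is how most people verify an address, does not catch this kind of substitution.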
How did this disaster happen?
The developer qix made the incident public himself. According to his own account, he received an email from support@npmjs.help asking him to renew his two-factor authentication (2FA) because it had been unchanged for twelve months. The email even threatened that his account would otherwise be shut down on Wednesday. In the hustle and bustle of everyday life, he fell into the trap. He himself said the email had looked ‘shockingly genuine’.
Such targeted attacks are particularly dangerous because they do not aim at the masses but at the trust placed in a person or service. They use time pressure and false urgency to lure victims into a rash act.
The attack has shaken the entire Node.js community. It highlights the weakness of a software supply chain that is built on trust in packages. If only one link in this chain is compromised, far-reaching consequences can follow that affect thousands or even millions of users. The attacker gave the falsified packages the latest version numbers to speed up their distribution. The code was also obfuscated and padded with invisible characters to make analysis more difficult.
What to do?
The affected packages have now been removed from the npm registry, but it is possible that older versions or other accounts are also affected. If you are a Node.js developer, you should urgently check whether you are using the affected packages. The best first step is to run npm audit in your project directory to identify potential vulnerabilities.
Known affected packages
According to the IT security firm Aikido, at least these packages are affected:
- ansi-regex
- ansi-styles
- backslash
- chalk
- chalk-template
- color-convert
- color-name
- color-string
- debug
- error-ex
- has-ansi
- is-arrayish
- simple-swizzle
- slice-ansi
- strip-ansi
- supports-color
- supports-hyperlinks
- wrap-ansi
Socket.dev has also identified the package proto-tinker-wc. Several of the packages are maintained by qix together with Sindre Sorhus, the npm developer with the largest number of downloads.
This incident is a wake-up call for the entire developer community to rethink its security measures and to exercise extreme caution with suspicious requests.
Update 9.9:
According to Aikido, the package duckdb and the packages @duckdb/node-api and @duckdb/node-bindings are also affected. The developers have since released cleaned-up packages today.
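To check a project against the list above (including the duckdb packages from the update), here is an added example in JavaScript, not code from the original post or from Aikido or Socket.dev: it walks an npm lockfile (lockfileVersion 2 or 3, the packages map) and lists every installed copy of a package on the list with its resolved version and path, including nested copies that are easy to overlook. The lockfile embedded below is constructed for the demo, as are its version numbers; the script does not know which versions are malicious, so compare its output against the current advisory.

```javascript
// Package names reported as affected in the article (Aikido list, Socket.dev's
// proto-tinker-wc, and the duckdb packages from the 9.9 update).
const AFFECTED = [
  'ansi-regex', 'ansi-styles', 'backslash', 'chalk', 'chalk-template',
  'color-convert', 'color-name', 'color-string', 'debug', 'error-ex',
  'has-ansi', 'is-arrayish', 'simple-swizzle', 'slice-ansi', 'strip-ansi',
  'supports-color', 'supports-hyperlinks', 'wrap-ansi', 'proto-tinker-wc',
  'duckdb', '@duckdb/node-api', '@duckdb/node-bindings',
];

// In a v2/v3 lockfile the key of each entry is an install path; the package name
// is whatever follows the last "node_modules/", scoped packages keep "@scope/".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Every installed copy of a package on the list, with version and install path.
function findAffected(lockfile, affected = AFFECTED) {
  const want = new Set(affected);
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    if (name && want.has(name)) {
      hits.push({ name, version: entry.version, path: lockPath, dev: Boolean(entry.dev) });
    }
  }
  // Plain string ordering so the output is stable regardless of locale.
  return hits.sort((x, y) =>
    x.name < y.name ? -1 : x.name > y.name ? 1 : x.path < y.path ? -1 : x.path > y.path ? 1 : 0);
}

// Constructed sample lockfile: two nested copies of chalk and one scoped package.
// Version numbers are made up for the demo and say nothing about real releases.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { chalk: '^5.0.0' } },
    'node_modules/chalk': { version: '5.6.0' },
    'node_modules/some-cli': { version: '2.1.0', dev: true, dependencies: { chalk: '^4.0.0' } },
    'node_modules/some-cli/node_modules/chalk': { version: '4.1.2', dev: true },
    'node_modules/@duckdb/node-api': { version: '1.3.2' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

function report(lockfile) {
  const hits = findAffected(lockfile);
  if (hits.length === 0) return 'No packages from the affected list found.';
  return hits
    .map((h) => `${h.name}@${h.version}${h.dev ? ' (dev)' : ''}  at ${h.path}`)
    .join('\n');
}

// With a file argument the real lockfile is scanned; without one, the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const target = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  console.log(report(target));
}
```

Run it as node scan-lock.js ./package-lock.json (file name assumed). Together with npm audit, which depends on the advisory database having been updated, and npm ls followed by a package name for a single lookup, this gives a quick inventory before deciding whether to pin or roll back.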
Article 2
Plex users: Attack on the media server
If you use Plex to stream your favourite movies, series or music, there is bad news: on Tuesday it became known that unknown attackers had exfiltrated data from Plex's customer database.
The Plex team has confirmed the incident and informed users by email. Sensitive information such as email addresses, usernames and hashed passwords was stolen. The good news is that the passwords are hashed, which means the attackers cannot simply read them in plain text. Thankfully, credit card details and other payment information are not affected.
Plex's team has since closed the vulnerability through which the data was taken and quickly contained the incident. Nevertheless, the outflow of data itself could not be prevented.
What should you do now?
Plex has urged all users to act immediately to protect their accounts. By late Tuesday noon/afternoon the password reset recommendations had already arrived by email. If you are affected, you should do the following immediately:
- Change your Plex password: this is the most important step to prevent the stolen hash values from being misused. Choose a strong, unique password that you don't use for other services.
- Disconnect all connected devices: after changing your password, you should disconnect all devices associated with your account. These include your smartphones, tablets, smart TVs and, above all, your own media server.
- Reconnect your media server: after disconnecting, you'll need to reconnect your self-hosted media server to your Plex account. In Plex's technical language this process is called ‘claiming’.
Why is this so important?
The theft of usernames and email addresses poses a major risk of phishing attacks. Criminals can use this information to write deceptively genuine emails that look as if they came from Plex. They might try to trick you into entering your login details or even your payment details on a fake website. So be extra careful with emails that ask you to enter personal information, and never click on suspicious links.
Plex explicitly warns that it never asks for passwords or payment details by email. Everyone should know this about every service by now, but better safe than sorry.
To protect you further, the company strongly recommends activating two-factor authentication (2FA) if you have not already done so.
In the official forums and on Reddit, some users already report problems after the password change, especially with installations in containers or on NAS systems. If you encounter similar difficulties, take a look at the forums, where you may find useful solutions from other members of the community.
Unfortunately, this incident is not a one-off for Plex. In recent years there have been repeated security incidents in which user data was stolen. This is a serious problem that Plex needs to address in order to regain the trust of its users.
Article 3
SSD users beware: what's behind the Windows 11 problems?
Do you remember the reports of failing SSDs? A few weeks ago, reports from users whose solid-state drives with the widespread Phison controllers suddenly gave up on Windows systems caused uncertainty.
Many suspected a connection with the current Windows patch packages, but neither Microsoft nor Phison were initially able to reproduce the behaviour in their own tests. Now there are new findings.
What happened?
In another experiment, in which Phison worked together with the Facebook group PCDIY!, the error could be reproduced, at least under very specific conditions. The SSD controllers shut down when copying large amounts of data, which could cause the entire operating system to crash.
The reason seems to be experimental firmware for engineering previews that malfunctions in conjunction with the August patches for Windows 11. According to Phison's statement to Neowin magazine, such firmware was used in the tests on a Corsair Force Series MP600 2TB SSD.
The worrying part: drives with the controller in question are available on the consumer market, although that was supposedly ruled out. How such pre-series firmware could have ended up in retail unfortunately remains unanswered so far.
However, the bug has not yet been definitively identified.
Another possible cause may have been fixed with a small patch from Microsoft. Apparently a firmware for a single-byte file system was accidentally distributed to Japanese computers. Since the first reports of the bug came from Japan, where double-byte characters are needed for the many characters of the script, this may have caused problems.
It remains to be seen whether the investigation will reveal further details. For users, this means keeping an eye on the situation.
Over the weekend there was a bit more information: for example, the YouTuber Jay2Cents had no more problems after a BIOS update. Saloman Kane Tech Talk also has more details.
In sum, not everything has been cleared up yet, but at least it is no longer generally claimed that the problem does not exist at all.
I'm curious to see how this goes on...
Article 4
‘Jupiter’ in Jülich: Germany's new supercomputer
Germany is taking a big step towards technological leadership: in Jülich, the supercomputer ‘Jupiter’ was inaugurated, a system that is also intended to revolutionise research and development in artificial intelligence.
I don't know how I missed this last week, so here it is again in review: politicians such as Federal Chancellor Friedrich Merz and NRW Prime Minister Hendrik Wüst celebrated ‘Jupiter’ as a milestone in making Germany and Europe a leading AI location.
What makes ‘Jupiter’ so special
Jupiter is the first supercomputer in Europe to reach exaflop computing power. That means it can perform more than one quintillion (a 1 followed by 18 zeros) arithmetic operations per second. To illustrate: this corresponds to the performance of approximately 5 million laptops. With this immense computing power, Jupiter is one of the most powerful supercomputers in the world. ‘Jupiter’ is the abbreviation of Joint Undertaking Pioneer for Innovative and Transformative Exascale Research.
What is Jupiter used for?
The main task of ‘Jupiter’ is the training of large AI models. This capability can be used in many areas:
- Climate research: Atmospheric scientists hope to use Jupiter to improve weather models so that they can predict extreme weather events such as heavy rain or thunderstorms much more accurately.
- Science and research: From the development of new drugs to complex simulations in particle physics, Jupiter aims to provide groundbreaking scientific evidence.
- Economy: the government hopes that the presence of ‘Jupiter’ will attract start-ups and companies, creating an AI hotspot in the Rhineland area and driving the structural change from coal to AI.
An important aspect is Europe's digital independence. By using its own supercomputers such as Jupiter, Europe aims to reduce its reliance on US systems.
The price of super power
The construction of ‘Jupiter’ cost half a billion euros, financed by the federal government, the state of North Rhine-Westphalia and a European cooperation. Despite its enormous performance, ‘Jupiter’ is energy-efficient, but it still consumes a lot of electricity. Part of the resulting waste heat is used to heat the research centre, which improves the overall balance.
The system is only accessible to strictly selected research projects. ‘Jupiter’ symbolises Germany's entry into a new era of AI research and innovation. It is the newest member of a no less impressive line-up of other systems at the JSC.
Article 5
Nano11: The naked Windows 11 for minimalists
Windows 11 can be cumbersome on old computers. But what if you could reduce the operating system to less than 3 GB?
This is the goal of Nano11, an extreme debloating script by the developer NTDEV. This tool removes everything that is not absolutely necessary and turns Windows 11 into a true minimal version.
Extreme Diet for Windows
Nano11 is based on the same principle as the better-known script Tiny11, but goes a big step further. It removes not only unnecessary pre-installed apps like Solitaire or the Weather app, but also basic features like Windows Defender and even Windows Update. The result is a Windows installation that requires only 2.8 GB of storage space. The installation file (ISO) is extremely compact at 2.3 GB.
Only for experiments, not for everyday life
NTDEV explicitly warns on GitHub that Nano11 is intended exclusively for testing purposes. The missing components make it unsuitable for daily use. It is not possible to add languages, drivers or updates afterwards. The operating system is so heavily cut down that it only makes sense for special use cases such as test environments or virtual machines (VMs), where minimal storage space and fast loading times matter.
For anyone looking for a slim but fully functional version of Windows 11 for everyday use, Tiny11 remains the better choice. It removes unnecessary bloatware and the Microsoft account requirement, but leaves important features and updates intact. Read more at golem.de
Article 6
AI in government: Albania gets an artificial minister
While many countries are still wondering how to deal with the rapid rise of artificial intelligence (AI), Albania has made a remarkable decision: an AI is to become a minister.
With this step, the Albanian government shows not only foresight but also the will to actively seize the opportunities of AI. The chatbot ‘Diella’, the Albanian word for ‘sun’, has so far guided users through the menus of a government website, where the AI is depicted as a young woman in traditional Albanian clothing.
At the presentation of his new cabinet, Prime Minister Rama stated that ‘Diella’ was the first minister not physically present but created by AI. In future, Diella will decide on the award of public contracts as a virtual minister. According to Rama, the aim is to make Albania the first country in which tenders are ‘100% corruption-free’.
Why is this so important?
Artificial intelligence is not just a technical issue; it affects all areas of our society, from business and education to healthcare and administration. So far, these issues have often been spread across different ministries, leading to inconsistent strategies. A dedicated minister for this field is meant to ensure that Albania develops a coherent and forward-looking vision for the integration of AI.
What does this mean for other countries?
The appointment of its own AI as a minister makes Albania a pioneer. Many nations will be eager to see whether this approach succeeds. It could become a landmark example of how governments can drive digital transformation at the highest level, not only to keep pace with technological progress but to actively shape it.
Albania proves that it is ready to face the challenges of the future. It remains to be seen what concrete successes Diella will achieve in her new role, but the beginning has been made and could trigger a wave in global politics.
Article 7
At the end of the week, a bit of ct3003 info on AI upscaling / frame generation
More frames, almost without drawbacks: new games often have high hardware requirements, but technologies like NVIDIA's DLSS and AMD's FSR can help older PCs too.
These so-called AI upscalers render the game at a lower resolution and then scale it back up to the native screen resolution using artificial intelligence. This massively relieves the graphics card and ensures significantly higher FPS (frames per second) without appreciably affecting image quality, at least in ‘Quality Mode’.
What is the difference between upscaling and frame generation? AI upscaling only scales up the resolution. Frame generation, which is included in newer versions of DLSS (from version 3.0) and FSR (from version 3.0), goes one step further: it analyses two consecutive frames and inserts a ‘fake frame’ between them. This doubles the perceived frame rate without the graphics card actually having to compute twice as many images.
The catch: frame generation is not available in all games and only with newer hardware. DLSS Frame Generation only works with NVIDIA RTX 4000 cards, while AMD's FSR 3.0 works with almost all graphics cards but is only recommended from the RX 5000 series onwards.
Alternative lossless scaling: The universal solution?
This is where the tool Lossless Scaling comes into play. For around 7 euros on Steam, this tool can activate upscaling and frame generation in almost every game, regardless of whether the game supports the technique natively. The tool runs in the background and generates the additional frames as long as the game runs in borderless window mode.
However, there is a catch: the generated fake frames require a certain minimum number of real frames as a basis. If you try to push a game from 20 FPS to 60 FPS, it often leads to visual artefacts and severe input lag. For the best result you should therefore find a sweet spot and use the tool to double the frame rate when the game is already running smoothly. That way you can quickly turn 75 FPS into 150 FPS, which makes the gaming experience much smoother.
Ultimately, the manufacturers' own solutions from NVIDIA and AMD work even better, but for games that don't offer integrated frame generation, Lossless Scaling is an excellent and effective alternative to get a lot of performance even out of older hardware.
Much more detailed information is available in the video above or in the ct3003 article.
Game on!
Article 8
It's time, Vault Hunters! The galaxy has been waiting for this moment: Borderlands 4 is here!
Forget your worries, grab your favourite guns and get ready for a new adventure full of chaos, loot and wacky humour that only Pandora (or in this case the new planet Kairos) can offer.
Chaos again at last!
After years of waiting, the fourth main instalment of the Borderlands saga is finally in our hands. Gearbox's developers promised it would be their most ambitious game to date, and the first trailers have already shown: they didn't lie. With four new Vault Hunters who couldn't be more different and a brand new planet, Kairos, to explore, we are on the verge of a true loot festival in Borderlands' signature cartoonish style. IGN has posted a nice, detailed article about the release; I'll try to condense the details a bit:
What's new?
- New Vault Hunters: who needs old acquaintances when you can have fresh blood? Jump into the turmoil with the new heroes and their unique abilities. Whether you prefer to shoot from a distance or go straight into close combat, everyone will find their play style here.
- Billions of weapons: yes, you heard right. Not millions, but billions. With Borderlands' chaotic, procedurally generated weapon system, you never know what you'll find next. But one thing is certain: it's going to be crazy and deadly.
- A new planet: welcome to Kairos! A whole new world just waiting to be explored and looted by you, with new enemies, new environments and of course even more secrets to discover.
Micha and Max from the YouTube channel The Prototypes give you a first impression of the gameplay (gameplay starts at about 25 min).
The biggest highlight: the Humor
What would a Borderlands game be without its incomparable black humour? The developers have promised that we will once again meet the weirdest characters and the funniest dialogue. Get ready for absurd missions and jokes that make you laugh so hard the controller falls out of your hands.
So, what are you waiting for? Round up your friends, because in co-op mode the hunt for the best loot is the most fun anyway. The Mayhem party can begin!
And if your system is ‘weak in the chest’ and you only noticed after buying the game, take a look at Gamestar, which helps a bit with optimising the graphics settings.
Have fun!
Article 9
A digital plague: the Patch 1.7 pandemic in Azeroth
On 13 September 2005 something unexpected happened in World of Warcraft, in the world of Azeroth, that reverberates to this day in the annals of video game history: the Corrupted Blood plague broke out.
What began as a harmless bug in the brand-new raid instance Zul’Gurub developed into a full-blown digital epidemic that paralysed servers and brought the virtual life of entire cities to a standstill.
No kidding: This incident even has its own Wikipedia page!
The outbreak in Zul’Gurub
The culprit was the raid boss Hakkar the Soulflayer. His Corrupted Blood ability inflicted 200 damage per tick over time on players and could jump to others nearby. After a short while the effect disappeared again, normally. However, a bug in the code caused the debuff to persist on the pets of hunters and warlocks if they dismissed their pets while the pets still had the debuff, even if the players later left the instance.
These players, unsuspecting at first, travelled to densely populated capitals such as Orgrimmar, Stormwind, Undercity and Ironforge. There, in the middle of the crowds, the plague broke out again as soon as the players in question summoned their pets. The contagious disease spread within seconds, killing low-level characters and creating an atmosphere of chaos.
To make matters worse, some NPCs were also infected. The cities became ghost towns littered with skeletons, as players died and were immediately re-infected as soon as they tried to recover their bodies.
What happened to containment?
Blizzard's developers faced an unprecedented situation. What to do if a virtual virus brings the game world to the brink of collapse?
- Quarantine: players tried to set up quarantine zones by sealing off certain areas. However, as with a real pandemic, this only helped to a limited extent, as infected players repeatedly entered the cities.
- Communication: communication between players was chaotic, and misinformation spread quickly. Some players tried to cure the infected, while others amused themselves by deliberately spreading the disease.
- Blizzard's intervention: after several days of chaos, Blizzard was forced to intervene. They carried out temporary server maintenance to fix the error. The only way to stop the disease was to reset the infected characters and the affected areas.
However, the fix for the bug that made it possible to ‘export’ the disease from the instance via pets took a few weeks. Patch 1.8 removed the possibility of infecting pets with Corrupted Blood, and with it the possibility of spreading the disease.
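To make the mechanism above and the Patch 1.8 fix concrete, here is an added example (a deliberately simplified model written for this post, not Blizzard's code): a small tick-based simulation in which the debuff is meant to be scoped to the instance, but a pet dismissed while carrying it keeps the debuff frozen and re-applies it when summoned in a crowd. The patched flag models the fix of no longer letting dismissed pets hold the debuff at all. Population sizes, hit points, spread probabilities and the 3-tick duration are assumptions; only the 200 damage per tick comes from the article.

```javascript
const DEBUFF_TICKS = 3;      // assumed: how long Corrupted Blood stays on an active character
const DAMAGE_PER_TICK = 200; // damage per tick, as described in the article

// Small deterministic PRNG (LCG) so a run is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 2 ** 32;
  };
}

function makeCharacter(id, hp, hasPet) {
  return {
    id, hp, dead: false, debuffTicks: 0, infections: 0,
    pet: hasPet ? { dismissed: false, debuffTicks: 0 } : null,
  };
}

function infect(c) {
  c.debuffTicks = DEBUFF_TICKS;
  c.infections++;
}

// One tick in a zone: carriers take damage and spread to susceptible neighbours;
// active (summoned) pets catch the debuff from an infected owner or shed it normally.
// Dismissed pets are never touched here, so whatever they hold stays frozen.
function tickZone(chars, rng, spreadChance) {
  const carriers = chars.filter((c) => !c.dead && c.debuffTicks > 0);
  for (const c of carriers) {
    c.hp -= DAMAGE_PER_TICK;
    if (c.hp <= 0) c.dead = true;
    c.debuffTicks--;
    for (const other of chars) {
      if (other !== c && !other.dead && other.debuffTicks === 0 && rng() < spreadChance) infect(other);
    }
  }
  for (const c of chars) {
    if (!c.pet || c.pet.dismissed) continue;
    if (c.debuffTicks > 0) c.pet.debuffTicks = DEBUFF_TICKS;
    else if (c.pet.debuffTicks > 0) c.pet.debuffTicks--;
  }
}

function simulate({ patched, seed = 42 }) {
  const rng = makeRng(seed);
  // Raid: 10 players with 4000 hp, the first three with pets. Hakkar hits raider0 first.
  const raid = Array.from({ length: 10 }, (_, i) => makeCharacter(`raider${i}`, 4000, i < 3));
  infect(raid[0]);
  for (let t = 0; t < 2; t++) tickZone(raid, rng, 0.3);
  // Mid-fight, the pet owners dismiss their pets. The bug: a dismissed pet keeps the
  // debuff frozen in place. With the Patch 1.8 behaviour a dismissed pet holds nothing.
  for (const c of raid) {
    if (c.pet) {
      c.pet.dismissed = true;
      if (patched) c.pet.debuffTicks = 0;
    }
  }
  for (let t = 0; t < 6; t++) tickZone(raid, rng, 0.3);
  // Leaving the instance clears the debuff on the players themselves.
  for (const c of raid) c.debuffTicks = 0;

  // Capital city: 200 low-level characters with 300 hp, and the raiders walk in.
  const city = [
    ...Array.from({ length: 200 }, (_, i) => makeCharacter(`citizen${i}`, 300, false)),
    ...raid,
  ];
  // Summoning a pet that still carries the frozen debuff re-applies it; modelled here
  // as the owner becoming a carrier in the middle of the crowd.
  for (const c of raid) {
    if (c.pet) {
      c.pet.dismissed = false;
      if (c.pet.debuffTicks > 0) infect(c);
    }
  }
  for (let t = 0; t < 20; t++) tickZone(city, rng, 0.02);

  const citizens = city.filter((c) => c.id.startsWith('citizen'));
  return {
    citizensInfected: citizens.filter((c) => c.infections > 0).length,
    citizensDead: citizens.filter((c) => c.dead).length,
  };
}

console.log('buggy  :', simulate({ patched: false }));
console.log('patched:', simulate({ patched: true }));
```

The instructive part is not the numbers but where the leak sits: every cleanup step in the model (debuff expiry, leaving the instance) acts on the players, while the state that escapes lives on a detached object nobody ticks. Closing that path at the pet, as Patch 1.8 did, empties the city of carriers regardless of how the crowd behaves.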
Real Lessons from a Virtual Epidemic
The Corrupted Blood plague was not only a notable event in the gaming world but also attracted the attention of scientists. Epidemiologists used the players' behaviour to simulate and understand the spread of disease in the real world.
- Human behaviour: The disease showed how people behave in a crisis: Some act altruistically and try to help, while others act out of pure self-interest or even maliciously.
- Information flows: The rapid spread of misinformation, but also helpful advice, was an important point for researchers. They were able to investigate how rumors spread in a dense population.
- Quarantine measures: The failure of voluntary quarantines in the game world showed how difficult it is to enforce such measures without state authority.
The Corrupted Blood plague of World of Warcraft remains to this day a fascinating example of how a virtual world can map the complex dynamics of the real world. It is a milestone in the history of online games and a disturbing yet educational reminder of the power of epidemics, whether digital or real.
Sun Tzu, today as a blue teamer, of course also has a piece of wisdom to print out this week: study your opponent's psychology. Cybercriminals often follow predictable patterns. By studying their motivations and methods, you can anticipate their next moves and take proactive defensive measures.