This week we start with Groundhog Day, because there is more npm news right on Monday, and as in the last weeks here are my 9 news items of the week, this time from 15.-21.9.25 (KW38)
npm Attack-2 | Server HDD bottleneck | EntraID Token Gap | Gemini in Chrome | Samsung US Refrigerator Advertising | Intel+Nvidia | Health risk radar | Bye-bye AAA | U.S. visa 100k
Article 1
Groundhog Day at the npm repositories: new wave of attacks this week
Your code may also be infected. Have you heard about it? A new, large-scale attack is shaking the npm ecosystem and thus the world of millions of JavaScript developers. What began as an attack on just a few dozen packages has become a real pandemic in code. And the worst part: this time it is not crypto-stealing malicious code, but a worm that replicates itself. More and more packages are infected.
The new malicious code, which has also infected known packages such as @ctrl/tinycolor and even libraries of the security company CrowdStrike, is extremely refined. It scans your systems for secrets such as API credentials, GitHub tokens, and access data for Google and Amazon Cloud. It then sends this loot to its attackers via a webhook.
According to the Socket report, the worm's bundle.js script, among other things, automatically loads TruffleHog after installation, an open-source tool developed by Truffle Security to scan for credentials.
The perfidious thing about it: it has a built-in replication mechanism. It independently searches for further packages maintained by the compromised developer, infects them with its own code and then uploads them to the npm registry under a false flag. This is why this malware is also referred to as a worm. A true chain reaction of malware!
The attackers, who may be the same as in the last major attack, gave their worm a curious name: 'Shai-Hulud', after the god-like sandworms from the science-fiction classic Dune.
On socket.dev you can find a list of 40+ affected versions.
Update at the start of the week: now there are over 500 affected packages! Yikes.
What should you do now?
The threat is serious, but you can protect yourself! When working with the Node Package Manager, be sure to follow these steps:
- Check the package lists: Immediately consult the lists of affected packages; companies such as StepSecurity and Aikido have also published further details on detection. Check whether you are using infected versions in your projects.
- Delete and reinstall: If you find an affected version, delete the package immediately and install a safe version. It is best to delete the whole node_modules folder and then reinstall with npm install.
- Change your access data: The worm steals your credentials! It is therefore essential to change all credentials, passwords and tokens associated with npm, GitHub and your cloud services (AWS, GCP, etc.) immediately.
- Take safety precautions: Make your development environment safer. Make sure you use package-lock.json and pin your package versions to avoid unwanted updates.
Even though the npm administrators have already removed many of the malicious versions, the risk remains high because the malware has spread like wildfire. Act now and protect your projects and data!
Article 2
Server hard drives sold out for months. Delivery time up to one year!
I read on heise.de on Tuesday that hard drives are running out again. Do you remember 2021, when the green Bitcoin alternative Chia triggered the last hard drive run? Yay, fun times ahead!
Server operators who currently want to order HDDs for their data centers have to prepare for a waiting period of up to one year. The reason for this is an unexpectedly high demand, driven by the hype about artificial intelligence.
Market observers warn of massive bottlenecks in server hard drives (HDDs) of the Nearline class. According to reports from Asia, inventories at the manufacturers are exhausted and delivery times of up to twelve months are being reported. The bottleneck is due to the many new data centres that hyperscalers are building for AI applications.
Prices are rising, supply chains are changing
In response to the shortage, manufacturers have already started to raise prices. An internal letter from Western Digital (WD) to its partners announces an immediate price increase for all hard drives. In addition, WD reorganizes the delivery routes: Instead of expensive air freight, the slower sea freight should now be used. This saves costs, but extends delivery times from Asia to Europe and the USA to up to ten weeks.
Manufacturers like WD were apparently not prepared for this rapid increase in demand and have not significantly expanded their production capacities in recent years.
SSDs as an expensive alternative
The long delivery times force server operators to consider SSDs for so-called cold storage, the storage of large amounts of data without frequent access. Although SSDs are significantly more expensive, they could be the only immediately available alternative. This has already led to price increases in the NAND flash market:
- Sandisk has already raised the prices for NAND flash chips by 10%.
- Micron has suspended its price quotes for a week in order to set price increases of up to 30%.
Impact on end customers
So far, end customers have been largely spared from the price increases. The shortage primarily affects high-capacity QLC components, which are mainly used in servers. However, if manufacturers increasingly switch their production to server hardware, this could also lead to a shortage and price increases in HDDs and SSDs for the end consumer in the long term.
Let me leave you this song without further comment:
Article 3
Dirk-Jan Mollema reports on a really big thing! Entra ID tenants worldwide accessible via global tokens.
Renowned security researcher and author Dirk-Jan Mollema has uncovered a monumental vulnerability in Microsoft's Entra ID (formerly Azure AD) that could potentially have allowed attackers to take over every Entra ID tenant worldwide.
The gap, described in detail in his blog post 'One Token to rule them all' published on 17 September 2025, could have had catastrophic consequences, as it could have been exploited without any preconditions and unnoticed. Microsoft fixed the vulnerability immediately after Mollema's report; it is tracked as CVE-2025-55241 | EUVD-2025-26828 and rated with the highest possible score of 10.0.
What happened?
The vulnerability consisted of two critical components:
- Undocumented actor tokens: These are special tokens that Microsoft uses internally for communication between its services. Mollema found that no security policies, such as conditional access, apply to these tokens.
- Error in the old Azure AD Graph API: The API, an older interface for managing Entra ID, did not validate the origin of the tokens correctly. This allowed an actor token issued in an attacker's own lab tenant to be used against every other tenant in the world.
In short: a single token was enough to authenticate as any user, including Global Admins, in a foreign Entra ID tenant and take full control of it.
The potential consequences
The scope of this vulnerability is hard to overestimate. Because the use of these tokens generated no audit logs in the target tenant, an attacker could have gone completely unnoticed in read mode.
With the stolen tokens, attackers could have accessed the following sensitive data:
- All user information, including personal details.
- Group and role affiliations.
- Settings and security policies (e.g. conditional access policies).
- Details of applications, service principals, and devices, including BitLocker keys.
An escalation to the Global Admin would have created the possibility to manipulate or exfiltrate any data in Microsoft 365. An attacker could have created new accounts with administrator privileges or changed the privileges of existing accounts. Access to Azure resources would also have been possible.
The shocking nature of the attack
Attacking a tenant would have been terrifyingly easy. The attacker would only have needed the public tenant ID and one valid 'netId' of a user in the target tenant. The 'netId' could be obtained in various ways:
- Through brute force, as the IDs are assigned incrementally.
- From old tokens found online that contain the 'netId' (also known as the 'puid' claim).
- Most efficient: through the exploitation of B2B trusts. Since guest accounts in foreign tenants store the user's 'netId' from the user's home tenant, an attacker could have moved from one tenant to the next and triggered a chain reaction compromising a huge number of Entra ID tenants. Mollema believes that the information needed to compromise most global tenants could have been collected within minutes.
Reaction and all-clear
Mollema immediately reported the vulnerability to the Microsoft Security Response Center (MSRC). Microsoft responded lightning fast and fixed the gap within a few days. In addition, further measures have been taken to prevent applications from requesting these insecure 'actor tokens' for the Azure AD Graph API. Fortunately, no indications were found in Microsoft's telemetry that the vulnerability was exploited before its discovery. For admins who still want to search for traces, Mollema has a specific KQL query to detect potential manipulation attempts with these tokens. He explains in the blog post:
When data is changed via the Azure AD Graph API with actor tokens, strange audit logs are created. Since the actor token contains both the application and the impersonated user, this confuses the system. The log then shows the UPN of the impersonated Global Admin, but the Exchange display name.
This curiosity is a stroke of luck for security experts, as it gives an indication of the use of actor tokens. Together with the researchers Fabian Bader and Olaf Hartong, he developed a KQL query that can detect such suspicious entries:
AuditLogs
| where not(OperationName has "group")
| where not(OperationName == "Set directory feature on tenant")
| where InitiatedBy has "user"
| where InitiatedBy.user.displayName has_any ("Office 365 Exchange Online", "Skype for Business Online", "Dataverse", "Office 365 SharePoint Online", "Microsoft Dynamics ERP")
Timeline according to his blog post:
July 14, 2025 – reported issue to MSRC.
July 14, 2025 – MSRC case opened.
July 15, 2025 – reported further details on the impact.
July 15, 2025 – MSRC requested to halt further testing of this vulnerability.
July 17, 2025 – Microsoft moved a fix for the issue globally into production.
July 23, 2025 – Issue confirmed as resolved by MSRC.
August 6, 2025 – Further mitigations rolled out, preventing Actor tokens from being issued for the Azure AD Graph with SP credentials.
September 4, 2025 – CVE-2025-55241 issued.
September 17, 2025 – Release of this blogpost.
Article 4
Google now integrates Gemini AI directly into Chrome
Now regardless of whether you use it or not, some of the features presented can be considered quite practical. Whether it is 'needed' is another matter.
Google itself says this: Today we present you the biggest Chrome upgrade of all time. We'll show you how we use the latest Google AI to improve your browsing experience. We're integrating multi-level Google AI into Chrome so Chrome can better anticipate your needs, help you understand more complex information, and make you more productive while surfing the web - all while keeping you safe.
Here are ten new ways AI helps us make Chrome smarter, safer, and more useful than ever:
Gemini in Chrome: Now available for desktop users in the US (Mac and Windows). It can summarize complex information on web pages and will soon be available on mobile devices as well.
Agent functions: In the coming months, Gemini in Chrome will be able to take on recurring tasks such as booking a hairdresser's visit or ordering groceries.
Summary of several tabs: Gemini can compare and summarize information from multiple open tabs to create travel plans, for example.
History search: Soon you can ask Gemini to find websites you've visited in the past without having to scroll through your history.
Integration with Google Apps: A deeper integration with apps like Google Calendar, YouTube and Maps allows you to schedule appointments or find details without leaving the current page.
AI mode in the address bar: A new option allows you to access Google's most powerful AI search mode right in the Chrome address bar.
Page-related questions: You can ask questions about the entire page and get an AI overview from Google Search right next to the page.
Improved fraud detection: Gemini Nano is used to protect even better against fraud attempts, such as fake virus warnings or sweepstakes.
Less annoying notifications: Chrome detects potentially unwanted notifications and asks less intrusively for permissions.
Password change with one click: Soon, you can change compromised passwords on supported websites with a single click.
Curse or blessing? Let's wait and see. The assistant that searches the browsing history sounds like at least one useful feature. I'll also take the improved security, although a password safe and/or security software, which are already installed anyway, help me with that. Does Clippy (Karl Klammer) still have to point his finger at it?
Article 5
Advertising on your refrigerator? Samsung makes it possible!
Some things sound so absurd that they could almost be satire. Unfortunately, this is bitterly serious. For now only for US customers of Samsung.
Imagine: you dug deep into your pocket to buy one of these fancy, connected Samsung refrigerators. Things that not uncommonly cost more than $1,800 and want to make your life easier with their big screen. And now Samsung comes around the corner with a 'great' innovation: advertising on the display!
That's right. According to a recent report by Aamir Siddiqui from Android Authority, Samsung has confirmed that it has launched a pilot program for its Family Hub refrigerators in the United States. What does that mean? Quite simply: if your expensive device is idle and the cover screen is active, the company will delight you with sponsored content. It is called 'promotions and curated advertising'.
So, instead of a simple weather display or a nice color, you now get the latest offer for frozen pizzas served. The whole thing is to be sold as ‘added value’ for customers, which is almost an insult. You pay a huge sum for a device and are then made into an advertising space. Sure, there are exceptions – art and photo gallery modes are likely to remain ad-free. And yes, the advertisements can allegedly be ‘wiped away’. But who wants to do it all the time?
We have reached a point where even our kitchen appliances become advertising columns. What's next? A toaster that yells at me in the morning the latest offers for bread?
This approach is not only cheeky, but also raises the question of whether you can still own something that is not constantly trying to sell us something. The only solution that seems to stop advertising is to disconnect the internet from the refrigerator. However, this means that you lose exactly the ‘smart’ functions for which you originally paid.
Thanks for nothing, Samsung. It feels like the 90s again, with the continuous advertising channels interrupted by short content, except that you now have a high-tech refrigerator that identifies as an advertising poster or advertising column.
Article 6
Nvidia's entry helps Intel share take off
New cooperation on the horizon: Intel designs systems-on-chips (SoCs) with x86 CPU cores and Nvidia's GeForce RTX graphics units.
Nvidia is joining Intel with a $5 billion investment, which represents a stake of more than four percent. The two companies are entering into a partnership in which they work together on processors. For Nvidia, with a market capitalization of 4 trillion US dollars (yes, that's not a translation error, that's 4000 billion!), this comes out of petty cash. In the future, Intel will develop system-on-chips (SoCs) for notebooks and desktop PCs that contain both x86 CPU cores and Nvidia's GeForce RTX graphics units, which communicate with each other via an NVLink connection.
In addition, Intel will manufacture custom x86 processors for Nvidia's data centers. This cooperation is seen as strengthening the x86 architecture against ARM. The news led to an Intel share price jump of 30 percent. The final implementation of the deal is still subject to approval by the US authorities. However, the US government itself has already entered Intel with more than double the number of shares (~10%) for little more capital ($8.9 billion), so I don't think that's going to be a problem.
Heise has even more information: some questions remain unanswered, such as what the share deal will look like. Similar to the US government's entry, Intel is issuing new shares, diluting the stock. Nvidia will pay $23.28 per share if the US authorities give the green light.
The Heise podcast 'Bit-Rauschen' also talks about it this week, and I like listening to it.
For data centers, Intel builds custom x86 processors according to Nvidia's specifications. Nvidia wants to integrate them into its own platforms, but also sell them individually to third-party companies. This step is less surprising than the end-customer processors: Nvidia already uses Xeon processors in its DGX systems, and Intel has been stressing for years that it wants to sell adapted CPUs to corporate customers.
Nvidia could use them in two ways: its own server boards consisting of CPU and GPU carry self-designed ARM processors, while at least some large servers come with Intel processors. Currently, the company is still using the aged 64-core Grace; next year the successor Vera will replace it.
I wonder whether that could have something to do with the fact that a few weeks ago someone explained to Donald what Nvidia is and how big they are, whereupon he has now arranged a deal to help out Intel after the Gen13 and Gen14 CPU debacle? Certainly had nothing to do with the import tariff threats. Oh, and instead of building a competitor, you might get the required expertise even more conveniently through a stake. And the monopoly pays for it. Win-win!
Let's see how that goes on. The last 2-3 years have been crap and 2025 hasn't been much better so far. Can't remember? Steve from GamersNexus will help you:
Article 7
German researchers develop AI that predicts diseases 20 years in advance
A team of German scientists has developed a revolutionary artificial intelligence in collaboration with the German Center for Diabetes Research (DZD).
The system, named Health Risk Radar, is said to be able to calculate a person's individual risk of certain diseases up to 20 years in advance.
The AI analyzes personal health data such as blood values, weight and lifestyle and compares them with a huge database of over 50,000 patients. The aim is to show healthy people at an early stage what risks they bear in order to enable preventive and personalised prevention.
The system can, among other things, predict the risk of type 2 diabetes, fatty liver, high blood pressure and cardiovascular disease. It not only shows the user the risk factors, but also simulates how simple lifestyle changes, such as more exercise or a healthier diet, would have a positive effect on personal risk. It is a "GPS for health", according to the researchers.
Currently, the project is still in the pilot phase and is not an officially approved medical device. An important focus is on privacy: as the AI processes a large amount of sensitive information, this data is anonymised.
The developers hope that the system will be used in medical screenings in the future to motivate people to actively take charge of their health and prevent diseases before they even arise.
Sources: Nature.com | Focus.de
Article 8
Bye-bye, AAA blockbuster: Why the Indies are now giving us the best games
The market is changing: The mega titles of the big publishers disappoint, while small teams inspire us with surprise hits.
Have you ever had that happen to you lately? The big gaming publishers blow out one blockbuster after another and yet you have the feeling that something is missing. Huge budgets, AAA(A) titles, and then often only a quick flop comes out. But what if the real treasures can be found elsewhere? This is exactly the trend in the gaming industry! I read a nice article about it on Golem.de.
Why indie games are the new heroes
In the past, indie titles were the small, pixelated niche for connoisseurs or lovers. Today? Indie games are the new mainstream! 2025 should have been the year of GTA 6, but instead smaller studios have totally thrilled us with their titles. For example there is Clair Obscur: Expedition 33, which surprisingly has sold over 3.5 million copies. The co-op game Peak became a real phenomenon with 10 million sales. And of course Hollow Knight: Silksong caused an incredible amount of hype before release.
Major publishers such as Ubisoft and Electronic Arts are increasingly focusing on a few mega titles with gigantic budgets – often without success. Just think of flops like Concord or Suicide Squad. At the same time, many smaller studios are being closed and thousands of developers fired. The problem? Quality doesn't necessarily have to do with budget.
Creativity instead of quarterly figures
The recipe for success of the indies is simple: they are independent. A team like Larian Studios, the creators of Baldur's Gate 3, has 500 people but still sees itself as indie. Their secret? They don't have to worry about quarterly profits or the wishes of shareholders. Larian CEO Swen Vincke recently commented on the issue. He now looks after 500 employees, sees himself as an indie studio developer and does not have the problem of keeping shareholders happy, especially at a time when the AAA publishers laid off hundreds of employees despite several record quarters. As he put it last year at the GDC in San Francisco:
“It's all about quarterly profits. The only thing that matters is the numbers. [...] That really gets on my nerves.”
This independence allows for creative freedom. Instead of squinting at the broad mass taste, indie developers often serve an enthusiastic niche audience. Who would have thought that a hardcore role-playing game like Baldur's Gate 3 would become a $15 million seller? Or that a one-man studio with a poker roguelike called Balatro would make millions of dollars?
Another big plus: the price. Many indie hits don't cost $5, while the big AAA games are getting more and more expensive. And thanks to crowdfunding and early access, the studios can now finance themselves without a huge publisher.
What the future brings
The big studios are jealous of the indie successes, because their data models simply can't predict the hits. It takes experimentation and instinct to inspire the players. And while AAA publishers are hoping for AI to make their games faster and cheaper, the creative spell is probably reserved for independent developers.
So you see: The gaming world is changing. The best experiences no longer come only from the big players, but more and more often from the small, courageous studios.
Have you recently discovered an indie game that has totally blown your mind? Were you at Gamescom in the IndieArena?
Article 9
The word for Sunday: ‘Come home to the Reich’, US-Edition aka Tech-Gruppe-Panik after Trump-EO
On T3N I found this gem: U.S. government demands $100,000 a year for work visas
Imagine working in the USofA, planning a trip abroad for your company and bam, there's a new rule that turns everything upside down! This is exactly what has just happened in the USA and is causing a lot of chaos among the big tech and financial corporations.
As of September 21, 2025, the U.S. government has massively increased the fees for the so-called H-1B work visas, by executive order directly from the 'boss': $100,000 per person per year. So far it was only a few thousand dollars. No wonder tech giants like Amazon, Microsoft and Meta have panicked. They immediately asked their employees who are currently abroad to return to the USA as soon as possible. Anyone who doesn't do this quickly will probably have to wait abroad for new instructions.
Why this drastic step? The U.S. government probably wants to get the companies to hire more U.S. specialists instead of getting people from India or China. This is, of course, a hard blow for companies that rely on these highly qualified professionals. For Amazon, for example, which received about 15,000 such visas in 2024 alone, the cost could rise to $1.5 billion per year. Pretty harsh, isn't it?
As a small consolation patch (or rather a very expensive counterpart) there is now also the new "Trump Gold Card" programme. If you pay a million dollars, you get a permanent residence permit. And for companies that shell out $2 million, there is the possibility to bring an employee into the country who can then stay permanently as a citizen. That makes the $100,000 almost a bargain... almost. Oh yes, a platinum card is still in the works, which should then cost 5 million dollars and allow you a 270-day work stay with US tax exemption, but without citizenship. Virtually the "Get out of (tax) prison free" card.
Fun times ahead! At least the U.S. tech world is likely to be decently upset this weekend.
Sun-Tsu, our ISO 27001 security officer, has another tip for you this week: 'The strength of the team lies in its unity.' Encourage collaboration and communication within your IT team. A divided or fragmented team is susceptible to errors and attacks.