Destructive malware available in NPM repo went unnoticed for 2 years

Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.

Eight packages using names that closely mimicked those of widely used legitimate packages contained destructive payloads designed to corrupt or delete important data and crash systems, Kush Pandya, a researcher at security firm Socket, reported Thursday. The packages have been available for download for more than two years and accrued roughly 6,200 downloads over that time.

A diversity of attack vectors

“What makes this campaign particularly concerning is the diversity of attack vectors—from subtle data corruption to aggressive system shutdowns and file deletion,” Pandya wrote. “The packages were designed to target different parts of the JavaScript ecosystem with varied tactics.”


© Getty Images

Mozilla is killing its Pocket and Fakespot services to focus on Firefox

When web services shut down and have time to put up a blog post about it, there's typically some real understatement in their explanation of "why." Bookmarking service Pocket's goodbye post truly delivers on this front, noting almost off-handedly that "the way people use the web has evolved." Yes, you might just say that.

Both Pocket and another browser add-on, Fakespot, are being shut down by Firefox maker Mozilla in early July. In a post about the closures, Mozilla cites the need to "invest our time and resources so we can make the biggest impact." Pocket's saving and curation powers will be implemented into Firefox, while Fakespot's analysis of online shopping reviews "didn't fit a model we could sustain."

Pocket started in 2007 as Read It Later, a way to bookmark web articles for later reading. It's not just the focus on published text articles that now seems quaint but also the idea that there was a finite amount of web material you would get back to and would have the time to do so. Those who do want that nice-sounding media experience can cobble it together in most modern browsers, which have built-in tools for managing bookmarks, distinct "reading lists," and even creating stripped-down "readable" versions of articles.


© Mozilla/Pocket

FAA: Airplanes should stay far away from SpaceX’s next Starship launch

The Federal Aviation Administration gave the green light Thursday for SpaceX to launch the next test flight of its Starship mega-rocket as soon as next week, following two consecutive failures earlier this year.

The failures set back SpaceX's Starship program by several months. The company aims to get the rocket's development back on track with the upcoming launch, Starship's ninth full-scale test flight since its debut in April 2023. Starship is central to SpaceX's long-held ambition to send humans to Mars and is the vehicle NASA has selected to land astronauts on the Moon under the umbrella of the government's Artemis program.

In a statement Thursday, the FAA said SpaceX is authorized to launch the next Starship test flight, known as Flight 9, after finding the company "meets all of the rigorous safety, environmental and other licensing requirements."


© SpaceX

New data confirms: There really is a planet squeezed in between two stars

While our Sun prefers to go solo, many other stars are parts of binary systems, with a pair of stars gravitationally bound to each other. In some cases, the stars are far enough apart that planets can form around each of them. But there are also plenty of tight binary systems, where the stars orbit each other at a radius that would place them both comfortably inside our Solar System. In these systems, exoplanets tend to be found at greater distances, in orbits that have them circling both stars.

On Wednesday, scientists described a system that seems to be neither of the above. It is a tight binary system, with a heavy central star that's orbited by a white dwarf at a distance two to three times larger than Earth's orbit. The lone planet confirmed to be in the system is squeezed in between the two, orbiting at a distance similar to Earth's distance from the Sun. And, as an added bonus, the planet is orbiting backward relative to the white dwarf.

Orbiting ν Octantis

The exosolar system is termed ν Octantis (or Nu Octantis), and its primary star is just a bit heavier than our Sun (1.6 solar masses). It's orbited by a far dimmer companion that's roughly half of our Sun's mass, but which hasn't been characterized in detail until now. The companion's orbit relative to the central star is a bit lopsided, ranging from about two astronomical units (AU, the typical Earth-Sun distance) at its closest approach to roughly three AU at its farthest. And, until yesterday, the exact nature of the companion star was not clear.


© NASA/Goddard Space Flight Center

AT&T has $6 billion deal to buy CenturyLink fiber broadband business

AT&T has struck a deal to buy CenturyLink's consumer fiber broadband division for $5.75 billion, giving the Internet provider another 1.1 million fiber customers in 11 states.

The all-cash deal is expected to close during the first half of 2026 assuming the companies obtain regulatory approval. AT&T will gain new customers in Arizona, Colorado, Florida, Idaho, Iowa, Minnesota, Nebraska, Nevada, Oregon, Utah, and Washington.

The deal will give AT&T room to grow its user base by more than the 1.1 million existing CenturyLink customers, as AT&T said the network areas being sold include over 4 million fiber-enabled locations. "The transaction will enable AT&T to significantly expand access to AT&T Fiber in major metro areas like Denver, Las Vegas, Minneapolis-St. Paul, Orlando, Phoenix, Portland, Salt Lake City and Seattle, as well as additional geographies," AT&T said.


© Getty Images | Robert Alexander

Did Google lie about building a deadly chatbot? Judge finds it plausible.

Ever since a mourning mother, Megan Garcia, filed a lawsuit alleging that Character.AI's dangerous chatbots caused her son's suicide, Google has maintained that—so it could dodge claims that it had contributed to the platform's design and was unjustly enriched—it had nothing to do with C.AI's development.

But Google lost its motion to dismiss the lawsuit on Wednesday after a US district judge, Anne Conway, found that Garcia had plausibly alleged that Google played a part in C.AI's design by providing a component part and "substantially" participating "in integrating its models" into C.AI. Garcia also plausibly alleged that Google aided and abetted C.AI in harming her son, 14-year-old Sewell Setzer III.

Google similarly failed to toss claims of unjust enrichment, as Conway suggested that Garcia plausibly alleged that Google benefited from access to Setzer's user data. The only win for Google was a dropped claim that C.AI makers were guilty of intentional infliction of emotional distress, with Conway agreeing that Garcia didn't meet the requirements, as she wasn't "present to witness the outrageous conduct directed at her child."


© via Center for Humane Technology

“How you design the beep is important.” Behind the movement for calmer gadgets

Do you miss the feel of tactile buttons on your kitchen appliances or lament car manufacturers' insistence on touchscreens? Have you ever found yourself clumsily fumbling with the door handles of a vehicle or distracted by the bright blue light beaming from your vacuum or Wi-Fi router?

If so, you're not alone. The way technology gadgets are designed largely relies on things like blue, often LED, lights, flat resistive or capacitive touch input, and software. Some, like Amber Case, founder of the Calm Tech Institute, believe that these design choices distract from devices' purpose and functionality and are calling for a new approach to product design.

"Calm Tech Institute is kind of a consumer advocacy body that's collecting stories and research from neuroscientists that says, look at how the mind wants texture, and look at how it wants physical buttons, and there's a part of your mind that needs [those]," Case told Ars Technica. "When we don't have it and we replace it with glass, we're not only losing something about human experience, but we're actually causing the mind stress."


© reMarkable

Gazelle Medeo T9 City e-bike review: A steady Dutch ride in lots of sizes

I initially felt bad for the Medeo T9 City e-bike that Gazelle sent me for review. Not through any fault of its own but because I had just recently ridden Gazelle's Eclipse C380+, an all-inclusive beast that retailed for roughly 2.5 times the price of the Medeo T9 City. Would the lower-priced bike, with different versions of some of the same hardware, suffer compared to its beefier brethren?

Short answer: not really. The Medeo T9 City isn't trying to dominate the road; it just wants to get you where you're going. It has the same kind of automatic electric assist level shifting, just packed into a smaller handlebar display instead of a center console. It has chain and gear cogs instead of the Eclipse's belt drive and stepless shifting, an external battery instead of an inline, and a 250-watt Bosch Active Line motor instead of a 350-watt Performance Line Speed.

I think the Medeo T9 City likely makes for a good first or second e-bike, or perhaps a nice upgrade if you're prioritizing comfort and transport. Given its hill-smoothing motor, wide range of sizes, stable ride feel, and the backing of known bike brands, you could do much worse than a Gazelle with a Bosch motor.


© Kevin Purdy

Report calls for regulation of “legally and ethically flawed” VMware

VMware's business model under Broadcom is "legally and ethically flawed," a group of cloud service provider (CSP) customers and partners alleged in a report released today.

The report (PDF) comes from the European Cloud Competition Observatory (ECCO), which describes itself as "independent monitoring body" composed of members of the Cloud Infrastructure Services Providers in Europe (CISPE) trade association, "with the support—acting as observers—of European customer organizations." ECCO says its goals include "highlighting ongoing or new unfair software licensing practices from any software vendors in the cloud sector," and it has previously written similar reports about Broadcom and Microsoft.

In its announcement of the report, ECCO said that CISPE members have met with Broadcom once about the changes it has made to VMware's business model, which is now built around subscriptions of bundled products, but didn't see any changes.


© Getty

Glass redux: Google aims to avoid past mistakes as it brings Gemini to your face

MOUNTAIN VIEW, Calif.—Get ready to see Android in a new-ish way. It's been 13 years since Google announced its Google Glass headset and 10 years since it stopped selling the device to consumers. There have been other attempts to make smart glasses work, but none of them have stuck. As simpler devices like the Meta Ray-Ban glasses have slowly built a following, Google is getting back into the smart glasses game. After announcing Android XR late last year, the first usable devices were on site at Google I/O. And you're not going to believe this, but the experience is heavily geared toward Gemini.

As Google is fond of pointing out, Android XR is its first new OS developed in the "Gemini era." The platform is designed to run on a range of glasses and headsets that make extensive use of Google's AI bot, but there were only two experiences on display at I/O: an AR headset from Samsung known as Project Moohan and the prototype smart glasses.

Moohan is a fully enclosed headset, but it defaults to using passthrough video when you put it on. If you've worn an Apple Vision Pro or a Meta Quest with newer software, you'll be vaguely familiar with how Moohan works. Indeed, the interactions are consistent and intuitive. You can grab, move, and select items with the headset's accurate hand tracking. With Android XR, you also get access to the apps and services you've come to know from Google. Outside of games and video experiences, content has been a problem on other headsets.


© Ryan Whitwam

New Claude 4 AI model refactored code for 7 hours straight

On Thursday, Anthropic released Claude Opus 4 and Claude Sonnet 4, marking the company's return to larger model releases after primarily focusing on mid-range Sonnet variants since June of last year. The new models represent what the company calls its most capable coding models yet, with Opus 4 designed for complex, long-running tasks that can operate autonomously for hours.

Alex Albert, Anthropic's head of Claude Relations, told Ars Technica that the company chose to revive the Opus line because of growing demand for agentic AI applications. "Across all the companies out there that are building things, there's a really large wave of these agentic applications springing up, and a very high demand and premium being placed on intelligence," Albert said. "I think Opus is going to fit that groove perfectly."

Before we go further, a brief refresher on Claude's three AI model "size" names (introduced in March 2024) is probably warranted. Haiku, Sonnet, and Opus offer a tradeoff between price (in the API), speed, and capability.


© Anthropic

Authorities carry out global takedown of infostealer used by cybercriminals

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.

Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with the disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.

Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.” Steven Masada, assistant general counsel at Microsoft’s DCU, says in a blog post that Lumma is a “go-to tool,” including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims.


Infrared contact lenses let you see in the dark

Tired of using bulky night vision goggles for your clandestine nocturnal activities? An interdisciplinary team of Chinese neuroscientists and materials scientists has developed near-infrared contact lenses that enabled both mice and humans to see in the dark, even with their eyes closed, according to a new paper published in the journal Cell.

Humans and other mammals can only perceive a limited range of the electromagnetic spectrum (light), usually in the 400–700 nm range. There are creatures that can see in infrared (snakes, mosquitoes, bullfrogs) or ultraviolet (bees, birds), and goldfish can perceive both. But humans must augment themselves with technology in order to expand our range of vision.

Night vision goggles and similar devices have been around since the 1930s, including infrared-visible converters, but these require external energy sources, and the converters have a multilayer structure that makes them opaque and hence challenging to integrate with a human eye. The authors previously were able to confer near-infrared vision to mice by injecting nanoparticles that bind to photoreceptors into their eyes—basically creating a near-infrared nanoantenna—but realized that most people would be averse to the prospect of sticking needles in their eyes. So they looked for a better alternative. Contact lenses seemed the obvious choice.


© Yuqian Ma, Yunuo Chen, Hang Zhao

Tesla crushed in Europe as BYD outsells; BEV sales surge 28%

The extent of Tesla's meteoric decline in popularity is on vivid display in the latest new car registration numbers coming out of Europe. New car sales were essentially flat in the region last month, with just under 1,400 more cars sold this year than last. But the market is far from static; plug-in sales are booming, with battery electric vehicle registrations up by 28 percent according to the analysts at JATO Dynamics, and plug-in hybrid EV sales increased by 31 percent. Almost every automaker has capitalized on this growth, with a few exceptions—Tesla being the most significant.

As the first mainstream BEV-only brand, Tesla led the way in European EV sales and made much of the fact that its Model Y crossover was the best-selling car in Europe for some time. Those days are long gone. Model Y registrations fell by 53 percent last month to just 4,495 units, dropping it to 9th on the list of most-registered BEVs. First place went to the Skoda Elroq, followed by VW's ID.3, ID.7, ID.4, and the new Kia EV3.

When you look at sales at the brand level, things get a little worse for the American automaker. Volkswagen sold more EVs than anyone else in Europe last month, increasing by 61 percent to 23,514 units. As for Tesla? It fell to 11th place, with just 7,165 sales in total, a 49 percent decrease year on year.


© Getty Images

What I learned from my first few months with a Bambu Lab A1 3D printer, part 1

For a couple of years now, I've been trying to find an excuse to buy a decent 3D printer.

Friends and fellow Ars staffers who had them would gush about them at every opportunity, talking about how useful they can be and how much can be printed once you get used to the idea of being able to create real, tangible objects with a little time and a few bucks' worth of plastic filament.

But I could never quite imagine myself using one consistently enough to buy one. Then, this past Christmas, my wife forced the issue by getting me a Bambu Lab A1 as a present.


© Andrew Cunningham

RFK Jr. calls WHO “moribund” amid US withdrawal; China pledges to give $500M

China is poised to be the next big donor to the World Health Organization after Trump abruptly withdrew the US from the United Nations health agency on his first day in office, leaving a critical funding gap and leadership void.

On Tuesday, Chinese Vice Premier Liu Guozhong said that China would give an additional $500 million to WHO over the course of five years. Liu made the announcement at the World Health Assembly (WHA) being held in Geneva. The WHA is the decision-making body of WHO, comprising delegations from member states that meet annually to guide the agency's health agenda.

"The world is now facing the impacts of unilateralism and power politics, bringing major challenges to global health security," Liu told the WHA, according to The Washington Post. "China strongly believes that only with solidarity and mutual assistance can we create a healthy world together."


© Getty | Xinhua News Agency

I helped a lost dog’s AirTag ping its owner: An ode to replaceable batteries

Out of all the books I read for my formal education, one bit, from one slim paperback, has lodged the deepest into my brain.

William Blundell's The Art and Craft of Feature Writing offers a "selective list of what readers like." It starts with a definitive No. 1: "Dogs, followed by other cute animals and well-behaved small children." People, Blundell writes, are your second-best option, providing they are doing or saying something interesting.

I have failed to provide Ars Technica readers with a dog story during nearly three years here. Today, I intend to fix that. This is a story about a dog, but also a rare optimistic take on a ubiquitous "smart" product, one that helped out a very good girl.


© Humane Rescue Alliance

Trump admin tells Supreme Court: DOGE needs to do its work in secret

The Department of Justice today asked the Supreme Court to block a ruling that requires DOGE to provide information about its government cost-cutting operations as part of court-ordered discovery.

President Trump's Justice Department sought an immediate halt to orders issued by US District Court for the District of Columbia. US Solicitor General John Sauer argued that the Department of Government Efficiency is exempt from the Freedom of Information Act (FOIA) as a presidential advisory body and not an official "agency."

The district court "ordered USDS [US Doge Service] to submit to sweeping, intrusive discovery just to determine if USDS is subject to FOIA in the first place," Sauer wrote. "That order turns FOIA on its head, effectively giving respondent a win on the merits of its FOIA suit under the guise of figuring out whether FOIA even applies. And that order clearly violates the separation of powers, subjecting a presidential advisory body to intrusive discovery and threatening the confidentiality and candor of its advice, putatively to address a legal question that never should have necessitated discovery in this case at all."


© Getty Images | Michael M. Santiago

“Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall

Signal Messenger is warning the users of its Windows Desktop version that the privacy of their messages is under threat by Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store almost everything a user does every three seconds.

Effective immediately, Signal for Windows will by default block the ability of Windows to screenshot the app. Signal users who want to disable the block—for instance to preserve a conversation for their records or make use of accessibility features for sight-impaired users—will have to change settings inside their desktop version to enable screenshots.

My kingdom for an API

“Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that’s displayed within privacy-preserving apps like Signal at risk,” Signal officials wrote Wednesday. “As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option.”


© Getty Images

Scientists figure out how the brain forms emotional connections

Whenever something bad happens to us, brain systems responsible for mediating emotions kick in to prevent it from happening again. When we get stung by a wasp, the association between pain and wasps is encoded in the region of the brain called the amygdala, which connects simple stimuli with basic emotions.

But the brain does more than simple associations; it also encodes lots of other stimuli that are less directly connected with the harmful event—things like the place where we got stung or the wasps’ nest in a nearby tree. These are combined into complex emotional models of potentially threatening circumstances.

Till now, we didn’t know exactly how these models are built. But we’re beginning to understand how it’s done.


© fotografixx
