execution

Winsage
April 25, 2026
Open-source developer "Hailey" has introduced the Windows 9x Subsystem for Linux (WSL9X), which allows users to run both Windows and Linux applications simultaneously on classic versions of Windows, including Windows 95, 98, and Me. WSL9X operates by running a modern Linux kernel (6.19) alongside the Windows 9x kernel, enabling features such as paging, memory protection, and pre-emptive scheduling. It is neither emulation nor virtualization and does not require hardware virtualization. WSL9X is available for download, but users must build it from the source provided by Hailey. It allows access to a genuine Linux terminal alongside classic Windows applications, enabling various tasks without compromising system stability.
AppWizard
April 25, 2026
Microsoft is retiring the term "Microsoft Gaming," which was introduced in 2022, and will revert to using the Xbox brand as the primary identifier for all gaming-related endeavors. A memo from Xbox CEO Asha Sharma and chief content officer Matt Booty, released on April 23, acknowledges that the company's presence in the PC gaming market is lacking. The memo outlines a strategy focused on "flexible pricing," being "open to all creators," and increasing "daily active players," but lacks specific commitments or timelines. It highlights Windows as a crucial battleground for gaming, noting that it now represents more players and hours, amidst competition from platforms like Steam. The memo also reflects on Microsoft's historical challenges in executing a competitive PC gaming ecosystem and coincides with an announcement of an early-retirement buyout program for employees as the company reallocates resources toward AI initiatives.
Tech Optimizer
April 24, 2026
Fileless malware operates stealthily within networks, utilizing legitimate system tools like PowerShell and Windows Management Instrumentation (WMI) to execute malicious code in memory without leaving traces on disk. Traditional antivirus solutions struggle to detect these threats due to their reliance on file signatures. The primary vector for fileless malware is email, where attackers use spoofed messages to trick users into activating malicious scripts. Misconfigurations in Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records create vulnerabilities that attackers exploit to deliver spoofed emails. Traditional endpoint protection mechanisms are inadequate against fileless attacks, necessitating a shift towards behavioral analysis for detection. Organizations must assess their preparedness by ensuring proper email authentication configurations and enhancing endpoint security capabilities. Integration among security teams and updated employee security awareness programs are also essential. Sendmarc helps organizations mitigate vulnerabilities by providing visibility into SPF, DKIM, and DMARC configurations and enforcing DMARC to block unauthenticated messages.
Tech Optimizer
April 21, 2026
Microsoft has stated that third-party antivirus software is not necessary for Windows 11, as its built-in antivirus solution, Windows Defender, is sufficient for most users. This assertion was made public on April 9, when Microsoft declared Windows 11 the most secure version of its operating system. Windows Defender is effective when users regularly install Security Intelligence Updates, apply monthly Patch Tuesday updates, and activate SmartScreen for filtering harmful downloads. While third-party antivirus solutions may be beneficial in certain scenarios, such as enterprise environments or for users seeking additional features, Microsoft advises relying on a single real-time antivirus solution, which is typically Windows Defender. Microsoft Defender is a comprehensive protection stack that includes real-time scanning, cloud-delivered protection, and automatic updates. Independent tests have shown that Microsoft Defender achieves high protection rates, comparable to leading paid antivirus solutions. The built-in Windows Security application includes features like SmartScreen, Smart App Control, and ransomware protection, providing extensive coverage without additional costs. The consensus is that most users will not need third-party antivirus software in 2026, as Windows Security offers robust protection against modern threats.
AppWizard
April 18, 2026
Y2K: The Game is a PC game that pays homage to the Millennium Bug, reflecting the concerns of the late 1990s regarding technology. The game features a character named Buster, whose slow pacing has drawn criticism. Its soundtrack includes eclectic melodies, adding to its quirky charm. Despite not fully realizing its premise, the game is considered an intriguing relic of its time.
Winsage
April 18, 2026
A series of updates has been released, focusing on system integrity and performance. Users should perform verification tasks, including installing, uninstalling, and repairing MSI packages, connecting and disconnecting cloud sync providers, and enrolling devices in Intune or MDM solutions. The Common Log File System driver (clfs.sys) is receiving a follow-up patch, along with updates to Storage Spaces (spaceport.sys) and app isolation file system drivers (bfs.sys, wcifs.sys). Users should also run Windows Update installation and rollback cycles, install and uninstall applications, and verify data integrity through backup solutions. For Storage Spaces, creating a pool with mirrored and thin virtual disks and ensuring clean deletion is necessary. April's updates for Office target MSI editions, including Excel 2016 (KB5002860), PowerPoint 2016 (KB5002808), Office 2016 shared libraries (KB5002859), and SharePoint Server editions from 2016 to 2019. These updates do not apply to Click-to-Run deployments like Microsoft 365 Apps. Users should validate complex Excel workbooks, PowerPoint presentations, SharePoint document libraries, and the functionality of Office add-ins. Testing for two High Risk components is essential: changes to Kerberos may disrupt services using RC4 keytabs, and the Remote Desktop client update requires validation of clipboard functionality, printer redirection, and session reconnection. Validating Secure Boot and BitLocker is critical as CVE-2023-24932 key rolling progresses. Additionally, cloud sync testing is important due to five patches to the Projected File System driver, and regression testing is needed for dual afd.sys updates and VPN/IPsec patches across remote-access infrastructure. Office updates are limited to MSI editions.
Winsage
April 18, 2026
A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify whether the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:\Windows\System32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process. Currently, no patch has been released and no CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.