root Archives

Winsage

April 9, 2026

BlueHammer: Windows zero-day exploit leaked

A proof-of-concept (PoC) exploit called BlueHammer has been released on GitHub, targeting an unpatched local privilege escalation vulnerability in Windows. The exploit, attributed to users Chaotic Eclipse and Nightmare Eclipse, has been modified by security researchers to work on updated versions of Windows 10, 11, and Windows Server. The exploit manipulates Microsoft Defender to create a Volume Shadow Copy, allowing access to sensitive registry files and enabling the extraction of NTLM password hashes. This facilitates the alteration of a local Administrator's password and subsequent login. The exploit can duplicate the Administrator's security token and create a malicious Windows Service that runs with SYSTEM privileges. While there are no reports of BlueHammer being exploited by malicious actors, researchers warn that such PoC code can be weaponized quickly. Microsoft has committed to investigating reported security issues related to this vulnerability.

Winsage

April 8, 2026

Microsoft rolls out fix for broken Windows Start Menu search

Microsoft has implemented a server-side remedy for an issue affecting the Windows Start Menu search functionality on select Windows 11 23H2 devices, which began impacting users on April 6. The problem was linked to a server-side Bing update aimed at improving search performance. Microsoft has rolled back the problematic Bing update and expects search issues to decrease as the fix is deployed. Users have reported blank search results in the Start Menu, but options remain clickable. Microsoft confirmed that the issue will resolve automatically with the rollout of the fix, provided devices are connected to the internet and Web Search is enabled. Additionally, there have been previous Start Menu-related issues, including crashes and error messages, with Microsoft working on permanent solutions for these problems.

Winsage

April 8, 2026

Linux gamers didn’t do anything wrong, but they might pay for Windows piracy anyway

Gaming on Linux has advanced significantly due to Valve's Proton compatibility layer and the Steam Deck, allowing most single-player PC games to run on the platform. Data from ProtonDB indicates that nearly every Windows game is now playable on Linux. However, hypervisor-based DRM bypass techniques have emerged, weakening Denuvo's anti-tamper protections and reviving day-zero piracy. Hypervisors operate beneath the operating system, allowing pirates to manipulate Denuvo's validation checks, drastically reducing the time to crack games. This resurgence of piracy poses security risks, as users must disable kernel-level security features, exposing their systems to vulnerabilities. Irdeto, the company behind Denuvo, recognizes the need for updated security measures, but these could complicate the gaming experience for Linux users. Linux's open-source nature complicates enforcing kernel integrity, making effective anti-cheat and DRM systems challenging. Despite these issues, Linux gaming has seen considerable growth, but the threat of hypervisor-based piracy could jeopardize this progress and lead to tighter DRM measures that may reduce Linux compatibility.

AppWizard

April 7, 2026

Researchers find 50 ‘dangerous’ Android apps that are secretly hijacking phones: Who is at risk

Recent findings from McAfee have revealed a malware campaign named Operation NoVoice that has infiltrated over 50 applications on the Google Play Store, which collectively received over 2.3 million downloads before being removed. The malware uses a rootkit attack strategy to gain administrator-level control of Android devices while remaining undetected. Affected apps appeared benign, performing tasks like cleaning files or managing photos, but were secretly communicating with a remote server to send device information. This allowed attackers to deploy custom exploit code, achieving root-level access and posing significant security risks. The malware persists even after factory resets, potentially requiring firmware reinstallation for complete removal. Users with older or unpatched Android versions are at greater risk, as well as anyone who downloaded the compromised apps.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

AppWizard

April 6, 2026

Dangerous “NoVoice” malware found in over 50 Play Store apps that were installed 2.3 million times

A new malware threat called "NoVoice" has been found in over 50 applications on the Google Play Store, with 2.3 million installations on Android devices. Discovered by McAfee, this malware is hidden in seemingly harmless apps like system cleaners, games, and image galleries. It exploits Android vulnerabilities to gain root access, potentially allowing attackers to steal sensitive information and manipulate applications without user consent. In some cases, it may persist even after a factory reset. Google has stated that Android devices updated since May 2021 are protected against this threat and that Google Play Protect actively removes malicious apps and blocks new installations. The malware was not able to infect devices in Beijing and Shenzhen, suggesting the attackers may be avoiding local law enforcement. One identified app carrying the NoVoice payload is SwiftClean, developed by Biodun Popoola. The malware operates using a silent audio file, executing its code without user detection. Users are advised to download apps only from the Google Play Store and keep their devices updated.

Tech Optimizer

April 5, 2026

Linux 7.0 Cuts PostgreSQL Performance in Half

An AWS engineer reported a significant drop in PostgreSQL throughput on Linux 7.0, with performance reduced to approximately half of its previous capability. Benchmark tests showed that the removal of the PREEMPT_NONE scheduling option was the main cause of this regression. On a 96-vCPU Graviton4 instance, throughput measured at just 0.51x compared to earlier kernel versions. Salvatore Dipietro from Amazon/AWS conducted benchmarking analysis of PostgreSQL 17, revealing that Linux 7.0 delivered only 0.51x the throughput of its predecessors. The root cause was traced to kernel commit 7dadeaa6e851, which eliminated PREEMPT_NONE as the default option, leading to increased contention due to the new PREEMPT_LAZY model. Profiling data indicated that 55% of CPU time is consumed by spinning in PostgreSQL’s spinlock, causing significant performance degradation. When a revert patch was applied, throughput rebounded to 1.94x the baseline. The decision to restrict preemption modes in Linux 7.0 aimed to address issues within the kernel's scheduling model. Dipietro proposed a patch to restore PREEMPT_NONE, but kernel developers suggested PostgreSQL adopt the rseq time slice extension instead. Database operators running PostgreSQL on Linux face potential performance reductions with the upgrade to Linux 7.0.

Winsage

April 5, 2026

Scheduler function Windows breaks video recording on Radeon chips

Many users of graphics accelerators from a well-known company are experiencing technical issues, particularly when recording video content using OBS Studio. A YouTube channel creator analyzed this problem and identified hardware scheduling, a feature introduced by Microsoft in Windows, as the cause of frequent crashes and performance issues. This feature was meant to improve hardware performance by managing memory more efficiently for video cards, but it has led to conflicts when running demanding games and applications while capturing screens. The blogger recommends that Radeon graphics card owners disable hardware scheduling, as it only provides a minimal performance boost of about two percent in gaming, which does not outweigh the recording and streaming problems it causes.

Winsage

April 5, 2026

Scheduler function Windows breaks video recording on Radeon chips

Owners of Radeon graphics cards are experiencing technical challenges, particularly crashes and instability when using OBS Studio for video recording. The issues stem from the hardware scheduling feature in Windows, which was intended to improve performance by reducing CPU load but has instead caused conflicts during resource-intensive tasks. The creator of the YouTube channel OCExtreme recommends disabling this feature, as it only offers a minimal performance boost of about two percent, which is not worth the significant problems it causes during content recording and broadcasting.

Tech Optimizer

April 4, 2026

AWS Engineer Reports PostgreSQL Performance Halved By Linux 7.0, But A Fix May Not Be Easy

An engineer from Amazon/AWS reported a significant performance regression in PostgreSQL when running on the nearly finalized Linux 7.0 kernel, with throughput dropping to about half of previous kernel versions. The regression, observed on a Graviton4 server, is attributed to increased time spent in a user-space spinlock due to changes in preemption modes in Linux 7.0. A patch to revert to PREEMPT_NONE as the default preemption model has been submitted but may not be adopted. Peter Zijlstra suggested that PostgreSQL should adapt to utilize the Restartable Sequences (RSEQ) time slice extension to mitigate the performance drop. If this adaptation is accepted, the responsibility for the performance decline may shift to PostgreSQL, potentially affecting users until the database is updated. The stable release of Linux 7.0 is expected in about two weeks, coinciding with the launch of Ubuntu 26.04 LTS.