Security

Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages (thehackernews.com) 7

"We have removed all malicious artifacts from the affected registries and channels," Trivy maintainer Itay Shakury posted today, noting that all the latest Trivy releases "now point to a safe version." But "On March 19, we observed that a threat actor used a compromised credential..."

And today The Hacker News reported the same attackers are now "suspected to be conducting follow-on attacks that have led to the compromise of a large number of npm packages..." (The attackers apparently leveraged a postinstall hook "to execute a loader, which then drops a Python backdoor that's responsible for contacting the ICP canister dead drop to retrieve a URL pointing to the next-stage payload.") The development marks the first publicly documented abuse of an ICP canister for the explicit purpose of fetching the command-and-control (C2) server, Aikido Security researcher Charlie Eriksen said... Persistence is established by means of a systemd user service, which is configured to automatically start the Python backdoor after a 5-second delay if it gets terminated for some reason by using the "Restart=always" directive. The systemd service masquerades as PostgreSQL tooling ("pgmon") in an attempt to fly under the radar...

In tandem, the packages come with a "deploy.js" file that the attacker runs manually to spread the malicious payload to every package a stolen npm token provides access to in a programmatic fashion. The worm, assessed to be vibe-coded using an AI tool, makes no attempt to conceal its functionality. "This isn't triggered by npm install," Aikido said. "It's a standalone tool the attacker runs with stolen tokens to maximize blast radius."

To make matters worse, a subsequent iteration of CanisterWorm detected in "@teale.io/eslint-config" versions 1.8.11 and 1.8.12 has been found to self-propagate on its own without the need for manual intervention... [Aikido Security researcher Charlie Eriksen said] "Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector. Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats."

So far affected packages include 28 in the @EmilGroup scope and 16 packages in the @opengov scope, according to the article, blaming the attack on "a cloud-focused cybercriminal operation known as TeamPCP."

Ars Technica explains that Trivy had "inadvertently hardcoded authentication secrets in pipelines for developing and deploying software updates," leading to a situation where attacks "compromised virtually all versions" of the widely used Trivy vulnerability scanner: Trivy maintainer Itay Shakury confirmed the compromise on Friday, following rumors and a thread, since deleted by the attackers, discussing the incident. The attack began in the early hours of Thursday. When it was done, the threat actor had used stolen credentials to force-push all but one of the trivy-action tags and seven setup-trivy tags to use malicious dependencies... "If you suspect you were running a compromised version, treat all pipeline secrets as compromised and rotate immediately," Shakury wrote.

Security firms Socket and Wiz said that the malware, triggered in 75 compromised trivy-action tags, causes custom malware to thoroughly scour development pipelines, including developer machines, for GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, and whatever other secrets may live there. Once found, the malware encrypts the data and sends it to an attacker-controlled server. The end result, Socket said, is that any CI/CD pipeline using software that references compromised version tags executes code as soon as the Trivy scan is run... "In our initial analysis the malicious code exfiltrates secrets with a primary and backup mechanism. If it detects it is on a developer machine it additionally writes a base64 encoded python dropper for persistence...."

Although the mass compromise began Thursday, it stems from a separate compromise last month of the Aqua Trivy VS Code extension for the Trivy scanner, Shakury said. In the incident, the attackers compromised a credential with write access to the Trivy GitHub account. Shakury said maintainers rotated tokens and other secrets in response, but the process wasn't fully "atomic," meaning it didn't thoroughly remove credential artifacts such as API keys, certificates, and passwords to ensure they couldn't be used maliciously.

"This [failure] allowed the threat actor to perform authenticated operations, including force-updating tags, without needing to exploit GitHub itself," Socket researchers wrote.

Pushing to a branch or creating a new release would've appeared in the commit history and triggered notifications, Socket pointed out, so "Instead, the attacker force-pushed 75 existing version tags to point to new malicious commits." (Trivy's maintainer says "we've also enabled immutable releases since the last breach.")
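The tag force-push above works because a tag is a mutable pointer, while a full commit SHA is not. The following audit script is an added example (not code from Trivy, Socket or Wiz) that flags `uses:` references in GitHub Actions workflow files that are pinned to a tag or branch instead of a 40-hex commit SHA; the sample workflow and its all-zero SHA are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example: a force-pushed tag (as in the trivy-action incident) silently
changes what a workflow runs; a 40-hex commit SHA cannot be re-pointed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Matches `uses: owner/repo@ref` or `uses: owner/repo/subdir@ref` (optionally
# quoted, optionally as a list item). Local `./...` and `docker://` references
# carry no Git ref and therefore do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    action: str
    ref: str

    @property
    def pinned(self) -> bool:
        """True only when the ref is a full commit SHA."""
        return bool(SHA_RE.match(self.ref))


def audit_workflow_text(text: str, name: str = "<inline>") -> list[Finding]:
    """Return every third-party action reference found in a workflow file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(name, lineno, m["action"], m["ref"]))
    return findings


def unpinned_uses(text: str, name: str = "<inline>") -> list[Finding]:
    """Only the references that a tag or branch force-push could redirect."""
    return [f for f in audit_workflow_text(text, name) if not f.pinned]


def audit_directory(root: Path) -> list[Finding]:
    """Audit every workflow under <root>/.github/workflows."""
    out: list[Finding] = []
    for path in sorted(root.glob(".github/workflows/*.y*ml")):
        out.extend(unpinned_uses(path.read_text(encoding="utf-8"), str(path)))
    return out


# Constructed sample workflow; the all-zero SHA is a placeholder, not a commit.
SAMPLE_WORKFLOW = """\
# constructed sample
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: aquasecurity/trivy-action@master
      - name: local composite action
        uses: ./.github/actions/report
"""

if __name__ == "__main__":
    for f in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"{f.file}:{f.line}: {f.action}@{f.ref} is not pinned to a commit SHA")
```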

Ars Technica notes Trivy's vulnerability scanner has 33,200 stars on GitHub, so "the potential fallout could be severe."

Medicine

FDA Approves Drug To Treat Pain Without Opioid Effects (apnews.com) 82

Bruce66423 shares a report from the Associated Press: Federal officials on Thursday approved a new type of pain pill designed to eliminate the risks of addiction and overdose associated with opioid medications such as Vicodin and OxyContin. "It's the first new pharmaceutical approach to treating pain in more than 20 years, offering an alternative to opioids and over-the-counter medications such as ibuprofen and acetaminophen. But the medication's modest effectiveness and lengthy development process underscore the challenges of finding new ways to manage pain.

Studies in more than 870 patients with acute pain due to foot and abdominal surgeries showed Vertex's drug provided more relief than a dummy pill but didn't outperform a common opioid-acetaminophen combination pill. "It's not a slam dunk on effectiveness," said Michael Schuh of the Mayo Clinic, a pharmacist and pain medicine expert who was not involved in the research. "But it is a slam dunk in that it's a very different pathway and mechanism of action. So, I think that shows a lot of promise." The new drug will carry a list price of $15.50 per pill, making it many times more expensive than comparable opioids, which are often available as generics for $1 or less. [...]

Opioids reduce pain by binding to receptors in the brain that receive nerve signals from different parts of the body. Those chemical interactions also give rise to opioids' addictive effects. Vertex's drug works differently, blocking proteins that trigger pain signals that are later sent to the brain. "In trying to develop medicines that don't have the addictive risks of opioid medicines, a key factor is working to block pain signaling before it gets to the brain," Vertex's Dr. David Altshuler told The Associated Press last year. Commonly reported side effects with the drug were nausea, constipation, itching, rash and headache.

United States

US Files Complaint Against Fintech App Dave And Its CEO (reuters.com) 10

The U.S. Justice Department has filed a complaint and announced a civil enforcement action against financial technology company Dave and its CEO Jason Wilk for alleged violations of federal law. From a report: The Justice Department and the Federal Trade Commission alleged the company lured users to its personal finance app by advertising cash advances of up to $500 that many never receive.

The complaint, filed by the Justice Department, seeks unspecified amounts of consumer redress and monetary civil penalties from the defendants and a permanent injunction to prohibit them from engaging in future violations, the Justice Department said. The government alleges that Dave misled consumers by deceptively advertising its cash advances, charging hidden fees, misrepresenting how Dave uses customers' tips and charging recurring monthly fees without providing a simple mechanism to cancel them.

Programming

'GitHub Actions' Artifacts Leak Tokens, Expose Cloud Services and Repositories (securityweek.com) 19

Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that "may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns." [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available... The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. "It's important to note that these tokens weren't part of the repository code but were only found in repository-produced artifacts," Palo Alto Networks' Yaron Avital explains...

"The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository." Super-Linter has been updated and no longer prints environment variables to log files.

Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes.

Avital's blog post notes other variations on the attack — and "The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory." (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) "All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag."

"This research was reported to GitHub's bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts." My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment...

As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub's deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project's security posture.
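The PoC described above scans the directory before upload and blocks the upload when it finds secrets. The script below is an added example of that gate (not Avital's action and not the @actions/artifact package): it applies the documented GitHub token prefixes, an AWS access-key-id shape and an environment-dump rule, the last of which catches the "VARIABLE=value" log lines that a linter echoes into a build log. The sample log and its token values are constructed.

```python
"""Pre-upload secret check for an artifact directory (added example).

Run this against the directory you are about to hand to upload-artifact;
upload_allowed() returns False when the directory contains anything that
looks like a credential, so the workflow step can fail instead of publishing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

RULES = {
    # GitHub tokens: ghp_ (classic PAT), gho_, ghu_, ghs_ (Actions token), ghr_,
    # each followed by 36 alphanumerics.
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github-fine-grained-pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Environment dumps: an upper-case variable whose name suggests a secret,
    # printed as NAME=value (the Super-Linter leak shape described above).
    "env-dump": re.compile(
        r"^[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY)[A-Z0-9_]*=\S+", re.M
    ),
}

MAX_BYTES = 5 * 1024 * 1024  # assumption: skip very large files


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # first 8 characters of the match only; never the full value


def scan_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Apply every rule to one file's text, reporting line numbers."""
    findings: list[Finding] = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, rule, m.group(0)[:8] + "..."))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule))


def scan_directory(root: Path) -> list[Finding]:
    """Scan every UTF-8 text file below root (binary files are skipped here)."""
    out: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.stat().st_size > MAX_BYTES:
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="strict")
        except UnicodeDecodeError:
            continue
        out.extend(scan_text(text, str(p.relative_to(root))))
    return out


def upload_allowed(root: Path) -> tuple[bool, list[Finding]]:
    """Gate for the upload step: (False, findings) means block the upload."""
    findings = scan_directory(root)
    return (not findings, findings)


# Constructed sample log in the style of a linter that echoed its environment.
# The values have the right shape but are made up, not real credentials.
SAMPLE_LOG = (
    "Linting repository...\n"
    "GITHUB_TOKEN=" + "ghs_" + "a" * 36 + "\n"
    "AWS_ACCESS_KEY_ID=" + "AKIA" + "A" * 16 + "\n"
    "HOME=/home/runner\n"
    "Found 0 problems\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "super-linter.log"):
        print(f"{f.path}:{f.line}: {f.rule} ({f.redacted})")
```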

The blog post also notes protection and mitigation features from Palo Alto Networks...

Python

Python 'Language Summit' 2024: Security Workflows, Calendar Versioning, Transforms and Lightning Talks (blogspot.com) 19

Friday the Python Software Foundation published several blog posts about this year's "Python Language Summit" May 15th (before PyCon US), which featured talks and discussions by core developers, triagers, and Python implementation maintainers.

There were several lightning talks. One talk came from the maintainer of the PyO3 project, offering Rust bindings for the Python C API (which requires mapping Rust concepts to Python — leaving a question as to how to map Rust's error-handling panic! macro). There was a talk on formalizing the PEP prototype process, and a talk on whether the Python team should have a more official presence in the Apple App Store (and maybe the Google Play Store). One talk suggested changing the formatting of error messages for assert statements, and one covered a "highly experimental" project to support structured data sharing between Python subinterpreters. One talk covered Python's "unsupported build" warning and how it should behave on platforms beyond Python's officially supported list.

Python Foundation blog posts also covered some of the longer talks, including one on the idea of using type annotations as a mechanism for transformers. One talk covered the new interactive REPL interpreter coming to Python 3.13.

And one talk focused on Python's security model after the xz-utils backdoor: Pablo Galindo Salgado, Steering Council member and the release manager for Python 3.10 and 3.11, brought this topic to the Language Summit to discuss what could be done to improve Python's security model... Pablo noted the similarities shared between CPython and xz-utils, referencing the previous Language Summit's talk on core developer burnout, the number of modules in the standard library that have one or zero maintainers, the high ratio of maintainers to source code, and the use of autotools for configuration. Autotools was used by [xz's] Jia Tan as part of the backdoor, specifically to obscure the changes to tainted release artifacts. Pablo confirmed along with many nods of agreement that indeed, CPython could be vulnerable to a contributor or core developer getting secretly malicious changes merged into the project.

For multiple reasons like being able to fix bugs and single-maintainer modules, CPython doesn't require reviewers on the pull requests of core developers. This can lead to "unilateral action", meaning that a change is introduced into CPython without the review of someone besides the author. Other situations like release managers backporting fixes to other branches without review are common.

Much discussion ensued about the possibility of altering workflows (including pull request reviews), identity verification, and the importance of post-incident action plans. Guido van Rossum suggested a "higher bar" for granting write access, but in the end "Overall it was clear there is more discussion and work to be done in this rapidly changing area."

In another talk, Hugo van Kemenade, the newly announced Release Manager for Python 3.14 and 3.15, "started the Language Summit with a proposal to change Python's versioning scheme. The perception of Python using semantic versioning is a source of confusion for users who don't expect backwards incompatible changes when upgrading to new versions of Python. In reality almost all new feature releases of Python include backwards incompatible changes such as the removal of "dead batteries" where PEP 594 marked 19 modules for removal in Python 3.13. Calendar Versioning (CalVer) encompasses a wide array of different versioning schemes that have one property in common: using the release date as part of a release's version... Hugo offered multiple proposed versioning schemes, including:

- Using the release year as minor version (3.YY.micro, "3.26.0")
- Using the release year as major version (YY.0.micro, "26.0.0")
- Using the release year and month as major and minor version (YY.MM.micro, "26.10.0")

[...] Overall the proposal to use the current year as the minor version was well-received; Hugo mentioned that he'd be drafting up a PEP for this change.

EU

EU Opens Probe of TikTok Lite, Citing Concerns About Addictive Design (techcrunch.com) 25

The European Union has opened a second formal investigation into TikTok under its Digital Services Act (DSA), an online governance and content moderation framework. The investigation centers around TikTok Lite's "Task and Reward" feature that may harm mental health, especially among minors, by promoting addictive behavior. TechCrunch reports: The Commission also said it's minded to impose interim measures that could force the company to suspend access to the TikTok Lite app in the EU while it investigates concerns the app poses mental health risks to users. The EU has given TikTok until April 24 to argue against the measure, meaning the app remains accessible for now. Penalties for confirmed violations of the DSA can reach up to 6% of global annual turnover. So ByteDance, TikTok's parent, could face hefty fines if EU enforcers do end up deciding it has broken the law.

The EU's first TikTok probe covers multiple issues including the protection of minors, advertising transparency, data access for researchers, and the risk management of addictive design and harmful content. Hence it said the latest investigation will specifically focus on TikTok Lite, a version of the video sharing platform which launched earlier this month in France and Spain and includes a mechanism that allows users to earn points for doing things like watching or liking videos. Points earned through TikTok Lite can be exchanged for things like Amazon gift vouchers or TikTok's own digital currency for gifting to creators. The Commission is worried this so-called "task and reward" feature could negatively impact the mental health of young users by "stimulating addictive behavior."

The EU wrote that the second probe will focus on TikTok's compliance with the DSA obligation to conduct and submit a risk assessment report prior to the launch of the "Task and Reward Lite" program, with a particular focus on negative effects on mental health, including minors' mental health. It also said it will look into measures taken by TikTok to mitigate those risks. In a press release announcing the action, the EU said ByteDance failed to produce a risk assessment about the feature which it had asked to see last week -- when it gave the company 24 hours to produce the document. Since it failed to submit the risk assessment paperwork on April 18, the Commission wrote that it suspects a "prima facie infringement of the DSA."

Cellphones

Major Mobile NFT Shooter Game 'MadWorld' Uses Linux Foundation Subsidiary's Game Engine (linuxfoundation.org) 29

A Linux Foundation subsidiary has developed a free and open-source 3D game engine distributed under the Apache license. And last week the Open 3D Foundation announced "a big step forward, showcasing the power of open-source technologies in giving gamers around the globe unforgettable gaming experiences."

"We are proud to unveil MadWorld as the first mobile title powered by O3DE," said Joe Bryant, Executive Director of the Open 3D Foundation, "demonstrating the large potential of open-source technologies in game development."

And then this week Los Angeles Business Journal reported that El Segundo-based gaming studio Carbonated Inc. "has raised $11 million of series A funding to finance the development and release of its debut game title... Prior to its most recent round, Carbonated closed an $8.5 million seed funding round in 2020, which also included participation from Andreessen and Bitkraft." Since its founding [in 2015], the company has been focusing on research and development for its upcoming first title, called "MadWorld." The third-person, multiplayer shooter game is set in a post-apocalyptic world and features both player-versus-player and player-versus-environment features. Players of the game will battle for land control in a dystopian setting. Using a combination of open-source mapping tools and Carbonated's proprietary custom operations technology, called Carbyne, the game's world is designed around real-life cities and locations. Players are initially dropped into the game's version of their own real-time location.

The game allows players to optionally engage using blockchain technology with a digital asset-ownership layer powered by a blockchain network called XPLA.

Earlier this month Madworld "opened up for Early Access registration," reports the egamers web site, arguing that the game "is set to redefine the gaming landscape and will make its public debut later this year." After a catastrophic event named "The Collapse," MadWorld takes place in a desolate Earth where players engage in a battle for survival, highlighting the game's unique setting and immersive experience. The game's world is intricately designed with 250,000 land plots mapped out on a hexagonal grid, each presenting unique resources and strategic benefits. This innovative approach to game design enhances the gameplay experience and introduces a new layer of strategy and competition.

MadWorld's gameplay is centered around integrating Web3 technologies, which allows for the ownership, enhancement, and trading of tokenized representations of real-world locations. This feature encourages players to create clans and work together or compete for essential resources that are spread across the vast game world. Clans can acquire these resources by paying tributes to NFT landowners using "Rounds," the in-game currency. This mechanism not only fosters a sense of community and teamwork but also creates unique economic opportunities within the game by blending traditional gaming elements with the emerging field of digital assets.

"With its use of O3DE, Carbonated can enhance the game's visual fidelity, performance, and scalability," according to the Linux Foundation's announcement, "in order to deliver a fast-paced adventure on mobile platforms." O3DE is an open-source game engine developed by a collaborative community of industry experts. It includes state-of-the-art rendering capabilities, dynamic lighting, and realistic physics simulation. These features have enabled Carbonated to build realistic dystopian environments and create action-packed gameplay in MadWorld.

According to its official site, MadWorld "is set to be released to the public sometime in 2024 and is currently being tested on iOS and Android operating systems."

Carbonated's CEO Travis Boatman made this prediction to the site Decrypt. "We think mobile is where the breakout will happen for Web3."

DRM

Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them (404media.co) 221

Hackers unbricked a train in Poland that had been deliberately disabled by its manufacturer. Now the manufacturer is threatening legal action against the hackers despite evidence it sabotaged the trains. From a report: The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been "hacked," and thus might now be unsafe, a claim they also cannot substantiate.

The situation is a heavy machinery example of something that happens across most categories of electronics, from phones, laptops, health devices, and wearables to tractors and, apparently, trains. In this case, NEWAG, the manufacturer of the Impuls family of trains, put code in the train's control systems that prevented them from running if a GPS tracker detected that it spent a certain number of days in an independent repair company's maintenance center, and also prevented it from running if certain components had been replaced without a manufacturer-approved serial number.

This anti-repair mechanism is called "parts pairing," and is a common frustration for farmers who want to repair their John Deere tractors without authorization from the company. It's also used by Apple to prevent independent repair of iPhones.

The Internet

European Telecom Groups Ask Brussels To Make Big Tech Pay More For Networks (ft.com) 60

Europe's biggest telecoms companies have called on the EU to compel Big Tech to pay a "fair" contribution for using their networks, the latest stage in a battle for payments that has pitched the sector against companies such as Netflix and Google. From a report: Technology companies that "benefit most" from telecoms infrastructure and drive traffic growth should contribute more to costs, according to the chief executives of 20 groups including BT, Deutsche Telekom and Telefonica, who signed an open letter seen by the Financial Times. It will be sent to the European Commission and members of the European parliament. "Future investments are under serious pressure and regulatory action is needed to secure them," they warned. "A fair and proportionate contribution from the largest traffic generators towards the costs of network infrastructure should form the basis of a new approach."

They added that regulators need to take action to help secure future investment, with telecoms groups having to spend billions to support the rollout of 5G and upgrade to full-fibre networks. Signatories included Timotheus Höttges at Deutsche Telekom, Christel Heydemann at Orange, José María Álvarez-Pallete at Telefonica and Pietro Labriola at Telecom Italia. It was also supported by outgoing BT chief executive Philip Jansen, his successor Allison Kirkby, who is currently chief executive at Telia, as well as Vodafone's chief executive Margherita Della Valle. They suggested that a payment mechanism might only make demands on "the very largest traffic generators" with a focus on "accountability and transparency on contributions... so that operators invest directly into Europe's digital infrastructure."

Medicine

A New Mode of Cancer Treatment 36

As detailed in a paper published in Cell Chemical Biology, researchers have developed a "cancer-killing pill" capable of destroying solid tumors while leaving healthy cells unaffected. The new drug has been in development for 20 years and is now undergoing pre-clinical research in the U.S. Derek Lowe, a medicinal chemist and freelance writer on science and pharmaceutical topics, writes about the new paper via Science Magazine: It's about a molecule designated AOH1996, which seems to have a unique mode of action in tumor cells, one that might make it more selective for those as compared to normal ones. The key target here is a protein called PCNA (from its old name of "proliferating cell nuclear antigen"). [...] The current molecule is a traditional direct small molecule binder that is selective for caPCNA over the regular type, which is a very attractive advantage to explore. The team behind it has been working on it for several years now to validate that mechanism, and the new paper linked first above is their report of going all the way into animal models. AOH1996 is a very unremarkable-looking molecule - to be honest, it looks like the sort of stuff that you used to see in old combinatorial chemistry libraries in the late 90s and early 2000s, a couple of aryl-rich groups strung together with amide bonds. It's certainly not going to be the most soluble stuff in the world, but they seem to have been able to formulate it. But I'm definitely not going to make fun of any chemical structure that works! [...]

The new paper shows preclinical toxicity testing in two species (mice and dogs), which is what you need to get to human trials. It seems to pass those very well, with no signs of trouble at 6x the effective dose in either species. And if you were throwing DSBs all over the place in normal tissues, believe me, you'd see tox. It is clean in an Ames test, for example. As for efficacy, in cell assays the concentration needed for 50% growth inhibition across 70 different cancer cell lines averaged around 300nM, while it showed no toxic effects on various non-cancer lines up to 10 micromolar (at least a 30x window). The affected cells show cell-cycle arrest, replication stress, apoptosis, and so on. And application of AOH1996 along with other known chemotherapy agents made the cells much more sensitive to those, presumably because they couldn't deal with those on top of the problems that AOH1996 was already causing.

It also shows growth arrest in xenograft tumors in mouse models, with a no-effect dose at least six times its effective dose, and combination therapy with a topoisomerase inhibitor showed even more significant effects. The compound has entered a Phase I trial in humans on the basis of the above data, and I very much look forward to seeing it advance to Phase II, where it will doubtless be used in combination with several existing therapies. I hope that human cancers will prove vulnerable to this new mode of attack in the clinic, and that they are not able to mutate around it with new forms of caPCNA too quickly, either. The comparison with the peptide agent mentioned above will be especially interesting, too. There's only one way to find out - good luck to everyone involved!

Nintendo

Nintendo Sued For 'Immoral' Mario Kart Loot Boxes (axios.com) 57

Nintendo is facing a potential class-action lawsuit filed by a young gamer and backed by his father, alleging that the microtransactions in the mobile game Mario Kart Tour are "immoral." Axios reports: The suit calls for refunds for all minors in the U.S. who paid to use Mario Kart Tour's "Spotlight Pipes," which delivered players in-game rewards using undisclosed odds. Until last year, Mario Kart Tour players could spend real money to repeatedly activate the pipes, in the hope they'd randomly produce useful upgrades. The suit alleges that Nintendo intentionally made the game difficult to proceed in without paying, using "dark patterns," an industry term for tricking consumers, to steer players toward spending more.

The suit was filed in March but emerged on the federal docket last week after it was moved out of state court. Its plaintiff, identified as N.A., spent more than $170 on Mario Kart Tour microtransactions, via his father's credit card, which was linked to their Nintendo user account. "Defendant's lootbox mechanism capitalized on and encouraged addictive behaviors akin to gambling," according to N.A.'s suit. It states that minors are particularly susceptible to systems that involve surprise rewards.

Axios notes that Nintendo "discontinued use of spotlight pipes in Mario Kart Tour last September, switching to a system that lets players directly purchase items offered in its in-game shop."

Medicine

New Mechanism Proposed For Why Some Psychedelics Act As Antidepressants (arstechnica.com) 53

An anonymous reader quotes a report from Ars Technica: New data suggests that psychedelics may activate serotonin signaling in a very different way than serotonin itself can, reaching the receptors in parts of the cell that serotonin can't get to. Serotonin signaling is complicated. There are seven classes of receptors in humans; some activate signaling pathways, while others inhibit them. One group of receptors allows ions into a cell in response to serotonin, triggering nerve impulses. The rest interact with proteins inside the cell, triggering longer-term responses to serotonin. Psychedelics such as LSD and mescaline bind to members of this latter group and activate it.

This action produces some rather dramatic changes in how people perceive their surroundings. But there's also some evidence that psychedelics promote changes to nerve cells that allow these cells to alter their connectivity. This occurs by causing the structures that receive input from other nerve cells, called dendrites, to grow and branch, potentially allowing additional or altered inputs. One hypothesis is that this altered connectivity allows cells to escape whatever network configuration has been associated with a medical disorder. The researchers confirmed these results using DMT, a psychedelic found in ayahuasca, and psilocin, the active form of the drug psilocybin, which is typically obtained from mushrooms. Twenty-four hours after mice received one of these drugs, nerve cells in their brains had an increased density of extensions from their dendrites. This growth was accompanied by an increased frequency of activity in individual nerve cells. Running the same tests in mice that lacked the gene for the specific serotonin receptor that these drugs target blocked both of these effects, confirming that serotonin signaling is central to the changes.

The researchers then started testing close chemical relatives of the drugs and saw a clear pattern: Making the drug less likely to interact with water boosted their effects on neurons. This suggested that the ability to cross membranes, which are very water-repellent, might be needed to promote changes in dendrites. To confirm this, the researchers poked holes in the membranes, which boosted the activity of water-friendly drug variants that wouldn't readily cross the membrane. This is all a bit confusing because the serotonin receptors sit inside the membrane and interact with the cell's exterior. They have to -- that's where the serotonin is. So why would anything that interacted with those receptors need to cross a membrane to the cell's interior? The receptors on the cell's surface are definitely key to the cell's response to serotonin. But the receptors don't just magically appear on the cell's surface -- they're made elsewhere in the cell and take a while to be processed and transported to the surface. The researchers found a population of serotonin receptors sitting inside a structure called the Golgi. It's not clear whether this population is simply on its way to the cell surface or whether it's retained there by some specific biological activity. Normally, these receptors wouldn't come into contact with serotonin, so they wouldn't signal from this location. But the researchers modified a protein to make it pump serotonin inside of cells and showed that it had the same effect the psychedelics had, suggesting the receptors could be activated and that this activation was key to altering neural connectivity.
The study has been published in the journal Science.
Bitcoin

Bitcoin's 2023 Price Rise 'Very Suspicious', Says Manipulation Researcher (yahoo.com) 104

In 2017 the New York Times covered research co-authored by John Griffin, a finance professor at the University of Texas, into Hong Kong-based Bitfinex, "one of the largest and least regulated exchanges in the industry." Mr. Griffin looked at the flow of digital tokens going in and out of Bitfinex and identified several distinct patterns that suggest that someone or some people at the exchange successfully worked to push up prices when they sagged at other exchanges. To do that, the person or people used a secondary virtual currency, known as Tether, which was created and sold by the owners of Bitfinex, to buy up those other cryptocurrencies.
To reach this conclusion, the paper's two authors "sifted through an incredible 200 gigabytes of trading data, equal to the troves that the Smithsonian Institution collects in two years," according to a new article in Fortune, "and followed sales and purchases from 2.5 million separate wallets."

The researchers ultimately concluded that a single, still unidentified, Bitcoin "whale" triggered nearly 60% of Bitcoin's one-year rise in 2017 from under $1,000 to over $19,000. But more importantly, Fortune now reports that Griffin "suspects that a similar dynamic is operating today." Toward the end of 2022, another mystifying trend caught Griffin's eye. Despite the crypto crash and myriad other negative forces, every time Bitcoin briefly breached the $16,000 floor, it bounced above that level and kept stubbornly trading between $16,000 and $17,000. Almost unbelievably, as the crypto market has continued to unravel into 2023, Bitcoin has gone in the opposite direction, trading up 35% since Jan. 7 to $23,000.

"It's very suspicious," Griffin told Fortune. "The same mechanism we saw in 2017 could be at play now in the still unreal Bitcoin market."

For Griffin, the way normally super-volatile Bitcoin went calm and stable in the stormiest of times for crypto fits a scenario where boosters are uniting to support and juice its price. "If you're a crypto manipulator, you want to set a floor under the price of your coin," added Griffin. "In a period of highly negative sentiment, we've seen suspiciously solid floors under Bitcoin."

It's important to note that no definitive proof of chicanery has so far emerged. "The space is bigger now so it's harder to dig the data," says Griffin. "Sophisticated players may be expert at hiding their identities." We have seen credible leaks asserting that major market participants call meetings of the sector's elite when they fear a crypto leader plans to make what they consider a reckless, industry-endangering move. But no evidence has surfaced that the players are gathering to coordinate buying of Bitcoin or other cryptocurrencies.

Fortune data editor Scott DeCarlo ran a detailed analysis and found, among other things, that Bitcoin "at peak FTX-induced turmoil showed both its smallest swings ever by a wide margin, and divergence from low to high that was one-fourth to one-fifth its average over the past six years." And they're not the only ones asking questions: In a blog post on Nov. 30 titled "Bitcoin's Last Stand," European Central Bank Director General for market operations Ulrich Bindseil and ECB adviser Jürgen Schaaf dismissed Bitcoin's resurgence as "an artificially induced last gasp before the road to irrelevance." Two leading figures on Wall Street told this writer on background that Bitcoin's price action, by resisting a flood of bad news, looks phony and different from a normal free market ruled by independent buyers and sellers.
Thanks to long-time Slashdot reader wired_parrot for submitting the story.
Facebook

Meta Employees, Security Guards Fired for Hijacking User Accounts (wsj.com) 31

Meta has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes, The Wall Street Journal reported Thursday, citing people familiar with the matter and documents. From the report: Some of those fired were contractors who worked as security guards stationed at Meta facilities and were given access to the Facebook parent's internal mechanism for employees to help users having trouble with their accounts, according to the documents and people familiar with the matter. The mechanism, known internally as "Oops," has existed since Facebook's early years as a means for employees to help users they know who have forgotten their passwords or emails, or had their accounts taken over by hackers.

As part of the alleged abuse of the system, Meta says that in some cases workers accepted thousands of dollars in bribes from outside hackers to access user accounts, the people and documents say. The disciplinary actions are part of a lengthy internal probe led by Meta executives, according to the documents and one of the people. "Individuals selling fraudulent services are always targeting online platforms, including ours, and adapting their tactics in response to the detection methods that are commonly used across the industry," said Meta spokesman Andy Stone. He added that the company "will keep taking appropriate action against those involved in these kinds of schemes."

IT

Cheat Devs Are Ready for Modern Warfare 2 (vice.com) 58

The PC beta for Modern Warfare 2 was only online for just over a weekend, but cheat developers quickly managed to create wallhacks anyway, according to videos created by multiple cheat developers. From a report: The news highlights the constant cat and mouse game between cheat developers and the companies that make competitive video games, and shows that Modern Warfare 2 will be no different. Warzone, the massively popular free-to-play battle royale game built on top of Call of Duty's mainline games, was notoriously overrun by cheaters before publisher Activision and the development studios working on the game introduced a new anti-cheat mechanism called Ricochet. "I started developing a MW2 beta cheat right away. I was done the same day, the first day of the beta. My users got access once the cheat was complete & tested," Zebleer, the pseudonymous administrator of Phantom Overlay, a cheat provider that has a long history of selling cheats for Warzone, told Motherboard in an email.

[...] EngineOwning, another cheat developer, published a video to their Twitter account over the weekend appearing to show their own product in action, although it didn't seem to be ready for the beta. "Our MW2 cheat is now done and we're currently in close testing," the tweet read. "This means our cheat will be ready when the game launches, with all the features you'd expect." The Anti-Cheat Police Department, a researcher who has tracked the cheating ecosystem and who reports offending players, claimed in their own tweet that "Ricochet has this shitty cheat detected they are just a scam operation at this point."

Earth

Energy Charter Treaty Makes Climate Action Nearly Illegal In 52 Countries (theconversation.com) 97

An anonymous reader quotes a report from The Conversation: Five young people whose resolve was hardened by floods and wildfires recently took their governments to the European Court of Human Rights (ECHR). Their claim concerns each country's membership of an obscure treaty they argue makes climate action impossible by protecting fossil fuel investors. The energy charter treaty has 52 signatory countries which are mostly EU states but include the UK and Japan. The claimants are suing 12 of them including France, Germany and the UK -- all countries in which energy companies are using the treaty to sue governments over policies that interfere with fossil fuel extraction. For example, the German company RWE is suing the Netherlands for 1.4 billion euros because it plans to phase out coal. The claimants aim to force their countries to exit the treaty and are supported by the Global Legal Action Network, a campaign group with an ongoing case against 33 European countries they accuse of delaying action on climate change. The prospects for the current application going to a hearing at the ECHR look good. But how simple is it to prize countries from the influence of this treaty?

The energy charter treaty started as an EU agreement in 1991 which guaranteed legal safeguards for companies invested in energy projects such as offshore oil rigs. Under Article 10 (1) of the treaty, these investments must "enjoy the most constant protection and security." If government policies change in order to curtail these projects, such as Italy's 2019 decision to ban drilling for oil and gas within 12 miles of its coast, the government is obliged to compensate the relevant company for its lost future earnings. The legal mechanism which allows this is known as an investor-state dispute settlement. A letter to EU leaders signed by 76 climate scientists (PDF) argues this could keep coal power plants open or force governments into paying punishing fees for shutting them down, at a time when deep and rapid cuts to emissions are desperately needed.

Money spent compensating fossil fuel investors will deprive investment in renewable energy and other things vital to the green transition, such as public transport. While withdrawing from the energy charter treaty is possible for any country to do, losing the benefits of membership -- such as fewer duties and taxes on imports of oil and gas -- will make it a difficult decision. Furthermore, the obligations of countries that have been signatories to the treaty are not nullified upon exiting it, but instead linger for 20 years thereafter. Investors can still bring disputes against former members and, if successful, must be compensated by the state in question. Russia and Italy withdrew from the energy charter treaty in 2009 and 2016 respectively, and continue to face multiple claims.

Power

Turmoil at Metals Exchange Trading Nickel Used in Lithium-Ion Batteries and EVs (cnn.com) 104

Early last month on the London Metals Exchange, a Chinese metals producer named Tsingshan Holding Group "wagered a massive bet that the price of nickel would fall," reports CNN Business. At the peak Tsingshan's position "was equivalent to about an eighth of all of the outstanding contracts in the market."

But between Friday, March 4 and Tuesday March 8, the metal soared in value from about $29,000 to $100,000 per ton. "If prices had stood at $100,000 the company would have owed the London Metals Exchange $15 billion, according to the Wall Street Journal." The spike generated margin calls higher than the London Metals Exchange [the LME] had ever seen — and if paid, they would force multiple defaults that would ripple through the exchange and destabilize the global market. Exchange executives scrambled to respond, ultimately throwing a lifeline to the brokers representing Tsingshan and other producers. In an unprecedented move, they halted trading and retroactively canceled all 9,000 trades that occurred on Tuesday, worth about $4 billion in total. The market would remain dark for a week, unleashing a tidal wave of chaos and a mob of angry investors onto the exchange. In its wake, threats of lawsuits abound and trust has eroded. [The day it re-opened, CNN also reported the exchange "had to suspend the electronic trading of nickel shortly after it resumed due to a technical problem."]

Now, the 145-year-old British giant is teetering on a nickel. Over the past century-and-a-half the LME, known for its ring of red couches and barking brokers, has successfully trudged its way through world wars, meltdowns and defaults. But nickel, the metal used in stainless steel and the lithium-ion battery cells in most electric vehicles, might be what finally brings the world's largest market for base metals contracts to its knees. "The world's pricing mechanism for nickel is failing," said Daniel Ghali, the director of commodities strategy at TD Securities. "The question is, will it continue to fail?" Others weren't as diplomatic. "The LME is now very likely going to die a slow self-inflicted death through the loss of confidence in it and its products," tweeted Mark Thompson, executive vice-chairman at Tungsten West, a mining development company....

Until 2012, the LME was owned by its members, the same people who traded on the exchange — but then it was sold to Hong Kong Exchanges and Clearing (HKEX) for $2.2 billion....

The LME's lack of transparency allows two or three big names to throw around vast sums of money and "hijack" a relatively illiquid market, said Adrian Gardner, principal analyst of nickel markets at Wood Mackenzie.... Sitting on the other side of the short were hedge funds, who had bet that nickel supply would decrease because of Russia's invasion of Ukraine (Russia provides about 20% of all top-grade nickel). When the LME decided to retroactively cancel those $4 billion in gains on March 8, it was hedge funds who lost giant sums of money. Global investment management firm AQR, which has $124 billion in assets under management, was among those that lost money when trades were canceled. "The winners were commodity producers and their banks, and the losers are the various clients that AQR and other large asset managers represent: firefighters, municipal workers, and university endowments," said Jordan Brooks, principal at AQR Capital Management. AQR is considering legal action against the exchange. Investors, said Brooks, "acted in good faith and provided liquidity, but the LME just decided to shift their trading gains to commodities producers and their banks...."

Volume in trading has yet to recover, raising questions about the LME's ability to accurately benchmark the price of the metal. Fewer than 210 contracts were traded in the first hour after the market opened on Tuesday. That's down about 60% from the 90-day average before the trading halt. Other metals on the LME, like copper and aluminum, have also seen a decrease in trade volume....

The Chicago Mercantile Exchange doesn't currently trade nickel, but perhaps it soon will. "[The LME] did something that was egregious and a betrayal of trust," said Brooks. "I'd be shocked if the strategic plans of other exchanges haven't changed in the past three weeks."

Medicine

'Pulsed Electromagnetic Energy' Could Cause Havana Syndrome (cnn.com) 72

An intelligence panel investigating the cause of a spate of mysterious incidents that have struck dozens of US officials across the globe has said that some of the episodes could "plausibly" have been caused by "pulsed electromagnetic energy" emitted by an external source, according to an executive summary of the panel's findings released Wednesday. CNN reports: But the panel stopped short of making a definitive determination, saying only that both electromagnetic energy and, in limited circumstances, ultrasound could explain the key symptoms -- highlighting the degree to which the murky illness known colloquially as "Havana Syndrome" has remained one of the intelligence community's most stubborn mysteries. "We've learned a lot," an intelligence official familiar with the panel's work told reporters, speaking on condition of anonymity under terms set by the Office of the Director of National Intelligence. "While we don't have the specific mechanism for each case, what we do know is if you report quickly and promptly get medical care, most people are getting well."

The scientific panel emphasized that the cases it studied were "genuine and compelling," noting that some incidents have affected multiple people in the same space and clinical samples from a few victims have shown signs of "cellular injury to the nervous system." An executive summary of the panel's work provided new details about how the government is categorizing cases as possible Havana Syndrome, a clinically vague illness that has long frustrated firm diagnosis because victims have suffered from such a diverse array of symptoms. Although officials declined to say how many cases the panel examined as part of its inquiry, they said they studied cases that met four "core characteristics": the acute onset of sounds or pressure, sometimes in only one ear or on one side of the head; simultaneous symptoms of vertigo, loss of balance and ear pain; "a strong sense of locality or directionality"; and the absence of any known environmental or medical conditions that could have caused the other symptoms.

Both pulsed electromagnetic energy, "particularly in the radiofrequency range," and ultrasonic arrays could feasibly cause the four core symptoms, the panel found. Both could originate from "a concealable source." But ultrasound can't travel through walls, the panel found, "restricting its applicability to scenarios in which the source is near the target." Sources of radiofrequency energy, on the other hand, are known to exist, "could generate the required stimulus, are concealable, and have moderate power requirements," the panel said. "Using nonstandard antennas and techniques, the signals could be propagated with low loss through air for tens to hundreds of meters, and with some loss, through most building materials." But intelligence officials familiar with the panel's work emphasized that important information gaps remained, forestalling them from reaching firmer conclusions.
The expert panel also ruled out so-called psycho-social factors. They also ruled out "ionizing radiation, chemical and biological agents, infrasound, audible sound, ultrasound propagated over large distances, and bulk heating from electromagnetic energy."

"The panel made seven recommendations, including developing better biomarkers that are 'more specific and more sensitive for diagnosis and triage' of cases," reports CNN. "It also recommended utilizing 'detectors' and obtaining 'devices to aid research.' Finally, officials urged swift action by medical officials whenever a case is reported, emphasizing that individuals who have been treated immediately after an event have improved."
Medicine

A Smart Artificial Pancreas Could Conquer Diabetes (ieee.org) 58

IEEE Spectrum reports on the progress being made to develop a "smart artificial pancreas" that senses blood glucose and administers insulin accordingly. An anonymous reader shares an excerpt from the report: The artificial pancreas is finally at hand. This is a machine that senses any change in blood glucose and directs a pump to administer either more or less insulin, a task that may be compared to the way a thermostat coupled to an HVAC system controls the temperature of a house. All commercial artificial pancreas systems are still "hybrid," meaning that users are required to estimate the carbohydrates in a meal they're about to consume and thus assist the system with glucose control. Nevertheless, the artificial pancreas is a triumph of biotechnology.

It is a triumph of hope, as well. We well remember a morning in late December of 2005, when experts in diabetes technology and bioengineering gathered in the Lister Hill Auditorium at the National Institutes of Health in Bethesda, Md. By that point, existing technology enabled people with diabetes to track their blood glucose levels and use those readings to estimate the amount of insulin they needed. The problem was how to remove human intervention from the equation. A distinguished scientist took the podium and explained that biology's glucose-regulation mechanism was far too complex to be artificially replicated. [Boris Kovatchev, a scientist at the University of Virginia, director of the UVA Center for Diabetes Technology, and a principal investigator of the JDRF Artificial Pancreas Project] and his colleagues disagreed, and after 14 years of work they were able to prove the scientist wrong.

It was yet another confirmation of Arthur Clarke's First Law: "When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong." [...] Progress toward better automatic control will be gradual; we anticipate a smooth transition from hybrid to full autonomy, when the patient never intervenes. Work is underway on using faster-acting insulins that are now in clinical trials. Perhaps one day it will make sense to implant the artificial pancreas within the abdominal cavity, where the insulin can be fed directly into the bloodstream, for still faster action. What comes next? Well, what else seems impossible today?

Google

Google Says Fortnite's In-app Purchase Swap Was a Breach of Contract, Sues Epic (arstechnica.com) 49

Epic Games keeps piling up lawsuits with app store owners. This time, Google is countersuing Epic for breach of contract. From a report: Epic signed contracts with both Google and Apple, pledging to use the default payment systems for in-app purchases. As part of its push for more open payment systems, though (and to dodge each platform's 30 percent fee), Epic boldly pushed out updates to the Android and iOS apps that switched the payment processing from the platforms' in-app purchases to Epic's in-house system. Google and Apple both allege this action was a breach of their app store contracts with Epic.

Apple sued and got its ruling last month. Epic was ordered to pay $3.65 million in damages, covering Apple's lost revenue from Epic's three months of self-powered payments. Following that ruling, Google wants its missing money, too, and now it's countersuing Epic, hoping for a similar ruling. Google's suit reads, "Epic willfully breached the DDA [Developer Distribution Agreement] by submitting a version of Fortnite for publication on Google Play with a payment method other than Google Play Billing for purchases of in-app content. By doing this, Epic denied Google its service fee under the DDA for any purchases made through the app outside of Google Play Billing." Google continues: "The users that downloaded the non-compliant version of Fortnite before its removal from Google Play are still able to use Epic's hotfixed external payment mechanism to make in-app purchases -- allowing Epic to evade its contractually agreed service fee to Google for those purchases." Google argues that "Epic has alternatively been unjustly enriched at Google's expense" and is seeking restitution of its missing earnings and damages.
