Tea – a way to secure FOSS by offering financial incentives – brews massive token farming campaigns (and dissolves them)

No good idea – like rewarding open source software developers and maintainers for their contributions – goes unabused by cybercriminals, and this was the case with the Tea Protocol and two token farming campaigns.

Both incidents gave the project’s founders a real-time view into how far – and fast – attackers will go to chase financial gain, and they helped shape “radical changes” that will roll out in the Tea network’s mainnet launch early next year, co-founder and CEO Tim Lewis told The Register.

The Tea Protocol was founded by Max Howell, who created open source package manager Homebrew, and Lewis, who established DEVxDAO, a non-profit that distributes grants to support decentralized computing projects, to reward open source developers and help secure software supply chains via financial incentives.

“When you think about the different package management ecosystems, they all have different gates in front of them, and none of them have been a financial gate,” Lewis said in an interview.

“There’s a human that sits in the front who has to be this gate, but it takes a toll on the human to go through all the data, and that’s only getting worse,” he said. “There’s the proliferation of the AI-induced pull requests, which are great, but that’s become like a DDoS attack.”

Last year, the duo rolled out the Tea Protocol testnet – essentially a test run for the incentives program that allows open source developers to earn cryptocurrency – specifically Tea tokens – for valuable code and fixes, while users can stake Tea to support specific projects and also earn rewards. A portion of the protocol rewards is shared with project maintainers and users who stake their tokens.

“Again, this was on a test network for fake internet points that could eventually potentially have some value,” Lewis said. “Our incentive for that period only lasted about three weeks.”

In April 2024, the Tea team shut down the incentive program’s rewards after about 15,000 spammy packages flooded the npm registry to farm Tea points. These contained little or zero useful functionality, and were instrumented with “tea.yaml” metadata that linked back to Tea accounts in an attempt to inflate developers’ reputation and earn payouts.

“We got to watch this happen in real time, and we recognized how fast, how far people had gone to create scripts that have a worm-like behavior,” Lewis said.

Then it got worse. In 2025, the earlier Tea farming campaign grew into the IndonesianFoods and Indonesian Tea campaigns that polluted more than 1 percent of npm with spam packages. And in November, Amazon uncovered more than 150,000 malicious npm packages, all linked to another Tea token farming campaign, that the cloud giant described as “one of the largest package flooding incidents in open source registry history.”

“I view this as a canary in the coal mine,” Lewis said.

In these token farming campaigns, the fraudsters flooded registries with spam rather than with code laced with cryptocurrency- and other secret-stealing malware, and neither of those latter two threats is hypothetical. North Korea’s Lazarus Group and other sophisticated attackers have previously targeted npm for these illicit purposes.

“When you are a destructive organization like Lazarus Group, there’s incentive to use these same techniques to attack [supply chains],” Lewis said. “So we need to fix the core.”

How to reward secure code and penalize spam

To this end, Tea’s founders are working to fix the protocol’s design to ensure that the incentives program can’t be abused when the mainnet launches in early 2026.

This involves requiring packages and projects to pass ownership and provenance checks, and ensuring contributions aren’t just automated spam. The Tea team is also designing monitoring features that will check for Sybil attacks and flag surges in low-quality package creation and suspicious identities.

If malicious-looking patterns are detected, the developer won’t receive rewards and their registrations will be quarantined, pending further review.
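The surge and Sybil checks described above, as an added illustration (not Tea’s code; the thresholds, the `tea_account` field read from tea.yaml and the sample registrations are all constructed assumptions): packages linked to one Tea account that arrive as a burst of near-empty registrations, or that are fed by many throwaway publisher accounts, are quarantined rather than rewarded.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical thresholds for illustration only; Tea's real rules are not published here.
SURGE_WINDOW = timedelta(hours=1)
SURGE_COUNT = 20          # low-quality registrations per account within the window
MIN_CODE_BYTES = 200      # anything smaller ships effectively no functionality
MIN_PUBLISHERS = 5        # distinct registry publishers feeding one reward identity

@dataclass(frozen=True)
class PackageReg:
    name: str
    publisher: str
    tea_account: str       # account named in the package's tea.yaml (assumed field)
    published: datetime
    code_bytes: int        # bytes of real source, excluding manifests/metadata

def flag_surges(regs):
    """Tea accounts whose linked low-quality packages arrive in a burst (>= SURGE_COUNT
    registrations inside any SURGE_WINDOW). Returns {account: [package names]}."""
    by_account = defaultdict(list)
    for r in regs:
        if r.code_bytes < MIN_CODE_BYTES:
            by_account[r.tea_account].append(r)
    flagged = {}
    for acct, pkgs in by_account.items():
        pkgs.sort(key=lambda p: p.published)
        start = 0                      # sliding window over sorted publish times
        for end in range(len(pkgs)):
            while pkgs[end].published - pkgs[start].published > SURGE_WINDOW:
                start += 1
            if end - start + 1 >= SURGE_COUNT:
                flagged[acct] = [p.name for p in pkgs]
                break
    return flagged

def sybil_accounts(regs):
    """Reward identities fed by many distinct publisher accounts: a Sybil indicator."""
    pubs = defaultdict(set)
    for r in regs:
        pubs[r.tea_account].add(r.publisher)
    return {a for a, s in pubs.items() if len(s) >= MIN_PUBLISHERS}

def decide(regs):
    # Per package: 'quarantine' (no reward, held for review) or 'reward'.
    suspect = set(flag_surges(regs)) | sybil_accounts(regs)
    return {r.name: "quarantine" if r.tea_account in suspect else "reward" for r in regs}

def sample_registrations():
    # Constructed data: a 25-package farming burst plus one genuine maintainer.
    t0 = datetime(2024, 4, 1, 12, 0)
    burst = [PackageReg(f"farm-pkg-{i}", f"throwaway{i % 6}", "tea:farmer",
                        t0 + timedelta(minutes=i), 40) for i in range(25)]
    real = [PackageReg("useful-lib", "maintainer", "tea:maintainer", t0, 48_000),
            PackageReg("useful-cli", "maintainer", "tea:maintainer", t0 + timedelta(days=1), 12_000)]
    return burst + real
```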

Additional key quality and security improvements will happen via integration with PKGX, which Howell wrote. It’s a package runner that creates a containerized environment for projects and manages developer tools across environments. PKGX verifies maintainers using cryptographic signatures and identity checks, and also evaluates their contributions to various projects for quality, along with security posture and dependencies.

This registry will integrate directly with Tea upon the protocol’s mainnet launch, and will auto-detect and penalize, if needed, spammy packages at the point of registration – not after – while rewarding maintainers for their legit contributions.

Automated SBOMs, bug bounties

In the future, Lewis says that this design will also allow enterprises to automate bug bounties, and SBOMs (software bills of materials) that provide an inventory of all the components found in a piece of software. This will make it easier for large companies to map out their dependencies, and then reward developers for fixing any critical security issues they find.

[…]

“Some CISO, somewhere, every day is looking at his tens of thousands of packages that he approved for use, and now he’s responsible for whether or not these things are secure,” Lewis said. “He can’t have all the people that work within his department spend all of their time trying to get some guy in Nebraska to review a pull request and get the critical bug for his architecture solved en masse. We’re hoping this creates a tool that allows that value distribution without impermanent loss en masse.”

Lewis’ goal, he says, is to see upwards of “millions of dollars a day, retrieved for issue completion.”

Project developers and maintainers write the fixes, and chief security officers can confirm to their boards of directors that their dependencies and critical code are secure. “Plus, the mean time for resolution for these issues comes down – and they are not funding groups like North Korea’s Lazarus,” he added.

In other words: Tea’s goal reaches fruition. Open source project maintainers get paid for their valuable work, code becomes more secure, financially motivated crews can’t game the system, and the world becomes a better place.

Source: CEO spills the Tea about massive token farming campaigns • The Register

Mass hacking of IP cameras leaves Koreans feeling vulnerable in homes, businesses

[…] hackers recently breached approximately 120,000 IP cameras across Korea — often found inside private homes like Kim’s — has left her and many others seething, prompting the government to take action.

As shocking as the scale of the intrusions was the alleged motive behind them. Videos captured by the hacked cameras were allegedly sold to an overseas pornography website, exposing some of the most intimate moments of unsuspecting victims to anonymous viewers abroad.

Only 1,193 videos from the hacked cameras have been uncovered so far on overseas websites, raising concerns that many more remain undiscovered.

In response, an interagency task force comprising officials from the Ministry of Science and ICT, the Personal Information Protection Commission and the National Police Agency announced on Dec. 7 that it would pursue a multilayered reform package. The measures aim to shift responsibility beyond individuals and camera manufacturers to include installation companies and telecommunications providers.

Yet as policymakers scramble to overhaul regulations and reinforce technical safeguards, interviews with everyday users of IP cameras reveal a gap between how these devices are used and understood and the level of risk they actually pose.

[…]

Many hacked cameras were protected by simple or widely known passwords that were rarely changed. A government survey found that only 59 percent of installation companies consistently carried out mandatory security measures, such as changing default password settings.

[…]

What sets the current case apart — and prompted the government’s unusually forceful response — is the nature of the harm involved.

Police believe one suspect hacked 63,000 IP cameras, producing 545 videos that he sold to an overseas website for 35 million won ($24,000) in cryptocurrency. Another suspect allegedly hacked 70,000 devices, creating 648 videos that he later sold to the same website for 18 million won.

The two individuals, whom police say are not accomplices, sourced most of their footage from IP cameras installed in ordinary homes, gynecology offices, breastfeeding rooms, massage parlors, Pilates studios and waxing salons. They often accessed the same compromised devices repeatedly. The videos accounted for 62 percent of all content on the website, which includes a separate “Korean” category.

Two additional suspects are accused of hacking 15,000 cameras and 136 devices, respectively, to collect footage for private possession.

Unlike leaked phone numbers or delivery addresses, compromised IP camera footage can expose faces, bodies, children and private spaces. Prof. Kim emphasized that hacked cameras can reveal “an individual’s movements, daily life and relationships,” making the potential for privacy violations “extremely high.”

[…]

Source: Mass hacking of IP cameras leave Koreans feeling vulnerable in homes, businesses

New Jolla Phone Pre-orders hit target quickly. Shows people are fed up with iOS-Android monopoly

After successful crowdfunding, the latest release of the original handheld Linux distro will power a new handset coming in mid-2026.

The initial crowdfunding drive for the new Jolla Phone seems to have gone well: at the time of writing, the new device has comfortably passed double the number of orders needed to go into production. Finnish vendor Jolla set a goal of 2,000 €99 pre-order deposits by January 4th, but passed the goal in less than two weeks. The first batch of 2,700 units were £499. Batch 2 will ship two to four weeks later, and cost €549, but that’s now sold out too. Currently, well over 5,000 orders have been placed. With 20 days to go, the pre-order page says:

We take a maximum of 10,000 pre-orders until January 31st, 2026. Reserve your spot and lock your special total price of 579€.

The new Jolla Phone, resplendent in The Orange – or Snow White and Kaamos Black

The down payment will be deducted from the total price. Jolla is now taking orders for 5,200 units in batch 3, which will cost €579 and ship three to six weeks later. After the first few production runs, totalling 10,000 units, the price of the handset will go up to €599 to €699.

The phone specs were set by a survey the company ran, with a first stage in August followed by a November update. To our eyes it looks decent if not outstanding: 5G connectivity, a 6.36 inch AMOLED screen, an indicator LED, 12 GB of RAM plus 256 GB of storage expandable via microSDXC. Some of the details are welcome: a user-replaceable 5,500 mAh battery, plus a software-based privacy switch which can disable the microphone, or Bluetooth, or Android apps, or other programmable options. For this vulture, a sad absence is a headphone socket.

An added incentive, if the device sells 10,000 units, is the return of smart back covers called The Other Half, which even included a keyboard.

[…]

Sailfish is distinct from any other mobile OS today. Its origins at Nokia predate the January 2007 launch of the iPhone, by whose prospects The Reg was not enthralled. That, of course, also means it was out long before Android, which as Daring Fireball described in 2010 was originally designed to rival Blackberry. (The Internet Archive still has some of Engadget’s screenshots.) After Android was remodeled to take on Apple, both OSes look a lot like each other: the home screen is a grid of app icons, and both lean heavily on tapping on-screen buttons. (Before that, of course, they relied on physical buttons.)

[…]

Sailfish 5 feels very different, with little visible influence from anything else. You flip between its two home screens by swiping left and right. One holds a list of messages and notifications, and the other is a full-screen app switcher, with tiles for each open app. Dragging up from the bottom reveals the app launcher. Uniquely, it distinguishes between long and short drags down from the top of the screen: a long fast swipe down opens a settings panel, but in native Sailfish apps, a short slow drag opens a full-screen-width menu; you scroll up and down until the desired option is highlighted, then select it by lifting your thumb. It shows whether options are turned on or off with a large, bright white dot, or a smaller dimmer dot. A different white dot at top left is also the Back button, where one makes sense.

Like the overloaded white-dot symbol, some aspects of the OS are a little confusing. In addition to the official Jolla Store, there are two different tools for managing third-party native apps: StoreMan manages software from the collection on OpenRepos, and Chum GUI manages RPM packages from Chum. Then there’s the built-in AppSupport compatibility layer, which lets you run Android apps. We installed both F-Droid and the Aurora store, and had no problems installing typical tools such as Signal, WhatsApp, or YouTube Kids.

There are built-in apps for all the things you’d expect a smartphone to do, and these connect to the usual suspects such as Google’s email, calendar, and contacts. There’s a browser based on Mozilla tech, as well, which works fine – as did Android browsers such as Vivaldi. Like its very distant relative Symbian, though, this is a local-first sort of device which can sync, rather than a pocket cloud client.

Maps are a particular weak point: we tried Google Maps and Nokia spin-off Here, which both literally drew a blank. The OpenStreetMap-based Mapy.com ran and could be searched, but couldn’t detect our location. There aren’t many cloud-storage clients, either. The stock keyboard doesn’t support swipe-style text entry, which we found frustrating.

Overall, Sailfish is arguably the most complete independent mobile OS. It’s totally separate from anything from Google, or Apple, or desktop Linux, and the app catalog is impressive. We did regularly get lost in its slightly idiosyncratic UI, but it was always possible to get out again. If you want a total break from the mainstream mobile duopoly, this is a viable alternative. Although you might need a standalone sat-nav too.

[…]

Source: New Jolla, Sailfish 5, offer break from iOS-Android monopoly • The Register

Devs say Apple still flouting EU’s DMA six months on, but cutting fees in US

Six months after EU regulators found Apple’s App Store rules

The Coalition for App Fairness, a nonprofit organization of app developers and consumer groups, has accused Apple of persistent non-compliance with the DMA, warning that the company’s revised App Store terms continue to impose fees which the legislation prohibits.

In an open letter addressed to European Commission President Ursula von der Leyen and senior commissioners, the coalition argues that Apple has failed to deliver “any meaningful changes or proposals” despite an April 2025 non-compliance decision that found its App Store policies illegal and harmful to both developers and consumers.

At the heart of the complaint is money. The DMA requires so-called gatekeepers to allow developers to offer and conduct transactions outside their app stores without charge. Apple, the coalition claims, is seeking to charge commissions of up to 20 percent on those very transactions.

“This is a blatant disregard for the law with the potential to vanquish years of meaningful work by the Commission,” the letter states, accusing Apple of preserving the economics of its App Store while nominally claiming compliance.

Apple has said it will roll out new App Store terms in January 2026, but developers say the company has provided no clarity on what those changes will involve or whether they will actually comply with the DMA.

“We have seen this playbook before in Europe and beyond,” the signatories warn, adding that they suspect any new terms will continue to impose fees that would violate the law.

The letter argues that this uncertainty is already doing damage. Six months after Apple’s last App Store terms update, developers still do not know which rules will govern their businesses or what their costs will look like in the near term.

Apple’s “lack of transparency in tandem with its rushed timelines,” the coalition says, is freezing investment and innovation, effectively allowing the company to “exploit its gatekeeper position by holding the entire industry hostage.”

The group also points to a growing transatlantic contrast that makes Europe look like the tougher regulator with the weaker results. While Apple continues to fight DMA enforcement in the EU, US courts have moved to curb its ability to extract fees from external transactions. Following litigation brought by Epic Games, developers in the US can now communicate freely with customers about pricing and offer payment options outside Apple’s ecosystem without paying commission.

That raises what the coalition calls a “simple and urgent question.” Why should European developers and consumers get a worse deal than their US counterparts, especially when the EU was first to pass a landmark law aimed at fixing digital markets?

[…]

Source: Devs say Apple still flouting EU’s DMA six months on • The Register