Received yesterday — 13 February 2026

Western US states fail to negotiate crucial Colorado River deal: ‘Mother nature isn’t going to bail us out’

13 February 2026 at 18:01

Negotiators disbanded on Friday without a plan for the basin supplying water to 40m people, thrusting the region into uncertainty

The future of the American west hung in the balance after seven states remained at a stalemate over who should bear the brunt of the enormous water cuts needed to pull the imperiled Colorado River back from the brink.

Negotiators, who have spent years trying to iron out thorny disagreements, ended their talks on Friday without a deal – one day before a critical deadline to form a plan that had been set for Saturday.

© Photograph: Étienne Laurent/EPA

Received before yesterday

What is Pokopia? Inside the calming Pokémon game that ditches battles for gardening

12 February 2026 at 08:35

We explore the cosy world-building spin-off with Game Freak’s Shigeru Ohmori and his fellow developers – and learn how it began with a Pokémon-hunting dream

Pokémon is celebrating its 30th anniversary this month, and everybody knows what to expect from these games by now. The concept is simple: head into a cartoonish paradise full of whimsical creatures, capture them in red-and-white balls and assemble a team of warriors from them, before battling other aspiring Pokémon masters. But the latest entry in the series is different – a game that’s more about building than battling.

In Pokopia, a refreshingly pacific twist on the series, players are dropped into a virtual world where Pokémon are freed from their spherical prisons and happily roam their natural habitats. There’s one minor caveat – you have to create those habitats by hand, building them from what you can find.

© Photograph: Game Freak/The Pokémon Company/Koei Tecmo

Super Nintendo by Keza MacDonald review – a joyful celebration of the gaming giant

12 February 2026 at 04:00

A portrait of the company whose ‘toymaker philosophy’ stands in contrast to the tech giants that rule our lives

What is the highest-grossing entertainment franchise of all time? You might be tempted to think of Star Wars, or perhaps the Marvel Cinematic Universe. Maybe even Harry Potter? But no: it’s Pokémon – the others don’t come close. The Japanese “pocket monsters”, which star in video games, TV series and tradable playing cards, have made an estimated $115bn since 1996. Is this a sign of the lamentable infantilisation of postmodern society?

Not a bit of it, argues Keza MacDonald, the Guardian’s video games editor, in her winsomely enthusiastic biography of Nintendo, the company that had become an eponym for electronic entertainment long before anyone had heard the words “PlayStation” or “Xbox”. Yes, Pokémon is mostly a children’s pursuit, but a sophisticated one: “Like Harry Potter, the Famous Five and Narnia,” she observes, “it offers a powerful fantasy of self-determination, set in a world almost totally free of adult supervision.” And in its complicated scoring system, “it got millions of kids voluntarily doing a kind of algebra”.

© Photograph: MasaPhoto/Getty Images

Four States Sue Administration Over Loss of Public Health Funds

11 February 2026 at 19:45
The states, all led by Democrats, claim the cuts were intended as retribution and will harm efforts to control H.I.V. and other sexually transmitted infections.

© Dustin Chambers for The New York Times

The headquarters of the Centers for Disease Control and Prevention in Atlanta. The agency administered block grants for H.I.V. prevention that were allocated to public health departments in California, Colorado, Illinois and Minnesota.

How to Prevent Vishing Attacks Targeting Okta and other IDPs

11 February 2026 at 15:57

Vishing as the Front Door to MFA Bypass

Threat reporting tied to ShinyHunters and Scattered Spider-linked activity shows voice phishing (vishing) being operationalized as a coordinated access vector against enterprise identity systems.

Rather than relying solely on email-based phishing, attackers now call employees directly, impersonating IT support, security teams, or identity administrators. These calls are not random — they are tightly coupled with live phishing infrastructure and identity workflows.

The goal is not to “steal a password”; it is to walk the victim through a legitimate authentication event while the attacker intercepts the outcome.

This is why legacy MFA continues to “work,” yet organizations are still getting breached.

The post How to Prevent Vishing Attacks Targeting Okta and other IDPs appeared first on Security Boulevard.

How a decades-old video game has helped me defeat the doomscroll

9 February 2026 at 09:29

Trading social media for Pokémon battles and evolutions in Kanto on a Game Boy Advance has been surprisingly serene

Cutting back on doomscrolling must be one of the hardest new year resolutions to keep. Instinctively tapping on the usual suspects on your phone’s home screen becomes a reflex, and vast quantities of money and user data have been specifically employed to keep you reaching for the phone, ingraining it into our work, leisure and social lives. You’ll get no shame from me if you love your phone and have a healthy relationship with your apps, but I’ve found myself struggling lately.

This year, I’m attempting to cut back on screen time – sort of. I’m replacing the sleek oblong of my smartphone with something a little more fuzzy and nostalgic. In an attempt to dismantle my bad habit, I’m closing the feeds of instant updates and instead carrying around a Game Boy Advance. I’ve been playing Pokémon FireRed, a remake of the very first Pokémon games, which turn 30 this month. Even this refreshed version is more than two decades old.

© Photograph: Martin Godwin/The Guardian

Why $700 could be a "death sentence" for the Steam Machine

6 February 2026 at 16:53

After writing two November stories analyzing price expectations for Valve's upcoming Steam Machine, I really didn't think we'd be offering more informed speculation before the official price was revealed. Then Valve wrote a blog post this week noting that the "growing price of... critical components" like RAM and storage meant that "we must revisit our exact shipping schedule and pricing" for the living room-focused PC gaming box.

We don't know exactly what form that "revisiting" will take at the moment. Analysts who spoke to Ars were somewhat divided on how much of its quickly increasing component costs Valve would be willing (or forced) to pass on to consumers.

"We knew the component issue was bad," DFC Intelligence analyst David Cole told Ars. "It has just gotten worse."

© Getty Images

The Switch 2 is getting a new Virtual Console (kind of)

5 February 2026 at 17:14

In 2018, we lamented as Nintendo officially replaced the Virtual Console—its long-running line of downloadable classic games on the Wii and Wii U—with time-limited access to a set of games through a paid Nintendo Switch Online subscription. Now, Hamster Corporation is doing what Nintendo no longer will by offering downloadable versions of retro console games for direct individual purchase on the Switch 2.

As part of today's Nintendo Direct Partner Showcase, Hamster announced a new Console Archives line of emulated classics available for download starting today on the Switch 2 and next week on the PlayStation 5 (sorry, Xbox and OG Switch fans). So far that lineup only includes the original PlayStation snowboarding title Cool Boarders for $12 and the NES action platformer Ninja Gaiden II: The Dark Sword of Chaos for $8, but Hamster promises more obscure games, including Doraemon and Sonic Wings Special, will be available in the future.

If the name Hamster Corporation sounds familiar, it's because the company is behind the Arcade Archive series, which has repackaged individual arcade games for purchase and emulated play on modern consoles since 2014. That effort, which celebrated its 500th release in December, even includes some of Nintendo's classic arcade titles, which the Switch-maker never officially released on the original Virtual Console.

© Hamster Corp.

Nintendo Switch is the second-bestselling game console ever, behind only the PS2

3 February 2026 at 13:56

Although it was finally replaced last year by the new Switch 2, the original Switch isn't done just yet. Many recent Switch games (and a handful of major updates, like the one for Animal Crossing) have been released in both Switch and Switch 2 editions, and Nintendo continues to sell all editions of the original console as entry-level systems for those who can't pay $450 for a Switch 2.

The 9-year-old Switch's continued availability has helped it clear a milestone, according to the company's third-quarter financial results (PDF). As of December 31, 2025, Nintendo says the Switch "has reached the highest sales volume of any Nintendo hardware" with a total of 155.37 million units sold, surpassing the original DS's lifetime total of 154.02 million units. The console has sold 3.25 million units in Nintendo's fiscal 2026 so far, including 1.36 million units over the holidays. Those consoles have sold despite price hikes that Nintendo introduced in August of 2025, citing "market conditions."

That makes the Switch the second-bestselling game console of all time, just three years after it became the third-bestselling game console of all time. The only frontier left for the Switch to conquer is Sony's PlayStation 2, which Sony says sold "over 160 million units" over its long life. At its current sales rate (Nintendo predicts it will sell roughly 750,000 Switches in the next quarter), it would take the Switch another couple of years to cross that line, but those numbers are likely to taper off as we get deeper into the Switch 2 era.

© Nintendo

The Switch is Now Nintendo's Best-Selling Console of All Time

3 February 2026 at 06:30
The original Switch is officially Nintendo's best-selling console of all time after surpassing the DS handheld in lifetime sales. From a report: In its latest earnings release, Nintendo reports that the Nintendo Switch has, as of December 31, 2025, sold 155.37 million units since its launch in 2017, compared to 154.02 million units for the 2004 Nintendo DS. In November, Nintendo reported that the Switch and DS were neck and neck. We expected the holiday sales period would see the Switch surpass the DS, even with Nintendo announcing that primary development would focus on the Switch 2. Nintendo previously said that it would continue to sell the original Switch "while taking consumer demand and the business environment into consideration." Nintendo has to keep selling the Switch if it wants to dethrone Sony's PlayStation 2 as the best-selling video game console of all time. The PlayStation 2, discontinued in January 2013, sold more than 160 million units over its 13-year lifespan.

Read more of this story at Slashdot.

Psilocybin Leads in Psychedelic Medicine, but Rollout Is Bumpy

13 January 2026 at 17:01
Psilocybin-assisted therapy is legal in three states, but access has so far been limited and expensive.

© Mason Trinca for The New York Times

Dr. Bonny Koeber prepared a therapy room with sage before a patient arrived from New York for psilocybin therapy at Satya Therapeutics in Ashland, Ore.

Some of the World’s Atomic Clocks Were Off Last Week (by 5-Millionths of a Second)

22 December 2025 at 18:14
How some of the world’s most precise clocks missed a very small beat.

© R. Eskalis/National Institute of Standards and Technology

A cesium fountain clock at the National Institute of Standards and Technology in Boulder, Colo.

Do Kwon, Crypto Entrepreneur Who Caused 2022 Crash, Sentenced to 15 Years

Do Kwon, who designed the virtual currencies Luna and TerraUSD, which plunged in 2022, had pleaded guilty to fraud.

© Risto Bozovic/Associated Press

Do Kwon, a crypto entrepreneur who went on the run after the crash of two virtual currencies that he created, was escorted by Montenegro police in 2024.

Self-Replicating Worm Hits 180+ Software Packages

16 September 2025 at 10:08

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.

Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)

The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”

“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”

At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.

The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.

Image: aikido.dev

In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.

“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.

The security-focused code development platform socket.dev reports the Shai-Hulud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.

In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”

A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.

StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.

“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.

Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.

“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”

For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.

Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”

18 Popular Code Packages Hacked, Rigged to Steal Crypto

8 September 2025 at 18:53

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

This phishing email lured a developer into logging in at a fake NPM website and supplying a one-time token for two-factor authentication. The phishers then used that developer’s NPM account to add malicious code to at least 18 popular JavaScript code packages.

Aikido is a security firm in Belgium that monitors new code updates to major open-source code repositories, scanning any code updates for suspicious and malicious code. In a blog post published today, Aikido said its systems found malicious code had been added to at least 18 widely-used code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and the latest updates to widely-used JavaScript components.

JavaScript is a powerful web-based scripting language used by countless websites to build a more interactive experience with users, such as entering data into a form. But there’s no need for each website developer to build a program from scratch for entering data into a form when they can just reuse already existing packages of code at NPM that are specifically designed for that purpose.

Unfortunately, if cybercriminals manage to phish NPM credentials from developers, they can introduce malicious code that allows attackers to fundamentally control what people see in their web browser when they visit a website that uses one of the affected code libraries.

According to Aikido, the attackers injected a piece of code that silently intercepts cryptocurrency activity in the browser, “manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,” Aikido researcher Charlie Eriksen wrote. “What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.”

Aikido said it used the social network Bsky to notify the affected developer, Josh Junon, who quickly replied that he was aware of having just been phished. The phishing email that Junon fell for was part of a larger campaign that spoofed NPM and told recipients they were required to update their two-factor authentication (2FA) credentials. The phishing site mimicked NPM’s login page, and intercepted Junon’s credentials and 2FA token. Once logged in, the phishers then changed the email address on file for Junon’s NPM account, temporarily locking him out.

Aikido notified the maintainer on Bluesky, who replied at 15:15 UTC that he was aware of being compromised, and starting to clean up the compromised packages.

Junon also issued a mea culpa on HackerNews, telling the community’s coder-heavy readership, “Hi, yep I got pwned.”

“It looks and feels a bit like a targeted attack,” Junon wrote. “Sorry everyone, very embarrassing.”

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, observed that the attackers appear to have registered their spoofed website — npmjs[.]help — just two days before sending the phishing email. The spoofed website used services from dnsexit[.]com, a “dynamic DNS” company that also offers “100% free” domain names that can instantly be pointed at any IP address controlled by the user.

Junon’s mea culpa on HackerNews today listed the affected packages.

Caturegli said it’s remarkable that the attackers in this case were not more ambitious or malicious with their code modifications.

“The crazy part is they compromised billions of websites and apps just to target a couple of cryptocurrency things,” he said. “This was a supply chain attack, and it could easily have been something much worse than crypto harvesting.”

Aikido’s Eriksen agreed, saying countless websites dodged a bullet because this incident was handled in a matter of hours. As an example of how these supply-chain attacks can escalate quickly, Eriksen pointed to another compromise of an NPM developer in late August that added malware to “nx,” an open-source code development toolkit with as many as six million weekly downloads.

In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Eriksen said coding platforms like GitHub and NPM should be doing more to ensure that any new code commits for broadly-used packages require a higher level of attestation that confirms the code in question was in fact submitted by the person who owns the account, and not just by that person’s account.

“More popular packages should require attestation that it came through trusted provenance and not just randomly from some location on the Internet,” Eriksen said. “Where does the package get uploaded from, by GitHub in response to a new pull request into the main branch, or somewhere else? In this case, they didn’t compromise the target’s GitHub account. They didn’t touch that. They just uploaded a modified version that didn’t come where it’s expected to come from.”

Eriksen said code repository compromises can be devastating for developers, many of whom end up abandoning their projects entirely after such an incident.

“It’s unfortunate because one thing we’ve seen is people have their projects get compromised and they say, ‘You know what, I don’t have the energy for this and I’m just going to deprecate the whole package,'” Eriksen said.

Kevin Beaumont, a frequently quoted security expert who writes about security incidents at the blog doublepulsar.com, has been following this story closely today in frequent updates to his account on Mastodon. Beaumont said the incident is a reminder that much of the planet still depends on code that is ultimately maintained by an exceedingly small number of people who are mostly overburdened and under-resourced.

“For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness,” Beaumont wrote on Mastodon. “For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams ‘make online shop’ into a computer and 389 libraries are added and an app is farted out. The output = if you want to own the world’s companies, just phish one guy in Skegness.”

Image: https://infosec.exchange/@GossiTheDog@cyberplace.social.

Aikido recently launched a product that aims to help development teams ensure that every code library used is checked for malware before it can be used or installed. Nicholas Weaver, a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif., said Aikido’s new offering exists because many organizations are still one successful phishing attack away from a supply-chain nightmare.

Weaver said these types of supply-chain compromises will continue as long as people responsible for maintaining widely-used code continue to rely on phishable forms of 2FA.

“NPM should only support phish-proof authentication,” Weaver said, referring to physical security keys that are phish-proof — meaning that even if phishers manage to steal your username and password, they still can’t log in to your account without also possessing that physical key.

“All critical infrastructure needs to use phish-proof 2FA, and given the dependencies in modern software, archives such as NPM are absolutely critical infrastructure,” Weaver said. “That NPM does not require that all contributor accounts use security keys or similar 2FA methods should be considered negligence.”
