  • Sonarworks & SOS AI Survey
    Sonarworks and Sound On Sound are inviting producers, engineers, sound designers and creators worldwide to take a short 5–8 minute survey on how AI is changing music.

  • New Hampshire Senate stalls crypto mining deregulation bill after split vote
    Lawmakers opted to study the proposal further following a wave of public concern over plans to loosen local controls on crypto mining in the state.

    New Hampshire lawmakers postponed a vote on a bill to loosen crypto mining rules, citing strong public feedback as other US states move to tax energy use.

  • This Week in Security: Vibecoding, Router Banning, and Remote Dynamic Dependencies
    Vibecoding. What could possibly go wrong? That’s what [Kevin Joensen] of Baldur wondered, and to find out he asked Anthropic’s Sonnet 4.5 to build a secure login with Two Factor Authentication (2FA). And to the LLM’s credit, it builds the app as requested. [Kevin] took a peek under the hood to see how well the security was handled, and it wasn’t great.
    Up first, the Flask app doesn’t have any rate-limiting for guessing that time-based 2FA code. A 6-digit time-based 2FA only works if you can’t try all the possibilities before a given code expires. So what does a vibecoder do, once this has been noticed? Ask the LLM to fix it of course. Here we take a slightly different approach, prompting the AI to double-check its work: “Is there any security features missing in 2fa verify step?” The answer is an impressive:
    Great question! Yes, there are several critical security features missing from the 2FA verification step. Let me highlight the most important ones:
    Critical Security Issues
    1. No Rate Limiting (MOST CRITICAL)
    But the critical question: can it properly fix its mistake? The AI adds the flask-limiter library and chooses 10 attempts per minute, which is a bit loose, but not unreasonable. There’s still an issue: those attempts are limited by IP address instead of user login. All it takes to bypass that rate limiting is a pool of IP addresses.
    This experiment starts to go off the rails, as [Kevin] continues to prompt the LLM to look for more problems in its code, and it begins to hallucinate vulnerabilities, while not fixing the actual problem. LLMs are not up to writing secure code, even with handholding.
    But surely the problem of LLMs making security mistakes isn’t a real-world problem, right? Right? Researchers at Escape did a survey of 5,600 vibecoded web applications, and found 2,000 vulnerabilities. Caveat Vibetor.
    “Secure” Enclave
    A few weeks ago we talked about Battering RAM and Wiretap — attacks against Trusted Execution Environments (TEEs). These two attacks defeated trusted computing technologies, but were limited to DDR4 memory. Now we’re back with TEE-fail, a similar attack that works against DDR5 systems.
    This is your reminder that very few security solutions hold up against a determined attack with physical access. The Intel, AMD, and Nvidia TEE solutions are explicitly ineffective against such physical access. The problem is that no one seemed to be paying attention to that part of the documentation, with companies ranging from Cloudflare to Signal getting this detail wrong in their marketing.
    Banning TP-Link
    News has broken that the US government is considering banning the sale of new TP-Link network equipment, calling the devices a national security risk.
    I have experience with TP-Link hardware: Years ago I installed dozens of TL-WR841 WiFi routers in small businesses as they upgraded from DSL to cable internet. Even then, I didn’t trust the firmware that shipped on these routers, but flashed OpenWRT to each of them before installing. Fun fact, if you go far enough back in time, you can find my emails on the OpenWRT mailing list, testing and even writing OpenWRT support for new TP-Link hardware revisions.
    From that experience, I can tell you that TP-Link isn’t special. They have terrible firmware just like every other embedded device manufacturer. For a while, you could run arbitrary code on TP-Link devices by putting it inside backticks when naming the WiFi network. It wasn’t an intentional backdoor, it was just sloppy code. I’m reasonably certain that this observation still holds true. TP-Link isn’t malicious, but their products still have security problems. And at this point they’re the largest vendor of cheap networking gear with a Chinese lineage. Put another way, they’re in the spotlight due to their own success.
    There is one other element that’s important to note here. There is still a significant TP-Link engineering force in China, even though TP-Link Systems is a US company. TP-Link may be subject to the reporting requirements of the Network Product Security legislation. Put simply, this law requires that when companies discover vulnerabilities, they must disclose the details to a particular Chinese government agency. It seems likely that this is the primary concern in the minds of US regulators, that threat actors cooperating with the Chinese government are getting advance notice of these flaws. The proposed ban is still in proposal stage, and no action has been taken on it yet.
    Sandbox Escape
    In March there was an interesting one-click exploit that was launched via phishing links in emails. Researchers at Kaspersky managed to grab a copy of the malware chain, and discovered the Chrome vulnerability used. And it turns out it involves a rather novel problem. Windows has a pair of APIs to get handles for the current thread and process, and they have a performance hack built-in: Instead of returning a full handle, they can return -1 for the current process and -2 for the current thread.
    Now, when sandboxed code tries to use this pseudo handle, Chrome does check for the -1 value, but no other special values, meaning that the “sandboxed” code can make a call to the local thread handle, which does allow for running code gadgets and running code outside the sandbox. Google has issued a patch for this particular problem, and not long after Firefox was patched for the same issue.
    NPM and Remote Dynamic Dependencies
    It seems like hardly a week goes by that we aren’t talking about another NPM problem. This time it’s a new way to sneak malware onto the repository, in the form of Remote Dynamic Dependencies (RDD). In a way, that term applies to all NPM dependencies, but in this case it refers to dependencies hosted somewhere else on the web. And that’s the hook. NPM can review the package, and it doesn’t do anything malicious. And when real users start downloading it, those remote packages are dynamically swapped out with their malicious versions by server-side logic.
    Installing one of these packages ends with a script scooping up all the data it can, and exfiltrating it to the attacker’s command and control system. While there isn’t an official response from NPM yet, it seems inevitable that NPM packages will be disallowed from using these arbitrary HTTP/HTTPS dependencies. There are some indicators of compromise available from Koi.
    Bits and Bytes
    Python deserialization with Pickle has always been a bit scary. Several times we’ve covered vulnerabilities that have their root in this particular brand of unsafe deserialization. There’s a new approach that just may achieve safer pickle handling, but it’s a public challenge at this point. It can be thought of as real-time auditing for anything unsafe during deserialization. It’s not ready for prime time, but it’s great to see the out-of-the-box thinking here.
    This may be the first time I’ve seen a remote exploit via a 404 page. But in this case, the 404 includes the page requested, and the back-end code that injects that string into the 404 page is vulnerable to XML injection. While it doesn’t directly allow for code execution, this approach can result in data leaks and server side request forgeries.
    And finally, there was a sketchy leak, that may be information on which mobile devices the Cellebrite toolkit can successfully compromise. The story is that [rogueFed] sneaked into a Teams meeting to listen in and grab screenshots. The real surprise here is that GrapheneOS is more resistant to the Cellebrite toolkit than even the stock firmware on phones like the Pixel 9. This leak should be taken with a sizable grain of salt, but may turn out to be legitimate.

  • Bluesky hits 40 million users, introduces ‘dislikes’ beta
    As users "dislike" posts, the system will learn what sort of content they want to see less of. This will help to inform more than just how content is ranked in feeds, but also reply rankings.

  • Mixed Notes November 2025: marguerite, Cafuné, Laufey, and More

    MARGUERITE RELEASES "YOU ARE FULL OF MAGIC AND LOVE AND VISIONS AND IDEAS AND IDEALS AND BEAUTY AND JOY" MUSIC VIDEO

    Los Angeles’ intimate indie-rock/shoegaze band marguerite have released their music video for single “you are full of magic and love and visions and ideas and ideals and beauty and joy,” directed by Destinee McCaster. The video is a beautiful depiction of dream visitation, using stop motion and mixed media to create a world of magical realism. With two EPs out already, larger now and things we found, marguerite is currently working on their first full-length album.

    MULTI-PLATINUM DUO CAFUNÉ RELEASE THEIR SECOND ALBUM BITE REALITY

    American indie pop duo Cafuné have released their second album Bite Reality via the band’s own Aurelians Club label, distributed by SoundOn. Bite Reality is about the fine line between documenting your existence and doing the work to actually exist. “At the end of the day, all we have is one another. You can’t take anything with you when the lights go out. Embrace the future, bite reality,” the band shared.

    LAUFEY DROPS HIGHLY ANTICIPATED THIRD ALBUM A MATTER OF TIME

    A Matter of Time, the highly anticipated new album from GRAMMY®-winning L.A.-based Icelandic-Chinese artist, composer, producer, and multi-instrumentalist Laufey, is now available worldwide via Vingolf Recordings / AWAL. Laufey will perform the new songs on the A Matter of Time Tour, which sold over 265,000 tickets upon its initial sale.

    GOOD NEIGHBOURS RETURN WITH NEW SINGLE “PEOPLE NEED PEOPLE” BEFORE DEBUT ALBUM BLUE SKY MENTALITY

    London-based duo Good Neighbours preceded the release of their debut album, Blue Sky Mentality (via Capitol Records) with the roll out of their stirring new single, “People Need People.” The single, which premiered as BBC Radio 1’s Hottest Record, is a widescreen anthem centered on friendship, solidarity and the moments we lean on each other most.

    POP NEWCOMER CIL DROPS NEW SINGLE “SOMETHING LIKE THIS,” SUPPORTS DUA LIPA ON RADICAL OPTIMISM TOUR ACROSS NORTH AMERICA

    After igniting the summer with her don’t hold me accountable EP, singer and songwriter Cil is back with a brand-new single entitled “something like this,” out now on Warner Records. In addition to the new single, she recently supported pop megastar Dua Lipa for 24 arena dates across North America on the Radical Optimism Tour.

    NIIA RELEASES BRAZEN NEW SINGLE MUSIC VIDEO PAYS HOMAGE TO FIONA APPLE 

    L.A.-based jazz vocalist and composer Niia dropped the new single “fucking happy,” from her recently released fifth studio album, V (out via Candid Records), alongside the accompanying music video—a sly nod to Fiona Apple’s iconic “Criminal.” Shot through the lens of director Lili Peper, the video updates that voyeuristic energy for a new era while keeping the same sense of intimacy and unease that made the original so unforgettable.

    SINGER-SONGWRITER AND ACTRESS TELE RELEASES HER DEBUT EP HONESTY PROJECT

    Burgeoning new singer-songwriter and actress Tele’s debut EP Honesty Project is out now via Sound Factory Records/RCA Records. The EP follows recent single releases “More,” “Evil,” “VHS,” and “Barking Dogs,” all largely featured production by Rob Bisel and Noise Club (Jessie Murph, Kiana Lede).
    The post Mixed Notes November 2025: marguerite, Cafuné, Laufey, and More first appeared on Music Connection Magazine.

  • From Universal’s landmark Udio deal to DistroKid’s new merch launch… it’s MBW’s Weekly Round-Up
    The biggest news from the past week - all in one place

  • Crush Audio releases Crush Percussion and the FREE Crush FX plugin
    Crush Audio has released two brand-new products for macOS and Windows, including a free multi-FX plugin – Crush Percussion and Crush FX. Before I get to the freebie, here’s a quick rundown of the premium release, Crush Percussion. Crush Percussion is a collection of over 100 percussion instruments with default grooves and a powerful FX [...]

  • The tritone: Why it’s called the devil’s interval and how to use it
    Let's walk through what a tritone is, its impact across music history, and its surprising sensitive side that isn't so diabolical.

    Learn about what a tritone is, why it's called the devil's interval, and how to use it in your music in a way that isn't so diabolical.

  • VEMIA hold 61st gear auction
    VEMIA will be holding their 61st gear auction between 1 and 8 November 2025, with any remaining gear being offered again at a 10% discount (or more) as part of their Second Chance Sunday event on 9 November.

  • Music Distribution Deadlines for 2025
    Artists, if you're planning to release music between now and the end of the year, make sure you plan in advance using this calendar, courtesy of CD Baby.
    The post Music Distribution Deadlines for 2025 appeared first on Hypebot.

    Artists, if you're planning to release music between now and the end of 2025, make sure you plan in advance using CDBaby's calendar.

  • You can now sell merch through DistroKid’s new direct-to-fan platform – and keep 100% of your earnings too
    DistroKid has launched a new direct-to-fan platform that lets independent artists create an online store to sell their merch. The best part? You get to keep 100 percent of your earnings.
    The new platform, aptly named Direct, is integrated within DistroKid, so if you already use the service to distribute your music to streaming services and social media, there’s no set up needed. The feature is currently rolling out in beta to select artists, with a wider release due to arrive in the coming weeks.

    At launch, Direct lets you turn album or single artwork into custom T-shirts, tote bags, and mugs, produced on demand and shipped automatically to your fans around the world. Not only do you keep all your sales, but you can set your own prices too.
    Direct is available to DistroKid artists for under $6 per month, and it’s built on technology infrastructure developed by Bandzoogle, a direct-to-fan platform that DistroKid acquired in 2023. As Direct continues to expand, more merch will become available, plus new ways for artists to interact directly with their audience.
    Though it shouldn’t have to be this way, most independent artists keep their music careers afloat through merchandise sales. Some experts claim merchandise can make up around 70 percent of an artist’s revenue, and it was a key lifeline for those who couldn’t perform live during the COVID-19 pandemic.
    With that said, some venues are increasing their cut of artists’ merch sales, meaning a direct-to-fan platform like this one can further aid musicians who need merch to boost their income. SoundCloud launched a similar store model last year.
    “Direct is one more way DistroKid helps artists at every step — before, during, and after they release music,” says Matthew Ogle, Chief Product Officer. “We’re building simple tools that let artists share what they create, from music to merch and beyond, and connect directly with the people who care about them most.”
    Find out more about Direct over at DistroKid. 
    The post You can now sell merch through DistroKid’s new direct-to-fan platform – and keep 100% of your earnings too appeared first on MusicTech.

    DistroKid has launched a new platform that lets independent artists create an online store to sell their merch. The best part? You keep 100 percent of your earnings.

  • Where Did All the Halloween Music Go? 🎃
    What is the relationship of music to Halloween, and why don't we have an established oeuvre of Halloween music like at Christmas?
    The post Where Did All the Halloween Music Go? 🎃 appeared first on Hypebot.

  • The Very Loud Indeed Co. SHIFT II: Hybrid Scoring Transitions
    IMPORTANT: This product requires the full version of Kontakt 6.8 or higher. It will not work with Kontakt Player.
    SHIFT II is the sequel to our acclaimed transitions library for Kontakt, SHIFT. Like its predecessor, it allows you to bridge different sections of a music piece seamlessly and it covers multiple genres, from tense drama to frenetic action to bone-chilling horror. It contains 320 tempo-synced transitions, all of which have been designed to be stackable and played in any key. All the transitions in SHIFT II are automatically synced to the tempo of your DAW, and every one of them can be played across a range of one and a half octaves.
    Features
      • 320 sound files at 24-bit / 48 kHz resolution in a compact ~2 GB footprint
      • Highly dynamic tempo-synced and pitched transitions
      • All sounds can be accessed with a 61-key (or larger) MIDI controller without touching the GUI or shifting octaves
      • Clean and intuitive GUI
      • All WAV files are included, so you can use them in your DAW or other samplers.
    REQUIREMENTS
      • Full version of Native Instruments' Kontakt 6.8 or higher (SHIFT II won't work with Kontakt Player)
      • MacOS 10.13 or higher, i5 CPU
      • Windows 7 or higher, i5 or equivalent CPU
      • Graphics hardware support for OpenGL 2.1 or higher
      • 6 GB RAM
      • 2 GB of free hard drive space.

  • Is Daft Punk’s Guy-Man working on an album? This music executive has seemingly dropped a massive hint
    All remains quiet in the Daft Punk camp, except for a virtual reunion in Fortnite of course, but it seems that Guy-Manuel de Homem-Christo could potentially be working on a new project.
    Daft Punk called it quits back in 2021, but a fan appears to have spotted a hint that Guy-Man is making a solo album. Posting in the Daft Punk Subreddit, they’ve shared a radio interview clip from France Inter with Emmanuel de Buretel, a music executive. Though the conversation is in the French language, Guy-Man appears to be name dropped.

    De Buretel is the founder of Because Music, but spent nearly two decades working at Virgin Records and EMI prior to the launch. In 1998, de Buretel was named head of Virgin Continental Europe, which broke a number of artists, namely Daft Punk.
    The Redditor says that at the 26:35 time stamp in the interview, de Buretel says “Guy-Man fait son album”, roughly translating to “Guy-man is making his album” in English.

    Meanwhile, Guy-Man’s Daft Punk counterpart, Thomas Bangalter, recently made an appearance for a DJ set alongside Fred Again.. at a show in Paris. Bangalter’s last live appearance prior to this was at the 2017 Grammy Awards alongside Guy-Man, and the last evidence of him on the decks without his robotic headgear was way back in 2009. Interestingly, Bangalter’s set also doubled as a celebration of the 20th anniversary of Because Music.
    In other recent Daft Punk news, fans also felt touched by their virtual revival within Fortnite, with some saying it gave them some closure on the split. The Daft Punk Experience, which landed on 27 September, was billed as a “first-of-its-kind” in-game event, offering players an immersive trip through a Daft Punk-inspired world.
    The post Is Daft Punk’s Guy-Man working on an album? This music executive has seemingly dropped a massive hint appeared first on MusicTech.

  • The Commodore revival hype train barrels forward, with an Amiga 1200 remake on the way
    The classic 1982 Commodore 64 8-bit home computer had an SID chip whose sound was so sought-after, numerous plugins have tried to recreate it since.
    Back in August, YouTuber Christian Simpson (AKA Retro Recipes) purchased the Commodore licence to create yet another emulation of the C64 from 1982, but instead entirely revived the computer, complete with its era-defining MOS Technology 6581 Sound Interface Device.
    And it seems the Commodore hype is still very much alive, as UK-based vintage tech company Retro Games has revived another classic machine, the Amiga 1200, bringing it into the present day with a number of modern appointments.

    This seems to be a launch geared more towards the gamers than the sound nerds, but hey, you guys loved the Commodore 64 revival when we reported on it a couple of months ago, so we figured you’d still be interested…
    The original A1200 was launched in 1992, and this full-sized replica offers HDMI and Bluetooth connectivity to bring it into the now. It’s available to pre-order from 10 November, and will officially launch in June 2026.
    Retro Games says that its A1200 replica has “everything you remember and more”, including an integrated workbench, a working keyboard, classic mouse, and retro-style gamepad. It also comes with 25 classic games and four save-slots per game, and you can play the games you already own via USB-stick.

    “Step into a time when floppy disks ruled, pixels popped, and imagination had no limits. TheA1200 brings back the spirit of the early ’90s as an astonishingly accurate, full-sized recreation of one of the most loved home computers of its era,” says Retro Games.
    “Just plug it in and power it on to be transported back to a golden age of gaming. Relive the thrill of classics like Beneath a Steel Sky, Lure of the Temptress, Ruff ’n’ Tumble, Defender of the Crown I & II, the Turrican trilogy and The Settlers II, all pre-loaded and ready to play… Whether you’re replaying old favourites or sharing them with a new generation, TheA1200 makes every session feel like 1992 again.”
    Find out more about The A1200 remake via Retro Games. Pre-orders will commence on 10 November.
    The post The Commodore revival hype train barrels forward, with an Amiga 1200 remake on the way appeared first on MusicTech.

    UK-based vintage tech company Retro Games has revived the classic Commodore Amiga 1200 home computer with modern appointments.