frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Discuss – Do AI agents deserve all the hype they are getting?

4•MicroWagie•3h ago•1 comments

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

48•UmYeahNo•1d ago•30 comments

LLMs are powerful, but enterprises are deterministic by nature

3•prateekdalal•7h ago•5 comments

Ask HN: Non AI-obsessed tech forums

28•nanocat•18h ago•25 comments

Ask HN: Ideas for small ways to make the world a better place

18•jlmcgraw•21h ago•21 comments

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

44•Invictus0•1d ago•11 comments

Ask HN: Who wants to be hired? (February 2026)

139•whoishiring•5d ago•520 comments

Ask HN: Who is hiring? (February 2026)

313•whoishiring•5d ago•514 comments

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

2•netfortius•16h ago•1 comments

AI Regex Scientist: A self-improving regex solver

7•PranoyP•22h ago•1 comments

Tell HN: Another round of Zendesk email spam

104•Philpax•2d ago•54 comments

Ask HN: Is Connecting via SSH Risky?

19•atrevbot•2d ago•37 comments

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

18•jchung•2d ago•13 comments

Ask HN: Why LLM providers sell access instead of consulting services?

5•pera•1d ago•13 comments

Ask HN: How does ChatGPT decide which websites to recommend?

5•nworley•1d ago•11 comments

Ask HN: What is the most complicated Algorithm you came up with yourself?

3•meffmadd•1d ago•7 comments

Ask HN: Is it just me or are most businesses insane?

8•justenough•1d ago•7 comments

Ask HN: Mem0 stores memories, but doesn't learn user patterns

9•fliellerjulian•2d ago•6 comments

Ask HN: Is there anyone here who still uses slide rules?

123•blenderob•4d ago•122 comments

Kernighan on Programming

170•chrisjj•5d ago•61 comments

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

2•guhsnamih•1d ago•4 comments

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

5•wewewedxfgdf•1d ago•3 comments

Ask HN: Any International Job Boards for International Workers?

2•15charslong•18h ago•2 comments

We built a serverless GPU inference platform with predictable latency

5•QubridAI•2d ago•1 comments

Ask HN: Does a good "read it later" app exist?

8•buchanae•3d ago•18 comments

Ask HN: Have you been fired because of AI?

17•s-stude•4d ago•15 comments

Ask HN: Anyone have a "sovereign" solution for phone calls?

12•kldg•4d ago•1 comments

Ask HN: Cheap laptop for Linux without GUI (for writing)

15•locusofself•3d ago•16 comments

Ask HN: How Did You Validate?

4•haute_cuisine•2d ago•6 comments

Ask HN: OpenClaw users, what is your token spend?

14•8cvor6j844qw_d6•4d ago•6 comments
Open in hackernews

Ask HN: Who else got pwned by the Next.js RCE?

12•whycombinetor•2mo ago
I'm a little embarrassed, but not sure what I could have done differently other than reading the Saturday email from GCP with the nondescript subject "New Advisory Notification". Ten hours later, GCP instance suspended due to crypto mining. Now looking at the disk image, it installed something at ~/nxt/ , installed a monero miner at ~/c3pool/ , and added several systemctl services to run these on startup. BRB, killing this machine with fire... This makes me think I should be running everything in Docker, even simple small stuff that "shouldn't" have any potential security issues.

Fortunately this machine wasn't anything important for me and there was no sensitive data to exfil beyond AI API keys. But I imagine there's other orgs that just got catastrophically, irrecoverably pwned.

What's your story?

(RCE context: https://news.ycombinator.com/item?id=46136026 )

Comments

samdoesnothing•2mo ago
I'm sure a lot of people and companies got pwned and they aren't going to disclose it. There are chrome extensions that passively polls sites for the vulnerability, and since the vulnerability is so simple to exploit and leaves virtually no trace...

My gut feeling is that we are going to be feeling the consequences of simultaneous enshittification of software, the mounting complexity of our systems, and AI enslopification combine to create far more vulnerabilities in the future. The only defence is to adopt simple systems and software.

yellow_lead•2mo ago
I don't use Next.js but I'm curious as well. My impression was that most people run it under Vercel who patches quickly, but maybe that's not the case.
aosaigh•2mo ago
You had to patch manually
aosaigh•2mo ago
This might be a hot take, but I feel like the blurring of lines between back-end and front-end apps with platforms like Vercel will lead to more and more of these exploits. I’m an experienced full-stack dev and I’m constantly confused as to “where I am” in a Next code base. Server? Client? Edge? Proponents might say “that’s the point - you don’t have to worry about there you are, it’s one code base” but these sort of issues indicate otherwise.

All platforms can be exploited I guess, but I still wonder at the complexity of the platforms we now rely on and whether it’s justified.

codingdave•2mo ago
That touches on why I never pursued server-side React in any form. It seemed to twist what was a clean break between layers into spaghetti. I totally get that it solves other problems, but it always felt to me more like trying to force React to be something it was not. The better strategy seemed to me to use React on sites where users can handle the bulk of a front-end React app, and don't use it elsewhere.

Specific to security, keeping React 100% client-side keeps things simple: Don't trust the front-end.

brazukadev•1mo ago
> All platforms can be exploited I gues

React did not have this kind of security vulnerability in 10 years. The Vercel/NextJS/RSC rugpull is responsible for that and the people that made those changes should be named. The lack of shared governance is abysmal.