frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Climate simulator 'brings weather into the lab'

https://www.bbc.com/news/articles/cqjq2e5gd8wo
1•Bluestein•1m ago•0 comments

Autocoder.cc – The first full stack vibe coding tool

https://www.autocoder.cc/
1•Sharon_Q•2m ago•1 comments

Elon Musk's Tesla to open first India store in Mumbai on July 15

https://www.thehindu.com/business/elon-musks-tesla-to-open-first-india-store-in-mumbai-on-july-15/article69798935.ece
1•Bluestein•2m ago•0 comments

METR's AI productivity study is good

https://www.seangoedecke.com/impact-of-ai-study/
1•ingve•4m ago•0 comments

Transition to using 16 KB page sizes for Android apps and games

https://android-developers.googleblog.com/2025/07/transition-to-16-kb-page-sizes-android-apps-games-android-studio.html
1•ingve•7m ago•0 comments

The remarkable rise of an Australian deputy mayor to a plum job

https://www.smh.com.au/national/the-remarkable-rise-of-an-australian-deputy-mayor-to-a-plum-trump-job-20250711-p5me60.html
1•KnuthIsGod•7m ago•0 comments

Sipgate discovers null-pointer-dereference in Mediatek VoLTE stack firmware

https://www.sipgate.de/blog/sipgate-discovers-null-pointer-dereference-in-mediatek-volte-stack-firmware
2•todsacerdoti•11m ago•0 comments

Zero-Click Calendar Exfiltration Reveals MCP Security Risk in 11.ai

https://repello.ai/blog/zero-click-calendar-exfiltration-reveals-mcp-security-risk-in-11-ai
1•Dachande663•14m ago•0 comments

Claude Code is now a Bun single-file executable

https://twitter.com/jarredsumner/status/1943492457506697482
1•tosh•17m ago•0 comments

I built a Steam plugin for Dify (now listed on the official plugin marketplace)

https://marketplace.dify.ai/plugins/bdim/steam
1•bdim404•17m ago•1 comments

Apple vs the Law

https://formularsumo.co.uk/blog/2025/apple-vs-the-law/
2•tempodox•21m ago•0 comments

The Yellow Milkmaid Syndrome – paintings with identity problems

https://pro.europeana.eu/post/the-yellow-milkmaid-syndrome-paintings-with-identity-problems
1•thunderbong•23m ago•0 comments

Europe's first HPC ARM processor lands at TSMC

https://www.heise.de/en/news/Europe-s-first-HPC-ARM-processor-lands-at-TSMC-10483298.html
1•doener•25m ago•0 comments

Implement a robust multi-rate-limit throttling using Rails

https://www.prateekcodes.dev/implementing-api-throttling-multiple-endpoints-rails/
1•prateekkish•27m ago•0 comments

Foundation Models of Behavioral Data from Wearables Improve Health Predictions

https://arxiv.org/abs/2507.00191
1•tosh•30m ago•0 comments

Show HN: Gamified AI Tutor for School Students

https://www.edzy.ai/
1•gparashar•31m ago•0 comments

Are LLMs starting to become sentient?

https://garymarcus.substack.com/p/are-llms-starting-to-become-a-sentient
3•Duanemclemore•32m ago•2 comments

Gut microbes could protect us from toxic 'forever chemicals'

https://www.cam.ac.uk/research/news/gut-microbes-could-protect-us-from-toxic-forever-chemicals
1•timthorn•32m ago•0 comments

Mastering Postgres Replication Slots

https://www.morling.dev/blog/mastering-postgres-replication-slots/
1•gunnarmorling•33m ago•0 comments

Local Hole

https://en.wikipedia.org/wiki/Local_Hole
1•benbreen•34m ago•0 comments

GenAI Processors: Build powerful and flexible Gemini applications

https://developers.googleblog.com/en/genai-processors/
27•tzury•39m ago•0 comments

Show HN: Send RSS Feeds to Kobo E-reader

https://my.kobuddy.app/feeds
1•No-Arugula5818•39m ago•0 comments

Solar is EU’s biggest power source for the first time ever in June 2025

https://ember-energy.org/latest-updates/solar-is-eus-biggest-power-source-for-the-first-time-ever-in-june-2025/
4•pentacent_hq•40m ago•3 comments

OpenFront: Realtime Risk-like multiplayer game in the browser

https://openfront.io/
4•thombles•43m ago•0 comments

Ask HN: How to Create Data Flow Diagrams?

2•shivajikobardan•51m ago•0 comments

An almost catastrophic OpenZFS bug and the humans that made it

https://despairlabs.com/blog/posts/2025-07-10-an-openzfs-bug-and-the-humans-that-made-it/
4•r4um•1h ago•0 comments

Unusual USAF and Space Force Drills Near Taiwan

https://www.newsweek.com/us-air-force-department-level-exercise-indo-pacific-china-war-2097031
1•burnt-resistor•1h ago•1 comments

Ask HN: I built what I feel is a great API, but I'm stuck figuring out GTM

1•jdbohrman•1h ago•0 comments

GPS Accuracy Comparison

https://old.reddit.com/r/bicycling/comments/1lwqzcj/epic_gps_accuracy_comparison/
2•dkga•1h ago•1 comments

A Postgres Mystery: The SIGTERMs do nothing!

https://clickhouse.com/blog/sigterm-postgres-mystery
7•pradeepchhetri•1h ago•0 comments
Open in hackernews

Offical XRP NPM package has been compromised and key stealing malware introduced

https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
55•flxga•2mo ago

Comments

MichealCodes•2mo ago
Cryptocurrency packages used at scale should have wallet decoys setup for early detection of vulnerabilities like this.
nailer•2mo ago
Red teaming this, you’d delay exfiltration of the private key until the balance passes beyond a certain amount and you’re on mainnet.
ohgr•2mo ago
I see the model of "download any old shit off the internet and run it in production" is working out so well.
nailer•2mo ago
I don’t have much opinion of XRP but this is their official package, not a community package.
tobyhinloopen•2mo ago
Fun fact: installing some common starter packages will explode to install over a 1000 npm packages, each of them can inject malware, even if the package isn’t used, and you’ll never know.

Many packages will have over a 100 dependencies if you include the dev dependencies, so you can easily break a 1000.

mouse_•2mo ago
That is a very fun fact.
nailer•2mo ago
Yes that is how dependencies work.
poincaredisk•2mo ago
The crazy part here is that in most other ecosystems 100 dependencies is "crazy high" territory, and in JS it's apparently "we're just getting started". It's known for its approach to micropackaging everything in a separate library.
greatgib•2mo ago
The crazy thing is more that multiple versions of the same package could be installed as dependencies of dependencies...

They were thinking to be the cool kids supporting multiple versions and that the old way to do packaging, like debian and co that expects everyone to use the same version, was the old legacy fart way to do things.

Just, developers before were engineers first and so designed things well especially to avoid this situation of dependency hell and supply chain injection. But the web dev crowd decided to do "better" and now to have old problems as new problems...

nailer•2mo ago
npm design allows multiple versions of the same package if required, but deduplicates otherwise. It’s a smart design that more package managers should and will follow.

Smart developers spend their time working on original code rather than rewriting the wheel.

nailer•2mo ago
Yes. It’s an engineering failure to have multiple copies of the same logic. That isn’t specific to JavaScript.
tough•2mo ago
does the postinstall script step has anything to do with this?

i noticed bun doesn't run them by default unless you whitelist them

koolba•2mo ago
That fetch(…) is sending the mnemonic of the private key out to that remote server.

Interestingly if this is happening in a long running process and that exploit server is offline, the promise for the fetch will reject. And the default behavior for unhandled promise rejections would be for the node process to crash.

So if anybody tried testing this version of the library in a net gapped environment, it would crash and fail out in CI.

The attacker should have silenced the error with a .catch(_ => {}).

mschuster91•2mo ago
> Previously only the packed JavaScript code had been modified.

Honestly it's time for the npm ecosystem to move to a model where only build agents running on npm's own infrastructure can upload binary artifacts, or to mandate reproducible builds.

And for a select set of highly used packages, someone from NPM should be paid to look over each release's changeset.

Both would have massively impeded the attacker.

mindcrash•2mo ago
Official and thorough support for SBOM* within major package repositories can not come sooner.

* https://en.wikipedia.org/wiki/Software_supply_chain

abhisek•2mo ago
We run similar npm package monitors. The use of exotic tld domains such as 0x9c.xyz kind of gave it away because YARA Forge rules have native signatures to detect such domains.

It will be interesting t explore how the project got compromised and malicious packages published to the registry.

nailer•2mo ago
.xyz isn’t exotic for blockchains.