frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

NASA's request to the private sector for plans for commercial space stations

https://sam.gov/workspace/contract/opp/19a8a55c066441ef891e33bac770dd9d/view
1•ohjeez•1m ago•0 comments

Vessel

https://claude.ai/public/artifacts/2c647671-3f94-4d22-b3c1-f2b5a0e17b6e
1•schwarzarno•6m ago•0 comments

Proton now using 100% Chinese LLM's – drops European and US

https://old.reddit.com/r/BuyFromEU/comments/1up518w/proton_now_using_100_chinese_llms_drops_europ...
3•doener•8m ago•0 comments

Speechify's Simba 3.2 API takes the #1 spot on Artificial Analysis Speech Arena

https://artificialanalysis.ai/text-to-speech/leaderboard/selected-voice
2•lukeocodes•8m ago•0 comments

Joseph Brant

https://en.wikipedia.org/wiki/Joseph_Brant
1•vinnyglennon•9m ago•0 comments

Commits · antirez/ds4 glm5.2 branch

https://github.com/antirez/ds4/commits/glm5.2/
1•tingletech•11m ago•0 comments

Generating Dynamic Open Graph Images on Cloudflare Workers

https://vinayakkulkarni.dev/articles/dynamic-og-images-on-cloudflare-workers/
1•vinayakkulkarni•12m ago•0 comments

Not everything should cost a token: the case for deterministic AI

https://www.vybe.build/blog/learn-what-not-to-tokenize
1•marwann•18m ago•0 comments

Show HN: L9gpu – GPU telemetry that ties each GPU to the K8s pod or Slurm job

https://github.com/last9/gpu-telemetry
2•nishantmodak•20m ago•0 comments

OpenSSH 10.4/10.4p1 Released

https://www.openssh.org/txt/release-10.4
3•throw0101a•21m ago•2 comments

Elon Musk promotes 'anti-migrant' Armie Hammer film with free download on X

https://www.theguardian.com/film/2026/jun/30/elon-musk-anti-migrant-armie-hammer-film-free-downlo...
3•croes•22m ago•1 comments

Claude and Codex and Grok: my current workflow and its friction

https://www.nativesoul.dev/
1•fillipecordeiro•23m ago•0 comments

X509-limbo: testvectors and tooling for evaluating X.509 path validation

https://x509-limbo.com/
2•sscaryterry•23m ago•0 comments

Acronym Fatigue Series Introduction: why I'm wary of acronyms

https://devz.cl/posts/acryonym-fatigue-series-why-i-m-wary-of-engineering-acronyms/
1•DanielVZ•24m ago•0 comments

I'm adding QR Codes on my cables

https://old.reddit.com/r/homelab/comments/1upbg07/im_adding_qr_codes_on_my_cables/
2•andresribeiro•25m ago•1 comments

Poly/ML – A Standard ML Implementation

https://github.com/polyml/polyml
2•Lyngbakr•26m ago•0 comments

What is the oldest American object ever launched into space?

https://arstechnica.com/space/2026/07/whats-the-oldest-americana-flown-in-space/
2•Bender•30m ago•0 comments

Kremlin suspected of flying drones over Europe using Russian shadow fleet

https://arstechnica.com/gadgets/2026/07/kremlin-suspected-of-flying-drones-over-europe-using-russ...
2•Bender•30m ago•0 comments

FCC to end Biden-era rule that forces ISPs to list all their fees

https://arstechnica.com/tech-policy/2026/07/fcc-to-end-biden-era-rule-that-forces-isps-to-list-al...
5•Bender•31m ago•0 comments

The White Crip - Tyler Corcoran (video)

https://www.youtube.com/watch?v=IbHiO5s7_1w
1•mellosouls•32m ago•0 comments

A Stargate for Data: What do we do after we run out of internet to train on?

https://twitter.com/willdepue/status/2074178395462848800
1•fredrickd•35m ago•0 comments

Agency and Sphexishness

https://www.lesswrong.com/posts/Ctkm5YXzdhKK3kdXs/agency-and-sphexishness-a-second-glance
1•CGMthrowaway•36m ago•0 comments

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

https://www.itnews.com.au/news/microsoft-device-telemetry-key-to-unmasking-alleged-scattered-spid...
3•CGMthrowaway•36m ago•0 comments

Show HN: Schwifty – quickly find and reuse previously executed commands

https://github.com/vanesterik/schwifty
1•bakkerinho•41m ago•0 comments

The Day Cryptography Changed Forever

https://21ideas.org/en/gf/genesis-intro/
1•kehiy•44m ago•0 comments

How little exercise can you get away with?

https://www.economist.com/science-and-technology/2026/07/03/how-little-exercise-can-you-get-away-...
25•vinni2•45m ago•9 comments

What Is Project Aion? Inside Microsoft's Agentic Copilot OS

https://www.windowscentral.com/microsoft/windows-11/project-aion-copilot-os-faq
1•atan2•48m ago•0 comments

Is 'The College Board' a Nonprofit or a $1.6B Testing Monopoly?

https://www.forbes.com/sites/scottwhite/2025/05/26/the-college-board-exposed-nonprofit-or-16-bill...
3•Baljhin•50m ago•2 comments

Matrix Multiplication on Blackwell

https://www.modular.com/blog/matrix-multiplication-on-nvidias-blackwell-part-1-introduction
1•skidrow•51m ago•0 comments

Toward Better Hip Kernel Generation for AMD GPUs

https://scalingintelligence.stanford.edu/blogs/hipkernels/
1•skidrow•52m ago•0 comments
Open in hackernews

Offical XRP NPM package has been compromised and key stealing malware introduced

https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
55•flxga•1y ago

Comments

MichealCodes•1y ago
Cryptocurrency packages used at scale should have wallet decoys setup for early detection of vulnerabilities like this.
nailer•1y ago
Red teaming this, you’d delay exfiltration of the private key until the balance passes beyond a certain amount and you’re on mainnet.
ohgr•1y ago
I see the model of "download any old shit off the internet and run it in production" is working out so well.
nailer•1y ago
I don’t have much opinion of XRP but this is their official package, not a community package.
tobyhinloopen•1y ago
Fun fact: installing some common starter packages will explode to install over a 1000 npm packages, each of them can inject malware, even if the package isn’t used, and you’ll never know.

Many packages will have over a 100 dependencies if you include the dev dependencies, so you can easily break a 1000.

mouse_•1y ago
That is a very fun fact.
nailer•1y ago
Yes that is how dependencies work.
poincaredisk•1y ago
The crazy part here is that in most other ecosystems 100 dependencies is "crazy high" territory, and in JS it's apparently "we're just getting started". It's known for its approach to micropackaging everything in a separate library.
greatgib•1y ago
The crazy thing is more that multiple versions of the same package could be installed as dependencies of dependencies...

They were thinking to be the cool kids supporting multiple versions and that the old way to do packaging, like debian and co that expects everyone to use the same version, was the old legacy fart way to do things.

Just, developers before were engineers first and so designed things well especially to avoid this situation of dependency hell and supply chain injection. But the web dev crowd decided to do "better" and now to have old problems as new problems...

koolba•1y ago
That fetch(…) is sending the mnemonic of the private key out to that remote server.

Interestingly if this is happening in a long running process and that exploit server is offline, the promise for the fetch will reject. And the default behavior for unhandled promise rejections would be for the node process to crash.

So if anybody tried testing this version of the library in a net gapped environment, it would crash and fail out in CI.

The attacker should have silenced the error with a .catch(_ => {}).

mschuster91•1y ago
> Previously only the packed JavaScript code had been modified.

Honestly it's time for the npm ecosystem to move to a model where only build agents running on npm's own infrastructure can upload binary artifacts, or to mandate reproducible builds.

And for a select set of highly used packages, someone from NPM should be paid to look over each release's changeset.

Both would have massively impeded the attacker.

mindcrash•1y ago
Official and thorough support for SBOM* within major package repositories can not come sooner.

* https://en.wikipedia.org/wiki/Software_supply_chain

abhisek•1y ago
We run similar npm package monitors. The use of exotic tld domains such as 0x9c.xyz kind of gave it away because YARA Forge rules have native signatures to detect such domains.

It will be interesting t explore how the project got compromised and malicious packages published to the registry.

nailer•1y ago
.xyz isn’t exotic for blockchains.
nailer•1y ago
npm design allows multiple versions of the same package if required, but deduplicates otherwise. It’s a smart design that more package managers should and will follow.

Smart developers spend their time working on original code rather than rewriting the wheel.

nailer•1y ago
Yes. It’s an engineering failure to have multiple copies of the same logic. That isn’t specific to JavaScript.
tough•1y ago
does the postinstall script step has anything to do with this?

i noticed bun doesn't run them by default unless you whitelist them