
Hardship, hashtags combined to fuel Nepal's violent response to social media ban

https://theconversation.com/how-hardships-and-hashtags-combined-to-fuel-nepals-violent-response-t...
1•rntn•2m ago•0 comments

Exposing the Dark Side of America's AI Data Center Explosion [video]

https://www.youtube.com/watch?v=t-8TDOFqkQA
1•mgh2•3m ago•0 comments

Breaking down the breathtaking visual effects of Chrono Trigger [video]

https://www.youtube.com/watch?v=JLONKDud51k
1•marc_omorain•5m ago•0 comments

Measuring the environmental impact of delivering AI at Google Scale [pdf]

https://services.google.com/fh/files/misc/measuring_the_environmental_impact_of_delivering_ai_at_...
1•doener•6m ago•0 comments

How to Burst the Israeli Bubble

https://www.theguardian.com/us-news/ng-interactive/2025/sep/14/how-to-burst-the-israeli-bubble
3•NomDePlum•7m ago•0 comments

The West is buried under red tape

https://www.ft.com/content/484d8c2a-b61d-42f1-9d57-5d2d8c83c6d3
1•arbuge•8m ago•1 comments

Eye drops could replace glasses or surgery for longsightedness, study says

https://www.theguardian.com/society/2025/sep/14/eye-drops-could-replace-glasses-surgery-longsight...
1•giuliomagnifico•8m ago•0 comments

What Caused Democrats' No-Show Problem in 2024?

https://www.thenation.com/article/politics/democratic-nonvoters-policy-preferences/
2•rawgabbit•9m ago•1 comments

The AI Doomers Are Losing the Argument

https://www.bloomberg.com/news/articles/2025-09-12/the-ai-doomers-are-losing-the-argument
1•thm•10m ago•0 comments

The teens behind RedSnapper: a smart Arduino-powered prosthetic arm

https://blog.arduino.cc/2025/08/21/meet-the-teens-behind-redsnapper-a-smart-arduino-powered-prost...
2•PaulHoule•10m ago•0 comments

Library of Time

https://libraryoftime.xyz/
2•japaget•11m ago•0 comments

A U.S.-China tech tie is a big win for China because of its population advantage

https://gabrielweinberg.com/p/a-us-china-tech-tie-is-a-big-win
1•paulpauper•12m ago•0 comments

Meh Superpowers, or Not?

https://jovex.substack.com/p/meh-superpowers-or-not
1•paulpauper•12m ago•0 comments

Howl, after Allen Ginsberg (for the AI-headed hipsters)

https://statmodeling.stat.columbia.edu/2025/09/10/howl-after-allen-ginsberg-for-the-ai-headed-hip...
1•paulpauper•13m ago•0 comments

Ask HN: Is there an easy connector between MongoDB and Postgres?

2•singlepaynews•13m ago•0 comments

The Day-Long, Repeating GRB 250702B: A Unique Extragalactic Transient

https://iopscience.iop.org/article/10.3847/2041-8213/adf8e1
1•Stratoscope•14m ago•1 comments

Defending Amateur Radio Spectrum: The AST SpaceMobile Battle Continues

https://www.openresearch.institute/2025/09/12/defending-amateur-radio-spectrum-the-ast-spacemobil...
2•upofadown•14m ago•0 comments

Machines of Loving Grace

https://www.darioamodei.com/essay/machines-of-loving-grace
1•ibobev•14m ago•0 comments

Norway, the Capital of Electric Cars, Is Turning to Electric Planes

https://www.nytimes.com/2025/09/14/business/energy-environment/norway-electric-plane-green-energy...
1•bookofjoe•16m ago•1 comments

South Africa 'aims to be self-sufficient across nuclear value chain'

https://world-nuclear-news.org/articles/south-africa-aims-self-sufficient-across-nuclear-value-chain
1•mpweiher•19m ago•0 comments

The Perl Programming Language in 2025 (FOSS book)

https://github.com/cloudstreet-dev/The-PERL-Programming-Language/blob/main/01-why-perl-still-matt...
2•DavidCanHelp•23m ago•0 comments

Medics in southern Gaza sound alarm over wave of newly displaced Palestinians

https://www.theguardian.com/world/2025/sep/14/southern-gaza-nasser-medics-displaced-palestinians-...
5•hebelehubele•25m ago•0 comments

Where did DNSSEC go wrong?

https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/
2•fanf2•25m ago•0 comments

Musicolour.art

https://musicolour.art/
1•gdss•29m ago•1 comments

AI Use Is Being Driven by People Who Understand It the Least

https://www.wsj.com/tech/ai/ai-adoption-study-7219d0a1
1•jonbaer•31m ago•1 comments

Show HN: I made an app that solves movie discovery

https://movieloop.eu/
1•AljazHisoft•37m ago•1 comments

Oklch()

https://developer.mozilla.org/en-US/docs/Web/CSS/color_value/oklch
3•redbell•38m ago•0 comments

Search for organizations and people that have paid Supreme Court justices

https://projects.propublica.org/supreme-connections/
3•mooreds•39m ago•0 comments

LM Studio subreddit has been hacked

https://old.reddit.com/r/LMStudio/
1•aquir•39m ago•1 comments

Tag2upload in the first month of Debian forky

https://diziet.dreamwidth.org/20143.html
2•Bogdanp•40m ago•0 comments

PyPI mirror proxy that injects code and bypasses pip hash verification

https://github.com/dtmsecurity/badpie
1•gzer0•2h ago

Comments

zahlman•1h ago
Yes, if you control the index, you can lie to pip about what the package's hash should be. This is why you have to opt in to using a different index, and why the connection to PyPI has been properly secured since forever (https://github.com/pypa/pip/issues/425 ; note the date).

Once pip supports installation from a PEP 751 lockfile (should be very soon, by my understanding), presumably this won't work, unless the lockfile is already compromised.

The clearly AI-generated README is also confused about how this works. It claims:

> Intercepts package index requests and rewrites URLs to point to the malicious mirror

but it's actually implementing a malicious mirror by forwarding requests to PyPI and then serving a modified version of the PyPI result. "Preserves and updates SHA256 hashes for modified packages" is also an incoherent description; preserving something and modifying it are mutually incompatible.
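The distinction zahlman draws above (an index can lie about a package's hash, but a hash the client already holds cannot be lied about) is easy to model offline. The following is an added example, not code from the badpie repository, from pip, or from the commenter: a toy PEP 503 simple-index page whose link carries a `#sha256=` fragment, a proxy that appends a payload to the artifact and rewrites that fragment so page and file stay self-consistent, and a client that verifies either against the index's fragment (the unpinned case) or against a hash it pinned earlier (a `--hash=` line in a requirements file or a hash recorded in a PEP 751 lockfile). The wheel bytes, package name, and payload are all constructed for the demo.

```python
"""Model of index-supplied vs client-pinned hash verification.

Added example; not the badpie or pip implementation. The "wheel" is a few
constructed bytes rather than a real zip, and the index page is a one-link
stand-in for a PEP 503 simple-API response.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed upstream artifact (a real wheel is a zip; this is just bytes).
UPSTREAM_WHEEL = b"PK\x03\x04 fake wheel contents: demo-1.0-py3-none-any.whl"
FILENAME = "demo-1.0-py3-none-any.whl"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simple_index_page(filename: str, data: bytes) -> str:
    """Stand-in for a PEP 503 page: the only hash a client can learn from the
    index is the fragment on the link, which the index itself controls."""
    return f'<a href="/files/{filename}#sha256={sha256_hex(data)}">{filename}</a>'


@dataclass
class Index:
    """An index (honest or hostile): the page it serves and the files behind it."""
    page: str
    files: Dict[str, bytes]


def honest_index(filename: str, data: bytes) -> Index:
    return Index(simple_index_page(filename, data), {filename: data})


def malicious_mirror(upstream: Index, filename: str, payload: bytes) -> Index:
    """Proxy that forwards upstream content, appends a payload to the artifact,
    and rewrites the link fragment so the modified file still "verifies"
    against the hash the mirror advertises."""
    tampered = upstream.files[filename] + payload
    return Index(simple_index_page(filename, tampered), {filename: tampered})


def index_fragment_hash(page: str, filename: str) -> str:
    m = re.search(re.escape(filename) + r"#sha256=([0-9a-f]{64})", page)
    if m is None:
        raise ValueError("no sha256 fragment on the index page")
    return m.group(1)


def install(index: Index, filename: str,
            pinned_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Client download plus verification.

    Without a pin, the expected hash comes from the index page, so a mirror
    that rewrites both file and fragment passes. With a pin (requirements
    --hash= or a PEP 751 lockfile hash), the index's claim is never consulted.
    """
    data = index.files[filename]
    actual = sha256_hex(data)
    expected = pinned_sha256 or index_fragment_hash(index.page, filename)
    if actual != expected:
        return False, f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, actual


def requirements_line(name: str, version: str, data: bytes) -> str:
    """The pip syntax that pins a hash client-side; install it with
    `pip install --require-hashes -r requirements.txt`."""
    return f"{name}=={version} --hash=sha256:{sha256_hex(data)}"


def demo() -> Dict[str, bool]:
    upstream = honest_index(FILENAME, UPSTREAM_WHEEL)
    pin = sha256_hex(UPSTREAM_WHEEL)  # recorded earlier from the genuine artifact
    mirror = malicious_mirror(upstream, FILENAME, b"\n# constructed injected payload")
    return {
        "upstream_unpinned": install(upstream, FILENAME)[0],
        "mirror_unpinned": install(mirror, FILENAME)[0],      # passes: mirror's own hash
        "upstream_pinned": install(upstream, FILENAME, pin)[0],
        "mirror_pinned": install(mirror, FILENAME, pin)[0],   # fails: pin predates the mirror
    }


if __name__ == "__main__":
    print(requirements_line("demo", "1.0", UPSTREAM_WHEEL))
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'REJECTED'}")
```

The usable takeaway is the last two cases: `--require-hashes` with hashes generated from artifacts you fetched from the real index (or a lockfile produced the same way) is what defeats a rewriting mirror, whereas trusting whatever `#sha256=` the configured index advertises only protects against corruption in transit, not against the index itself. The pin must of course be obtained before the mirror is in the path; a lockfile generated through the mirror records the tampered hash, which is the "unless the lockfile is already compromised" caveat above.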