Technical Analysis of SAP Exploit Script Used in JLR, Harrods Hacks

https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer-metadata-uploader-exploit-7b4a01b38548
8•incogitomode•4mo ago

Comments

jmclnx•4mo ago
Interesting, I worked on SAP for a few years and I expect this is just the tip of the iceberg on SAP systems :(

In recent years, we got patches (OSS Notes) almost daily.

dylan604•4mo ago
To be honest, I've never heard anyone with SAP experience who has anything good to say about it. My N value is pretty low, to be fair, but it definitely has the air of being widely disliked.
bayesnet•4mo ago
In college, I worked for a small team in a large organization that used SAP. My team tracked everything in an Excel dashboard, and I was tasked with automating data ingestion from SAP into Excel. The only tool I had available was the SAP GUI input emulation API for VBA. It was extraordinarily painful to set up and would break every time the SAP team would change the GUI to add or remove a button. Lots of fun.
Arwill•4mo ago
The only tool you knew about.
jmclnx•4mo ago
To be fair, it is almost impossible to get data out of SAP. Their "security" is all there to prevent users from doing anything useful. You have no access to the underlying database (like DB/2, Oracle); you have to use their GUI or write a custom ABAP program.

But in most cases, the functions you need to call to write data to disk are usually closed off to developers due to "security". If you have access to the database (almost impossible to get), the data for the important tables are spread throughout multiple tables with names that look like names created from /dev/urandom.

Arwill•4mo ago
I am familiar with SAP, and all that you say is only true if you don't know how to do it. I see this a lot: people who are familiar with "normal" technology try to invent ways to do things in SAP. What is wrong with writing an ABAP program, or using a provided communication/interfacing method to transfer data? If you are stuck on the GUI/files/DB level, sure, you won't be able to do anything. You can, for example, generate complete Excel files on the server, no need for the GUI. There is a running joke on SAP forums about how many times Excel file generation was invented.

Some of the cryptic table names date back to R/2, sure, but they are the de-facto standard data model for those business data. If you have business systems communicating, for example product, business partner or financial data, it will have a mark on it of how those data are handled by SAP.

But then there are CDS views (for some time now) that have long descriptive names, and metadata to help you make database queries. You are not meant to read or write database tables directly (as of some time).

jmclnx•4mo ago
Again, I will say, where I worked, due to "security" lots of items were disabled, even for developers. The only item that you could use to get data was SE17, some people (a few) were allowed to have SE16. But due to memory, getting data that way was very slow.

Also, SE16 did and may still have security issues. That was the reason for it being disabled for 99% of the users.

nneonneo•4mo ago
This is just a really bad AI summary of the script.

You may as well just pop the script (mirrored here: https://gist.github.com/nneonneo/9caabf7c9d2f94711bce005e144...) into your own AI of choice and tweak the analysis to your liking.

(Note the giveaway "likely via argparse in Python" and similar constructs; the script obviously does use argparse so there's no need for hedging)

hlieberman•4mo ago
100%, this is definitely slop.
nneonneo•4mo ago
What's extremely saddening is that I had to examine three pages of search results for the CVE number before finding a non-slop explanation of the bug. In the race to "explain" vulnerabilities and bugs (and sell their security solution), a whole ecosystem of slop sites citing other slop sites has appeared, and accurate, careful (and often slow!) technical analysis is being lost in the noise.
nneonneo•4mo ago
As far as I can tell, the exploit works like this:

`metadataupload` takes a .zip file as POST input. This endpoint can be trivially reached on any SAP instance without authentication. The .zip file can contain a .properties file, which is deserialized into a java.util.Properties instance.

Since they're using Java deserialization, it is possible to deserialize arbitrary objects. The actual exploit uses a payload generated by ysoserial (https://github.com/frohoff/ysoserial) to either execute a command directly or drop a file on the filesystem. The basic idea behind a deserialization attack is to construct an object graph such that, when deserialized, functions that run normally as part of the deserialization process end up calling arbitrary code.

Deserialization attacks are well-known in the Java world, and are very common thanks to the fact that the serializer is both easy to use and baked into the language. With a large enough codebase (or the right dependencies) you're practically guaranteed to have enough serializable types to string together an RCE.

As an example, one of the classes used in this exploit is org.apache.xalan.xsltc.trax.TemplatesImpl (https://xalan.apache.org/xalan-j/apidocs/org/apache/xalan/xs...). This class contains a serializable array of Java .class bytecodes which will be dynamically loaded if the `newTransformer` method is called; note that merely loading a Java `.class` will be enough to run arbitrary code via static constructors. Other serializable classes are used to get the `newTransformer` method to be called on the object during deserialization.

The OP post is full of nonsensical and outright incorrect fluff. This is a straightforward deserialization-to-RCE bug; the RCE is what's being used to upload arbitrary files.
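
The deserialization pattern described above, with a defensive counterpart, as an added Java example that is not part of this thread or of the analysed script: an endpoint that only ever expects a java.util.Properties can install a JEP 290 ObjectInputFilter allowlist, so that gadget classes such as TemplatesImpl are rejected before the class is even resolved. The class name SafePropertiesReader and the depth/ref/byte limits are the example's own choices.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class SafePropertiesReader {
    // JEP 290 allowlist: the expected class and its serialized superclass pass,
    // "!*" rejects every other class before it is resolved, and the limits bound
    // the size of the object graph that may be reconstructed.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.Properties;java.util.Hashtable;!*;maxdepth=5;maxrefs=1000;maxbytes=65536");

    // Vulnerable pattern: unfiltered readObject on attacker-controlled bytes.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter is installed before readObject; a class that is
    // not on the allowlist makes readObject throw InvalidClassException.
    static Properties readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return (Properties) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Properties expected = new Properties(); // constructed sample input
        expected.setProperty("app.name", "demo");
        System.out.println("filtered accepts: " + readFiltered(serialize(expected)));

        // Any class outside the allowlist stands in for a gadget payload here.
        byte[] other = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unfiltered accepts: " + readUnfiltered(other).getClass().getName());
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor in the stream, superclasses included, which is why java.util.Hashtable must be listed alongside java.util.Properties.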

Arwill•4mo ago
Who even runs NetWeaver Java AS today? Apparently some do, but that was a bad idea from the start. It is an optional server component letting Java applications run in the SAP server. In my eyes it was always an unnecessary additional source of complexity; they added it to the portfolio back when Java was the hype. Now it's been pwned by an unchecked upload.

But I know that HN does not have an appreciation for SAP anyhow.