frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Study confirms experience beats youthful enthusiasm

https://www.theregister.com/2026/02/07/boomers_vs_zoomers_workplace/
1•Willingham•7m ago•0 comments

The Big Hunger by Walter J Miller, Jr. (1952)

https://lauriepenny.substack.com/p/the-big-hunger
1•shervinafshar•8m ago•0 comments

The Genus Amanita

https://www.mushroomexpert.com/amanita.html
1•rolph•13m ago•0 comments

We have broken SHA-1 in practice

https://shattered.io/
1•mooreds•13m ago•1 comments

Ask HN: Was my first management job bad, or is this what management is like?

1•Buttons840•15m ago•0 comments

Ask HN: How to Reduce Time Spent Crimping?

1•pinkmuffinere•16m ago•0 comments

KV Cache Transform Coding for Compact Storage in LLM Inference

https://arxiv.org/abs/2511.01815
1•walterbell•20m ago•0 comments

A quantitative, multimodal wearable bioelectronic device for stress assessment

https://www.nature.com/articles/s41467-025-67747-9
1•PaulHoule•22m ago•0 comments

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

https://www.wsj.com/world/india/why-big-tech-is-throwing-cash-into-india-in-quest-for-ai-supremac...
1•saikatsg•22m ago•0 comments

How to shoot yourself in the foot – 2026 edition

https://github.com/aweussom/HowToShootYourselfInTheFoot
1•aweussom•23m ago•0 comments

Eight More Months of Agents

https://crawshaw.io/blog/eight-more-months-of-agents
3•archb•25m ago•0 comments

From Human Thought to Machine Coordination

https://www.psychologytoday.com/us/blog/the-digital-self/202602/from-human-thought-to-machine-coo...
1•walterbell•25m ago•0 comments

The new X API pricing must be a joke

https://developer.x.com/
1•danver0•26m ago•0 comments

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

https://rma-dashboard.bukhari-kibuka7.workers.dev/
1•bumahkib7•26m ago•0 comments

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

https://github.com/2015xli/jqassistant-graph-rag
1•artigent•31m ago•0 comments

Python Only Has One Real Competitor

https://mccue.dev/pages/2-6-26-python-competitor
3•dragandj•33m ago•0 comments

Tmux to Zellij (and Back)

https://www.mauriciopoppe.com/notes/tmux-to-zellij/
1•maurizzzio•34m ago•1 comments

Ask HN: How are you using specialized agents to accelerate your work?

1•otterley•35m ago•0 comments

Passing user_id through 6 services? OTel Baggage fixes this

https://signoz.io/blog/otel-baggage/
1•pranay01•36m ago•0 comments

DavMail Pop/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway

https://davmail.sourceforge.net/
1•todsacerdoti•36m ago•0 comments

Visual data modelling in the browser (open source)

https://github.com/sqlmodel/sqlmodel
1•Sean766•38m ago•0 comments

Show HN: Tharos – CLI to find and autofix security bugs using local LLMs

https://github.com/chinonsochikelue/tharos
1•fluantix•39m ago•0 comments

Oddly Simple GUI Programs

https://simonsafar.com/2024/win32_lights/
1•MaximilianEmel•39m ago•0 comments

The New Playbook for Leaders [pdf]

https://www.ibli.com/IBLI%20OnePagers%20The%20Plays%20Summarized.pdf
1•mooreds•40m ago•1 comments

Interactive Unboxing of J Dilla's Donuts

https://donuts20.vercel.app
1•sngahane•41m ago•0 comments

OneCourt helps blind and low-vision fans to track Super Bowl live

https://www.dezeen.com/2026/02/06/onecourt-tactile-device-super-bowl-blind-low-vision-fans/
1•gaws•43m ago•0 comments

Rudolf Vrba

https://en.wikipedia.org/wiki/Rudolf_Vrba
1•mooreds•43m ago•0 comments

Autism Incidence in Girls and Boys May Be Nearly Equal, Study Suggests

https://www.medpagetoday.com/neurology/autism/119747
1•paulpauper•44m ago•0 comments

Wellness Hotels Discovery Application

https://aurio.place/
1•cherrylinedev•45m ago•1 comments

NASA delays moon rocket launch by a month after fuel leaks during test

https://www.theguardian.com/science/2026/feb/03/nasa-delays-moon-rocket-launch-month-fuel-leaks-a...
2•mooreds•45m ago•0 comments
Open in hackernews

Malware in PostHog NPM packages

11•roskoalexey•2mo ago
I know many of us use a really excellent PostHog service, but it seems their latest version of `posthog-js` NPM package contains malware.

Reported to their security channel, also reported to NPM, but also wanted to raise awareness here.

Update: It seems all their NPM packages have the same problem

Update 2: https://status.posthog.com/

Comments

roskoalexey•2mo ago
Details:

In `package.json`, it has a script `"preinstall": "node setup_bun.js"` + files `setup_bun.js` and `bun_environment.js` which are apparently is the malware.

roskoalexey•2mo ago
Also:

It seems many of their other NPM packages also have the same problem. https://www.npmjs.com/~timgl (all published 5 hours ago)

rvz•2mo ago
This feels like an impending disaster about to be unraveled in lots of npm packages.

Looking forward to the post-mortem.

roskoalexey•2mo ago
Some more details:

1. Malware uses a "preinstall" NPM script, which is triggered upon you running `npm install`.

2. Malware installs `bun`.

3. Then it installs and starts `trufflehog` (a tool for scanning code for secrets, API keys, passwords, etc.).

nextaccountic•2mo ago
One more reason to run pnpm. Or better yet, deno
sakce•2mo ago
Thank you for flagging this - we are actively working on it and will be back with an update!
kothariji•2mo ago
here is the report - https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
timgl•2mo ago
co-founder of PostHog here. It looks like we were also a victim of this attack: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

nycalexander•2mo ago
Made a package (that I needed personally), to easily reinstall all dependencies in a project using Aikido's safe guard for npm, pnpm, bun, and yarn. https://www.npmjs.com/package/eazypm