frontpage.

Vercel Agent just auto-patched 800K+ projects for CVE-2025-55182 (React2Shell), which is great for stopping future attacks.But I'm curious: is anyone auditing their codebases for malicious artifacts that may have been planted during the 9-day exposure window (Dec 5-9)?

The issue: Patching updates your dependencies to remove the vulnerability. But if attackers exploited it during that window, they could have:

Injected backdoors into components or middleware Added obfuscated malicious code (eval/atob patterns) Planted crypto miners or data exfiltration hooks Modified server actions to leak credentials

Patching doesn't retroactively remove this code. Our experience: We patched immediately on Dec 9. Then spent 6 hours manually auditing our Next.js codebase and found 2 suspicious modifications we didn't write (obfuscated eval calls in middleware). What we built: An AST-based scanner to automate this. It checks for 80+ Indicators of Compromise:

Code obfuscation patterns Unauthorized network calls Modified Next.js internals Crypto mining signatures CVE-2025-55182-specific exploit artifacts

Runs in 30 seconds vs. our 6-hour manual audit. Questions for HN:

Are companies doing post-patch audits, or assuming they're clean? Is there existing tooling for this that we missed? For high-value targets (fintech, healthcare), what's the recommended approach?

We open-sourced the scanner here: [https://github.com/Alcatecablee/Neurolint-CLI/] Curious how others are approaching this, seems like a blind spot in the patching narrative.

Discrete Bayesian Sample Inference for Graph Generation

I Tried the New Android XR Smart Glasses from Google and XReal

Toggle the "Light" Switch

New benchmark shows top LLMs struggle in real mental health care

Apple Faces Scrutiny as Sanctioned Entities Slip Through App Store Controls

2025 Cacowards

EU welcomes seamless data transfer between iPhone and Android

If Dr. Seuss Danced with Nietzche – The Sneetches on the Nietzches

The boundary of copyrightability in AI-generated code under Japan and US Law

I Wish People Were More Public

"Empire of AI" is wildly misleading about AI water use

Operation Bluebird to relaunch "Twitter," says Musk abandoned the name and logo

Ask HN: Is 13" MacBook good enough without an external monitor?

Show HN: Fastest way for analysts to ship data pipelines – safely

Suno Is Changing Music's Future: Thoughts on the AI Music Generator

Publishing KOReader Highlights

Show HN: Calamari – single-host restrictive proxy (with squid)

Google Maps on iOS now remembers where you parked

Building a Self-Hosted CDN for BSD Cafe Media

"restart on excessive memory usage" experiment: discordapp

Can NASA Bring Mars Rocks Back to Earth?

Vix dev Auto-reload and rebuild loop for C++ applications

Ask HN: Outstanding packets calculation in Go-Back-N ARQ when ACK lost?

Ask HN: How can I learn smartphone repair online?

Boom Superpower: The Supersonic Tech Powering AI Data Centers

Show HN: AI that writes reports while your Team codes

Show HN: WireTyped – typed, error-first HTTP client for fetch

Interactive Network Learning Platform

Warner Bros Bidding War: Lessons on Aggregator Theory and Hostile Deal Mechanics

Font of 'wasteful' diversity: State Department orders return to Times New Roman

Ask HN: Post-CVE-2025-55182 – should we be auditing for backdoors?