How to hack Discord, Vercel and more with one easy trick

https://kibty.town/blog/mintlify/
178•todsacerdoti•1mo ago

Comments

ddtaylor•1mo ago
See also https://news.ycombinator.com/item?id=46317098
llmslave2•1mo ago
This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow gets big name customers who don't properly vet the security of the platform, ship a massive vulnerability that could pwn millions of users and the person who reports the vulnerability gets...$5k.

If I recall last week Mintlify wrote a blog post showcasing their impressive(ly complicated) caching architecture. Pretending like they were doing real engineering, when it turns out nobody there seems to know what they're doing, but they've managed to convince some big names to use them.

Man, it's like everything I hate about modern tech. Good job Eva for finding this one. Starting to think that every AI startup or company that is heavily using gen-ai for coding is probably extremely vulnerable to the simplest of attacks. Might be a way to make some extra spending money lol.

subscribed•1mo ago
You bet not all THW vulnerabilities are reported to the vendors. Not with 5k bounty for THAT.
guizadillas•1mo ago
Yeah it made me re-evaluate how much I can trust those platforms
llmslave2•1mo ago
Yeah, that's the scary thing. I know it's a bit of a meme about how as programmers we don't trust other programmers or software, but it's becoming more and more true and necessary. I want to use as little software as possible these days.
dfc•1mo ago
THW?
gruez•1mo ago
> This feels so emblematic of our current era. VC funded vibe coded AI documentation startup somehow ...

Is there any indication Mintlify was "vibe coded"?

llmslave2•1mo ago
I'm giving them the benefit of the doubt, as the alternative would be that their developers are completely incompetent. The vulnerability is the equivalent of letting a user save HTML to a database and then injecting it into every page completely unsanitized.
agosta•1mo ago
Mintlify had a blacklist in place to not allow them to do this with most file types. Someone failed to add SVG to it. It's not like they weren't thinking about security. The challenge with security, as you know, is it's only as strong as its weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopardize the org. But even a competent person can make a crucial mistake.
anonymous908213•1mo ago
> The challenge with security, as you know, is it's only as strong as its weakest link. It only takes one ignorant/incompetent person in an entire organization to jeopardize the org.

This statement could not be further from the truth. Your organization itself is completely incompetent if one ignorant employee can compromise it. The "swiss cheese" safety memetic is widely understood and basically common sense; in an actually competent organization, no single person has sole responsibility for success or failure of a process, and it takes individual failures at multiple levels to result in process failure.
esseph•1mo ago
I agree with you in theory.

In practice, I've never known a single organization to hit that bar. Ever.

pmontra•1mo ago
A whitelist is safer than a blacklist. Unfortunately you risk losing those customers that won't be able to load their media, won't contact support, will use a different service.
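To make the blacklist-vs-whitelist point concrete (the blacklist that forgot SVG above, and pmontra's point that an allowlist is safer), here is an added example that is not code from Mintlify or from the linked write-up. The sample uploads and the lists are constructed; the point is that a denylist accepts anything nobody thought of, while an allowlist requires both a known extension and matching magic bytes.

```python
import os

# Constructed sample uploads (not taken from the page).
PNG_UPLOAD = ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SVG_UPLOAD = ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg">'
                          b"<script>/* active content */</script></svg>")
# Same SVG bytes, but renamed to look like a PNG.
SVG_AS_PNG = ("logo.png", SVG_UPLOAD[1])

# Denylist of "dangerous" extensions. As in the thread, .svg is missing:
# SVG is XML that browsers render and that may carry script.
DENYLIST = {".html", ".htm", ".xhtml", ".js"}


def denylist_accepts(filename: str) -> bool:
    """Denylist check: anything not explicitly banned gets through."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


# Allowlist: extension must be known AND the file must start with the
# signature for that type, so a renamed SVG is rejected as well.
ALLOWLIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def allowlist_accepts(filename: str, data: bytes) -> bool:
    """Allowlist check: unknown types and mismatched content are rejected."""
    sig = ALLOWLIST.get(os.path.splitext(filename)[1].lower())
    return sig is not None and data.startswith(sig)


def triage(uploads):
    """Return {filename: (denylist verdict, allowlist verdict)} per upload."""
    return {name: (denylist_accepts(name), allowlist_accepts(name, data))
            for name, data in uploads}


if __name__ == "__main__":
    for name, verdicts in triage([PNG_UPLOAD, SVG_UPLOAD, SVG_AS_PNG]).items():
        print(f"{name}: denylist={verdicts[0]} allowlist={verdicts[1]}")
```

The denylist lets both the .svg and the renamed SVG through; only the genuine PNG passes the allowlist.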
sofixa•1mo ago
> It's not like they weren't thinking about security

https://kibty.town/blog/mintlify/

The first CVE here definitely sounds like they absolutely weren't thinking about security.

agosta•1mo ago
Chill - just because someone got hacked doesn't mean their product is trash. Easily every mass adopted product created prior to 2023 has been hacked at some point.
fao_•1mo ago
That makes it worse, not better. Because for those applications the code was audited and not hallucinated.
sofixa•1mo ago
> Chill - just because someone got hacked doesn't mean their product is trash

Yes, but the vulnerabilities reported in this collection of articles really smell like trash. Allowing untrusted code from your customers to be executed in a shared environment with no isolation is like, extremely amateurish.

scratchee•1mo ago
A similar comment was posted on the PostHog post yesterday. Claiming everything is vibe coded without any proof is pure rage bait.
tptacek•1mo ago
This is identical to a comment you wrote on the other story about these vulnerabilities that's higher up on the front page, which isn't great.
brazukadev•1mo ago
Why did you post the same comment twice? This is not Reddit, my friend.
sans_souse•1mo ago
$5k is such a small payout for this sort of finding.
arcwhite•1mo ago
It's actually pretty on-par for most bug bounties. They used the same exploit on a few programs and got $11k total which ain't bad return on time.
sans_souse•1mo ago
No, I know it's on par. I guess a better rephrasing would be: the par is still too low.
arcwhite•1mo ago
Compared to what? What's your baseline for how much a user-interaction-required XSS vulnerability should be worth?
sans_souse•1mo ago
I'm not basing it on math.

Are you saying tho that 2.5k would have been adequate in 2019? I expect 5k would have been on par then too. But idk

ChrisArchitect•1mo ago
Related:

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

https://news.ycombinator.com/item?id=46317098

ollybee•1mo ago
How is a company like Mintlify getting so many big name customers for what appears to be a static site generator + hosting? Is there some secret sauce I'm missing, what is the value proposition?
tommica•1mo ago
Convenience and developer uncertainty. I fall prey to the "it's paid, so it must be better" fallacy, and the "they know what they are doing, they are pros" illogicality.
josegonzalez•1mo ago
Lots of these companies are YC companies, and they tend to use other YC products. For those that aren't, it's easier to just use what other big names are using, and having YC as a backing name is quite useful in that regard.
zeroq•1mo ago
fun fact: last BigCo I worked in had an elaborate architecture/security bar for new applications/features but offered a clever workaround - you could use a pre-approved solution and skip numerous quality checks and approvals, so every single PO was pushing for that specific solution.

The result? A static HTML site with a 500 ppl audience was billing a whopping 2k EUR a month, because that was the cost of that pre-approved architecture.

Best part - I was championing a company wide solution for that problem for over a year, which resulted in a board level special operation with a 100k budget, only to get that budget snagged by people a couple of steps above on the ladder.

sofixa•1mo ago
I genuinely don't know, especially for Vercel to be using them. Vercel themselves can easily be used to host static-ish documentation.

But it looks like Mintlify are using Vercel on the backend: https://vercel.com/blog/mintlify-scaling-a-powerful-document...

So it's just a Vercel wrapper?

frandroid•1mo ago
> alongside, we can poison the nextjs cache for everyone for any site,

What??

sigseg1v•1mo ago
Isn't this actually XSRF and worse than XSS?

Also, if users can run arbitrary JS on someone else's server then what stops them from doing CPU-bound work such as crypto miners?

sigseg1v•1mo ago
SSRF* sorry typo
vjay15•1mo ago
Wow, it felt like they were playing around lol
rampatra•1mo ago
Wow, this is interesting; however, the reward seems way too low to me.