Hackerbot-Claw: AI Bot Exploiting GitHub Actions – Microsoft, Datadog Hit So Far

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
9•varunsharma07•1h ago

Comments

varunsharma07•1h ago
We analyzed an autonomous bot (hackerbot-claw) that's actively scanning GitHub repos for exploitable Actions workflows. It hit Microsoft, DataDog, a CNCF project, and awesome-go (140k stars) achieving RCE in 4 out of 5 targets and exfiltrating a GITHUB_TOKEN. Full breakdown of the 5 attack techniques with evidence.
aperi•1h ago
safe to say the root cause is bad PRs (untrusted)?
varunsharma07•1h ago
The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.

These attacks only work when maintainers opt into dangerous patterns without guardrails.
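
A defensive check for the three patterns named in the comment above, added here as an example; it is not part of the thread or the linked report. The `audit` function and both sample workflows are constructed for illustration, and the check uses text heuristics rather than a YAML parser.

```python
import re

# Constructed sample workflows (not from the thread or the linked report).
RISKY = """\
on:
  pull_request_target:
  issue_comment:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.head_ref }}"
"""
SAFE = """\
on:
  issue_comment:
jobs:
  build:
    if: contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - env:
          BODY: ${{ github.event.comment.body }}
        run: echo "$BODY"
"""
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(head_ref|event\.(pull_request\.(title|body"
                       r"|head\.ref)|comment\.body|issue\.(title|body)))\b")
FORK_REF = re.compile(r"ref:\s*\$\{\{\s*github\.(head_ref|event\.pull_request\.head\.(sha|ref))\b")

def audit(workflow: str) -> list[str]:  # text heuristics; block-style `on:` triggers assumed
    findings = []
    if re.search(r"^\s*pull_request_target\s*:", workflow, re.M) and FORK_REF.search(workflow):
        findings.append("pull_request_target checks out fork code")
    if re.search(r"^\s*issue_comment\s*:", workflow, re.M) and "author_association" not in workflow:
        findings.append("issue_comment without author_association check")
    run_col = None  # column of the current `run:` key, None when outside a run step
    for n, line in enumerate(workflow.splitlines(), 1):
        if re.match(r"\s*(?:-\s+)?run:", line):
            run_col = line.index("run:")
        elif run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None  # dedent: the run block has ended
        if run_col is not None and UNTRUSTED.search(line):
            findings.append(f"line {n}: untrusted expression in run step")
    return findings

if __name__ == "__main__":
    print(audit(RISKY), audit(SAFE))
```

The hardened sample passes the comment body through an environment variable, so the shell receives it as data, and it gates the job on `author_association`.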
