frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Security incident disclosure – July 2026

https://huggingface.co/blog/security-incident-july-2026
15•fdb•7h ago

Comments

fdb•7h ago
Key quote:

“When we started the log analysis, we first used frontier models behind commercial APIs. This did not work: the analysis requires submitting large volumes of real attack commands, exploit payloads, and C2 artifacts, and these requests were blocked by the providers' safety guardrails, which cannot distinguish an incident responder from an attacker.“

NitpickLawyer•4h ago
Damn! That was ... fast. Both literally during the attack and in a sense of "we knew this was coming, but we now have a real-world first public case".

Some interesting tidbits:

> The campaign was run by an autonomous agent framework (appearing to be built on an agentic security-research harness - used LLM still not known) executing many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services. This matches the "agentic attacker" scenario the industry has been forecasting.

Bang tokens against a wall until something works. I really hope hf goes beyond normal disclosure and makes a lot of this public, if possible (after they rotate everything, filter PII, etc)

> The attack was initially surfaced through AI-assisted detection.

Nice. Blue vs. red in real time. Noise and "alert fatigue" have been huge problems in the past, even with high-cost solutions, so glad to see this is already improving.

> LLM-driven analysis agents over the full attacker action log, comprised of more than 17,000 recorded events. This allowed us to reconstruct the timeline, extract indicators of compromise, map the credentials touched, and separate genuine impact from decoy activity

I wonder if this was true "decoy activity" or simply the agent banging its tokens against the wall w/ some hallucinations along the way. Again, hope we get some datasets out of this.

> these requests were blocked by the providers' safety guardrails, which cannot distinguish an incident responder from an attacker.

Yeah, sadly this was also been "forseen" by a lot of people. Similar to how some things can't be processed by LLMs (studies about crime / violence / PII related stuff), this was bound to happen. I guess it's good that it happened to hf, which has an incentive to be open about this. Hopefully we get past the "the enemy will use it", and realise that the enemy is already using it, and move on to "help the blue team".

I think it's clear now that not your inference, not your tokens is obvious. You need on-prem models, even if they're below SotA.

> Autonomous, AI-driven offensive tooling is no longer theoretical. It lowers the cost of running a broad, patient, multi-stage campaign, and it operates at machine speed.

Yeah, lateral movement at agentic speed is worrying. Hopefully this leads to improved postures everywhere. Zero trust and all that. Plus, it's not clear how separated the workers were from the pod itself (was it even using containers? With the amount of LPEs out there, that seems unwise, and we might see a move towards proper virtualisation for anything touching outside data).

charcircuit•2h ago
>Autonomous, AI-driven offensive tooling is no longer theoretical. It lowers the cost of running a broad, patient, multi-stage campaign, and it operates at machine speed.

AI models definitely do not operate at "machine speed." A human can definitely be faster than these trillion parameter thinking models.

Alifatisk•2h ago
> A human can definitely be faster than these trillion parameter thinking models.

I’m thinking this can be true when the steps and muscle memory is known beforehand to the human. Otherwise we also have to stop, think and experiment for a while before we can proceed.

Ask HN: Guidelines on GPT 5.6 Sol steering

1•arizen•25s ago•0 comments

Show HN: Subrust, a no_std, no alloc Subset-of-Rust interpreter

https://github.com/orbitalhigh/subrust
1•makira•35s ago•0 comments

Capacitor: Cross-platform native runtime for web apps

https://github.com/ionic-team/capacitor
1•toilet•45s ago•0 comments

Are the LLM Wars the Database Wars?

https://rruxandra.github.io/llm-wars-database-wars.html
1•rruxandra_l•3m ago•0 comments

Amazon Builder's Library – An overlooked goldmine of System Design knowledge

https://sumitgouthaman.com/posts/amazon-builders-library/
1•equinumerous•7m ago•0 comments

I built llms.txt files to make local businesses discoverable by AI agents

https://www.kloofstreet.online/
1•businesshustle•9m ago•1 comments

The Beauty of a Stone Wall

https://www.theatlantic.com/ideas/2026/07/second-career-passion-life-meaning/687952/
1•NordStreamYacht•11m ago•1 comments

Valve Reportedly Sells 12-15K Steam Machine Units per Week

https://www.techpowerup.com/350872/valve-reportedly-sells-12-15k-steam-machine-units-per-week
2•bookofjoe•13m ago•0 comments

Substack Gateway – A REST and MCP Server for Substack

https://github.com/jakub-k-slys/substack-gateway-oss
1•jakub-k-slys•15m ago•0 comments

The Attention-Span Class Divide

https://www.theatlantic.com/ideas/2026/07/attention-span-class-divide-ballet-opera-movies/687919/
2•fortran77•16m ago•0 comments

Wortlaut

https://github.com/MKRWW/wortlaut
1•hasley•20m ago•1 comments

Ask HN: How would a lab train for SVG pelicans or other creative benchmarks?

1•smusamashah•21m ago•0 comments

Can Sticky Notes Become the New Bookmarks and Favorites for the Browser

https://chromewebstore.google.com/detail/sticky-note-web-clipper-s/gniilbpapgommpalikcclpcnbcamgila
1•taskloco_nyc•21m ago•0 comments

C Craft

http://www-cs-students.stanford.edu/~blynn/c/craft.html
2•dhotson•24m ago•0 comments

Show HN: Serverload2 – sometimes all you want is a little server load monitor

https://github.com/wojtczyk/serverload2
1•wojtczyk•25m ago•0 comments

MemoryPack: Zero encoding extreme performance binary serializer for C#

https://github.com/Cysharp/MemoryPack
1•breve•27m ago•0 comments

Gemini models are not even competing anymore, why?

1•kingleopold•27m ago•0 comments

I made a random name picker where every name becomes a tiny arena fighter

https://namebrawl.com
2•magnusl•28m ago•0 comments

Silicon Valley Has Lost Its Biggest Advantage

https://www.theatlantic.com/technology/2026/07/data-center-ai-heavy-industry/687990/
1•blondie9x•28m ago•0 comments

Tate brothers arrested in US as further UK charges take total to 59

https://www.bbc.com/news/articles/cwymly9yd33o
2•Tomte•30m ago•0 comments

xkcd's What If?

https://www.youtube.com/@xkcd_whatif
2•bookofjoe•32m ago•0 comments

WIE – A Windows x86_64 Emulator for Apple Silicon in Rust Using Cranelift

1•vlad_kalinkin•38m ago•0 comments

Study: Single-crystal nanowires of niobium arsenide may replace copper wires

https://news.cornell.edu/stories/2026/07/too-thin-fail-alternative-copper-microchip-interconnects
1•giuliomagnifico•40m ago•0 comments

I burned all my tokens researching how to save tokens

https://quesma.com/blog/custom-deep-research-pipeline/
9•bkotrys•46m ago•2 comments

Aha I don't want to lose you

https://blog.rybarix.com/2026/07/19/aha-not-lost.html
1•sandruso•52m ago•0 comments

Artificial cell with a full lifecycle has been created for the first time

https://www.theregister.com/science/2026/07/01/an-artificial-cell-with-a-full-lifecycle-has-been-...
1•GrinningFool•52m ago•1 comments

Show HN: We ranked our dev tools in Google's new AI Overviews

https://zlvox.com/blog/google-ai-overviews-2026-optimize-agentic-search
2•mraadikhokhar•56m ago•0 comments

A computer-assisted 23/33 and ε bound for the binary Goldbach exceptional set

https://goldbach-nine.vercel.app/
1•lorenzosch•59m ago•0 comments

Minecraft: Java Edition now uses SDL3

https://www.minecraft.net/en-us/article/minecraft-26-3-snapshot-4
1•ObviouslyFlamer•1h ago•0 comments

Know if a Rust rewrite is worth it (forkable business idea)

https://zozo123.github.io/rust-it-up/
1•zozo123-IB-IL2•1h ago•0 comments