frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Tiny C Compiler

https://bellard.org/tcc/
52•guerrilla•1h ago•20 comments

You Are Here

https://brooker.co.za/blog/2026/02/07/you-are-here.html
37•mltvc•1h ago•34 comments

SectorC: A C Compiler in 512 bytes

https://xorvoid.com/sectorc.html
148•valyala•5h ago•25 comments

The F Word

http://muratbuffalo.blogspot.com/2026/02/friction.html
77•zdw•3d ago•31 comments

Speed up responses with fast mode

https://code.claude.com/docs/en/fast-mode
82•surprisetalk•5h ago•89 comments

LLMs as the new high level language

https://federicopereiro.com/llm-high/
21•swah•4d ago•13 comments

Software factories and the agentic moment

https://factory.strongdm.ai/
119•mellosouls•8h ago•232 comments

Hoot: Scheme on WebAssembly

https://www.spritely.institute/hoot/
157•AlexeyBrin•11h ago•28 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
864•klaussilveira•1d ago•264 comments

Stories from 25 Years of Software Development

https://susam.net/twenty-five-years-of-computing.html
113•vinhnx•8h ago•14 comments

GitBlack: Tracing America's Foundation

https://gitblack.vercel.app/
17•martialg•51m ago•3 comments

FDA intends to take action against non-FDA-approved GLP-1 drugs

https://www.fda.gov/news-events/press-announcements/fda-intends-take-action-against-non-fda-appro...
29•randycupertino•58m ago•29 comments

Show HN: A luma dependent chroma compression algorithm (image compression)

https://www.bitsnbites.eu/a-spatial-domain-variable-block-size-luma-dependent-chroma-compression-...
21•mbitsnbites•3d ago•1 comments

Al Lowe on model trains, funny deaths and working with Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
73•thelok•7h ago•13 comments

First Proof

https://arxiv.org/abs/2602.05192
75•samasblack•7h ago•57 comments

Brookhaven Lab's RHIC concludes 25-year run with final collisions

https://www.hpcwire.com/off-the-wire/brookhaven-labs-rhic-concludes-25-year-run-with-final-collis...
36•gnufx•4h ago•40 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
253•jesperordrup•15h ago•82 comments

I write games in C (yes, C) (2016)

https://jonathanwhiting.com/writing/blog/games_in_c/
156•valyala•5h ago•136 comments

Start all of your commands with a comma (2009)

https://rhodesmill.org/brandon/2009/commands-with-comma/
533•theblazehen•3d ago•197 comments

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

https://github.com/Momciloo/fun-with-clip-path
38•momciloo•5h ago•5 comments

Reinforcement Learning from Human Feedback

https://rlhfbook.com/
98•onurkanbkrc•10h ago•5 comments

Selection rather than prediction

https://voratiq.com/blog/selection-rather-than-prediction/
19•languid-photic•3d ago•5 comments

Italy Railways Sabotaged

https://www.bbc.co.uk/news/articles/czr4rx04xjpo
71•vedantnair•1h ago•55 comments

The AI boom is causing shortages everywhere else

https://www.washingtonpost.com/technology/2026/02/07/ai-spending-economy-shortages/
212•1vuio0pswjnm7•12h ago•323 comments

72M Points of Interest

https://tech.marksblogg.com/overture-places-pois.html
42•marklit•5d ago•6 comments

A Fresh Look at IBM 3270 Information Display System

https://www.rs-online.com/designspark/a-fresh-look-at-ibm-3270-information-display-system
52•rbanffy•4d ago•14 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
129•videotopia•4d ago•40 comments

Coding agents have replaced every framework I used

https://blog.alaindichiappari.dev/p/software-engineering-is-back
273•alainrk•10h ago•452 comments

France's homegrown open source online office suite

https://github.com/suitenumerique
649•nar001•9h ago•284 comments

Microsoft account bugs locked me out of Notepad – Are thin clients ruining PCs?

https://www.windowscentral.com/microsoft/windows-11/windows-locked-me-out-of-notepad-is-the-thin-...
51•josephcsible•3h ago•67 comments
Open in hackernews

Show HN: VSCan - Detect Malicious VSCode Extensions

https://vscan.dev/
52•shadow-ninja•7mo ago
Did you know that VSCode extensions run with full access to your system—including file system, network, and credentials? Worse, dozens of malicious extensions have already made it into the marketplace, silently compromising devices.

I am a security researcher and student developer who ran into this problem myself. To help tackle this, I built a 100% free tool (no login required) that scans VSCode (and Cursor/Windsurf) extensions for:

- Hidden malware and obfuscated code

- Dangerous permissions and API misuse

- Vulnerable dependencies and suspicious network connections

Users have already found hundreds of vulnerabilities in extensions. VSCan generates a clean, developer-friendly security report to help you understand what you're installing.

Try it out: https://www.vscan.dev

I have also developed custom sandboxing security architecture to restrict extensions from malicious activity during runtime. There is no existing technology that does this, so if you would be interested in trying it out or learning more, please reach out!

I would greatly appreciate any feedback and thanks for your help!

_______________________________________________________________________________

Here are some numbers as to what I have detected from a sample of 1077 extensions that are available on the Marketplace:

- 3 extensions are marked as malicious by VirusTotal - 7 extensions use malicious network connections (verified by VirusTotal) - 33 extensions have dependencies with critical vulnerabilities - 39 extensions have sensitive information (I have seen api keys, usernames, passwords, etc.) - 204 extension have poor development practices as marked by OSSF - 71 extensions have very high permissions (while not bad can be indicator of potential malicious activity)

As an example here is the link to an extension analysis with malicious network endpoints: https://vscan.dev/?analysisId=9e6c1849-3973-402b-a4ff-3b4023...

Comments

Groxx•7mo ago
It is beyond madness and well into "intentionally negligent" to release a plugin system without a permissions model in, like, the last 20 years. Can't believe people aren't up in arms about how wide open vscode and similar things are, particularly now that docker is widespread.

Thanks for building a scanner! I wish it wasn't necessary :/

Sytten•7mo ago
IDK, I have built a plugin system myself. It is very hard to have a plugin system that is both powerful, versatile and sandboxed. Like with with anything you can pick 2. Most of the plugins I use in vscode like prettier, rust analyzer, etc all need file access and process spawn. So if you sandbox it they would all need max access anyway which kind of defeats the purpose.
airstrike•7mo ago
Sure but it would be nice to differentiate the permissions given to rust-analyzer and, say, "TODO Highlight"
Groxx•7mo ago
There is an enormous amount of space between "it must be written in lua for safety" and "leftpad can upload your entire hard drive and then ransom it back to you".

Right now we have the latter.

notnullorvoid•7mo ago
There's a big difference between max access and giving permission to run a specific binary which itself has no restrictions.

The difference does matter less when the binary and plugin are produced by the same group or individual though.

greggsy•7mo ago
It’s not entirely unreasonable for VSCode to implement and enforce the same user acceptance controls that are currently ubiquitous on mobile platforms.
sunilagrawal•7mo ago
That's concerning. What is Microsoft doing about it? Have you contacted them?
1oooqooq•7mo ago
honestly, expecting safe software from Microsoft is like expecting a private browser from an advertising company .... oh.
rafaelgoncalves•7mo ago
lol, so true, and that both are really good malware attack vectors (chrome/vscode extensions, etc.)
CGamesPlay•7mo ago
You should definitely show the vulnerabilities you found on the front page, instead of showcasing low scores given to popular extensions. Claiming that "rust-analyzer" is "High Risk" is a strong turn-off from me thinking your service is useful (why? because it contains shell commands in the form of "taskDefinitions", and because it uses a dependency to parse ANSI sequences that hasn't received a commit in the past 90 days).
shadow-ninja•7mo ago
Thanks for the feedback. I am constantly trying to refine the scoring metrics to make sure that these popular extensions that often need high permissions aren't flagged as a lower score than they should receive. It is a bit difficult though as higher permissions do indicate a higher potential for abuse so its a balancing act. As for showcasing the vulnerabilities that's a good idea I'll definitely implement.
meander_water•7mo ago
Nice work! This has actually been an open feature request since 2018 [0]. I've been wanting something like this for a while.

[0] https://github.com/microsoft/vscode/issues/52116

ruined•7mo ago
i wish the detail links on each analysis tile were real links, instead of some apparently weird javascript. seems broken in firefox

it would also be nice if i could expand all the analysis detail at once, instead of just one section at a time.

shadow-ninja•7mo ago
Hm all the links seem to work for me on chrome. Could you let me know which specific link isn't working (is it just for that extension or for all extensions?).

I restricted it to one expanded at a time since more than one felt a bit crowded but that's something I might look into.

ruined•7mo ago
the main green button on every item
whalesalad•7mo ago
Using this is kind of a pain in the butt (looking thru all installed extensions and pasting in the raw name one by one). Could this be packaged as an extension itself, that scans other extensions? Or provide a CLI command to export all of your installed extensions as a list, which you can then upload? Or better, a one liner that will export your extensions to stdin, POST them to your API, and it will return a URL that you can click and load in the browser to explore the breakdown of (potential) issues.
shadow-ninja•7mo ago
Thanks for the suggestion. I was thinking about making this into a chrome web extension that people can use on a marketplace page or even using MCP to make this tool really accessible for Cursor and Windsurf users.

As for the raw name, most extensions should work if you just put the display name. The search algorithm directly pulls from the vscode marketplace.

whalesalad•7mo ago
I have 70 extensions installed though. Turns out there is a cli flag to print them, though: "code --list-extensions"

If you update your UI to accept a "bulk analyze" mode where a list of newline extensions could be submitted and rendered out on a page, that would be pretty cool.

shadow-ninja•7mo ago
Oh yeah that's a really good idea. That would make it much easier for someone to use, though that many extensions would take a while. I would need to build up some more robust architecture before I could implement that.
tonymet•7mo ago
vscodevim got 71/100 high risk. That's a pretty common one.
dlalchandani•7mo ago
Finally we have something like this. This is very good work
staticshock•7mo ago
I'd love a version of this where I can paste my full list of extensions, instead of a box where I can only paste one. The latter is tedious, so I'm not that likely to do it.
xsc•7mo ago
A lot of directions you could take this. Free/Commercial. Thoughts?

Would be interesting to get more details on the sandbox.

bilalq•7mo ago
I applaud the idea and love that you made this freely available without bolting on a SaaS subscription on top of it.

However, I always roll my eyes when I see high severity risk in dependency chains due to ReDoS vulnerabilities. Sure, it matters for a web server maybe, but code running in a CLI tool, browser app, VSCode extension, or even a serverless lambda runtime really won't be affected much. More often than not, I find the `npm audit` risk classifications to be nonsense.

0points•7mo ago
I'm having a hard time seeing the value of this scoring. It seems to automatically give bad scores out of some heurestics involving executing shell commands?

Take for example:

streetsidesoftware.code-spell-checker, 14.5M installs,

Score 81 out of 100.

Major scoring factor is "Contributes functionality via 'terminal'."

It seems to me that this will give wildly inaccurate scores.

ensemblehq•7mo ago
This is really cool and I can see a ton of opportunities to leverage this in the enterprise. Using the scanner, does it scan what's on the marketplace as opposed to what's already installed?

I think someone had already mentioned that it would be useful to have this as an extension to scan existing installed extensions but would there be a way to scan just prior to extension installation?

gerardosuarez•7mo ago
This is awesome. I would love to prove it, but your page (vscan.dev) is broken. One qq, why is this tool closed-source? I think that to achieve the community trust in tools like this one, it would be great if this could be open-source. Maybe you can monetize it as an open-core model.