Is Zig's New Writer Unsafe?

https://www.openmymind.net/Is-Zigs-New-Io-Unsafe/
54•ibobev•1h ago•25 comments

Living microbial cement supercapacitors with reactivatable energy storage

https://www.cell.com/cell-reports-physical-science/fulltext/S2666-3864(25)00409-6
24•PaulHoule•1h ago•4 comments

Images over DNS

https://dgl.cx/2025/09/images-over-dns
73•dgl•3h ago•18 comments

SCREAM CIPHER ("ǠĂȦẶAẦ ĂǍÄẴẶȦ")

https://sethmlarson.dev/scream-cipher
130•alexmolas•2d ago•66 comments

Claude Can (Sometimes) Prove It

https://www.galois.com/articles/claude-can-sometimes-prove-it
115•lairv•3d ago•25 comments

Git: Introduce Rust and announce that it will become mandatory

https://lore.kernel.org/git/20250904-b4-pks-rust-breaking-change-v1-0-3af1d25e0be9@pks.im/
125•WhyNotHugo•3h ago•62 comments

Overcoming barriers of hydrogen storage with a low-temperature hydrogen battery

https://www.isct.ac.jp/en/news/okmktjxyrvdc
39•rustoo•3h ago•30 comments

Less is safer: How Obsidian reduces the risk of supply chain attacks

https://obsidian.md/blog/less-is-safer/
425•saeedesmaili•17h ago•202 comments

Bezier Curve as Easing Function in C++

https://asawicki.info/news_1790_bezier_curve_as_easing_function_in_c
10•ibobev•1h ago•1 comments

H-1B Jobs Direct

https://guestworkervisas.com/gwv/jobs_direct.php
6•carabiner•39m ago•0 comments

MapSCII – World Map in Terminal

https://github.com/rastapasta/mapscii
42•_august•1d ago•7 comments

The dawn of the post-literate society – and the end of civilisation

https://jmarriott.substack.com/p/the-dawn-of-the-post-literate-society-aa1
41•drankl•1h ago•16 comments

Escapee pregnancy test frogs colonised Wales for 50 years

https://www.bbc.com/news/uk-wales-44886585
57•Luc•3d ago•21 comments

If all the world were a monorepo

https://jtibs.substack.com/p/if-all-the-world-were-a-monorepo
207•sebg•4d ago•59 comments

Show HN: FocusStream – Focused, distraction-free YouTube for learners

https://focusstream.media
59•pariharAshwin•7h ago•35 comments

IG Nobel Prize Winners 2025

https://improbable.com/ig/winners/
83•JeremyTheo•4h ago•27 comments

The best YouTube downloaders, and how Google silenced the press

https://windowsread.me/p/best-youtube-downloaders
436•Leftium•1d ago•183 comments

Britain jumps into bed with Palantir in £1.5B defense pact

https://www.theregister.com/2025/09/20/uk_palantir_defense_pact/
13•rntn•46m ago•1 comments

LLM-Deflate: Extracting LLMs into Datasets

https://www.scalarlm.com/blog/llm-deflate-extracting-llms-into-datasets/
36•gdiamos•8h ago•13 comments

PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows

https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
40•miketheman•3d ago•11 comments

What Makes System Calls Expensive: A Linux Internals Deep Dive

https://blog.codingconfessions.com/p/what-makes-system-calls-expensive
12•rbanffy•1h ago•1 comments

Ants that seem to defy biology – They lay eggs that hatch into another species

https://www.smithsonianmag.com/smart-news/these-ant-queens-seem-to-defy-biology-they-lay-eggs-tha...
428•sampo•1d ago•143 comments

Show HN: Zedis – A Redis clone I'm writing in Zig

https://github.com/barddoo/zedis
134•barddoo•17h ago•84 comments

Show HN: WeUseElixir - Elixir project directory

https://weuseelixir.com/
187•taddgiles•18h ago•40 comments

Hidden risk in Notion 3.0 AI agents: Web search tool abuse for data exfiltration

https://www.codeintegrity.ai/blog/notion
156•abirag•17h ago•40 comments

Compiling with Continuations

https://swatson555.github.io/posts/2025-09-16-compiling-with-continuations.html
68•swatson741•3d ago•19 comments

Feedmaker: URL + CSS selectors = RSS feed

https://feedmaker.fly.dev
148•mustaphah•18h ago•27 comments

Czech founding father Masaryk's message revealed in long-sealed envelope

https://www.nbcnews.com/world/europe/masaryk-message-revealed-envelope-czech-founding-father-rcna...
39•tim-kt•3h ago•2 comments

Supporting Our AI Overlords: Redesigning Data Systems to Be Agent-First

https://arxiv.org/abs/2509.00997
47•derekhecksher•11h ago•15 comments

Internet Archive's big battle with music publishers ends in settlement

https://arstechnica.com/tech-policy/2025/09/internet-archives-big-battle-with-music-publishers-en...
335•coloneltcb•4d ago•137 comments

PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows

https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
39•miketheman•3d ago

Comments

miketheman•3d ago
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
zahlman•3d ago
> Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.

It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.

blibble•50m ago
it's even worse than that

the CI system itself encourages you to import random third party code into your CI workflow, based on mutable tags

which then receives full privileges

the entire thing is insane

NeutralForest•49m ago
That's why I stick mostly with GitHub Actions and pin the SHA of the commits instead of the tag version.
blibble•44m ago
yes, it supports it, but it's not the default, it's a pain and fills your build file with a load of noise

so very few use it

it's not made obvious that the tag isn't immutable

although you might be happy with the contents of what you've imported right now, who says it won't be malicious in a year's time

people inadvertently give full control of their build and all their secrets to whoever controls that repository (now, and in the future)

making it easy to do the right thing is an important part of API design and building secure systems, and these CI systems fail miserably there
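One way to surface the mutable-tag problem described above is to scan workflow files for `uses:` references that are not pinned to a full commit SHA. This is an added Python check, not code from the thread or from PyPI; the sample workflow and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Matches a `uses:` step reference of the form owner/repo[/path]@ref.
# Local actions (./path) and docker:// images have no owner/repo@ref shape and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.\-/]+)@([^\s#]+)", re.MULTILINE)

# A full 40-hex commit SHA is the only immutable reference; tags and branches can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_yaml: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a tag or branch rather than a full commit SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_yaml):
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


# Constructed sample workflow (not from any real project): two steps pinned by
# mutable refs, one pinned by a placeholder 40-hex SHA.
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Run it over `.github/workflows/*.yml` in CI to fail the build when a step is not SHA-pinned; the trailing `# vN` comment convention keeps the pinned version human-readable.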

nodesocket•3d ago
While Python is more widely used than JS, it's interesting that the majority of attacks and breaches come from NPM. The consensus seems to be that Python offering a standard library greatly reduces the attack surface over JS. I tend to agree with this; a decently large Flask Python app I am working on has 15 entries in requirements.txt (many of which are Flask plugins).
Hasnep•3d ago
The large attack surface with npm is partly because of all the transitive dependencies used, which means that even if you only pull in a dozen packages directly, you're also using hundreds of other packages. Running `pip freeze` will list a lot of transitive dependencies as well, but I'm sure it'll be less than an equivalent JS project.
zahlman•2d ago
The most important packages in the Python world don't have a lot of their own dependencies. Numpy has none, for example. The bulk of Numpy is non-Python code and interfaces/wrappers for that; the standard library isn't AFAIK pulling a whole lot of weight there.
nwellnhof•1h ago
Numpy depends on BLAS and LAPACK.
milkshakes•1h ago
While those are obviously huge dependencies, I think the claim was about _python_ dependencies
darkamaul•1d ago
Huge kudos to Mike for handling this attack and appropriately contacting the maintainers.

I’m also glad to see yet another case where having Trusted Publishing configured would have prevented the attack. That’s a cheap defense that has proven effective once again!