frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

France's homegrown open source online office suite

https://github.com/suitenumerique
358•nar001•3h ago•176 comments

British drivers over 70 to face eye tests every three years

https://www.bbc.com/news/articles/c205nxy0p31o
92•bookofjoe•1h ago•79 comments

Start all of your commands with a comma (2009)

https://rhodesmill.org/brandon/2009/commands-with-comma/
411•theblazehen•2d ago•151 comments

Hoot: Scheme on WebAssembly

https://www.spritely.institute/hoot/
77•AlexeyBrin•4h ago•15 comments

Leisure Suit Larry's Al Lowe on model trains, funny deaths and Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
10•thelok•1h ago•0 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
767•klaussilveira•19h ago•240 comments

First Proof

https://arxiv.org/abs/2602.05192
32•samasblack•1h ago•18 comments

Reinforcement Learning from Human Feedback

https://arxiv.org/abs/2504.12501
49•onurkanbkrc•4h ago•3 comments

Stories from 25 Years of Software Development

https://susam.net/twenty-five-years-of-computing.html
25•vinhnx•2h ago•3 comments

The Waymo World Model

https://waymo.com/blog/2026/02/the-waymo-world-model-a-new-frontier-for-autonomous-driving-simula...
1019•xnx•1d ago•580 comments

Coding agents have replaced every framework I used

https://blog.alaindichiappari.dev/p/software-engineering-is-back
155•alainrk•4h ago•189 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
158•jesperordrup•9h ago•56 comments

72M Points of Interest

https://tech.marksblogg.com/overture-places-pois.html
8•marklit•5d ago•0 comments

A Fresh Look at IBM 3270 Information Display System

https://www.rs-online.com/designspark/a-fresh-look-at-ibm-3270-information-display-system
16•rbanffy•4d ago•0 comments

Software Factories and the Agentic Moment

https://factory.strongdm.ai/
10•mellosouls•2h ago•7 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
102•videotopia•4d ago•26 comments

StrongDM's AI team build serious software without even looking at the code

https://simonwillison.net/2026/Feb/7/software-factory/
7•simonw•1h ago•1 comments

Making geo joins faster with H3 indexes

https://floedb.ai/blog/how-we-made-geo-joins-400-faster-with-h3-indexes
152•matheusalmeida•2d ago•41 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
260•isitcontent•19h ago•33 comments

Ga68, a GNU Algol 68 Compiler

https://fosdem.org/2026/schedule/event/PEXRTN-ga68-intro/
34•matt_d•4d ago•9 comments

Monty: A minimal, secure Python interpreter written in Rust for use by AI

https://github.com/pydantic/monty
273•dmpetrov•19h ago•145 comments

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

https://github.com/sandys/kappal
15•sandGorgon•2d ago•3 comments

Google staff call for firm to cut ties with ICE

https://www.bbc.com/news/articles/cvgjg98vmzjo
98•tartoran•1h ago•24 comments

Hackers (1995) Animated Experience

https://hackers-1995.vercel.app/
544•todsacerdoti•1d ago•262 comments

Sheldon Brown's Bicycle Technical Info

https://www.sheldonbrown.com/
415•ostacke•1d ago•108 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
361•vecti•21h ago•161 comments

What Is Ruliology?

https://writings.stephenwolfram.com/2026/01/what-is-ruliology/
61•helloplanets•4d ago•64 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
332•eljojo•22h ago•205 comments

An Update on Heroku

https://www.heroku.com/blog/an-update-on-heroku/
456•lstoll•1d ago•298 comments

Microsoft open-sources LiteBox, a security-focused library OS

https://github.com/microsoft/litebox
370•aktau•1d ago•194 comments
Open in hackernews

An exposed .git folder let us dox a phishing campaign

64•spirovskib•2mo ago
This past Friday afternoon, a member in our Discord server reported a phishing email pointing to a fake login page.

We took up to research it and because of clumsy decisions by the attacker we got their GitHub and their operational Telegram bot.

Screenshots: https://imgur.com/a/FTy4mrH

Sometimes the attacker incompetence can be a defender's best weapon ¯\_(ツ)_/¯

The phishing page was a standard clone of an "email", unbranded anf generic service. A bit of gobuster reconnaissance and we got the site's .git directory publicly accessible and listing its contents.

Inspecting of the requests also got us the first Telegram bot token. This is the digital equivalent of leaving the blueprints to your entire operation, including past versions and deleted files, lying on the front lawn.

We pulled the repository, found automated deployments and multiple fake pages with different hardcoded Telegram bot tokens and Chat IDs.

With the source code, repo and the active Telegram bot token, we filed detailed abuse reports:

- GitHub: We reported the repository containing the phishing kit's source code. It was taken down for violating TOS.

- Telegram: We reported the bot using the provided token and chat ID, leading to its removal.

- Hosting Provider: The malicious site was reported and taken offline.

Lesson learned? Never deploy a .git folder to production. Even if you are a criminal.

Acknowledgement: This was a collaborative effort by members of the BeyondMachines Discord community. The crowdsourced speed and collaboration helped us take this down very fast.

Comments

poly2it•2mo ago
Could've traced the attacker for a bit before burning all bridges.
throwaway290•2mo ago
Isn't this post basically service for attackers?

You take down C&C and phishing pages=great but maybe don't brag exactly what you did especially if the people are out to do it again but better?

some_random•2mo ago
Exposing a .git folder is a common error that people other than threat actors make, making a public post about it at least can help ordinary developers in addition to TAs making this mistake. If you find this disclosure frustrating, take a look at what threat intel/AV/EDR/etc companies post on their blogs.
throwaway290•2mo ago
yeah look at like Krebs, he actually tries to track down the criminals and not make their job easy by posting their mistakes halfway during the operation...
ekjhgkejhgk•2mo ago
Sounds like they got off easy.
spirovskib•2mo ago
They probably did. But it's a volunteer effort, we all contrinbute as much each individual's time permits.
some_random•2mo ago
Truth is that threat actors usually do. Much of the time they live in jurisdictions that don't care about cybercrime, and even if they don't actually cooperating with authorities is usually difficult.
ArcHound•2mo ago
It is great that they got taken down. From my experience, these sites are usually parasites on misconfigured Wordpresseses.

We're you able to get the phishing data so that you can help the victims? Is it a good idea to try and do so?

Also, can you please share some bits of the phishing kit for easier detection?

Thank you for your efforts!

spirovskib•2mo ago
Thanks for the kind words. We discussed whether to pull the data. We didn't for two reasons: 1. It's not trivial to process that data safely, and all the people in the server are volunteers that pitch in as much as they can. It won't be fair to burden them more. 2. The bots were posting to what appeared to be private or moderated channels. We didn't find an easy way in. Maybe there was a way in, but see item 1 above. So we went with "nuke it from orbit"
ArcHound•2mo ago
Yeah, that's the problem, processing the data safely. I wouldn't want to do that either without a lawyer covering my back.
CGamesPlay•2mo ago
What leads to the secret being stored in git's config file like that? None of my repositories have that, the remote URLs all just say "git@github.com:foo/bar.git".
aewens•2mo ago
The way Git computes diffs is by more or less storing all the source code in the .git directory as objects. At first glance it looks like a bunch of hashes, but tools can pull out source code from the objects tracked within the .git directory. Not least of which, the remote URL points to their username on GitHub and the author for commits can give you their email.
phyzome•2mo ago
I think you misread the question.
CGamesPlay•2mo ago
Not least of which, and even more so the URL had an auth secret in it. None of mine do, hence the question. I'm confused, because git has a credentials helper specifically designed to avoid storing secrets like that, or so I thought. So what tool is storing secrets in the git remote URL?

Yes, the git directory has all current and historical versions of the files packed into it, but that's not what the OP used to get information about the scammer.

phyzome•2mo ago
It's one of several ways to auth to the server. I guess they didn't want to use SSH. And if you use HTTPS instead, you're prompted for your username and password every time -- unless you pass a token.
xantronix•2mo ago
The URL you see in that fourth screenshot in the Imgur post is from using `git clone` on the the same URL, which was issued on GitHub.
CGamesPlay•2mo ago
How do you get Github to issue such URLs? No repository lists URLs in that format on Github for me.
KomoD•2mo ago
In reality, it wasn't the attacker's incompetence, it was the hosting provider's fault (which is a "Serverless app platform" they use to deploy their phishing pages)

When you deploy a simple page with them it exposes .git/CONFIG and the x-access-token that grants access to the repository.

wink•2mo ago
Lacking details, but people don't generally rsync a checkout of a git repo (including a .git folder) to their webspace, so you're right if the hoster did that, I find it more likely the people did that.

On the other hand just blacklisting .git/* is not great, maybe I want to publish something on that path, just like any other filename. It's prone to lead to false positives.

JakeStone•2mo ago
I agree with never deploying a .git folder to prod.

Part of our deployment script for sites has something like:

  git clone -d 1 -b $BRANCH https://blahblah.tld/project
  rm -rf .git*
So no .git directory, .gitignore, and so on.
pabs3•2mo ago
Another option for that might be `git archive | tar -C /path/to/dir -xf-`