Post-mortem of Shai-Hulud attack on November 24th, 2025

https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
12•makepanic•3d ago

Comments

hhh•25m ago
I didn’t know what Posthog was before this event but the website is so unusable on Safari on MacOS or iOS for me I’m surprised I stuck through to discover the product.
mrdosija•23m ago
So it wasn't a phishing attack? Wonder how those bot access tokens got stolen.
jameskilton•13m ago
> The PR was opened, the workflow run, and the PR closed within the space of 1 minute (screenshots include timestamps in UTC+2, the author's timezone):

It's an unfortunately common problem with GitHub Actions: it's easy to set things up to where any PR that's opened against your repo runs the workflows as defined in the branch. So you fork, make a malicious change to an existing workflow, open a PR, and your code gets executed automatically.

Frankly at this point PRs from non-contributors should never run workflows, but I don't think that's the default yet.

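The workflow shape behind this incident, as an added example that is not part of the thread or of PostHog's post-mortem: a small Python checker that flags a workflow which runs on `pull_request_target` (so it carries the base repository's secrets) and then checks out and executes the pull request's own code. The two workflow texts, the script path `./scripts/validate-contribution.sh` and the secret name `BOT_TOKEN` are constructed for illustration and are not PostHog's files; the checker relies only on the standard GitHub Actions keys (`pull_request_target`, `actions/checkout` with `ref:`, `run:`) and needs no YAML library.

```python
"""Added example, not from the post-mortem or the thread: a dependency-free
checker for the "secrets-bearing workflow executes contributor code" pattern.
Assumptions: standard GitHub Actions keys; both workflow texts below are
constructed samples, not PostHog's real workflows."""

import re

# Expressions that make a checkout follow the contributor's code rather than
# the base branch (or the merge commit GitHub builds for the PR).
PR_HEAD_REFS = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"
)

# Constructed risky workflow: pull_request_target gives the job repository
# secrets, the checkout pins the PR head, and a script from that tree is run.
RISKY_WORKFLOW = """\
name: external-contrib-checks
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/validate-contribution.sh
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
"""

# Constructed hardened workflow: plain pull_request trigger (fork runs get a
# read-only token and no repository secrets), least-privilege permissions,
# and no override of the checkout ref.
HARDENED_WORKFLOW = """\
name: external-contrib-checks
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref, run without secrets
      - run: ./scripts/validate-contribution.sh
"""


def find_fork_exec_risks(workflow_text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text.

    Line-oriented heuristic (no YAML parser needed for these keys):
      1. the workflow is triggered by pull_request_target,
      2. a checkout step pins `ref:` to the PR head,
      3. a later `run:` step executes something from that tree.
    1+2 alone is already reported, because any later step that invokes
    a local action or script would run contributor-controlled code.
    """
    lines = workflow_text.splitlines()
    if not any(re.search(r"\bpull_request_target\b", ln) for ln in lines):
        return []
    findings: list[str] = []
    head_checkout_at = None
    for i, ln in enumerate(lines, 1):
        key = ln.strip().lstrip("- ")  # drop list-item dash for `- run:` etc.
        if key.startswith("ref:") and PR_HEAD_REFS.search(key):
            head_checkout_at = i
            findings.append(
                f"line {i}: checkout of pull-request head under pull_request_target "
                "(contributor-controlled code enters a secrets-bearing job)"
            )
        elif head_checkout_at and key.startswith("run:"):
            findings.append(
                f"line {i}: `run:` step executes after PR-head checkout at line "
                f"{head_checkout_at}; any script it calls can be modified by the PR"
            )
    return findings


def main() -> None:
    for name, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = find_fork_exec_risks(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Running it reports two findings for the risky file (the `ref:` line and the `run:` step that follows it) and none for the hardened one. The hardened version relies on the plain `pull_request` trigger, under which GitHub gives fork-originated runs a read-only token and no repository secrets, and pins `permissions: contents: read`; paired with the repository setting that requires maintainer approval before workflows run for pull requests from external contributors, that is the "PRs from non-contributors should never run workflows" posture the comment above asks for. Anything that genuinely needs secrets to act on an external PR belongs in a separate job that never checks out the contributor's tree.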
moi2388•13m ago
They explain how.

“At 5:40PM on November 18th, now-deleted user brwjbowkevj opened a pull request against our posthog repository, including this commit. This PR changed the code of a script executed by a workflow we were running against external contributions, modifying it to send the secrets available during that script's execution to a webhook controlled by the attacker. These secrets included the Github Personal Access Token of one of our bots, which had broad repo write permissions across our organization.”

mrdosija•5m ago
Oh. I must be blind. Well, that's a warning for all.
neoecos•12m ago
They do explain all the details of how they got the tokens stolen.
animex•3m ago
It explains in the article under "Why did it happen?".
flunhat•5m ago
Posthog's website design feels like a joke that went a bit too far

All it takes is for one to work out

https://alearningaday.blog/2025/11/28/all-it-takes-is-for-one-to-work-out-2/
85•herbertl•1h ago•31 comments

Be Like Clippy

https://be-clippy.com/
74•Aloha•1h ago•44 comments

Show HN: Nano PDF – A CLI Tool to Edit PDFs with Gemini's Nano Banana

https://github.com/gavrielc/Nano-PDF
22•GavCo•45m ago•5 comments

Zero knowledge proof of compositeness

https://www.johndcook.com/blog/2025/11/29/zkp-composite/
57•ColinWright•3h ago•13 comments

Post-mortem of Shai-Hulud attack on November 24th, 2025

https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
13•makepanic•3d ago•10 comments

Learning Feynman's Trick for Integrals

https://zackyzz.github.io/feynman.html
21•Zen1th•1h ago•0 comments

The Origins of Scala (2009)

https://www.artima.com/articles/the-origins-of-scala
12•todsacerdoti•1h ago•3 comments

An update on the Farphone's battery

https://far.computer/battery-update/
25•louismerlin•1d ago•28 comments

Rare X-ray images of a 4.5-ton satellite that returned intact from space

https://www.empa.ch/web/s604/eureca-satellit-mit-roentgenmethoden-untersucht
17•giuliomagnifico•3d ago•1 comments

Show HN: Network Monitor – a GUI to spot anomalous connections on your Linux

55•grigio•5d ago•18 comments

Bronze Age mega-settlement in Kazakhstan has advanced urban planning, metallurgy

https://archaeologymag.com/2025/11/bronze-age-mega-settlement-in-kazakhstan/
99•CGMthrowaway•1w ago•17 comments

Hardening the C++ Standard Library at scale

https://queue.acm.org/detail.cfm?id=3773097
85•ndesaulniers•6d ago•36 comments

Hachi: An Image Search Engine

https://eagledot.xyz/hachi.md.html
104•warangal•7h ago•13 comments

Framework Computer Now Sponsoring LVFS / Fwupd Development

https://www.phoronix.com/news/Framework-Sponsoring-LVFS
69•LorenDB•2h ago•3 comments

AccessOwl (YC S22) Is Hiring a Technical Account Manager (IAM)

https://www.ycombinator.com/companies/accessowl/jobs/dGC3pcO-technical-account-manager-identity-a...
1•philipeller•4h ago

The CRDT Dictionary: A Field Guide to Conflict-Free Replicated Data Types

https://www.iankduncan.com/engineering/2025-11-27-crdt-dictionary/
122•birdculture•9h ago•8 comments

DNS LOC Record (2014)

https://blog.cloudflare.com/the-weird-and-wonderful-world-of-dns-loc-records/
114•mikejeays•7h ago•33 comments

Electric vehicle sales are booming in South America – without Tesla

https://www.reuters.com/sustainability/climate-energy/electric-vehicle-sales-are-booming-south-am...
73•breve•2h ago•68 comments

Anthony Bourdain's Lost Li.st's

https://bourdain.greg.technology/
181•gregsadetsky•3d ago•51 comments

Baboon: Data Modeling with Automatic Evolutions and tagless binary codecs

https://github.com/7mind/baboon
3•pshirshov•1h ago•0 comments

System 7 natively boots on the Mac mini G4

https://macos9lives.com/smforum/index.php?topic=7711.0
308•ibobev•18h ago•98 comments

Iceland declares ocean-current instability a national security risk

https://edition.cnn.com/2025/11/15/climate/iceland-warming-current-amoc-collapse-threat
276•donohoe•6h ago•110 comments

Student Perceptions of AI Coding Assistants in Learning

https://arxiv.org/abs/2507.22900
41•victorbuilds•3h ago•40 comments

WinApps: Run Windows apps as if they were a part of the native Linux OS

https://github.com/winapps-org/winapps
298•klaussilveira•4d ago•150 comments

Plinko PIR Tutorial

https://vitalik.eth.limo/general/2025/11/25/plinko.html
8•sygma•3d ago•0 comments

Ported freetype, fontconfig, harfbuzz, and graphite to Fil-C

https://twitter.com/filpizlo/status/1994563191528198653
32•jhatemyjob•2h ago•8 comments

Airbus A320 – intense solar radiation may corrupt data critical for flight

https://www.airbus.com/en/newsroom/press-releases/2025-11-airbus-update-on-a320-family-precaution...
467•pyrophoenix•23h ago•156 comments

Europe's New War on Privacy

https://unherd.com/2025/11/europes-new-war-on-privacy/
7•joecobb•19m ago•0 comments

Building road signs at home using a Cricut Machine

https://annanay.dev/build-a-signboard/
29•annanay•3d ago•18 comments

WebR – R in the Browser

https://webr.sh/
90•creata•5d ago•27 comments