
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Repositories

https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
57•robinhouston•3h ago

Comments

DropDead•1h ago
Why didn't someone make an AV rule to find stuff like this? They are just plain text files.
abound•1h ago
Yeah it would have been nice to end with "and here's a five-line shell script to check if your project is likely affected". But to their credit, they do have an open-source tool [1], I'm just not willing to install a big blob of JavaScript to look for vulns in my other big blobs of JavaScript

[1] https://github.com/AikidoSec/safe-chain

nine_k•22m ago
Something like this should work, assuming your encoding is Unicode (normally UTF-8), which grep would interpret:

  grep -P '[\x{200B}\x{200C}\x{200D}\x{FEFF}]' code.ts
See https://stackoverflow.com/q/78129129/223424
nine_k•46m ago
The rule must be very simple: any occurrence of `eval()` should be a BIG RED FLAG. It should be handled like a live bomb, which it is.

Then, any appearance of unprintable characters should also be flagged. There are rather few legitimate uses of some zero-width characters, like ZWJ in emoji composition. Ideally all such characters should be inserted as \xNNNN escape sequences, and not literal characters.

Simple lint rules would suffice for that, with zero AI involvement.

trollbridge•26m ago
In our repos, we have some basic stuff like ruff that runs, and that includes a hard error on any Unicode characters. We mostly did this after some un-fun times when byte order marks somehow ended up in a file and it made something fail.

I have considered allowing a short list that does not include emojis, joining characters, and so on - basically just currency symbols, accent marks, and everything else you'd find in CP-1521, but never got around to it.

gnabgib•1h ago
Small discussion yesterday (9+9 points, 9+4 comments) https://news.ycombinator.com/item?id=47374479 https://news.ycombinator.com/item?id=47385244
minus7•45m ago
The `eval` alone should be enough of a red flag
kordlessagain•34m ago
No it’s not.
SahAssar•25m ago
It really is. There are very few proper use-cases for eval.
pavel_lishin•24m ago
When is an eval not at least a security "code smell"?
btown•34m ago
IMO while the bar is high to say "it's the responsibility of the repository operator itself to guard against a certain class of attack" - I think this qualifies. The same way GitHub provides Secret Scanning [0], it should alert upon spans of zero-width characters that are not used in a linguistically standard way (don't need an LLM for this, just n-tuples).

Sure, third-party services like the OP can provide bots that can scan. But if you create an ecosystem in which PRs can be submitted by threat actors, part of your commitment to the community should be to provide visibility into attacks that cannot be seen by the naked eye, and make that protection the norm rather than the exception.

[0] https://docs.github.com/en/get-started/learning-about-github...
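
Pulling together the suggestions in this thread (nine_k's grep for the four zero-width code points, the lint rule that flags unprintable characters and eval(), and btown's point that runs of zero-width characters are the signal), here is an added Python scanner; it is not from any commenter and not Aikido's safe-chain. It generalises the grep to every Unicode format (Cf) character plus stray control characters, reports each consecutive run with line and column, and allows a ZWJ only when it sits between emoji-type code points; the sample input, the emoji-glue rule and the eval regex are my own assumptions.

```python
import re
import unicodedata

# Source-file whitespace that is legitimately unprintable.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}
# The thread's other red flag: any eval( call (regex is my own, also matches `eval (`).
EVAL_RE = re.compile(r"\beval\s*\(")

def is_invisible(ch: str) -> bool:
    """True for format chars (ZWSP, ZWNJ, ZWJ, BOM, tag chars, ...) and stray C0/C1 controls."""
    cat = unicodedata.category(ch)
    return cat == "Cf" or (cat == "Cc" and ch not in ALLOWED_CONTROLS)

def is_emoji_glue(text: str, i: int) -> bool:
    """A lone U+200D between two symbol/modifier/mark code points is emoji composition (assumed rule)."""
    if text[i] != "\u200d" or i == 0 or i + 1 >= len(text):
        return False
    return all(unicodedata.category(text[j]) in ("So", "Sk", "Mn") for j in (i - 1, i + 1))

def suspicious(text: str, i: int) -> bool:
    return is_invisible(text[i]) and not is_emoji_glue(text, i)

def find_invisible_runs(text: str) -> list[tuple[int, int, list[str]]]:
    """(line, column, [U+XXXX, ...]) for every run of suspicious invisible characters."""
    runs, line, col, i = [], 1, 0, 0
    while i < len(text):
        if suspicious(text, i):
            start_line, start_col, names = line, col, []
            while i < len(text) and suspicious(text, i):  # invisible chars never include "\n"
                names.append(f"U+{ord(text[i]):04X}")
                i, col = i + 1, col + 1
            runs.append((start_line, start_col, names))
            continue
        line, col = (line + 1, 0) if text[i] == "\n" else (line, col + 1)
        i += 1
    return runs

def eval_lines(text: str) -> list[int]:
    """1-based line numbers containing an eval( call."""
    return [n for n, ln in enumerate(text.splitlines(), 1) if EVAL_RE.search(ln)]

# Constructed sample: a BOM at offset 0 and a legitimate family emoji (ZWJ sequence) on line 1,
# four zero-width characters hidden after a trailing comment on line 2, eval() on line 3.
SAMPLE = (
    "\ufeffconst family = '\U0001F468\u200d\U0001F469\u200d\U0001F467';\n"
    "const x = 1; // ok\u200b\u200c\u200d\u200b\n"
    "eval(x);\n"
)
```

Read real files with `open(path, encoding="utf-8")` (not `utf-8-sig`) so a stray BOM is reported rather than silently stripped.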

andrewflnr•7m ago
Regardless of the thorny question of whether it's Github's responsibility, it sure would be a good thing for them to do ASAP.
faangguyindia•15m ago
Back in the day I was on hacking forums where a lot of script kiddies used to make malicious code.

I am wondering, now that they have LLMs, are people using them to make new kinds of malicious code more sophisticated than before?
