
Trivy ecosystem supply chain briefly compromised

https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
26•batch12•1d ago

Comments

snailmailman•2h ago
Are the spam comments all from compromised accounts, presumably compromised due to this hack?

I only clicked on a handful of accounts but several of them have plausibly real looking profiles.

bakugo•1h ago
Some of them were likely already compromised before these incidents, here's one of the accounts near the top making malicious commits to its own repository before the first hack:

https://github.com/Hancie123/mero_hostel_backend/commit/4bcb...

wswin•19m ago
What comments?

MilnerRoute•1h ago
Briefly?

"Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages"

https://it.slashdot.org/story/26/03/22/0039257/trivy-supply-...

zach_vantio•21m ago
"Briefly" is doing a lot of work there. Pre-deploy scans are useless once a bad mutation is actually live. If you don't have a way to auto-revert the infrastructure state instantly, you're just watching the fire spread.

brightball•6m ago
Seriously. All credentials compromised that it can see. It's active in CI/CD pipelines and follow-on attacks are happening.

RS-232•43m ago
Pretty ironic that the security tool is insecure.

Shank•19m ago
This attack seems predicated on a prior security incident (https://socket.dev/blog/unauthorized-ai-agent-execution-code...) at Trivy where they failed to successfully remediate and contain the damage. I think at this time, Trivy should’ve undertaken a full reassessment of risks and clearly isolated credentials and reduced risk systemically. This did not happen, and the second compromise occurred.

Tinybox – Offline AI device 120B parameters

https://tinygrad.org/#tinybox
338•albelfio•6h ago•195 comments

Professional video editing, right in the browser with WebGPU and WASM

https://tooscut.app/
146•mohebifar•5h ago•46 comments

Chest Fridge

https://mtbest.net/chest-fridge/
18•wolfi1•1h ago•11 comments

Why craft-lovers are losing their craft

https://writings.hongminhee.org/2026/03/craft-alienation-llm/
32•vinhnx•1h ago•17 comments

Some things just take time

https://lucumr.pocoo.org/2026/3/20/some-things-just-take-time/
525•vaylian•11h ago•179 comments

The Three Pillars of JavaScript Bloat

https://43081j.com/2026/03/three-pillars-of-javascript-bloat
6•onlyspaceghost•27m ago•2 comments

Boomloom: Think with your hands

https://www.theboomloom.com
49•rasengan0•1d ago•4 comments

Do Not Turn Child Protection into Internet Access Control

https://news.dyne.org/child-protection-is-not-access-control/
507•smartmic•5h ago•265 comments

Trivy ecosystem supply chain briefly compromised

https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23
26•batch12•1d ago•8 comments

Bayesian statistics for confused data scientists

https://nchagnet.pages.dev/blog/bayesian-statistics-for-confused-data-scientists/
57•speckx•3d ago•7 comments

Floci – A free, open-source local AWS emulator

https://github.com/hectorvent/floci
71•shaicoleman•4h ago•16 comments

Grafeo – A fast, lean, embeddable graph database built in Rust

https://grafeo.dev/
191•0x1997•11h ago•63 comments

Electronics for Kids, 2nd Edition

https://nostarch.com/electronics-for-kids-2e
109•0x54MUR41•2d ago•17 comments

Show HN: Termcraft – terminal-first 2D sandbox survival in Rust

https://github.com/pagel-s/termcraft
88•sebosch•7h ago•10 comments

How Invisalign became the biggest user of 3D printers

https://www.wired.com/story/how-invisalign-became-the-worlds-biggest-3d-printing-company/
141•mikhael•2d ago•100 comments

The Impact of AI on Game Dev Jobs. Open to Work Crisis

https://darkounity.com/blog-post?id=the-impact-of-ai-on-game-dev-jobs-open-to-work-crisis--177412...
48•hacker_13•4h ago•27 comments

Common Lisp Development Tooling

https://www.creativetension.co/posts/common-lisp-development-tooling
42•0bytematt•6h ago•7 comments

The paddle wheel aircraft carriers of Lake Michigan

https://signoregalilei.com/2026/03/08/the-paddle-wheel-aircraft-carriers-of-lake-michigan/
51•surprisetalk•4d ago•6 comments

Hide macOS Tahoe's Menu Icons

https://512pixels.net/2026/03/hide-macos-tahoes-menu-icons-with-this-one-simple-trick/
118•soheilpro•8h ago•37 comments

How Ford burned $12B in Brazil (2021)

https://www.reuters.com/business/autos-transportation/how-ford-burned-12-billion-brazil-2021-05-20/
35•kaycebasques•11h ago•5 comments

A digital resource for studying the graffiti of Herculaneum and Pompeii

https://ancientgraffiti.org/Graffiti/
3•thomassmith65•4d ago•0 comments

Sandboxing: Foolproof Boundaries vs. Unbounded Foolishness (2025)

https://spawn-queue.acm.org/doi/10.1145/3733699
8•antlai•4d ago•0 comments

Show HN: Atomic – Self-hosted, semantically-connected personal knowledge base

https://github.com/kenforthewin/atomic
54•kenforthewin•6h ago•7 comments

Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords

https://pbxscience.com/ubuntu-26-04-ends-46-years-of-silent-sudo-passwords/
317•akersten•21h ago•321 comments

ZJIT removes redundant object loads and stores

https://railsatscale.com/2026-03-18-how-zjit-removes-redundant-object-loads-and-stores/
76•tekknolagi•3d ago•10 comments

Meta's Omnilingual MT for 1,600 Languages

https://ai.meta.com/research/publications/omnilingual-mt-machine-translation-for-1600-languages/?...
119•j0e1•3d ago•32 comments

Books of the Century by Le Monde

https://standardebooks.org/collections/le-mondes-100-books-of-the-century
101•zlu•3d ago•62 comments

Study finds no evidence cannabis helps anxiety, depression, or PTSD

https://www.sciencedaily.com/releases/2026/03/260319044656.htm
175•nothrowaways•6h ago•155 comments

A Japanese glossary of chopsticks faux pas (2022)

https://www.nippon.com/en/japan-data/h01362/
466•cainxinth•1d ago•361 comments

SSH Certificates and Git Signing

https://codon.org.uk/~mjg59/blog/p/ssh-certificates-and-git-signing/
16•zdw•5h ago•0 comments