GitHub is investigating unauthorized access to their internal repositories

https://twitter.com/github/status/2056884788179726685
75•splenditer•1h ago

Comments

jonnyasmar•1h ago
Source code exfil is embarrassing. CI signing keys or release publish creds going out the door is supply-chain. That's a long tail nobody gets to close by filing a ticket.
dogelabsvr•58m ago
Are you a bot?
homeonthemtn•53m ago
I concur
mstank•53m ago
Is it just me or is this happening way more frequently in the last 4 or 5 months? Coincidentally around the same time the models got a lot more capable?
bob1029•46m ago
I think it's more about the popularity than the capability. The chances you might accidentally put a GitHub access token into an undesired security context go up dramatically when you actually create and use one on a regular basis. The developers at GH are certainly using these tools just like the rest of us.
tom_•16m ago
It's more likely that it isn't coincidental at all: software development-oriented LLMs became a lot better towards the end of 2025, and so there's a non-zero chance that people are using them to find new security exploits.

(People are not sleeping on this and it is not something people have failed to notice. I don't use LLMs at all and even I have noticed it - largely because there is approximately nobody that isn't talking about it.)

vldszn•46m ago
harden your github actions!

- Use Static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor

- set locally: `pnpm config set minimum-release-age 4320` # 3 days in minutes. See https://pnpm.io/supply-chain-security; for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...

- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...

benoau•39m ago
You also need to make sure you take care using PR titles and descriptions in your GHA because if they contain `text` it will be executed lmfao.
vldszn•37m ago
Maybe zizmor could catch this https://github.com/zizmorcore/zizmor but not sure 100%
CGamesPlay•18m ago
Can you cite this? It's not YAML execution syntax, surely Github doesn't do it, the only vector I can see is if you put it unquoted into a shell script inside of a GHA yaml.
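
An added example for the exchange above (not from the thread, and not zizmor's implementation): a small checker that flags `${{ github.event.* }}` expressions expanded directly into `run:` scripts, where the runner substitutes the text before the shell parses it. The context list, the function name and both sample workflows are constructed for illustration.

```python
import re

# Contributor-controlled contexts (a subset chosen for this example).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.pull_request\.(?:title|body)"
    r"|github\.event\.issue\.(?:title|body)"
    r"|github\.event\.comment\.body"
    r"|github\.head_ref)\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return [(line_no, context)] for untrusted expressions inside run: scripts."""
    findings = []
    run_col = None  # column of the active `run:` key; None when outside a script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None  # dedent ends the script block
        key = RUN_KEY.match(line)
        if key:
            run_col = len(key.group(1))
            script = key.group(2)  # inline script, or "|" / ">" opening a block
        elif run_col is not None:
            script = line
        else:
            continue  # env:, with:, name: and similar keys are not shell text
        findings += [(no, m.group(1)) for m in UNTRUSTED.finditer(script)]
    return findings


# Constructed sample: the PR title is pasted into the shell script itself.
VULNERABLE = """\
name: pr-greeter
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: the title reaches the shell only as an environment variable.
HARDENED = VULNERABLE.replace(
    "        run: |\n", "        env:\n          PR_TITLE: ${{ github.event.pull_request.title }}\n        run: |\n"
).replace('echo "PR title: ${{ github.event.pull_request.title }}"', 'echo "PR title: $PR_TITLE"')
```

Passing the value through `env:` keeps it as data: the shell expands `$PR_TITLE` at run time instead of receiving the title as part of the script source.
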
kiernanmcgowan•42m ago
Mythos has broken containment
dijksterhuis•35m ago
non-twitter link: https://xcancel.com/github/status/2056884788179726685#m
syngrog66•32m ago
between all the Linux LPEs and Claude's known security flaws, alone, I'd be shocked if GitHub and Microsoft hadn't gotten hacked by now. reasonable bet we mainly hear it when big shops get bit
vldszn•24m ago
GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
waynesonfire•18m ago
Are they required to announce that they're being hacked in real time?
tonetegeatinst•6m ago
Microsoft owned so many a CYA to explain why the liability insurance goes up to investors?
