Show HN: ShadowCat – file transfer through QR Codes in a Browser
Article URL: https://github.com/unprovable/ShadowCat
Comments URL: https://news.ycombinator.com/item?id=48234287
Points: 6
# Comments: 1 ⌘ Read more
The case against boolean logic
Article URL: https://abuseofnotation.github.io/boolean-thinking/
Comments URL: https://news.ycombinator.com/item?id=48234128
Points: 5
# Comments: 0 ⌘ Read more
Tell HN: I’m tired of AI-generated answers
I found GitHub repositories that were spreading malware. I asked AI what I should do about it, but it gave me nothing useful. So I opened a discussion on GitHub. Someone replied. It was literally the exact same text the AI had given me. I called it out and the comment was deleted. Then another person replied. Same exact AI response again.
I worked as a developer in a company. I asked the business owner a question about a business task. He sent me a ChatGPT screenshot with the an … ⌘ Read more
Gemini randomly dumped its system prompt
Article URL: https://gist.github.com/mkaramuk/44a44d83178e632ec0dd1f02186d822c
Comments URL: https://news.ycombinator.com/item?id=48221976
Points: 13
# Comments: 0 ⌘ Read more
A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
GitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks that has impacted hundreds of organizations. ⌘ Read more
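GitHub hacked: 3800 internal repositories leaked after an employee installed a VS Code extension
Yesterday GitHub confirmed on X that an employee installed a VS Code extension carrying implanted malicious code, which led to the leak of about 3800 internal GitHub code repositories. @Appinn Thanks to vlad for the tip. From what GitHub has confirmed, after an employee installed a malicious VS Code extension, their device was compromised, and about 3800 ⌘ Read more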
GitHub’s Internal Repos Breached Via Employee’s Use of Malicious VS Code Extension
Longtime Slashdot reader Himmy32 writes: GitHub has announced on X that their internal repositories have been breached through a compromised VS Code Extension on an employee’s workstation. Bleeping Computer reported that the attack is linked to TeamPCP who have been in the news for a recent campaign affecting Checkm … ⌘ Read more
FreshRSS 1.29.1 ⌘ Read more
CISA Admin Leaked AWS GovCloud Keys On Github
An anonymous reader quotes a report from KrebsOnSecurity: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how … ⌘ Read more
pgBackRest will continue
In April, David Steele, maintainer of the popular pgBackRest backup and restore project for
PostgreSQL, announced that he had archived
the project and it would no longer be maintained due to lack of
sponsorship. On May 18, he announced
that a number of sponsors have stepped forward to ensure its continued
development:
Over the last few weeks, a coalition of sponso … ⌘ Read more
An Entire Wikipedia That’s 100% AI Hallucinations
“Every link leads to an entry that does not exist yet,” explains the GitHub page for a Wikipedia-like site called Halupedia. “Until you click it, at which point an LLM pretends it has always existed and writes it for you, in the deadpan register of a 19th-century scholarly press…”
Every article is invented on demand. The footnotes are also lies… The hardest problem with an infi … ⌘ Read more
Three stable kernels for Thursday
Greg Kroah-Hartman has announced the release of the 7.0.7, 6.18.30, and 6.12.88 stable kernels. These kernels do
not include a patch for the Fragnesia local-privilege-escalation exploit that came to light on
May 13, but do include many other important fixes throughout the
tree. Users ar … ⌘ Read more
Yet another Dirty Frag type vulnerability: Fragnesia
Sam James has sent an announcement
to the OSS Security mailing list about another
local-privilege-escalation (LPE) exploit in the same class as Dirty Frag, called
“Fragnesia”. From the disclosure:
This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface … ⌘ Read more
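The first worm-style supply chain attack in npm history: it self-propagates
A new kind of attack has appeared on npm: the official TanStack Router npm package was implanted with malicious code. The attackers compromised the project's release process and uploaded backdoored official versions. These packages steal all kinds of secrets from developers' computers and try to go on infecting other GitHub repositories the developer has access to, then spread further through npm. The despairing part: it bypassed the modern npm ecosystem ⌘ Read more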
Call Zig or C from Go without CGO for extra performance
1 points posted by pj ⌘ Read more
Two stable kernels with Dirty Frag fixes
Greg Kroah-Hartman has released the 7.0.6 and 6.18.29 stable kernels with Hyunwoo
Kim’s patch
for the second vulnerability (CVE-2026-43500)
reported with Dirty Frag
an … ⌘ Read more
PlayStation3 Emulator Devs Politely Ask Contributors to Stop Submitting ‘AI Slop’ Pull Requests
Open-source PS3 emulator RPCS3 “has been around since 2011,” Kotaku notes, and has made 70% of the PlayStation 3’s library fully playable, “bolstered in part by the many users who contribute to its GitHub page.” But their dev team “took to X today to very kindly and civilly request that … ⌘ Read more
FreshRSS 1.29.0 ⌘ Read more
Four stable kernels with partial fixes for Dirty Frag
Greg Kroah-Hartman has announced the release of the 7.0.5, 6.18.28, 6.12.87, and 6.6.138 stable kernels. These kernels
contain a partial fix for the Dirty Frag and Copy Fail 2
security flaws. Kroah-Hartman … ⌘ Read more
groupcache clone feature TTL, explicit state, and many minor improvements.
1 points posted by Everton Marques ⌘ Read more
Dirty Frag: a zero-day universal Linux LPE
Hyunwoo Kim has announced
the Dirty Frag security flaw, a
local-privilege-escalation (LPE) vulnerability similar to the
recently disclosed Copy Fail
flaw:
Because the embargo has now been broken, no patches or CVEs exist for
these vulnerabilities. After consultation with the linux-distros@vs.openwall.org
maintainers, and at the maintainers’ re … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (corosync, dovecot, image-builder, python-tornado, resource-agents, and systemd), Debian (openjdk-11, openjdk-17, and pyjwt), Fedora (pdns, pyOpenSSL, and squid), Slackware (hunspell), SUSE (alloy, avahi, bubblewrap, cmctl, coredns, curl, dpkg, firefox, golang-github-prometheus-prometheus, grafana, libpng12, PackageKit, sed, and xen), and Ubuntu (docker.io-app, nghttp2, python-django, and python-mako). ⌘ Read more
White House App Is a Terrifying Security Mess
New submitter spazmonkey writes: From a hidden GPS tracker polling your location every 4.5 minutes to JavaScript loaded from a random GitHub account, no SSL certificate pinning, and an in-app browser that silently strips cookie consent dialogs and paywalls from every page you visit, the new White House app seems to have a little bit of everything. A security researcher pulled the APK a … ⌘ Read more
NetHack 5.0.0 released
Version 5.0.0
of the NetHack
dungeon-exploration game, a distant relative of Rogue and
Hack, has been released. NetHack’s code is now compliant with the
C99 standard, and the release includes more than 3,100
bug fixes and changes, detailed in doc/fixes5-0-0.txt
… ⌘ Read more
I like the new GitHub:

Eden: NHS goes to war against open source
Terence Eden reports
that the UK’s National Health Service (NHS) is preparing to close almost all of its open-source repositories as a
response to LLM tools, such as Anthropic’s Mythos, becoming more
sophisticated at finding security vulnerabilities. He does not, to put
it mildly, agree with the decision:
The majority of [code repos … ⌘ Read more
[$] Version-controlled databases using Prolly trees
Modern databases and filesystems make pervasive use of
B-trees, which are tree
structures optimized for storing sorted lists of keys and values on block
devices.
Dolt is an Apache 2.0-licensed project that makes clever use of a
variant of a B-tree to support efficient version control for an entire database.
The data structure it uses could well be of interest to other projects. ⌘ Read more
@klaxzy@klaxzy.net twtstrm/0.4.0 is from Eric. The getwtxt-ng/dev seems to be this.
[$] Restartable sequences, TCMalloc, and Hyrum’s Law
Hyrum’s Law states that any
observable behavior of a system will eventually be depended upon by
somebody. The kernel community is currently contending with a clear
demonstration of that principle. The recent work to address some restartable-sequences
performance problems in the 6.19 release maintained the documented API
in all respects, but that was not enough; Google’s [TCMalloc](https://google.github.io/tcmalloc/ … ⌘ Read more
A security bug in AEAD sockets
Security analysis firm Xint has disclosed a security bug in the Linux kernel
that allows for arbitrary 4-byte writes to the page cache, and which has been
present since 2017.
The vulnerability has
been fixed in mainline kernels. A proof-of-concept script demons … ⌘ Read more
GitHub ‘No Longer a Place For Serious Work’, Says Hashicorp Co-Founder
Hashicorp co-founder Mitchell Hashimoto says GitHub’s frequent outages have made it “no longer a place for serious work,” prompting him to move his Ghostty terminal emulator project elsewhere after 18 years on the platform. The Register reports: “I’ve been angry about it. I’ve hurt people’s feelings. I’ve been lashing out. Because GitHub … ⌘ Read more
Security review of Plasma Login Manager (SUSE Security Team Blog)
SUSE’s Security Team has published a detailed blog post on their recent review of the Plasma Login Manager version 6.6.2,
which was forked from the SDDM display manager.
While most of the code [remains t … ⌘ Read more
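Well-known terminal Warp goes open source, sponsored by OpenAI
Warp announced on its official blog that it is going open source: Warp is now open-source, under the AGPL license. OpenAI is the founding sponsor of the new open-source Warp. Its GitHub repository has so far collected 34.7K stars. @Appinn Warp is a very well-known cross-platform terminal tool that combines AI and an editor, with the least terminal-like ⌘ Read more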
In Memoriam: Tomáš Kalibera
We have received the sad news that Tomáš Kalibera, a member of the
R Project core team, has
passed away
after a short illness.
A friend who knew him well wrote to me: he was very happy, and
his work fulfilled him. That is, perhaps, the best thing one can
say about a life in open source — that the work mattered, that it
reached millions, and that the person who did it found meaning in it.
Kalibera was mentioned in … ⌘ Read more
pip 26.1 released
Version 26.1 of
the pip package installer for Python has been released. Richard Si
has published a blog post that looks at some of the highlights of 26.1 including
dependency cooldowns, experimental support for pylock (pylock.toml)
files, and [resolver
improvements](https://ichard26.github.io/blog/2026/04/whats-new-i … ⌘ Read more
GitHub Copilot Is Moving To Usage-Based Billing
GitHub said in a blog post today that it is moving Copilot to usage-based billing starting June 1. Base subscription prices will remain the same but premium requests will be replaced with monthly AI Credits that are consumed based on token usage.
“Instead of counting premium requests, every Copilot plan will include a monthly allotment of GitHub AI Credits, with the option … ⌘ Read more
pgBackRest is no longer maintained
David Steele, maintainer of the popular pgBackRest backup and restore project for
PostgreSQL, has archived
the project and announced that it is no longer being maintained.
After a lot of thought, I have decided to stop working on pgBackRest. I did
not come to this decision lightly. pgBackRest has been my passion project for
the last thirteen years, and I was fortunate to have corporate sponsorship f … ⌘ Read more
Niri 26.04 released
Version 26.04
of the niri scrollable-tiling Wayland compositor has been released. The most
notable change in this release, as the “most requested niri feature by far”,
is support for the blur effect using the Wayland protocol’s ext-background-effect. This
release also features optional configuration
includes, screencasting support enhanc … ⌘ Read more
Open source memory layer so any AI agent can do what Claude.ai and ChatGPT do written in Golang
1 points posted by Mohammed Al Ashaal ⌘ Read more
Intel Ends Open Ecosystem Community/Evangelism, Archives Other Open-Source Projects
Over the past number of months there has been a steady flow of Intel open-source projects archived on GitHub amid the corporate restructuring at the company and realigning of their open-source focus. This week another batch of Intel open-source projects were formally archived… ⌘ Read more
[$] One Sized trait does not fit all
In Rust, types either possess a constant size known at compile time, or a
dynamically calculated size known at
run time. That is fine for most purposes, but recent proposals for the language
have shown the need for a more fine-grained hierarchy.
RFC 3729 from David Wood and Rémy Rakic would add a hierarchy of
traits to describe types with sizes known under different circumstances. While
the idea has been subject … ⌘ Read more
Arch Linux now has a reproducible container image
Robin Candau has announced
the availability of a bit-for-bit reproducible container image for
Arch Linux:
The bit-for-bit reproducibility of the image is confirmed by digest
equality across builds (podman inspect --format '{{.Digest}}' <image>) and by running diffoci
to compare builds. We provide d … ⌘ Read more
v2.28.2 ⌘ Read more
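Third-party Logitech mouse driver: Mouser, lightweight, open source, offline [cross-platform]
Back in January I published a post, "A small tool for slimming down the Logitech driver Logitech Options+", which provided an install script, "tjsky/logi-options-plus-mini", that lets you enable features as needed. I did not expect that everyone had been suffering from Logitech for so long: after the project was released, not only was everyone very supportive, it was also picked up and cited by a well-known tech media account, and became, on my GitHub, the St ⌘ Read more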
Just cancelled my sponsorship of two developers on Github, sorry 😞 – I’m not going to sponsor going forward if no-one else can be bothered to. It seems silly to be the sole sponsor of another’s work or project 🤦♂️
Rust 1.95.0 released
Version 1.95.0 of the Rust language has been released. Changes include the
addition of a cfg_select!
macro, the capability to use if let guards to allow conditionals based on pattern matching, and many newly stabilized APIs. See the release
notes … ⌘ Read more
FSF clarifies its stance on AGPLv3 additional terms
OnlyOffice CEO Lev Bannov has recently
claimed that the Euro-Office fork of the
OnlyOffice suite violates the GNU Affero General Public License
version 3 (AGPLv3). Krzysztof Siewicz of the Free Software
Foundation (FSF) has [published
an article](https://www.fsf.org/blogs/licensing/agpl-is- … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (capstone, cockpit, firefox, git-lfs, golang-github-openprinting-ipp-usb, kea, kernel, nghttp2, nodejs24, openexr, perl-XML-Parser, rsync, squid, and vim), Debian (imagemagick, systemd, and thunderbird), Slackware (libexif and xorg), SUSE (bind, clamav, firefox, freerdp2, giflib, go1.25, go1.26, helm, ignition, libpng16, libssh, oci-cli, rust1.92, strongswan, sudo, xorg-x11-server, and xwayland), and Ubuntu (rust-tar and rustc, rustc-1.7 … ⌘ Read more
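Outrageous! As soon as a La Liga match kicks off, Cloudflare gets blocked, and Docker goes down with it
A local user in Spain complained on hackernews: whenever a football match is being played, the network breaks, including Docker image pulls and GitHub repositories becoming inaccessible; even burglar alarms and automatic doors stop working. When users access the relevant IP addresses directly, a banner pops up: According to the ruling issued by Barcelona Commercial Court No. 6 on December 18, 2024 ⌘ Read more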
Nix privilege escalation security advisory
The NixOS project has announced a critical vulnerability in many versions of the Nix package
manager’s daemon. The flaw was introduced as part of a fix for a prior vulnerability in 2024. According to the advisory,
a … ⌘ Read more