Latest Tech News

Stay updated with the latest in technology, AI, cybersecurity, and more

Tinycolor supply chain attack post-mortem

A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. The attacker then used that token to publish malicious versions of 20 packages, including @ctrl/tinycolor. My GitHub account and the @ctrl/tinycolor repository were not directly compromised. There was no phishing involved, no malicious packages were installed on my machine, and I already use pnpm to avoid unapproved postinstall scripts. There was no pull request involved becau

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

Executive Summary The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem. The compromised

Live Updates: Shai-Hulud, the Most Dangerous NPM Breach in History

We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has now impacted hundreds of packages across multiple maintainers. This includes popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows. The ta

Crates.io phishing attempt

Sep 12, 2025. Earlier this week it was an npm supply chain attack. Now it's the turn of crates.io, the main public repository for Rust crates (packages). The phishing e-mail looks like this: And it leads to a GitHub login page that looks like this: Several maintainers received it — the issue is being discussed on GitHub. The crates.io team has acknowledged the attack and said they'd see if they can do something about it. No compromised packages have been identified as

The origin story of merge queues

From Bors and Homu to Bulldozer, Kodiak, Mergify, and now GitHub and GitLab, merge queues have shaped how we keep main branches green. This article traces their history, why they emerged, and how they became a standard in modern software development. If you use GitHub or GitLab today, merge queues feel like a built-in feature of modern development. But their story goes back over a decade, long before "merge queue" was a product term. It started with a simple problem: How do you keep your main

Some thoughts on personal Git hosting

As part of my ongoing (and somewhat futile) efforts to ReDeCentralise, I'm looking at moving my personal projects away from GitHub. I already have accounts with GitLab and CodeBerg - but both of those sites are run by someone else. While they're lovely now, there's nothing stopping them becoming as slow or AI-infested as GitHub. So I want to host my own Git instance for my personal projects. I'm experimenting with https://git.edent.tel/ It isn't quite self-hosted; I'm paying PikaPod €2/month t

Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack

A new supply chain attack on GitHub, dubbed 'GhostAction,' has compromised 3,325 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. The attack was discovered by GitGuardian researchers, who report that the first signs of compromise on one of the impacted projects, FastUUID, became evident on September 2, 2025. The attack involved leveraging compromised maintainer accounts to perform commits that added a malicious GitHub Actions workflow file that triggers automat

AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack

Investigations into the Nx "s1ngularity" NPM supply chain attack have unveiled a massive fallout, with thousands of account tokens and repository secrets leaked. According to a post-incident evaluation by Wiz researchers, the Nx compromise has resulted in the exposure of 2,180 accounts and 7,200 repositories across three distinct phases. Wiz also stressed that the incident's scope of impact remains significant, as many of the leaked secrets remain valid, and so the effect is still unfolding.

Let us git rid of it, angry GitHub users say of forced Copilot features

Among the software developers who use Microsoft's GitHub, the most popular community discussion in the past 12 months has been a request for a way to block Copilot, the company's AI service, from generating issues and pull requests in code repositories. The second most popular discussion – where popularity is measured in upvotes – is a bug report that seeks a fix for the inability of users to disable Copilot code reviews. Both of these questions, the first opened in May and the second opened a

Ask HN: Who is hiring? (September 2025)

Please state the location and include REMOTE for remote work, REMOTE (US) or similar if the country is restricted, and ONSITE when remote work is not an option. Please only post if you personally are part of the hiring company—no recruiting firms or job boards. One post per company. If it isn't a household name, explain what your company does. Please only post if you are actively filling a position and are committed to responding to applicants. Commenters: please don't reply to job posts to compla

TuneD is a system tuning service for Linux

Introduction. TuneD is a system tuning service for Linux. It:
- monitors connected devices using the udev device manager
- tunes system settings according to a selected profile
- supports various types of configuration like sysctl, sysfs, or kernel boot command line parameters, which are integrated in a plug-in architecture
- supports hot plugging of devices and can be controlled from the comm

Show HN: Spart – A Rust library for fast spatial search with Python bindings

Hi everyone, I've made an open-source library for fast spatial search in Rust. It's called Spart, and it currently provides the following features:
- Five tree implementations: Quadtree, Octree, Kd-tree, R-tree, and R*-tree
- Python bindings (`pyspart` on PyPI)
- Fast k-nearest neighbor (kNN) and radius search
- Bulk data loading for efficient tree construction
Project's GitHub repo: https://github.com/habedi/spart

Nx compromised: malware uses Claude code CLI to explore the filesystem

At least 1.4k people are learning today that they have a new repository prefixed by s1ngularity-repository in their GitHub account. This repository was created by a malicious post-install command discovered in the popular nx build kit. That malware steals wallets and API keys (`.npmrc`, env variables, etc.) and pushes them in that repository in the results.b64 file. Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprin

Show HN: Async – Claude code and Linear and GitHub PRs in one opinionated tool

An open-source developer tool that combines AI coding with task management and code review. Async integrates Claude Code + Linear + GitHub PRs into one opinionated workflow. https://www.async.build/ What Async Does: Automatically researches coding tasks - analyzes your codebase and asks clarifying questions before execution. Executes code changes in the cloud - runs in isolated environments without touching

Show HN: Project management system for Claude Code

Claude Code PM. Claude Code workflow to ship faster and better using spec-driven development, GitHub issues, Git worktrees, and multiple AI agents running in parallel. Stop losing context. Stop blocking on tasks. Stop shipping bugs. This battle-tested system turns PRDs into epics, epics into GitHub issues, and issues into production code – with full traceability at every step. Background: Every team struggles with the same problems: Context evaporates between sessions, forcing c

Modern CI is too complex and misdirected (2021)

The state of CI platforms is much stronger than it was just a few years ago. Overall, this is a good thing: access to powerful CI platforms enables software developers and companies to ship more reliable software more frequently, which benefits its users/customers. Centralized CI platforms like GitHub Actions, GitLab Pipelines, and Bitbucket provide benefits of scale, as the Internet serves as a collective information repository for how to use them. Do a search for how to do X on CI platform Y a

Fun with Finite State Transducers

Aug 14, 2025. Tags: devblog, programming, rust, zizmor. I recently solved an interesting problem inside zizmor with a type of state machine/automaton I hadn't used before: a finite state transducer (FST). This is just a quick write-up of the problem and how I solved it. It doesn't go particularly deep into the data structures themselves. For more information on FSTs themselves, I strongly recommend burntsushi's article on transducers (which is wha

Lessons learned from buying an open source repo

Our tiny startup recently acquired the most popular open-source Unity MCP repo on GitHub, and things didn’t quite go as planned. Here are the lessons we learned for anyone considering buying an open source repo. Why we bought the repo First, we like open source and want Unity MCP to stay relevant and open source indefinitely. Second, there’s distribution: being the name behind the project. If you don’t want to set up MCP yourself, you can one-click install Coplay for a premium experience. Wh

Show HN: Zig-DbC – A design by contract library for Zig

Hi everyone, I've made an open-source library for using design by contract (DbC) principles in the Zig programming language. It's called Zig-DbC, and it currently provides the following features:
- A simple API to define preconditions, postconditions, and invariants.
- Contracts are active in `Debug`, `ReleaseSafe`, and `ReleaseSmall` modes to catch bugs early.
- All checks are removed at compile time in `ReleaseFast` mode for zero performance cost.
- An optional mode to handle partial sta

GitHub will be folded into Microsoft proper as CEO steps down

Microsoft has owned GitHub since 2018, but the widely used developer platform has operated with at least a little independence from the rest of the company, with its own separate CEO and other executives. But it looks like GitHub will be more fully folded into Microsoft's org chart starting next year—GitHub CEO Thomas Dohmke announced today that he would be leaving GitHub and Microsoft "to become a founder again." "GitHub and its leadership team will continue its mission as part of Microsoft’s