Latest Tech News

Stay updated with the latest in technology, AI, cybersecurity, and more

Pnpm has a new setting to stave off supply chain attacks

There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new setting that delays the installation of newly released dependencies. In most cases, such attacks are discovered quickly and the malicious versions are removed from the registry within an hour. The new setting is called minimumReleaseAge . It specifies the number of minutes that must pass after a version is published before

Slack has raised our charges by $195k per year

For nearly 11 years, Hack Club - a nonprofit that provides coding education and community to teenagers worldwide - has used Slack as the tool for communication. We weren’t freeloaders. A few years ago, when Slack transitioned us from their free nonprofit plan to a $5,000/year arrangement, we happily paid. It was reasonable, and we valued the service they provided to our community. However, two days ago, Slack reached out to us and said that if we don’t agree to pay an extra $50k this week and $

Tinycolor supply chain attack post-mortem

A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. The attacker then used that token to publish malicious versions of 20 packages, including @ctrl/tinycolor . My GitHub account and the @ctrl/tinycolor repository were not directly compromised. There was no phishing involved, no malicious packages were installed on my machine, and I already use pnpm to avoid unapproved postinstall scripts. There was no pull request involved becau

PureVPN IPv6 Leak

In late August 2025, I submitted two security reports to PureVPN under their VDP. Three weeks later, I’ve received no response, so I decided to publish the findings to inform other users. The issues affect both their GUI (v2.10.0) and CLI (v2.0.1) clients on Linux (tested on Ubuntu 24.04.3 LTS, kernel 6.8.0, iptables-nft backend). Here’s what I found. 1. IPv6 Leaks Off-Tunnel After toggling Wi-Fi or resuming from suspend, the PureVPN client fails to restore IPv6 protections: CLI (IKS enabled

Oh no, not again a meditation on NPM supply chain attacks

I’ve been sitting on this article for a while now – well over a year I’ve put off publishing it – but as we’ve seen this week, the time has come to lift the veil and say the quiet part out loud: It’s 2025; Microsoft should be considered a “bad actor” and a threat to all companies who develop software. Of course, if you’re old enough to remember – this is not the first time either… Time is a flat circle Here we are again – in 2025, Microsoft have fucked up so bad, they have likely created an

CrowdStrike Infested With "Self-Replicating Worms"

A year after a glitch at cybersecurity company CrowdStrike triggered a global computer outage affecting millions of computers, the software vendor is being forced to contain a new threat: a swarm of self-replicating worms. As first reported by investigative cybersecurity journalist Brian Krebs, CrowdStrike once again became the launchpad for a potentially debilitating security hazard when some 25 code packages were compromised by a novel strand of malware. Dubbed "Shai-Hulud," the malicious so

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

Executive Summary The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem. The compromised

Live Updates: Shai-Hulud, the Most Dangerous NPM Breach in History

We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has now impacted hundreds of packages across multiple maintainers. This includes popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows. The ta

Self-propagating supply chain attack hits 187 npm packages

Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace. From tinycolor to

Self-Replicating Worm Hits 180+ Software Packages

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed. The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms

Trigger Crossbar

Trigger crossbar 2025-09-14 11:00 If you have a large, well-equipped electronics lab you’re going to have a lot of instrumentation with trigger input and output ports. In my case all three oscilloscopes, the vector signal generator, and even my VNAs have trigger sync capability, and there’s probably more things I’m missing. And that doesn’t even count the ThunderScope or the two Siglent AWGs I have on loan for ThunderScope R&D. Very often, it’s handy to cascade these in order to enable compl

A Trick for Backpropagation of Linear Transformations

Linear transformations such as sums, matrix products, dot products, Hadamard products, and many more can often be represented using an einsum (short for Einstein summation). This post explains a simple trick to backpropagate through any einsum, regardless of what operations it represents. Example Einsum For example, an einsum for matrix multiplication can be written like so: import numpy as np A = np.arange(2 * 3).reshape(2, 3) # A = [ # [0, 1, 2], # [3, 4, 5] # ] B = np.arange(3 * 4).reshap

Microsoft and OpenAI announce the 'next phase' of their partnership

Microsoft and OpenAI have issued a joint statement to say that they have signed a non-binding memorandum of understanding for the "next phase" of their partnership. The companies are still finalizing the terms of the agreement and haven't shared the details of what their future would look like exactly. But according to The New York Times, the deal includes how the parties share technology and the revenue from those technologies. The new agreement also reportedly modifies the clause in the origi

OpenAI secures Microsoft’s blessing to transition its for-profit arm

OpenAI announced Thursday it reached a non-binding agreement with Microsoft, its largest investor, on a revised partnership that would allow the startup to convert its for-profit arm into a public benefit corporation (PBC). The transition, should it be cleared by state regulators, could allow OpenAI to raise additional capital from investors and, eventually, become a public company. In a blog post, OpenAI Board Chairman Bret Taylor said under the non-binding agreement with Microsoft, OpenAI’s

OpenAI says nonprofit parent will own equity stake in company of over $100 billion

Microsoft Chairman and Chief Executive Officer Satya Nadella (L), speaks with OpenAI Chief Executive Officer Sam Altman, who joined by video during the Microsoft Build 2025, conference in Seattle, Washington on May 19, 2025. OpenAI on Thursday said its nonprofit parent will continue to have oversight over the company and will own an equity stake of more than $100 billion. The artificial intelligence startup, recently valued at $500 billion, said this structure will make the nonprofit "one of t

Go for Bash Programmers – Part II: CLI Tools

This is the second part of a series introducing Bash programmers to Go. This part is about basics of writing CLI tools in Go. See the first part for the language building blocks. Our first CLI tool Bash is often used to write small CLI tools and automation. Let's start with an example CLI tool that prints "hello" to terminal. The Bash version is pretty simple: #! /bin/bash echo hello Now, let's implement a Go version. We start by creating a directory where the first version of our program wi

This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

Elyse Betters Picaro / ZDNET. ZDNET's key takeaways: A phishing email was at the heart of the attack. The NPM team quickly removed backdoored versions. 18 packages hit, with 2B+ downloads every week. A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week. 'I've been pwned' On Sept. 8, Josh Junon, a package maintainer whose account was at the center of the attack, revealed

Massive Supply Chain Attack Targets Cryptocurrencies Through NPM

A phishing attack aimed at a particular software maintainer’s account has managed to compromise software packages that have over 2.6 billion weekly downloads. BleepingComputer notes that the infection is being called the “largest supply chain attack in history.” The developer behind the software packages, identified as Josh Junon, was compromised via a phishing scheme, and the injected code targets several blockchains, including Ethereum, Bitcoin, Solana, and Tron, The Register reports. Junon has been posting abo

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform w

Apple hit with patent lawsuit over ‘Hey Siri’ and virtual keyboard features

Once part of Nuance Communications (which powered Siri‘s speech recognition in its early years), Cerence is now a subsidiary that, according to its website, works on bringing “conversational AI to the automotive world and beyond.” Today, Cerence filed a lawsuit against Apple, accusing it of infringing multiple patents. Here are the details. In its complaint, filed with the U.S. District Court for the Western District of Texas, Cerence says that it contacted Apple in 2021 regarding “the poten

CoreWeave acquires agent-training startup OpenPipe

CoreWeave, which provides cloud servers to large companies training AI models, has struck an agreement to acquire OpenPipe, a 2-year-old Y Combinator-backed startup that helps enterprises develop customized AI agents with reinforcement learning, the companies announced on Wednesday. “Reinforcement learning is emerging as a pivotal force to strengthen model performance on agentic and reasoning tasks,” said Brian Venturo, Co-founder of CoreWeave, in a statement to TechCrunch. “By combining OpenPi

OpenAI Gets Conspiracy-Brained, Sues Nonprofits

Sam Altman and Elon Musk have been locked in an ongoing standoff over the fact that OpenAI has operated like a for-profit business despite its nonprofit status. The fight, which has been ongoing in the court of public opinion for years and in the actual courts for months, is starting to rack up collateral damage. According to a report from the San Francisco Standard, critics of OpenAI have started receiving subpoenas from the AI firm over what the company’s leadership seems to believe is a consp

Meta is bringing AI-powered NPCs to the metaverse

Developers building for Meta’s metaverse platform will soon be able to create AI-powered NPCs for Horizon Worlds. The company previewed the move, which is coming “very soon” as part of a developer update that adds new generative AI tools for developers. Once available, developers will be able to use Meta’s Worlds Desktop Editor to create NPCs that can hold “lifelike” conversations with players via voice chat. The company has previously experimented with NPCs for its metaverse, but the upcoming

Are OpenAI and Anthropic losing money on inference?

I keep hearing what a cash incinerator AI is, especially around inference. While it seems reasonable on the surface, I've often been wary of these kind of claims, so I decided to do some digging. I haven't seen anyone really try to deconstruct the costs in running inference at scale and the economics really interest me. This is really napkin math. I don't have any experience at running frontier models at scale, but I do know a lot about the costs and economics of running very high throughput s

Important machine learning equations

Motivation Machine learning (ML) is a powerful field driven by mathematics. Whether you’re building models, optimizing algorithms, or simply trying to understand how ML works under the hood, mastering the core equations is essential. This blog post is designed to be your go-to resource, covering the most critical and “mind-breaking” ML equations—enough to grasp most of the core math behind ML. Each section includes theoretical insights, the equations themselves, and practical implementations in

A lightweight TypeScript library for assertion-based runtime data validation

Lightweight, zero-dependency library for validating arbitrary runtime data in TypeScript. decode-kit provides assertion-based validation that refines your types in-place — no cloning, no transformations, and minimal runtime overhead. Installation npm install decode-kit Quick Start decode-kit validates your data and narrows its type in-place. Your original values remain unchanged - only their TypeScript types are refined. The validate function runs a runtime check and, on success, asserts the

Gutenprint Discontinues macOS Support

As of July 7, 2024 the Gutenprint project has formally deprecated macOS support. This means that no further macOS-compatible binaries will be produced. Gutenprint has not had an active macOS maintainer for over three years, and the remaining developers lack the technical ability to produce macOS binaries, much less undertake the substantial amount of work necessary to produce, test, and support binaries on newer (post-Mojave/10.14) macOS releases. For older versions (<= 10.14) of macOS, there