Hacker News: antihero

New comment by antihero in "The perils of UUID primary keys in SQLite"

antihero — Sat, 06 Jun 2026 16:34:19 +0000

Doesn't Postgres' UUID type just do this for you anyway?

Why would you store it as as str column and not the inbuilt type for this?

https://www.postgresql.org/docs/current/datatype-uuid.html

If you are using SQLite well I guess that doesn't work.

New comment by antihero in "Supply chain attack alert: .github/setup.js"

antihero — Fri, 05 Jun 2026 17:25:49 +0000

Nope, the public repos are what the on-machine payload creates. Sorry, I worded that wrong, I meant it exfiltrates to.

The main attack is using compromised repo keys to:

* Create malicious actions to JSON dump and exfiltrate all GitHub org secrets.

* Commit the payload delivering hooks/scripts to any repo/PR it has access to.

* Mimics previous commits/timestamps, however you can see the key that did it by seeing the push in activity/audit logs.

New comment by antihero in "Supply chain attack alert: .github/setup.js"

antihero — Fri, 05 Jun 2026 12:17:28 +0000

We're trying to figure this out, we've nailed it to the developer machine but not sure how that machine got infected. Possibly through GHA.

New comment by antihero in "Supply chain attack alert: .github/setup.js"

antihero — Fri, 05 Jun 2026 12:16:29 +0000

Attack is called "Hades - The End for the Damned", it exfiltrates secrets including ALL ORG GITHUB ACTIONS SECRETS via creating compromised actions, through GitHub public repos with encrypted payloads.

Supply chain attack alert: .github/setup.js

antihero — Fri, 05 Jun 2026 08:59:36 +0000

Our org GitHub just got compromised massively by a supply-chain attack. Vectors are

* Claude hooks

* Gemini hooks

* Cursor setup

* VScode tasks

It adds all of the above to execute node .github/setup.js, an obfuscated file.

Check infected: `rg --hidden --no-ignore 'node .github/setup.js`

It spreads by adding mimic'd skip-ci commits to open PRs which then get merged.

Payload is obfuscated, available on request.

If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible.

Still trying to identify the original source.

Comments URL: https://news.ycombinator.com/item?id=48409869

Points: 25

# Comments: 13

New comment by antihero in "Uber president says AI spending is getting 'harder to justify'"

antihero — Tue, 26 May 2026 17:41:52 +0000

Nah in competitive industries you need to build features and out compete people and getting AI to do that whilst architecting things well due to experience and having time to think more about the important stuff but have a lot of the more boilerplate and simple things ABs plumbing etc handled by agents is great.

When you try to replace your entire brain with AI things are going to go wrong.

New comment by antihero in "Claude for Small Business"

antihero — Thu, 14 May 2026 17:06:59 +0000

Our company started monitoring our Claude usage so I've started coding personal stuff manually again and it's...really fun!

New comment by antihero in "Postmortem: TanStack NPM supply-chain compromise"

antihero — Tue, 12 May 2026 14:35:01 +0000

Yeah, this is pretty good devex from the hackers.

New comment by antihero in "Postmortem: TanStack NPM supply-chain compromise"

antihero — Tue, 12 May 2026 12:15:12 +0000

I would prefer my builds to break than the ecosystem to be compromised.

That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.

New comment by antihero in "Claude Opus 4.7"

antihero — Thu, 16 Apr 2026 19:46:52 +0000

Am I going to have to make it rewrite all the stuff 4.6 did?

New comment by antihero in "State of Homelab 2026"

antihero — Mon, 13 Apr 2026 06:38:22 +0000

It's free and simple and handles HTTPS termination and can be set up easily using terraform/pulumi.

Interestingly, in the early hours of this morning I switched from Cloudflare Tunnels to a rathole/traefik based solution (well, currently it's port forwarding and a low grade home-baked dyndns solution until I get paid and can afford a cheap hetzner box because I spent all of my money again).

I switched back because I didn't like the added complexity of having to manage the routes, what I'm using it for is technically against ToS, and I like the self-contained nature of my microk8s cluster.

New comment by antihero in "State of Homelab 2026"

antihero — Mon, 13 Apr 2026 06:37:41 +0000

I actually really like not having to worry if some licensing deal means my access to music I love gets shut off.

New comment by antihero in "State of Homelab 2026"

antihero — Mon, 13 Apr 2026 06:36:36 +0000

Can tailscale funnel do custom domains yet?

Personally I'm switching to rathole+traefik, weirdly something I was researching and experimenting with in the early hours of this morning (I have now not slept and have to go to work).

New comment by antihero in "State of Homelab 2026"

antihero — Mon, 13 Apr 2026 06:36:20 +0000

It is nice to download an app and then just point it at a public URL as opposed to having to rely on the device being in the same tailnet.

New comment by antihero in "Apple has removed most of the towns and villages in Lebanon from Apple maps?"

antihero — Sun, 12 Apr 2026 18:34:19 +0000

What purpose would this serve in any way?

Could it be that their data source is tied to satellite data that is now being blacked out?

New comment by antihero in "Project Glasswing: Securing critical software for the AI era"

antihero — Wed, 08 Apr 2026 07:58:12 +0000

Business idea for Anthropic: What if they provided (likely costly) audits, without providing access to the model?

New comment by antihero in "Show HN: Optio – Orchestrate AI coding agents in K8s to go from ticket to PR"

antihero — Tue, 31 Mar 2026 10:28:08 +0000

Yep, I was gastowning some draft PRs to get a prototype built quickly. The polecat FE PR managed to request a review from @claude (normal ok), and then given that in isolation the PR was fine due to having hardcoded draft schemas (though it was deliberately only ever going to work against a PR deployed version of the API that was also draft), decided to enable auto-merge, such that the PR actually merged and luckily I caught the CI/CD run and locked deployments, however, it would have taken down the site and pointed it to staging.

New comment by antihero in "Axios compromised on NPM – Malicious versions drop remote access trojan"

antihero — Tue, 31 Mar 2026 09:47:46 +0000

npm is claiming this doesn’t exist

New comment by antihero in "Show HN: Optio – Orchestrate AI coding agents in K8s to go from ticket to PR"

antihero — Wed, 25 Mar 2026 23:19:10 +0000

And what stops it making total garbage that wrecks your codebase?

New comment by antihero in "Thoughts on slowing the fuck down"

antihero — Wed, 25 Mar 2026 23:17:22 +0000

Well that's the thing, AI can mean anyone with an idea can build it, but only the people that own stuff will be able to leverage that to own more stuff.