Relevant parts for those who have cool-downs at the top of mind:

> Across Homebrew’s history far more users have been protected by shipping zero-day fixes quickly than have been exposed to npm-style token-theft or crypto-mining attacks, so a global cooldown would be a net negative for most users’ security. The deeper reason Homebrew does not need a general cooldown is that, unlike language package managers, it already separates publishing from distribution: an upstream release does not reach users until it has passed human review, CI and checksum verification, which is the very review window that language-ecosystem cooldowns are trying to recreate.

[...]

> For ecosystems with a track record of fast-moving supply-side attacks, Homebrew applies a download cooldown: a freshly-published upstream version is not adopted immediately, giving the wider community time to detect and report a malicious release before Homebrew users are exposed. Cooldowns have been added for:

    Bundler
    RubyGems livecheck
    npm and pip defaults
    PyPI resource resolution
    npm and PyPI in bump

To put it neutrally, VC partners are treating these are parts of their same portfolios, so if one team doesn't pan out on its own, it can be merged into another with somewhat similar overall goals or markets.

To put it more pointedly, it's perhaps all about who one knows and making sure that everyone gets to tell a story of successful exits.

Comments URL: https://news.ycombinator.com/item?id=48317093

Points: 272

# Comments: 150

Security researchers identified a series of exploitable vulnerabilities in github.com by using LLMs to review the compiled GitHub Enterprise Server binaries: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...

For better or worse, it's an acquihire.

The number of intermediaries that some customers, especially governmental agencies, go through to get just an Azure bill can be wild...

Great for summarizing a multi-step process and quick to render with simple tools.

Comments URL: https://news.ycombinator.com/item?id=47331798

Points: 5

# Comments: 0

grith.ai appears to be in the business of guiding you click a "request early access" button so they can eventually sell you software (or so they can pitch seed investors on the length of their list of prospects)

Again, I'm not criticizing. Just pointing out a pattern that's becoming pretty common on HN, especially for stories about vulnerabilities written up by companies selling cybersecurity solutions or services.

Don't get me wrong. This post is an interesting read. But the company publishing it appears to have nothing to do with the exploit or the people who discovered or patched it.

I tip my hat at their successfully marketing :)

If this were a news outline writing "Department of War" I would be concerned. But in the case of the Anthropic CEO's blog post, I can understand why they are picking their fights.

> Charged with regulating stationary sources of air pollution emissions, the Air District drafted its first two regulations in the 1950s: Regulation 1, which banned open burning at dumps and wrecking yards, and Regulation 2, which established controls on dust, droplets, and combustion gases from certain industrial sources.

> Much research and discussion went into the shaping of Regulation 2, but there was no doubt about the need for it. During a fact-finding visit to one particular facility, Air District engineers discovered that filters were used over air in-take vents to protect the plant's machinery from its own corrosive emissions! This much-debated regulation was finally adopted in 1960.

https://www.baaqmd.gov/en/about-the-air-district/history-of-...