Hacker News: exyi

New comment by exyi in "AUR packages compromised with Infostealer and Rootkit"

exyi — Fri, 12 Jun 2026 17:39:48 +0000

You know that prompt injection is a thing, right? Giving opencode access to bash and malicious input is not very far from piping it right into bash.

New comment by exyi in "Should you normalize RGB values by 255 or 256?"

exyi — Tue, 02 Jun 2026 14:22:33 +0000

Exactly. Although if you do >> 8 while working with uint8, it will be the fastest :)

New comment by exyi in "Should you normalize RGB values by 255 or 256?"

exyi — Mon, 01 Jun 2026 20:49:51 +0000

It's 3 cycles for float multiplication (and 1 for shift right):

https://uops.info/table.html?search=mulss&cb_lat=on&cb_tp=on...

https://uops.info/table.html?search=shr&cb_lat=on&cb_tp=on&c...

In throughput it's even less of a difference: 2 per cycle vs 3 per cycle.

New comment by exyi in "Blog ran on Ubuntu 16.04 for 10 years. I migrated it to FreeBSD"

exyi — Fri, 22 May 2026 09:32:10 +0000

Then you also have to auto-update the containers, if it's a public facing service. Either you'll have to build containers yourself or hope the developer pushes a new update whenever the base image has relevant security fixes.

New comment by exyi in "GitHub is investigating unauthorized access to their internal repositories"

exyi — Wed, 20 May 2026 07:24:53 +0000

VSCode extensions often contain binary blobs, so it won't catch basically anything. It would also be a bit expensive.

New comment by exyi in "Postmortem: TanStack NPM supply-chain compromise"

exyi — Tue, 12 May 2026 15:55:29 +0000

At least my password won't leak as often with yubikey, but the attacker can still hack my shell to execute fake sudo. Even if I type /bin/sudo explicitly, there is ptrace, LD_PRELOAD or just replacing the entire bash binary.

In practice yubikey sudo keeps you much safer today, as almost nobody uses it and malware won't be prepared for it

New comment by exyi in "Postmortem: TanStack NPM supply-chain compromise"

exyi — Tue, 12 May 2026 07:40:34 +0000

Ok, so the malware runs a keylogger / clipboard logger, gets the password and runs sudo on it's own. Or replaces your shell by putting exec ~/hackedbash into your bashrc

Password on sudo is only useful if you detect the infection before you run sudo

New comment by exyi in "GTFOBins"

exyi — Tue, 28 Apr 2026 16:18:51 +0000

Whitelisting also quite likely doesn't work ("of course I will allow my agent to run find, that can do no harm")

New comment by exyi in "Reaffirming our commitment to child safety in the face of EuropeanUnion inaction"

exyi — Sun, 05 Apr 2026 18:16:16 +0000

Same tool is very handy if you hypothetically wanted to control spread of anything else, like anti ice apps for instance.

Also hash matching is so easily bypassed you can be sure they really want to add some "AI" detector as well

New comment by exyi in "Axios compromised on NPM – Malicious versions drop remote access trojan"

exyi — Tue, 31 Mar 2026 20:52:32 +0000

and cross-platform UI

New comment by exyi in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

exyi — Wed, 25 Mar 2026 09:30:42 +0000

Do you know if there is override this specifically when I want to install a security patch? UV just claims that package doesn't exist if I ask for new version

New comment by exyi in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"

exyi — Tue, 24 Mar 2026 15:00:47 +0000

Except that LiteLLM probably got pwned because they used Trivy in CI. If Trivy ran in a proper sandbox, the compromised job could not publish a compromised package.

(Yes, they should better configure which CI job has which permissions, but this should be the default or it won't always happen)

New comment by exyi in "Python 3.15's JIT is now back on track"

exyi — Wed, 18 Mar 2026 12:37:22 +0000

If you change this you break a common optimization:

https://github.com/python/cpython/blob/3.14/Lib/json/encoder...

Default value is evaluated once, and accessing parameter is much cheaper than global

New comment by exyi in "How kernel anti-cheats work"

exyi — Sun, 15 Mar 2026 10:03:24 +0000

Every sane approach to security relies on checking you are doing permitted actions on the server, not locking down the client.

New comment by exyi in "Python Type Checker Comparison: Empty Container Inference"

exyi — Sun, 01 Mar 2026 22:22:03 +0000

Python does not need that, as it has built-in type annotation support. The annotation is any expression, so you can in theory express anything a custom type-only language would allow you (although you could make it less verbose and easier to read).

However, the it IMHO just works much worse than TS because: * many libraries still lack decent annotations * other libraries are impossible to type because of too much dynamic stuff * Python semantics are multiple orders of magnitude more complex than JavaScript. Even just the simplest question: Is `1` allowed in parameter typed `float`? What about numpy float64?

New comment by exyi in "Prism"

exyi — Tue, 27 Jan 2026 21:44:25 +0000

... or they teached GPT to use em-dashes, because of their love for em-dashes :)

New comment by exyi in "cURL removes bug bounties"

exyi — Wed, 21 Jan 2026 08:58:51 +0000

Ok, run the same prompt on a legitimate bug report. The LLM will pretty much always agree with you

New comment by exyi in "Date is out, Temporal is in"

exyi — Tue, 13 Jan 2026 09:32:51 +0000

Local would imply the date is in the current machine timezone, while PlainDateTime is zoneless. It may be in the server timezone, or anything else. The main difference is that it does not make sense to convert it to Instant or ZonedDateTime without specifying the timezone or offset

New comment by exyi in "JavaScript's For-Of Loops Are Fast"

exyi — Tue, 06 Jan 2026 12:04:45 +0000

Only until you work with a type array (Int32Array, Float64Array, etc), then it becomes 10x slower: https://jsperf.app/doyeka/11

New comment by exyi in "Super-Flat ASTs"

exyi — Wed, 10 Dec 2025 19:43:42 +0000

Usually yes, but it's still a neat trick to be aware of. For interpreted scripting languages, parsing can actually be a significant slowdown. Even more so when we start going into text-based network protocols, which also need a parser (is CSS a programming language or a network protocol? :) )