Hacker News: shivasurya

New comment by shivasurya in "GitHub's Fake Star Economy"

shivasurya — Mon, 20 Apr 2026 13:47:12 +0000

Star might be the weakest signal of project usefulness and also trust is eroding I no longer trust stars for security.

New comment by shivasurya in "Deno Sandbox"

shivasurya — Thu, 05 Feb 2026 05:39:13 +0000

It replaces URL params and body too

New comment by shivasurya in "Try to take my position: The best promotion advice I ever got"

shivasurya — Tue, 06 Jan 2026 18:55:33 +0000

^this 100%

New comment by shivasurya in "Try to take my position: The best promotion advice I ever got"

shivasurya — Tue, 06 Jan 2026 02:59:50 +0000

Works for great company with amazing culture.

But what about insecure managers, jealousy managers, and managers who reward folks who are loyal to them or based on same region/country?

New comment by shivasurya in "Ask HN: What Are You Working On? (December 2025)"

shivasurya — Tue, 16 Dec 2025 05:41:09 +0000

https://codepathfinder.dev Currently working on AI-Native Static code analysis and currently it's open-source.

Some thoughts around Django SQL Injection CVE-2025-64459

shivasurya — Sat, 08 Nov 2025 03:54:27 +0000

Article URL: https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

Comments URL: https://news.ycombinator.com/item?id=45853994

Points: 2

# Comments: 0

New comment by shivasurya in "Pixnapping Attack"

shivasurya — Wed, 15 Oct 2025 13:55:21 +0000

I would say this is a nice & clever attack vector by calculating from rendering time aka side channeling. Kudos to the researchers though it would take lot of time and capture pixels even for Google authenticator. My worry is now how much of this could be reproduced to steal OTP from messages.

Given to rise of well defined templates (accurately vibe coding design for example: GitHub notification emails) phishing via email, I have literally stopped clicking links email and now I have stop launching apps from intent directly (say open with). Better to open manually and perform such operation + remove useless apps but people underestimate the attack surface (it can come through sdk, web page intents)

New comment by shivasurya in "Ask HN: What are you working on? (October 2025)"

shivasurya — Mon, 13 Oct 2025 00:24:49 +0000

This is why codepathfinder.dev is born. It underhood use tree-sitter to search functions, class, member variables and pulls code accurately instead of regex.

I started using it like tool call in Security scanning (think of something like claude-code for security scanning)

Give it a read if you're interested:

https://codepathfinder.dev/blog/codeql-oss-alternative/

https://codepathfinder.dev/blog/introducing-secureflow-cli-t...

Happy to discuss!

New comment by shivasurya in "Ask HN: What are you working on? (October 2025)"

shivasurya — Mon, 13 Oct 2025 00:08:48 +0000

Working on SecureFlow (https://codepathfinder.dev/secureflow-ai/) - think of claude-code style but for hunting security vulnerabilities.

The goal is to catch vulnerabilities early in the SDLC by running agentic loop that autonomously hunt for security issues in codebases.Currently available as a CLI tool, VSCode extension.I've been actively using to scan WordPress, odoo plugins and found several privilege escalation vuln. I have documented as blog post here: https://codepathfinder.dev/blog/introducing-secureflow-cli-t...

New comment by shivasurya in "Potential issues in curl found using AI assisted tools"

shivasurya — Fri, 03 Oct 2025 13:39:15 +0000

Love this take actually and have been working on this and published this way back 2023/2024. Recently, I've been inspired by Claude-code & Cline agentic flow + tool looping, I experimented the same with tools like file_read, dir_list and throwing in few sast tools, security prompts on Wordpress plugin ecosystem (say with 10k-100k active installation) and scanned around ~600 and to my surprise it yielded ~45 critical, ~120 high severity issues and accounting 20% for non-reachability vuln. Spent around 6$ and ~40 million tokens with grok-4 fast reasoning model and the results were impressive, I gave a try with claude-sonnet but significantly rate-limited despite having 50$ credits from anthropic for research.

You can read about my experience here: https://codepathfinder.dev/blog/introducing-secureflow-cli-t...

Old post: https://shivasurya.me/security-reviews/sast/2024/06/27/autom...

SecureFlow Extension to Vibe Code Securely – Codepathfinder.dev

shivasurya — Tue, 29 Jul 2025 21:05:41 +0000

Article URL: https://codepathfinder.dev/blog/introducing-secureflow-extension-to-vibe-code-securely/

Comments URL: https://news.ycombinator.com/item?id=44728257

Points: 5

# Comments: 0

Rethinking MCP or Tool Calling Through Permission Based System

shivasurya — Sun, 20 Jul 2025 13:22:21 +0000

Article URL: https://shivasurya.me/llm/ai/2025/07/19/mcp-permission-system.html

Comments URL: https://news.ycombinator.com/item?id=44624992

Points: 9

# Comments: 0

New comment by shivasurya in "Show HN: Hyperbrowser – Scalable Browser Infrastructure for AI Apps"

shivasurya — Wed, 11 Dec 2024 02:55:11 +0000

had usecase of keeping visa appointments slots and instantly blocked by cloudflare :sad:

Show HN: Open-Source CodeQL Alternative

shivasurya — Sat, 23 Nov 2024 00:18:01 +0000

Article URL: https://github.com/shivasurya/code-pathfinder

Comments URL: https://news.ycombinator.com/item?id=42218404

Points: 3

# Comments: 0

Why AntD Design framework is down?

shivasurya — Sun, 14 Feb 2021 19:06:03 +0000

There is no notice or any warnings from authors regarding antd design framework. Such a huge OSS project members should be responsible in notifying before.

Comments URL: https://news.ycombinator.com/item?id=26135110

Points: 2

# Comments: 4

New comment by shivasurya in "Ask HN: Did AntD Move to Gitee?"

shivasurya — Sun, 14 Feb 2021 19:03:40 +0000

Same here? is that security issue?

New comment by shivasurya in "Realtime Stock Quotes (Browser extension)"

shivasurya — Sat, 19 Dec 2020 23:55:38 +0000

Cool!

New comment by shivasurya in "Ask HN: Why Paul Graham’s Website Isn’t Using HTTPS?"

shivasurya — Sun, 04 Oct 2020 04:57:05 +0000

It’s not about impressing but it ensures that it’s safe for everyone and it’s clear that his website gets huge traffic.

New comment by shivasurya in "Ask HN: Why Paul Graham’s Website Isn’t Using HTTPS?"

shivasurya — Sun, 04 Oct 2020 04:53:53 +0000

Yes, I’ve experienced it personally while doing my undergrad in india

New comment by shivasurya in "Ask HN: Why Paul Graham’s Website Isn’t Using HTTPS?"

shivasurya — Sun, 04 Oct 2020 03:26:38 +0000

The intention isn’t about private information. What if essay text is modified in transit/injected with advertisements?