1. Malicious versions of Nx and some supporting plugins were published

Total comment counts : 45

Summary

An incident in which malicious versions of nx and related packages were published to npm using a compromised npm publish token. Each carried a postinstall script that scanned the user's filesystem, collected credentials, and posted them to a GitHub repository created under the victim's own account. The script also appended a shutdown command to .zshrc/.bashrc. After detection, npm removed the affected versions and revoked the tokens; all Nx packages were later restricted to 2FA and switched to npm Trusted Publishing, which authenticates the release workflow via OIDC instead of a long-lived npm token. Users should check whether they were compromised and follow the remediation steps.
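An added check for the rc-file tampering described above (example code written for this digest, not tooling from the Nx advisory). It scans ~/.zshrc and ~/.bashrc for a line that invokes shutdown outside a comment. The page only says a shutdown command was appended, so the exact payload text is an assumption, and the sample rc files the demo scans are constructed.

```shell
# Added example, not code from the Nx advisory. Checks ~/.zshrc and ~/.bashrc
# for an injected shutdown command like the one the summary describes.
# ASSUMPTION: the injected line invokes "shutdown" as a command word (the
# page does not give the exact payload text).

# rc_has_shutdown FILE -> 0 if FILE runs "shutdown" on a non-comment line
rc_has_shutdown() {
  [ -f "$1" ] || return 1
  grep -Ev '^[[:space:]]*#' "$1" \
    | grep -Eq '(^|[[:space:];&|(]|sudo[[:space:]]+)shutdown([[:space:]]|$)'
}

# scan_rc_files HOMEDIR -> prints each tainted file; 0 on any hit, 1 on none
scan_rc_files() {
  hit=1
  for f in "$1/.zshrc" "$1/.bashrc"; do
    if rc_has_shutdown "$f"; then
      echo "TAINTED: $f"
      hit=0
    fi
  done
  return "$hit"
}

# make_sample_home DIR: CONSTRUCTED fixtures for the demo. .zshrc carries a
# benign comment mentioning shutdown plus an injected line; .bashrc is clean
# (the word only appears inside a string).
make_sample_home() {
  mkdir -p "$1"
  printf '%s\n' 'export PATH="$HOME/bin:$PATH"' \
                '# reminder: shutdown -h now before leaving' \
                'sudo shutdown -h 0' > "$1/.zshrc"
  printf '%s\n' 'alias ll="ls -la"' \
                'echo "shutdown is just a word here"' > "$1/.bashrc"
}

# Demo: the constructed fixtures first, then the real home directory.
SAMPLE_HOME="${TMPDIR:-/tmp}/rc-check.$$"
make_sample_home "$SAMPLE_HOME"
scan_rc_files "$SAMPLE_HOME" || echo "sample: clean"
rm -rf "$SAMPLE_HOME"
scan_rc_files "${HOME:-/nonexistent}" || echo "${HOME:-/nonexistent}: clean"
```

A hit on your real home directory is a prompt to read the flagged line, not proof of compromise; an alias that wraps shutdown will trip the same pattern.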

Top 1 Comment Summary

Advice to periodically disable npm install scripts by running npm config set ignore-scripts true (globally or per-project). It’s quick to apply at either level, though many legitimate packages now work without install scripts. For those that require them, you can add a separate installation script in your project that cd’s into the folder and runs the package’s install script. Not a silver bullet for supply-chain attacks, but this approach has blocked many npm-based exploits. See the npm-config docs for details.
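The setup the comment recommends, as an added worked example rather than the commenter's own script: a project-level .npmrc that turns install scripts off, a listing of which installed packages even declare install scripts (the ones worth reviewing), and a runner that cd's into an allowlist of packages and runs their scripts by name. The fixture packages, node_modules layout and the NPM_BIN override are assumptions for illustration. Per the npm-config docs the comment points to, npm run still executes a script named explicitly when ignore-scripts is set; it only skips the implicit lifecycle runs.

```shell
# Added example, not the commenter's script. Turns install scripts off for a
# project, lists installed packages that declare install scripts, and runs
# only an allowlist of them. NPM_BIN is an assumed override (defaults to npm)
# so the demo can dry-run where npm is absent.

# enable_project_ignore_scripts PROJECT_DIR -> writes ignore-scripts=true to
# PROJECT_DIR/.npmrc (the per-project form of `npm config set ignore-scripts true`)
enable_project_ignore_scripts() {
  grep -qs '^ignore-scripts=true$' "$1/.npmrc" ||
    echo 'ignore-scripts=true' >> "$1/.npmrc"
}

# list_install_script_pkgs NODE_MODULES -> prints package names whose
# package.json declares install, preinstall or postinstall (grep heuristic)
list_install_script_pkgs() {
  for pj in "$1"/*/package.json "$1"/@*/*/package.json; do
    [ -f "$pj" ] || continue
    if grep -Eq '"(pre|post)?install"[[:space:]]*:' "$pj"; then
      d=${pj%/package.json}
      echo "${d#"$1"/}"
    fi
  done
}

# run_allowed_install_scripts NODE_MODULES PKG... -> cd into each allowed
# package and run its lifecycle scripts by name; npm run executes a script
# named explicitly even when ignore-scripts is set.
run_allowed_install_scripts() {
  nm=$1; shift
  for pkg in "$@"; do
    dir="$nm/$pkg"
    if [ ! -f "$dir/package.json" ]; then
      echo "skip: $pkg is not installed" >&2
      continue
    fi
    echo "== $pkg"
    (cd "$dir" && for s in preinstall install postinstall; do
      ${NPM_BIN:-npm} run "$s" --if-present
    done)
  done
}

# make_sample_project DIR: CONSTRUCTED node_modules with three fake packages.
make_sample_project() {
  mkdir -p "$1/node_modules/safe-lib" "$1/node_modules/needs-build" \
           "$1/node_modules/@scope/native"
  echo '{"name":"safe-lib","version":"1.0.0"}' > "$1/node_modules/safe-lib/package.json"
  echo '{"name":"needs-build","version":"1.0.0","scripts":{"postinstall":"echo built"}}' \
    > "$1/node_modules/needs-build/package.json"
  echo '{"name":"@scope/native","version":"1.0.0","scripts":{"install":"echo compiled"}}' \
    > "$1/node_modules/@scope/native/package.json"
}

# Demo. Falls back to a dry run when npm is not on PATH.
command -v npm >/dev/null 2>&1 || NPM_BIN="echo DRY-RUN npm"
PROJ="${TMPDIR:-/tmp}/ignore-scripts-demo.$$"
make_sample_project "$PROJ"
enable_project_ignore_scripts "$PROJ"
echo "packages declaring install scripts (review these):"
list_install_script_pkgs "$PROJ/node_modules"
run_allowed_install_scripts "$PROJ/node_modules" needs-build
rm -rf "$PROJ"
```

The allowlist is the control: a package gets into it only after someone has read its install script, and a new version that adds one shows up in the listing rather than running silently.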

Top 2 Comment Summary

With supply-chain attacks looming, it’s wise to rethink new dependencies. The author needed a Go progress bar for eight stats and found libraries bloated (thousands of lines). They asked an LLM to generate a simple, dependency-free progress UI (~150 lines) that clears and redraws the terminal each second and is thread-safe. It took 25 minutes to implement and review. A basic 30-line progress bar suffices if complexity isn’t needed. The main message: avoiding unnecessary dependencies is prudent when resources to audit packages are limited.

2. Toyota is recycling old EV batteries to help power Mazda’s production line

Total comment counts : 5

Summary

Toyota’s Sweep Energy Storage System reuses reclaimed high-voltage EV and hybrid batteries of varying chemistries to power a factory-scale storage unit linked to the grid. Field testing is underway at Mazda’s Hiroshima plant. The system’s energy management rapidly redirects flow, prioritizing healthy batteries and bypassing weaker ones, and it reuses car inverters to cut costs. It aims to balance renewable fluctuations and advance carbon neutrality. The first Sweep, launched in 2022 with JERA, reached 485 kW peak and 1,260 kWh storage.

Top 1 Comment Summary

Used EV batteries are well-suited for stationary energy storage. In grid storage, weight-to-capacity matters far less than in cars, so even batteries at about 70% of their original capacity—often considered worn for EV use—still hold value, since they won’t be moved and can continue storing energy.

Top 2 Comment Summary

In Hiroshima, visit the Mazda Museum (Cosmo! 787B!), which includes a factory tour across a raised gantry. Admission is free, but advance booking is required. Details at Mazda’s Experience Museum page: https://www.mazda.com/en/experience/museum/

3. Areal, Are.na’s new typeface

Total comment counts : 11

Summary

The page is a Cloudflare security block explaining that access was blocked for triggering a security rule (such as submitting certain words, a SQL command, or malformed data). It instructs the user to contact the site owner with details of the action taken and the Cloudflare Ray ID (975e728e99ed3a77). The block also shows the user’s IP (107.174.253.120) and notes Cloudflare provides performance and security.

Top 1 Comment Summary

After a lot of effort, the final font turns out to be Arial. The author notes that Arial is so commonplace that, on the page, it’s hard to tell it’s actually a different font.

Top 2 Comment Summary

The piece questions the extensive effort to imitate Arial, noting that Arial is simply an alternative to Helvetica.

4. You shouldn’t salt a leech that’s sucking your blood (2019)

Total comment counts : 3

Summary

error

Top 1 Comment Summary

During a nighttime hike in southern Japan, I crossed streams and later felt unusual warmth and a sticking sensation on my socks. I looked down to find my ankles and shoes drenched in blood with ten leeches attached. The sight, and the absence of pain, left me utterly confused and terrified.

Top 2 Comment Summary

The piece critiques common leech-removal ideas, finding them unconvincing. It covers breaking the leech’s seal with a fingernail or credit card, considers salt, and mentions waiting for the leech to detach. The author rejects waiting 30+ minutes and questions the salt option, favoring quicker removal.

5. Launch HN: Bitrig (YC S25) – Build Swift apps on your iPhone

Total comment counts : 19

Summary

Bitrig lets you build native Swift iPhone apps entirely on-device by chatting with AI, aiming for the polish of Apple’s SwiftUI. It uses Claude Sonnet 4.0 to generate Swift code, and since Xcode can’t run on iPhone, Bitrig includes a custom Swift interpreter for instant previews and URL-based sharing. With a paid Apple developer account, Bitrig can compile on its servers and upload to App Store Connect for TestFlight or App Store distribution, delivering a fully optimized home-screen app. The team is gradually ingesting Apple SDKs and requests missing frameworks.

Top 1 Comment Summary

The author thanks the Hacker News community for guiding their growth as a software engineer and leader after more than 15 years of reading. They rarely post but visit daily; HN has shaped their reading and listening choices. They credit HN with helping form their projects, noting that Bitrig and SwiftUI wouldn’t exist as they are without HN.

Top 2 Comment Summary

User tried it and was pleasantly surprised by the styling: it looked sleek and lacked the purply gradient Tailwind-like look they associate with Claude. They ask whether the prompt was adjusted to achieve custom styles.

6. A failure of security systems at PayPal is causing concern for German banks

Total comment counts : 14

Summary

The summarized page mixes a website's registration and activation notices (account creation, email verification, password rules, profile fields, activation-link note, required fields) with a report on a PayPal outage. The outage concerns security failures in PayPal's filtering systems that led to blocked payments worth billions, because direct debits went through unchecked. Banks such as Bayerische Landesbank, Hessische Landesbank and DZ Bank held transactions back; merchants chased outstanding payments. PayPal spoke of a temporary disruption that has been fixed; nevertheless the effects and the maintenance status remain noticeable.

Top 1 Comment Summary

European banks report widespread unauthorized direct debits from PayPal accounts, according to the German Savings Banks Association (DSGV). The German paper Sueddeutsche Zeitung (SZ) says about €10 billion (roughly £8.6 billion) of payments were blocked after PayPal’s fraud-checking system failed.

Top 2 Comment Summary

PayPal profits by arbitraging fraud: it serves mainly higher-risk, small-volume sellers because onboarding, verification, underwriting, and fraud exposure costs often exceed the revenue those customers generate. Its model relies on just-enough compensating controls and liability avoidance to keep net revenue per basis point above fraud losses. When that balance holds, it works; when it doesn’t, problems arise. The problem isn’t limited to PayPal—it’s systemic across banking and payments, with AI currently aiding attackers more than defenders.

7. Beginning 1 September, we will need to geoblock Mississippi IPs

Total comment counts : 8

Summary

An instruction noting the reader was randomly selected to complete a CAPTCHA to validate requests; it tells them to finish the CAPTCHA and press the button, and includes a Dreamwidth Studios copyright notice.

Top 1 Comment Summary

The post is a very brief note in which the author signals curiosity about Dreamwidth and simply provides a link to its Wikipedia page (en.wikipedia.org/wiki/Dreamwidth) for readers to check the information.

Top 2 Comment Summary

The piece questions how state laws can bind a company with no infrastructure in that state and what mechanisms prevent the company from ignoring those laws. It asks how enforcement is possible when a company has no local presence.

8. VIM Master

Total comment counts : 19

Summary

MIT VIM Master is a lightweight in-browser game that teaches core Vim motions and editing commands through short levels. No installs needed—open index.html to practice. It features a Challenge Mode, a fast-paced sequence testing Vim command recall under time pressure, with scoring based on correctness, speed, and precision and real-time feedback. If local file access is restricted, serve it from a static server. Feedback and contributions (issues/PRs) are welcome.

Top 1 Comment Summary

The author is surprised that vimtutor isn’t mentioned, noting that vimtutor comes with Vim. They think the project is cool but should credit the original concept.

Top 2 Comment Summary

The author finds Vim tutorials and games, such as VIM Adventures, helpful but struggles with learning when to work more efficiently. They mainly use default registers and basic commands, rarely using markers or other advanced tricks. They’re trying Neovim for a systems course and wish these games would push them to adopt more advanced usage.

9. Object-oriented design patterns in C and kernel development

Total comment counts : 9

Summary

An OSHub metadata snippet aimed at kernel developers, version 0.6.0. It contains a sequence of numbers (e.g., 100, 200, 300, …, -200) and a playful emoji.

Top 1 Comment Summary

Peterpaul developed a lightweight object-oriented system for C a few years ago. It makes OO in C pleasant to use, notably removing the need to pass the object explicitly. Documentation isn’t great, but there’s a full test suite in the co2 repository (e.g., Object.test and class_decl_inheritance.test in carbon/test/pass). Links: github.com/peterpaul/co2 and the test files.

Top 2 Comment Summary

The piece argues that requiring an explicit this (or object) parameter is clunky, especially since C++ uses an implicit this. The author dislikes implicit this, saying it effectively passes a this reference around rather than tying it to a class method. They also claim explicit this helps avoid ambiguity between instance variables and global or external variables, clarifying scope.

10. Unexpected productivity boost of Rust

Total comment counts : 23

Summary

error

Top 1 Comment Summary

The piece argues that code after a line runs unless you return early, and that merely assigning a value won’t stop a script. It also criticizes a TypeScript example for lacking context and for presenting an implausible data-race scenario.

Top 2 Comment Summary

The author notes that Rust and F# type systems offer benefits beyond other features, and are especially helpful during refactoring, a process they term “fearless refactoring.”