1. Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

Total comment count: 57

Summary

September 15, 2025: npm faced a major supply-chain attack affecting @ctrl/tinycolor and 40+ packages. A Webpack-bundled 3.6MB payload, injected via a hijacked postinstall hook, performs reconnaissance and credential harvesting (AWS/GCP/GitHub) and includes a self-propagating mechanism that force-publishes patched versions of the maintainer’s other packages. It dumps environment variables, runs TruffleHog, and exfiltrates the data to a new public GitHub repo named Shai-Hulud via a persisted GitHub Actions workflow. The attack targets Linux/macOS (not Windows). Compromised versions were removed; StepSecurity offers a recovery office hour.

Top 1 Comment Summary

Concerned about protecting npm-hosted packages without auditing every dependency, the author notes the risk of obfuscated malware. They propose a “delayed” update mode: instead of upgrading to the absolute latest, update only to releases that have existed for a configurable minimum age (e.g., at least six weeks). The idea is that older, widely seen releases are less likely to harbor hidden issues. They concede this isn’t perfect, and the tool should offer options—e.g., updating to a recently fixed version if a vulnerability is known.

Top 2 Comment Summary

The comment argues that new packages or versions aren’t audited when the maintainer is also the developer, creating risk. It advocates a Debian-style approach: a stable distro with rare, security-focused updates and no new functionality, plus a testing/unstable repo where the distro maintainer controls additions and versions to enable audits. It notes that centralized, open ecosystems like NPM, PyPI, Rust, Go, and RubyGems suffer from this lack of auditing.

2. How to make the Framework Desktop run even quieter

Total comment count: 3

Summary

Framework’s Desktop mini-PC is the first to use the AMD Ryzen AI Max APU, delivering strong CPU, GPU, and AI performance with a large memory pool. The team tested cooling tweaks: an NF-A12x25 fan, a custom fan duct, and a redesigned Noctua-style side-panel grill to reduce noise while preserving safe temperatures. The combination lowered noise by ~7 dB(A) at 50% fan speed and up to ~5 dB(A) at higher speeds. CAD files for the 3D-printed side panel and duct are on Printables.com. Tests with the NF-A12x25 G2 and an extra 8cm exhaust fan showed mixed results; 3D-printed mods can meaningfully quiet the system.

Top 1 Comment Summary

The commenter questions whether Framework will ever ship the item and criticizes the need to 3D-print your own grill, despite Noctua’s collaboration on the project.

Top 2 Comment Summary

An enthusiast has built a completely silent, fanless 7.5-liter Strix Halo system, nicknamed “Monochrome-2.” Full build details are discussed in a forum thread linked in the post.

3. Things you can do with a Software Defined Radio (2024)

Total comment count: 28

Summary

The author attempts to do 50 things on the electromagnetic spectrum with a Software Defined Radio (SDR) in one week, inspired by Vi Hart’s Make 50 of Something. They used an RTL-SDR Blog V4 USB dongle (~$30) with an antenna kit and wire, and SDR++ on Linux to explore a wide frequency range. Because SDRs do most of the signal processing in software, they enable flexible reception well beyond FM broadcast. They describe dipole antennas (two equal arms, length ~72/f(MHz) per side, vertical orientation) and special setups for satellites or aircraft. They found the week creatively challenging and began by listening in Germany on a civic-frequency channel, hearing a test and a general call.

Top 1 Comment Summary

As a child with no siblings, the author got a walkie-talkie and, after replying, heard a voice through the static. Decades later, with their wedding approaching, that same voice is revealed to be the best man.

Top 2 Comment Summary

NOAA satellite images have become harder to obtain since NOAA-15 and NOAA-19 were decommissioned on August 19, 2025, and NOAA-18 earlier in June. Receiving images from newer satellites likely requires a much more powerful antenna. Despite this, SDR remains enjoyable, and the author notes how much data is carried by the electromagnetic waves passing through us all.

4. Denmark close to wiping out cancer-causing HPV strains after vaccine roll-out

Total comment count: 9

Summary

Denmark’s HPV vaccination program (since 2008) has virtually eliminated infections with cancer-causing HPV types 16 and 18, offering protection even to unvaccinated women through population immunity. A Eurosurveillance study of 22–30-year-olds (2017–2024) found pre-vaccination HPV16/18 prevalence of 15–17% dropped to under 1% among the vaccinated by 2021; unvaccinated women had about 5%. About one-third of infections were from high-risk types not in earlier vaccines, with higher rates in vaccinated individuals—expected to decline as the nine-valent vaccine becomes common. Findings may inform future cervical cancer screening guidelines.

Top 1 Comment Summary

The commenter, writing from the US, urges people to get the vaccine regardless of age, noting it was covered by their health insurance. The regimen is 2 doses (3 for adults) and it’s recommended for both males and females.

Top 2 Comment Summary

The piece argues that HPV vaccination aims to reduce cervical cancer, not eradicate HPV strains. It asks whether Denmark has seen a decline in cervical cancer rates, noting that such a decrease would be a positive outcome.

5. Waymo has received our pilot permit allowing for commercial operations at SFO

Total comment count: 29

Summary

Waymo is accelerating its global expansion, leveraging hundreds of thousands of weekly fully autonomous trips and 100M miles of road experience to serve more cities. Highlights include: Dallas coming in 2026; Waymo teen accounts enabling 14–17-year-olds in Metro Phoenix to ride with a parent-linked account; San Francisco International Airport pilot permitting phased commercial operations; San José Mineta International Airport authorization for fully autonomous rides with testing this fall and potential commercial service this year; Denver arrival this fall with a mixed fleet and winter-ready 6th-gen Waymo Driver. These moves aim to boost transportation options and local economies.

Top 1 Comment Summary

The piece argues Alphabet (GOOGL) is undervalued (P/E ~27) given Waymo and other assets, while Tesla (P/E ~243) is overvalued despite no near-term robotaxis and weak sales. It suggests empty promises and flashy showmanship often sell better than real, usable products.

Top 2 Comment Summary

The piece notes Waymo has received a pilot permit to operate commercially at San Francisco International Airport, likely for autonomous taxi services. It playfully questions the word “pilot,” then clarifies the permit is for self-driving car taxis serving travelers, not a prototype piloted aircraft like a helicopter. The humor hinges on the double meaning of “pilot” rather than an aviation project.

6. Meta RayBan AR Glasses Shows Lumus Waveguide Structures in Leaked Video

Total comment count: 4

Summary

The blog notes a leaked Meta video of its monocular AR glasses, codenamed Hypernova and likely to be named Celest, expected Sept 17. The device reportedly uses Lumus Z-Lens waveguides and will cost about $800 base. Similar pupil-expansion slats appear in Rivet’s AR glasses, suggesting Lumus tech in both Meta’s consumer AR and Rivet’s military & industrial AR. The author will speak at MicroLED and AR/VR Connect in Eindhoven, Sept 23–25, 2025, offering readers €150 off with code KarlARVR; the presentation is Sept 24 at 5:20 PM.

Top 1 Comment Summary

The author expects AI tech to become mainstream, with early apps that scan faces to quickly compile all available online information about a person. They note demonstrations on older hardware and anticipate improvements with newer devices. If it goes mainstream, it could reveal how much we’ve changed and spark renewed calls for stronger privacy protections.

Top 2 Comment Summary

The piece argues that the idea is essentially a rehash of Adrian Travis’s Wedge display concept, and it references a Microsoft Research PDF on wedge optics in flat-panel displays as a related source.

7. How Container Filesystem Works: Building a Docker-Like Container from Scratch

Total comment count: 1

Summary

Containers isolate the filesystem by giving processes a separate mount namespace, so inside a container the view looks like its own Linux distro. The post shows how to build a tiny Docker‑like container with stock tools (unshare, mount, pivot_root) and why the mount namespace is the foundation of isolation, with PID, UTS, cgroup, and network as complementary layers. Through experiments, it demonstrates that unsharing a mount namespace creates independent mount tables and differing /mnt views, and that mount propagation can sync changes via shared subtrees. Mount namespaces appeared in Linux 2.4; Docker uses them via runtimes like runc.

Top 1 Comment Summary

The piece notes that chroot has existed since 1979 and asks why there isn’t a Docker-like wrapper for chroot that doesn’t require network namespaces (netns).

8. I built my own phone because innovation is sad rn [video]

Total comment count: 7

Top 1 Comment Summary

The piece describes repurposing a broken Samsung Galaxy Z Flip 5 into a custom enclosure featuring a BlackBerry-style keyboard, and despite the unconventional hack, the result is still pretty cool.

Top 2 Comment Summary

The author praises the work, misses the original Motorola Droids’ slide-out keyboard, and notes that its nearly full keyboard made SSHing into a server practical, ahead of its time.

9. Wind turbine blade transportation challenges

Total comment count: 16

Top 1 Comment Summary

The writer finds the diagram odd and suggests building symmetrical turbine sets with wings extending in pairs from a host fuselage. This method, they note, is how ornithopters were invented and it evokes strong Cargolifter vibes.

Top 2 Comment Summary

Pixel-counting suggests a nacelle diameter of about 152 inches, close to the A350’s Trent XWB at 155 inches and to the smaller 777 engines, not the largest GE90.

10. Plugin System

Total comment count: 9

Summary

IINA’s plugin system lets you extend its functionality with JavaScript, enabling control over playback, the mpv API, networking, filesystem access, and custom UI elements. Available since IINA 1.4.0, it lets you implement features with just a few lines of code. The official User Scripts plugin lets you paste code snippets directly without building a plugin package. An included iina-plugin command-line tool helps create, build, and run plugins. Comprehensive documentation with tutorials and API references is provided. The site also uses Font Awesome icons licensed under CC BY 4.0.

Top 1 Comment Summary

IINA is a background app that quietly blends into the system; the author has used it for years and nearly forgot it isn’t part of the OS.

Top 2 Comment Summary

The comment likens IINA’s plugin architecture to VS Code’s, arguing that a robust JavaScript API and solid documentation let the community tackle problems users didn’t anticipate. It also praises IINA’s approach of turning every media file into a canvas for interactive experiences.