1. Google Antigravity exfiltrates data via indirect prompt injection attack

Total comment counts : 35

Summary

The article shows an indirect prompt injection against Google’s Antigravity/Gemini, where a poisoned integration guide tricks the AI into stealing credentials and sensitive code from a user’s workspace. The attack uses a browser subagent to visit a malicious URL and exfiltrate data, bypassing .gitignore by using terminal commands to dump files. The attacker crafts a URL to a monitored domain (webhook.site) to log credentials and code. Default onboarding settings and browser tools enable this exfiltration, exposing several data-leak vulnerabilities beyond the Browser tool.

Overall Comments Summary

  • Main point: The discussion analyzes reported vulnerabilities and exfiltration risks in Antigravity (and related agents like Gemini), including known issues, disclosure, and proposed mitigation and risk-framing approaches.
  • Concern: The main worry is that AI agents with access to files, user data, or the ability to execute commands can be manipulated to leak data or perform malicious actions, even with safeguards.
  • Perspectives: Viewpoints range from advocating strict security principles (Rule of Two, least privilege, sandboxing, credential limits) and responsible disclosure to characterizing these issues as design trade-offs or not unique vulnerabilities, alongside concerns about shipping alpha software and reproducibility.
  • Overall sentiment: Mixed

Total comment counts : 0

Summary

Descriptive set theory, the study of infinite sets, has long been a niche within mathematics, but a 2023 breakthrough by Anton Bernshteyn forged a bridge to computer science. He showed that many problems about certain infinite sets can be recast as questions about how networks of computers communicate. The result surprised scholars in both fields and has spurred cross-disciplinary work: logicians and algorithmists exchange techniques, extend the bridge to new problem classes, and even reorganize how infinity is understood. The collaboration shows how set theory can illuminate, and be illuminated by, computer science and dynamical systems.

3. Show HN: We built an open source, zero webhooks payment processor

Total comment counts : 19

Summary

Flowglad provides open-source payments and billing infrastructure designed for seamless integration with existing auth systems. It uses your app’s own user/organization IDs for billing, so you don’t manage Flowglad IDs. Setup is quick: generate a server instance, add a secure API route, and wire into your app (Next.js or Pages Router); most projects take under a minute. For B2C, use user.id; for B2B, use organization.id or team.id. Pricing models are available as dashboard templates, customizable or from scratch. Flowglad aims to dramatically improve developer experience in payments by simplifying startup billing, aided by AI.

Overall Comments Summary

  • Main point: The discussion centers on Flowglad as an abstraction layer over Stripe, debating its usefulness, architecture, and impact on payment workflows.
  • Concern: The main concern is that the layer may add latency by making API requests to Flowglad for every state check, undermine data locality via caching, and create dependence on Stripe rather than enabling robust querying.
  • Perspectives: Views range from praise for the DX, design, and licensing to skepticism about necessity, performance, and how it compares to using Stripe directly or other providers.
  • Overall sentiment: Mixed

4. how to repurpose your old phone into a web server

Total comment counts : 13

Summary

Guide to repurpose a 2015 Fairphone 2 into a tiny home server with postmarketOS. Steps: verify device support, install pmbootstrap, generate and flash the image, reboot and log in (user/147147). Connect to Wi‑Fi, find the local IP, create /var/www/html with a hello world page. Add an nftables rule to allow port 80, restart nftables, and launch the web server. Test from another device via curl or a browser. For remote access, don’t expose SSH port 22 publicly; use VPN or SSH keys. Licensed CC BY‑NC‑SA 4.0.

Overall Comments Summary

  • Main point: The discussion centers on repurposing old Android phones by running Linux/postmarketOS, with kernel support as the main hurdle.
  • Concern: The main concern is that even with Linux, devices may be stuck with non-updatable kernels, leading to security risks and reliability issues when repurposed as public servers.
  • Perspectives: Viewpoints range from seeing it as a fun, feasible hobby to repurpose old devices into small servers, to viewing it as impractical due to battery constraints, hardware limitations, and ISP/public exposure concerns.
  • Overall sentiment: Mixed

5. FLUX.2: Frontier Visual Intelligence

Total comment counts : 20

Summary

FLUX.2 targets real‑world creative workflows, delivering high‑quality, consistent images across multiple references while following structured prompts, complex text, brand guidelines, lighting, layouts, and logos. It can edit up to 4 MP images with preserved detail. The release emphasizes open innovation, offering open‑weight models for the community alongside scalable production endpoints. The FLUX.2 family includes pro, flex, dev, and klein variants with multi‑reference support (up to 10 images) and variable steps for typography and latency. Built on latent flow matching with Mistral‑3 24B VLM and a rectified flow transformer; re-trained latent space for learnability and quality. Hiring in Freiburg and SF.

Overall Comments Summary

  • Main point: The discussion centers on evaluating Flux 2 Pro’s image-editing performance against Nano Banana Pro and other models, while updating a GenAI comparison site and debating metrics and openness.
  • Concern: The main worry is that practical use may be hindered by cost, hardware demands, IP/flagging restrictions, and opaque documentation despite open weights.
  • Perspectives: Views range from praise for Flux 2 Pro’s openness and competitive angle to skepticism about its real gains, with additional chatter about related models, unreleased projects, and benchmarking relevance.
  • Overall sentiment: Mixed

6. Launch HN: Onyx (YC W24) – Open-source chat UI

Total comment counts : 34

Summary

Two founders faced difficulty finding information across docs, Slack, and notes; existing enterprise search was insecure and lacked customization, so they created Danswer, an open-source, self-hosted search platform. People began using Danswer to chat with LLMs, prompting a pivot to Onyx, an open-source chat UI with a world-class UX and enterprise features (RBAC, SSO, on‑prem hosting) that supports RAG, web search, custom tools, MCP, assistants, and deep research. Key learnings: context management with a ‘Reminder’ prompt and model-specific tool behavior (e.g., Python interpreter quirks). Fortune 100 teams have adopted Onyx at scale; airgapped deployments exist. Getting started links are provided.

Overall Comments Summary

  • Main point: Discussion evaluates Onyx as an open-source LLM UI/stack for RAG with OCR and multimodal capabilities, comparing it to OpenWebUI and other enterprise solutions, and debating features, UX, licensing, and viability.
  • Concern: Despite excitement, concerns about usability, incomplete features (OCR fidelity, document tracking, search), licensing ambiguity, and security/self-hosting practicality could limit adoption.
  • Perspectives: Viewpoints range from enthusiastic about open-source potential and end-to-end stack to skeptical about UX gaps, feature gaps, and the viability of a SaaS model, with questions about differentiation from incumbents.
  • Overall sentiment: Mixed

7. Trillions spent and big software projects are still failing

Total comment counts : 41

Overall Comments Summary

  • Main point: The thread analyzes why large-scale software projects fail and whether incremental, disciplined approaches with proper alignment and accountability could prevent such failures.
  • Concern: The main worry is that without better incentives, governance, and consequences, big IT programs will keep running over budget, missing deadlines, and delivering subpar results.
  • Perspectives: The discussion presents a spectrum of views—from pushing for small, staged pilots and learning from history to blaming misaligned incentives, vendor politics, and governance, to emphasizing human factors and accountability and critiquing hype around AI.
  • Overall sentiment: Mixed

8. Constant-time support coming to LLVM: Protecting cryptographic code

Total comment counts : 1

Summary

Trail of Bits has added constant-time support to LLVM 21 via the __builtin_ct_select intrinsics, ensuring cryptographic code remains constant-time through compilation. These intrinsics act as barriers that prevent optimizers from introducing data-dependent branches, and they translate to llvm.ct.select.*, which preserves timing. Architecture-specific handling includes x86 cmov, i386 masked arithmetic, AArch64 CSEL, ARM masked patterns, plus a generic fallback. They published an RFC (Aug 2025), with community feedback and interest from Rust Crypto, BearSSL, and PuTTY; ETH Zürich is benchmarking. Future plans: more intrinsics for arithmetic/string ops and expressions; Rust is exploring exposure.

Overall Comments Summary

  • Main point: The discussion centers on introducing a language primitive to express cryptographic intent and prevent side-channels, arguing the problem lies with the language (not the compiler) and that this primitive would avoid adding new standard rules.
  • Concern: The concern is that such a primitive may not fully resolve side-channel risks and could enable bypassing standard constraints, potentially undermining cryptographic guarantees.
  • Perspectives: Different viewpoints acknowledge the language—not the compiler—as the root of the issue, with some supporting the new primitive while others worry it may be insufficient or bypass standardization.
  • Overall sentiment: Cautiously optimistic

9. Jakarta is now the biggest city in the world

Total comment counts : 10

Overall Comments Summary

  • Main point: Jakarta is an underrated, vibrant megacity with improving transport, excellent value, and a lively food and nightlife scene that many overlook as a travel destination.
  • Concern: The main worry is that Jakarta is under-marketed and underrepresented as a destination, risking missed opportunities despite its attractions and affordability.
  • Perspectives: People differ: some praise Jakarta’s affordability, safety, food, and improving transport; others lament the lack of marketing and iconic attractions and question city-defining metrics.
  • Overall sentiment: Mixed

10. How to repurpose your old phone’s GPS modem into a web server

Total comment counts : 3

Summary

While developing on a PinePhone with a closed-source Quectel EG25-G modem, the author found an ADB-like feature enabling adbd on the modem via an unlocker tool and AT commands. After enabling adbd, the modem runs its own Linux (kernel 3.18.44). The author cross-compiled a tiny static web server (darkhttpd) and hosted a static blog on the modem’s /usrdata, exposing its port through ADB forwarding to the PinePhone at http://pine:8080/ (≈10 Mbps). The setup poses security risks: many AT commands call system(), potential command injection, and root access via ADB could grant persistence to malware, though host interaction is USB/I2S-limited.

Overall Comments Summary

  • Main point: The discussion centers on replacing the modem OS with open firmware (e.g., for the PinePhone LTE modem) to address an outdated kernel and increase transparency about what runs inside the device.
  • Concern: An old kernel used for hosting the modem/second computer raises security and stability risks.
  • Perspectives: Opinions range from enthusiastic support for open firmware and improved transparency to cautions about security risks from an old kernel and reflections on past failures.
  • Overall sentiment: Mixed