alt.hn

6/5/2026 at 3:11:52 PM

Good Careers at Bad Companies

https://sharedphysics.com/good-careers-at-bad-companies/

by goopthink

6/6/2026 at 1:32:52 AM

OP/author here! Apologies about the malware and captcha. It looks like my site was exploited by CVE-2026-26980 affecting all Ghost sites pre v6.19 [1][2]. An API key was hijacked to inject malicious JS into every page that looks like a Cloudflare captcha; it seems that the JS only targeted Windows users, so I didn't catch it before I shared the post widely.

The site has been upgraded to 6.44 to close the vulnerability, I rotated every API key and account credential, and both manually and programmatically scrubbed every instance I could find of the code injection across the database. I think we're clear now!

Sorry to anyone caught by this and thank you to folks for flagging it (and thanks to the HN team for letting me follow up on this after comments were closed). I'm seriously mortified. X_X

[1] https://github.com/TryGhost/Ghost/security/advisories/GHSA-w...

[2] https://www.securityweek.com/ghost-cms-vulnerability-exploit...

by goopthink

6/6/2026 at 4:52:58 AM

Thanks for fixing the site, OP.

The post is fantastically helpful for keeping perspective and navigating orgs regardless of whether or not they’re a “bad company”. Because there are parts of every company that are dysfunctional.

by yesfitz

6/5/2026 at 3:54:29 PM

I visited on mobile and didn’t get the captcha other folks are talking about, just a useful article. Interesting.

by kaikai

6/5/2026 at 3:56:28 PM

Same here. I didn't get a captcha. Good article. And it looks human-written. Refreshing.

by annjose

6/5/2026 at 3:59:04 PM

Yes, besides the malware, it was a refreshing read.

by stringfood

6/5/2026 at 3:39:15 PM

Why is the captcha on this site asking me to copy paste some giant command to my Terminal and hit enter?

by tronium

6/5/2026 at 3:55:49 PM

How is actual malware still up on HN after 45 minutes?

by happytoexplain

6/5/2026 at 3:42:45 PM

Interesting scam, hadn't seen a re-captcha like that before. You'd have to be pretty technically illiterate to follow the instructions.

by Insensitivity

6/5/2026 at 3:53:14 PM

[flagged]

by stringfood

6/5/2026 at 3:45:48 PM

I am highly disrespected by your misleading and scummy CAPTCHA, which is very very unethical. Copying a command to my clipboard and asking me to run it in terminal? You should be banned for this. Here is the analysis of what you were asking readers to do:

It's a multi-stage malware loader. The decoded PowerShell does this:

Forces TLS 1.2 and creates a randomly-named folder in %TEMP%.

Downloads a copy of 7z.exe (the legitimate 7-Zip binary) from httXXXps://mstclaudens.beer/api/7z.exe — it brings its own archiver so it doesn't depend on one being installed.

Downloads a password-protected archive from httpXXXs://mstclaudens.beer/api/index.php?a=dl&dg=EP7IutuFPF8R1&... — the URL carries a campaign/victim tracking ID and a hash, so the operator knows which lure you came from. It retries up to 3 times.

Extracts the archive using 7-Zip with the hardcoded password rEEiT. The password is the whole point — it lets the payload sail past most network/email AV scanning, because scanners can't peek inside an encrypted zip.

Hunts the extracted contents for an .exe or .msi and runs it with a hidden window (-WindowStyle Hidden).

Deletes the downloaded files to clean up its tracks, and re-launches the whole thing in a hidden PowerShell process.

The actual malicious payload isn't in the script — it lives in that remote archive, which I can't and won't fetch. But the delivery pattern (fake CAPTCHA → "paste in terminal" → loader → encrypted second stage → silent execution) is the textbook ClickFix chain, and the end payload in these campaigns is almost always an infostealer (Lumma, StealC, Vidar, and friends) — something that grabs browser passwords, cookies, session tokens, and crypto wallets and ships them off. The Start-Process … -WindowStyle Hidden and self-cleanup are there so you'd never see it happen. IOCs worth recording / blocking:

Domain: mstclaudens.beer (note the cute "claudens" — these .beer / random-word TLDs are common for throwaway C2)

URLs: hxxps://mstclaudens[.]beer/api/7z.exe and hxxps://mstclaudens[.]beer/api/index.php?a=dl&...

Archive password: rEEiT

Behavior: PowerShell spawning a child PowerShell with -NoProfile -WindowStyle Hidden -Command, writing random .exe/.zip names to %TEMP%

by stringfood
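
The behavioural IOC in the comment above (PowerShell spawning a child PowerShell with -NoProfile -WindowStyle Hidden -Command), written as a detection rule; this is an added example, not part of the thread. The event field names and sample records are constructed, shaped like process-creation telemetry, and matching shortened flag forms such as -nop and -w goes beyond what the comment lists.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

def flag_re(full, min_len, value=None):
    """Match -<prefix of full>, since powershell.exe accepts shortened parameter names."""
    alts = "|".join(full[:n] for n in range(len(full), min_len - 1, -1))
    tail = rf"\s+{value}" if value else ""
    return re.compile(rf"(?<!\S)-(?:{alts}){tail}(?=\s|$)", re.I)

# The three flags named in the comment's behaviour IOC.
INDICATORS = {
    "no_profile": flag_re("noprofile", 3),
    "hidden_window": flag_re("windowstyle", 1, value="hidden"),
    "inline_command": flag_re("command", 1),
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def is_powershell(path):
    return basename(path).lower() in POWERSHELL

def detect(events):
    """Return (host, cmdline) for PowerShell children of PowerShell using all three flags."""
    hits = []
    for ev in events:
        if not (is_powershell(ev["parent"]) and is_powershell(ev["image"])):
            continue
        if all(rx.search(ev["cmdline"]) for rx in INDICATORS.values()):
            hits.append((ev["host"], ev["cmdline"]))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records, not taken from the incident.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": PS, "image": PS,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command <script elided>"},
    {"host": "ws-02", "parent": PS, "image": PS,
     "cmdline": "powershell -nop -w hidden -c <script elided>"},
    {"host": "ws-03", "parent": PS, "image": PS,  # benign admin script, visible window
     "cmdline": "powershell.exe -NoProfile -File C:\\ops\\inventory.ps1"},
    {"host": "ws-04", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command <script elided>"},
]

if __name__ == "__main__":
    for host, cmd in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: {cmd}")
```

Only ws-01 and ws-02 alert. ws-04 is skipped because its parent is not PowerShell, so a site with hidden scheduled-task scripts would handle that case in a separate rule.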

6/6/2026 at 4:19:01 PM

Looks like the site got hit by the CVE-2026-26980 exploit shortly before I posted this. This was helpful in identifying the malicious code that was added to the footer of every page, thank you!

by goopthink