alt.hn

6/27/2026 at 2:31:00 PM

Anonymous GitHub account mass-dropping undisclosed 0-days

https://github.com/bikini/exploitarium

by binyu

6/27/2026 at 4:04:22 PM

I took a look at the Ghidra ones (because I use Ghidra), and I'm unimpressed: https://github.com/bikini/exploitarium/blob/main/ghidra-12.1...

The first requires being able to overwrite binaries in the Swift tool directory. Yes, if you overwrite binaries executed by ghidra, you can trigger code execution. This is not a surprise.

The second, idk, I'm not familiar with TraceRMI (but it's probably worth noting that "RMI" stands for Remote Method Invocation).

The third is not a vulnerability in the slightest, they just demonstrate that native 7zip parsing code is reachable. Maybe there is a bug in the 7zip parser, but without that it's meaningless.

by Retr0id

6/27/2026 at 7:58:58 PM

A glance at the nmap one seems potentially high severity. It might be a nothing in practice, but it being around parser code means the chances of preparing something to jump around are pretty high.

There'd be a certain irony being able to reverse shell anyone doing an nmap scan. If I had infinite tokens I'd throw Claude on writing an exploit and dig through the history who made it possible because - if we take a moment to wildly speculate and assume it can ACE - this is the kind of bug an intelligence agency would love to have: Add a few IPv6 packets that then edit the trace being observed if the observer uses nmap / get access to any researcher PC who uses nmap.

by athrowaway3z

6/27/2026 at 5:42:35 PM

Was just thinking it would be hilarious if these were all known CVEs hiding the next Shai-Hulud inside of them and waiting to compromise security hobbyists rushing to download them.

by ofjcihen

6/27/2026 at 5:47:09 PM

It wouldn't be the first time!

by Retr0id

6/27/2026 at 6:57:50 PM

Ghidra one is pretty weak, but I checked out the ones that were interesting to me (c-ares, libssh2, ffmpeg) and they seem to all work as of the latest upstream commit. Weird

by newguy33

6/27/2026 at 5:20:42 PM

The Gitea one looks marginally interesting, but is probably not exploitable in practice (unless Gitea or whoever else isn’t properly isolating jobs on dedicated VMs). I suspect GitHub Actions has similar behavior and is not considered exploitable because the user is assumed to already have local, non-namespaced root access.

by woodruffw

6/27/2026 at 6:18:18 PM

Gitea action runner has a bunch of different ways to set up and doing the isolation properly looks tricky. The documentation doesn't provide any isolation tests to administrators, either.

The biggest mitigation is that Gitea documentation discourages you from using action runners from untrusted users. Not flawless security, but it's something...

by Scaled

6/27/2026 at 6:29:36 PM

> The biggest mitigation is that gitea documentation discourages you from using action runners from untrusted users.

This recommendation seems incompatible with third-party collaboration, at least on its face!

by woodruffw

6/27/2026 at 8:26:49 PM

Potentially, but for many projects things like that are tools that you want to control access to anyway. Anyone wanting to update the CI/CD process who isn't a trusted part of the project should be having their changes properly reviewed by someone who is anyway, at which point the reviewer is the trusted user not the random external entity.

by dspillett

6/27/2026 at 8:54:07 PM

I don’t disagree with that, but I think GitHub has shown that projects want to have their cake and eat it too. GitHub has also shown that it’s incredibly easy to design an insecure CI/CD that satisfies that goal, but I see that more as a symptom of them being first-to-market rather than an inherent quality of the problem.

by woodruffw

6/27/2026 at 4:57:34 PM

> Yes, if you overwrite binaries executed by ghidra, you can trigger code execution.

> but it's probably worth noting that "RMI" stands for Remote Method Invocation

This reminds me of someone submitting a (clearly vibecoded) vulnerability report claiming to have found a way to execute arbitrary SQL. The project in question? An SQL server... https://github.com/tursodatabase/turso/pull/4322

by andrepd

6/27/2026 at 5:06:53 PM

I'm no expert on any of these programs, but that's kinda the problem, isn't it? No single person is an expert on every codebase supposedly exploited in this repo.

After a bit of research, the Firefox one seems plausible to me. But, I haven't actually tried the POC. The explanation about the private-data and untrusted-input flags is plausible but I'm not an expert on Firefox's internals, maybe that's not actually how it works.

This just sucks, all around. Are we going to need every open source project gawking at the same repo full of stuff that has nothing to do with them, on the off chance that someone discloses a vuln that does have to do with them? Is this some kind of performative complaint about high friction in responsible disclosure? Well great job dickhead, you've just made a system that's even worse. Nobody benefits from this. Yuck yuck yuck.

by ryukoposting

6/27/2026 at 5:20:47 PM

I actually prefer them being public than in some government's or corporation's toolbox

by trinari

6/27/2026 at 5:59:31 PM

> Nobody benefits from this

Disclosures always enable more secure software to theoretically exist,

even if nobody follows through creating it.

They often do.

by DANmode

6/27/2026 at 6:20:10 PM

>The first requires being able to overwrite binaries in the Swift tool directory.

Does it? Or does it need to be in the same directory you invoked ghidra?

by charcircuit

6/27/2026 at 4:49:38 PM

I immediately saw the Ghidra one and was thinking: huh?

by skerit

6/27/2026 at 4:57:24 PM

The bigger takeaway is someone that smart is pissed off and dropping their shit with zero warning... but hey, that's just like, my opinion man.

by firefax

6/27/2026 at 4:58:35 PM

You don't need to be pissed off to decide that immediate public disclosure is the best option.

by Retr0id

6/27/2026 at 5:26:06 PM

Ok, I don't know their emotional state. Fair point.

Maybe I'm projecting my own biases ;-)

by firefax

6/27/2026 at 6:13:15 PM

Meanwhile, some dude was just playing with claude and accidentally made his repo public.

by b112

6/27/2026 at 5:59:04 PM

Went over a few of these with a pretty keen eye, and they aren't that particularly interesting. The Docker one is just a weird bug, it's not a vulnerability, and certainly not a "0-day" (which is a pretty loaded term and people expect bad stuff to happen).

The nghttp2 nghttpx one is more interesting, and could potentially be used for phishing, but it's very hard to line up properly because the request queue is non-deterministic so basically impossible to target a specific victim (assuming proxy traffic).

The VLC one is just a straight-up crash/bug. And VLC crashes all the time when using weird codecs, so that's nothing new.

Am I missing something here?

by dvt

6/27/2026 at 6:50:38 PM

I mean, that's how people get hacked. If vlc crashed on my computer, and every day I should raise thanks to my gods that I do not use vlc, I would immediately unplug it and thoughtfully consider the circumstances under which it would be safe to turn it back on.

by jeffbee

6/27/2026 at 7:12:37 PM

Right, this is why video parse / decode ought to be sandboxed. Writing secure code for these formats, especially in C, is really hard. I just sort of glanced at the bug in the repo, but it sounds plausible. It certainly wouldn’t be the first of its kind.

by TheTon

6/27/2026 at 8:05:18 PM

> I mean, that's how people get hacked.

...when was the last documented case of an in-the-wild hack targeting VNC?

by Wowfunhappy

6/27/2026 at 8:29:11 PM

VLC != VNC

by ZeWaka

6/27/2026 at 4:38:53 PM

0-days-vibes-vulns? There should be a new category, for spotting and handling the em-dashes of this brave new world of vulns and making the old fossils like me only picking my head up for the old painfully still hand-crafted artisanal ones instead. A kind of label, like free-range for eggs, in sum.

by doe88

6/27/2026 at 4:51:41 PM

Yes, big pet peeve of the new world. Every em dash is apparently an AI trigger. Back in my day, they were a sign of great respect within my people.

by tyre

6/27/2026 at 5:20:02 PM

I used to be an em-dash user, but now my opinion is that I’d rather be perceived as someone who does not want to be confused with an LLM. So I’ve changed my writing style.

by rogerrogerr

6/27/2026 at 6:11:18 PM

My feeling is that my writing doesn't sound anything like an LLM, so if someone thinks I'm an LLM because I used an em-dash, that's on them. That, or I royally screwed up and need to do a better job as a writer. At least with today's LLMs.

by Wowfunhappy

6/27/2026 at 7:35:58 PM

I don’t give a flying fuck what people think. Most colleges copied or adopted my (for a few semesters) school’s style guide, so LLMs are essentially copying me, and I won’t change my punctuation usage because they suck.

by DrewADesign

6/27/2026 at 8:01:12 PM

Yeah, I get it, they do suck. It all sucks.

But people at work who are copying responses from LLMs into emails to others also suck, and I want to distance myself from them as much as possible. I'm kinda hoping we will eventually have a wave of "what the fuck are we paying you for if you're just copying stuff from an LLM to Slack" firings.

by rogerrogerr

6/27/2026 at 8:52:11 PM

This is a pointless and infinitely losing battle. LLMs will learn to use hyphens instead of em dashes, and so what? You’re going to start using em dashes again?

Just focus on not producing slop.

by stouset

6/27/2026 at 6:21:45 PM

It’s fine to use em-dashes — just be srre to add typos.

by brookst

6/27/2026 at 7:04:43 PM

You can also have the em-dash itself be a typo, e.g. using the figure dash ‒ (U+2012) instead.

by falcor84

6/27/2026 at 5:41:54 PM

They're just so handy! I do think LLMs tend to use them in a specific way, though.

So maybe tweaking your usage (ex. no spaces around them) or using a technically incorrect en-dash might offer the desired effect while subtly signaling that your message isn't AI-generated.

I still use them — mostly for pauses — but I'd like to think my voice sounds distinct enough from an AI that people can tell.

by jackp96

6/27/2026 at 6:23:32 PM

I've only ever been using "regular" dash, a minus, for that. How do you even type yours? If I ever needed differently-sized dashes (and I don't know the difference between them) I always used wiki to copy them.

(disclaimer: I feel like this obsession with dashes is special to native English speakers, which I'm obviously not)

by rplnt

6/27/2026 at 8:54:36 PM

It’s an obsession with literature and/or typography nerds specifically.

Option-hyphen types an em-dash, shift-option-hyphen an en-dash. Em dashes are used—like this—as something spiritually akin to a parenthetical. En-dashes are used within ranges: the Feb 14–17.

by stouset

6/27/2026 at 7:40:39 PM

silly specific: the minus sign is a separate character. The dash equivalent is the en dash (–), versus the larger em (—) and smaller hyphen (-).

The en dash is also used in things like scores (3–2 Turkey), votes (the bill passed 58–42), or connecting words where the second part is longer than one word (the Australia–New Zealand alliance.) You can remember the latter as, "a hyphen isn't big and strong enough to hold on to more than one word."

If you're on a mac, pressing Option+- is the en dash and Option+Shift+- is the em dash.

by tyre

6/27/2026 at 7:14:54 PM

Depends on your OS. Mac is the easiest, it's just ---, Linux depends on your distro, if it uses KDE, it's <right-win>--- —. Windows is a little awkward, I think you need <right win>+the code point.

by Macha

6/27/2026 at 5:51:58 PM

I for one am striving for clarity and couldn't care less about being confused with AI.

However I've only ever used regular dashes. How do you type an em-dash? Is it OS specific? I've taken to using Emacs insert-char with a list of frequently used ones in my scratch buffer. My memory for Unicode is unreliable.

by Syntonicles

6/27/2026 at 8:51:53 PM

In Emacs, C-x 8 RET prompts you for Unicode character names (or hex) so for rare use you can just spell it out. There's also C-x 8 _ m for em dash and C-x 8 _ n for en dash. (Hit C-x 8 C-h to get a full list of those bindings, like any normal secondary map - they're about as idiosyncratic as the XCompose bindings, but you might find some of them "stick" in your head better (I personally like "C-x 8 1 / 2" better than "Compose 1 2" even if it's a lot more typing...))

by eichin

6/27/2026 at 6:57:37 PM

> How do you type an em-dash? Is it OS specific?

On Linux X11 at least, you can enable the Compose key and then press `<Compose>---` which results in — and `<Compose>--.` which gives you –

by feanaro

6/27/2026 at 6:27:46 PM

Keyboard layout specific. Macs with their default English layout use “option-shift-dash” which is really easy to remember (and relatively discoverable, as such things go) which is why using proper m-dashes (not just double-dashes) used to be a strong indicator a poster was using a Mac, before LLMs took the character over.

On iOS you type it by pressing dash and holding until alternative options come up, same way you type e.g. accented characters.

by topgrain2

6/27/2026 at 8:41:22 PM

Macs have two possible ways. If you have key repeat enabled, option+shift+dash. Some newer Mac users may have the mode on where holding a key pops up an iOS-style bubble of alternate options, in which case they will just hold hyphen.

by redwall_hp

6/27/2026 at 7:13:24 PM

You can also just type two "-" minuses on iOS. So "--" will auto-convert to "—".

by alexfringes

6/27/2026 at 6:21:37 PM

Macs have a native way to do dashes: option-hyphen for en-dash and option-shift-hyphen for em-dash. On Windows there are some application-specific ways that make sense, e.g. in Office, but outside that you’re on your own and have to use the “hold alt and type the character codes” method! Or charmap.

by xp84

6/27/2026 at 6:20:06 PM

I now use "ASCII em-dashes" by using two hyphens -- like this. Or--if you prefer no spaces--like this.

by 998244353

6/27/2026 at 6:22:59 PM

Nah, I’ve started noticing people doing this replacement automatically in LLM output. I just try not to write with dashes anymore.

by rogerrogerr

6/27/2026 at 6:45:57 PM

the nn dash remains the goat. the arg dash

by 0gs

6/27/2026 at 7:23:57 PM

Don’t you love when your arg dashes get autocorrected to emdashes? And by love I mean hate with the fiery passion of a thousand suns.

by tim-tday

6/27/2026 at 7:50:13 PM

Agreed. On an iPhone that’s the easiest way to type an em dash and consequently the easiest way to fuck up trying to write out a command line example.

by hamburglar

6/27/2026 at 7:16:40 PM

same, or I use a semicolon

by audreyfei

6/27/2026 at 5:58:43 PM

Code switching in the post LLM era.

by VectorLock

6/27/2026 at 7:02:31 PM

What is the typical motivation to start using em-dashes?

Why go the extra way to have a slightly elongated dash when a normal one would just as well do the job?

I might be completely off here but I've never seen a situation where using a normal dash where a long one should be causes any sort of syntactic trouble.

by theK

6/27/2026 at 8:40:07 PM

Because ASCII minus instead of dash looks ugly. It's like using zero instead of "o".

by codedokode

6/27/2026 at 7:53:29 PM

I think people who care about correctness and also read a lot automatically see the difference and it seems (and is) technically incorrect to use a hyphen where an em dash belongs. That’s really it. Kind of like you wouldn’t just leave out the apostrophes in your writing even though in most contexts they are not strictly necessary for comprehension.

by hamburglar

6/27/2026 at 7:13:01 PM

It looks aesthetically nicer. It was also a bit of a signal that someone took pride in their work and so helped that way. It's a bit like whether your tradesperson cleans up after themselves. Technically sweeping up the dust after installing a kitchen cabinet doesn't actually mean anything for the quality of the kitchen cabinet installation, but in practice putting the effort into the presentation correlates with putting the effort into the actual work.

by Macha

6/27/2026 at 7:22:20 PM

i mean why use punctuation or any capitals at all, why not just blast words out in a stream of consciousness so readers know how yr thinking why even bother with speeling things write

Just because you don't care to use the proper dash doesn't mean everyone else doesn't. People have different levels of caring about different details. For the sticklers, there's even a special code point for ellipsis, … rather than .... (Four being correct, as one is to end the sentence.) Personally I'll just skip — entirely unless I'm in a trolling mood, though “sometimes” the right quotes are worth using. Special characters are easy to type on a phone soft keyboard, taking a long press on the relevant key, or if you're using any other advanced input system, so they shouldn't really be considered to be the mark of LLM input.

The real trouble is that people don't engage with the substance of the post anymore, and just shallowly dismiss a post as being vibe written, as if that makes any points raised invalid. Anti-intellectualism's always been cool among a certain crowd. Shame to see it spread but ah well, the propaganda's working.

by fragmede

6/27/2026 at 5:40:59 PM

I propose that humans use Unicode U+2E3B three em dash ⸻ it is an impressively long character.

by sva_

6/27/2026 at 8:28:24 PM

> U+2E3B three em dash

I had to look up why this exists, and apparently it was added in Unicode 6.1 (2012) because some style guide required it, and using consecutive U+2014 em dashes isn't sufficient because that might not render as one continuous line.

https://www.unicode.org/L2/L2010/10037r-longdashes.pdf

by omoikane

6/27/2026 at 6:14:35 PM

let’s market it as “human dash”

And if it ever catches on with LLMs ⸻⸻ we just make it longer

by deadbabe

6/27/2026 at 7:23:14 PM

Just write —(human)— to denote that a human wrote the dash. Just be sure to instruct your LLM to write —(LLM)— so readers know the difference.

by fragmede

6/27/2026 at 5:18:58 PM

I might like to see a collection of pre-2022 em-dash usage—a subset I suppose of the Low Background Steel category (https://lowbackgroundsteel.ai).

by Barbing

6/27/2026 at 6:01:23 PM

I still use them frequently. On iOS you just tap the hyphen twice, and it inserts an em dash—sorta like that.

by nativeit

6/27/2026 at 5:19:49 PM

You completely misunderstanding the comment feels like an AI trigger

by sureMan6

6/27/2026 at 5:43:37 PM

It’s so they don’t train on AI data, right?

by Dumblydorr

6/27/2026 at 6:11:44 PM

The question is whether the m-dashes are surrounded by spaces or not. The spaces are utterly maddening. But yeah, RIP the mdash, who would have thought.

by timcobb

6/27/2026 at 7:25:43 PM

Those aren't even em-dashes and yet there's a huge thread talking about them.

by djmips

6/27/2026 at 8:27:33 PM

..."and for the love of God, don't use M dashes when you write it"...input goes on for an hour droning about slop...

by kordlessagain

6/27/2026 at 6:39:11 PM

AI is always a bit eager to report everything as an issue because the "number" of findings is seen as a measure of its intelligence. Same happens with code review as well. It reports lots of non-issues. I suspect even Mythos output could have the same bloat, and the number (instead of severity) of the issues it reported could have scared people.

by zkmon

6/27/2026 at 8:47:18 PM

I'm an OSS developer and I've received three "CWE" alerts in the last two weeks. While they were all valid, they were for very trivial things like "this debug logfile could overwrite a file if it were a symlink" and "if a user is able to put OSC screen codes into the Git output they could write arbitrary data to the screen"

These AI models are making *everything* sound like an exploit. Not sure if this is good for the ecosystem. It makes me question everything that comes in more carefully. Is this a real exploit, or someone farming for karma to claim "I opened 39 CWEs in the last week. Hire my 'security' company to audit your code."

by scottchiefbaker

6/27/2026 at 6:43:50 PM

This is not what I heard from folks who worked directly with mythos. I was told that the vulnerabilities it generated were largely real and meaningful.

by dpark

6/27/2026 at 3:47:50 PM

Are they all actually 0-day? I think a lot of them are from disclosed CVEs/code that were already fixed upstream. It often seems like the term "0-day" has lost most of its meaning today and people often use it to refer to any exploits.

by Tiberium

6/27/2026 at 4:03:05 PM

Repo claims

> A single archive of public exploit PoCs and vulnerability research writeups. At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. Please do not abuse these. I do this so to allure people into the field, and I've always found this is the most efficient way.

Which is roughly the definition of zero day. Whether the contents of the repo reflect the above claim is something else entirely.

by tempest_

6/27/2026 at 4:50:39 PM

> Please do not abuse these.

Reminds me of Jamie Wolf's joke about bestiality laws. Who are those for? What stops most people from bestiality is… not wanting to have sex with animals! For people who do want to, what, they won't because of… the law??

Who will this comment stop??

by tyre

6/27/2026 at 5:06:20 PM

Well, it's a joke because the problem becomes apparent after you think a bit about it. The exact same reasoning can be applied to anything illegal, criminals are criminals because they don't respect the law, so you could try to say that laws are useless. Reality is, if something is illegal not only someone can be punished after the fact, but in some cases also preventive measures can be taken.

Regarding the comment, it isn't going to stop anyone. Most people will not do cybercrime because they're honest. Of the remaining, the risk of being sentenced to jail time will instead stop some people, even if not all of them.

by GTP

6/27/2026 at 7:56:05 PM

Technically there are distinct crimes where we know that shifting penalties changes what happens but the impact tends to be on organised crime.

by tialaramex

6/27/2026 at 7:29:50 PM

I mean I do actually think laws are basically useless. Good people don’t need em, bad people don’t listen to em.

I guess “bad” is excessive. I regularly observe traffic laws with less rigor than your average police officer would prefer.

by tim-tday

6/27/2026 at 5:01:43 PM

Those seem like two different scenarios though, right?

The point of bestiality laws is to give society some recourse to punish people who abuse animals.

There was a very famous case back in Washington state back in the early 2000s where a group of men were sexually abusing horses. It was uncovered because one of them died, and the other could only be charged with trespassing because it wasn't illegal at the time to sexually abuse animals.

by BoxFour

6/27/2026 at 4:58:00 PM

The laws are to punish the act once discovered. Not to inhibit it, primarily. Which I suppose cuts down on the incidence of the act in the long run.

by jldl805

6/27/2026 at 5:47:20 PM

That’s one school of thought. Law as a tool to punish those who have committed a prohibited act, mostly reactive.

Others consider law a way of encoding the group’s existing rules and norms.

In that view, making something illegal or mandatory is not a prerequisite for punishment: it’s the actual main point.

The threat of punishment is meant for those not deterred from an act by the simple fact it is illegal (and the threat only works if enforced).

Others put it the other way around, and see law as social engineering, a way to shape the group, either through the encoding itself of the desired behaviours in law, or through deterrence. Or both. If what one is after is either power or legitimacy, they need compliance more than punishment (can’t rule once you’ve chopped everyone’s heads off, or once the mob has put yours on a spike).

It’s also sometimes used as coordination (which side of the road we drive on).

And there’s also law as dispute resolution (if your neighbour’s hen lays an egg in your garden, who does it belong to? Yes, it’s ridiculous. Yes, some places have one or more laws for that). Which, incidentally, both requires and provides legitimacy. Funny, that.

And probably many other kinds / points of view, with many different purposes, intents, and mechanisms.

Anyway, all that to say law is vast, fascinating, and utterly tedious. And apologies for the tangent.

by ElFitz

6/27/2026 at 6:50:58 PM

> Law as a tool to punish those who have committed a prohibited act

You're thinking of criminal law. And it's not just some group's rules and norms - there already exists familial or social group punishment for that. Criminal law is prosecuted by the State. It's the code of conduct of the society you exist in.

If you want a thought experiment for what life would be like without organised society, read Leviathan

Hence why we accept State governance and law (to a greater or lesser extent, obviously people protest specific laws and injustices and what's on the statute books changes on a regular basis), because the alternative to law is "nature", aka bigger-army diplomacy. Anarchy doesn't free people, it only gives freedom to those with existing power to disempower others. Those with superior power will simply rob, rape, kill or enslave everyone else.

States exist to secure their territory from those sort of external threats, and incubate an economy inside their borders, which aspires to bring wealth and happiness. The criminal law is put in place by those with the monopoly on legitimate violence, often encoding the views of the population, to keep their society running.

by amiga386

6/27/2026 at 4:52:33 PM

If it stops even just 1 person once, isn't it already worth it?

by utopiah

6/27/2026 at 8:05:14 PM

We slaughter animals millions by the day in an industrialized fashion. I'm sure they'll feel much better that even singular instances of sexual harassment are officially not ok on paper.

by Valodim

6/27/2026 at 5:12:05 PM

> Who are those for?

The people who want to see the people doing bestiality punished

by seanclayton

6/27/2026 at 5:44:38 PM

I don't want to "see" any of it...

by chaboud

6/27/2026 at 5:09:52 PM

The jury, maybe.

by nostrademons

6/27/2026 at 5:01:30 PM

Either the fear of the consequences of breaking the law, or that the most effective way to reduce crime is to remove criminals from the population so over time these people being in jail or worse decreases the crime rate. They don't have to care about breaking laws in the abstract for the law, properly enforced, to reduce crime.

by PKop

6/27/2026 at 5:40:09 PM

RCE has no meaning either in these situations. The "remote" part is usually an ssh root session if it means anything at all.

by pooploop64

6/27/2026 at 4:23:14 PM

There is going to be a flurry of this sort of stuff as the AIs get smart enough to find them. It will naturally die down as the legitimate ones are fixed. Yes, there will always be some level of this, but I’d expect it to be low and the exploits found to be increasingly complex. This is a time of transition.

by drob518

6/27/2026 at 4:56:13 PM

> a flurry of this sort of stuff as the AIs get smart enough to find them.

I really think this characterization is misleading. It's not "getting smart", only more tailored toward a specific usage, better curated dataset, better harness, better prompts, better labeling of results, documentation of failures and success, etc.

The outcome is (hopefully) overall better but this anthropomorphized wording makes it sound like AI itself is somehow changing or evolving. No, both academia doing fundamental research, industry making it available commercially, and finally security researchers making the entire tooling and process packaged as a service are actively shaping it to make it better. There is no "it".

by utopiah

6/27/2026 at 5:08:13 PM

Do you have a definition of "smart" such that there is something an AI could do to prove itself intelligent?

Or are you just defining "fast" as something only horses can do, and considering that a useful insight about cars?

by handoflixue

6/27/2026 at 5:42:51 PM

A future AI may be intelligent, but LLMs are clearly not. They have no agency, no ability to reason, and no world model. The most effective way to use them is to treat them as next token prediction machines, because that’s what they are.

edit: downvotes but no rebuttals. feel free to show me where the agency, reasoning from first principles, world model etc exists. or you can ask an llm and they'll tell you they don't have those.

by slopinthebag

6/27/2026 at 5:02:03 PM

Yes, of course. I’m definitely anthropomorphizing as a shorthand. I’m the first one to say that these models are just a lot of matrix math.

by drob518

6/27/2026 at 7:01:43 PM

> It will naturally die down as the legitimate ones are fixed.

Every software update introduces and reintroduces them

by yieldcrv

6/27/2026 at 8:28:04 PM

Perhaps, but as the AI analysis becomes part of the release process (or even the CI process as prices fall), you’d expect those new issues to be caught before release and fixed. We’re seeing them caught post-release for now because the code is older than the AIs, so we’re catching up.

by drob518

6/27/2026 at 4:50:02 PM

> It will naturally die down as the legitimate ones are fixed.

Seems like we're already in the middle of this phase, but rather than dying down, the 'reports' have just gotten more noisy and obtuse, making it more difficult to establish the actual degree of threat / attack vector.

by jMyles

6/27/2026 at 4:59:36 PM

And if you are a state agency who'd like to keep the undisclosed zero-days you rely on secret, spamming maintainers with reports makes sense.

As a bonus if you find any actual zero-days in your mass-generated ones you don't report it and get a new one to play with.

by justacrow

6/27/2026 at 5:21:37 PM

I mean. Makes sense until adversary states start walking through the same doors you’re using. At which point you might regret that maintainers are too flooded to deal with it.

Assuming, of course, said state agency is operating under sufficiently strategic governance and management…

by alwa

6/27/2026 at 5:48:41 PM

Honestly execution complexity is over time becoming a lower and lower barrier too.

by juleiie

6/27/2026 at 4:46:03 PM

Pretty unimpressive as security vulnerabilities. It would be better to just say these are simple bugs for the most part.

by ok123456

6/27/2026 at 5:03:48 PM

all vulnerabilities are just bugs.

by unnouinceput

6/27/2026 at 5:11:08 PM

Vulns are a subset of bugs. What the above commenter is saying, is that some bugs don't belong to this category.

by GTP

6/27/2026 at 5:10:30 PM

But not the other way around, which makes them different.

by stonogo

6/27/2026 at 6:37:26 PM

Actually, Mudge of the l0pht (and later DARPA) once famously made the claim that all bugs are security issues waiting to be exploited in some way (I’m probably paraphrasing). I kind of agree. Although, the bugs on this dump are indeed mostly pretty lame, which is exactly what I’ve seen you get a lot of when you let an llm go bug hunting with no human vetting and confirmation in the loop.

It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.

by void-star

6/27/2026 at 7:01:16 PM

Such claims can both be true and pointless. For those of us who have to decide what actions to take, there is a point in differentiating between bugs and vulnerabilities, and breathlessly proclaiming "we found a vulnerability but we don't have an exploitation vector or proof that there's a meaningful security consequence" is annoying and likely to get the proclaimer ignored in the future.

by stonogo

6/27/2026 at 5:38:02 PM

I want to rush to git clone, but as things are, the odds are extremely high that things of this kind that are too good to be real are honeypots and something there will compromise your machine or make your llm start working for someone else...

by xlayn

6/27/2026 at 5:43:03 PM

Then, don't rush and take a few minutes to set up a virtual machine.

by GTP

6/27/2026 at 5:55:38 PM

What about all the virtual machine zero days?

by IncreasePosts

6/27/2026 at 6:22:57 PM

Buy a VM in the cloud?

by victorbjorklund

6/27/2026 at 6:42:54 PM

You can just download the zip over HTTPS

by midtake

6/27/2026 at 8:15:21 PM

I will consider it legit when in next 24 hours MSFT blocks it.

by ozim

6/27/2026 at 7:55:01 PM

cool to see rustdesk. low level memory bugs were long mysterious and i think often received most of the attention for this reason, but always fun to see reminders that "nope, good ol' fashioned logic bugs in high level languages have security implications too." if anything, i think they sometimes are more clever as they require deeper understanding of what the code actually does, intends to do and what was overlooked rather than the common set of bookkeeping errors that are often the root of the memory bugs.

by a-dub

6/27/2026 at 4:22:14 PM

trying something new? this is interesting. the problem is that submitting reports is too slow. if you find one then you're not supposed to share. but then over the next 90 days you learn no one cares and 13 other people submitted it before you, 43 after. maybe better that we just know. so we can run code we can trust sooner. zero is the proper number of dependencies. otherwise assume it's broken.

by kodareef5

6/27/2026 at 3:42:12 PM

Most of the exploits are for opensource/free software.

I don't know what methods were used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.

by merelydev

6/27/2026 at 3:47:18 PM

llms are fantastic disassembly partners, they're quite good at labeling functions from various disassemblers -- the net losses from losing the benefits of open source, imo, outweigh the protection afforded by hiding your source code in yet another layer that is more and more easily unrolled through automated procedures.

by serf

6/27/2026 at 3:56:54 PM

And isn't it also mostly a transitioning issue? Those open codebases will be constantly scanned for potential security issues and getting more and more hardened. There are probably a lot of easy wins that are going to be discovered over the next few years but it should taper out after a while.

by blensor

6/27/2026 at 3:58:17 PM

Fair point but it assumes we all have access to LLMs with the same capabilities.

by merelydev

6/27/2026 at 4:06:27 PM

I don't think that's exactly it. OSS only needs someone to have a strong LLM to check for bugs. If your software is proprietary, it's a competition between just you and whatever model you have vs any attacker and whatever model they can lay hand to.

by yjftsjthsd-h

6/27/2026 at 5:15:54 PM

I don't see the difference.

> OSS only needs someone to have a strong LLM to check for bugs.

The same applies to proprietary, closed-source code. It being closed-source means that the source isn't generally available, but the executable is. Hence, someone with a strong model can still reverse it and find vulns.

by GTP

6/27/2026 at 3:53:01 PM

disassembly only applies to client side software

something like nginx could arguably be more secure if it was closed source

(I am a proponent of and contributor to open source)

by spongebobstoes

6/27/2026 at 3:59:12 PM

Only until a single server running nginx is hacked and the binary leaked though...

by gpm

6/27/2026 at 4:04:03 PM

Um, the nginx binary would have to be in the hands of hundreds of thousands of server operators. And the set of server operators is rich in the kind of person who would attack it. Not to mention the huge number of leaks you'd get.

Maybe if it's some server-side software that you only use yourself...

by Hizonner

6/27/2026 at 4:06:54 PM

Open source is a good thing, but I don't think what you are proposing is accurate.

A different way to frame this would be that those bugs would never be surfaced or exploited if the software were proprietary.

by maxloh

6/27/2026 at 4:30:10 PM

Presumably, one could let the bots loose on your own codebase first. The question is one of financing of course. If your end users are enterprises willing to pay for a support contract, they probably care enough about not getting hacked to endure the higher prices that would let you throw enough tokens at the problem. Other open-source projects might have a harder time.

by derektank

6/27/2026 at 6:55:53 PM

I think LLMs might actually have a bigger effect on closed source software - the tedium saved on open source bug hunting is significant, but on closed source software the tedium of finding bugs is extreme because of all the reverse engineering, but LLMs will chew through that. So there's probably a lot of low hanging fruit.

by IshKebab

6/27/2026 at 4:52:34 PM

> I don't know what methods were used to find these exploits but I am starting to think security through obscurity might not be a bad thing in this day and age, where someone can just let bots loose on your codebase.

I'd love to hear why you think obscurity is bad, if you now think maybe it's good in the LLM age?

I'd also be interested if you could describe exactly what or how you think security through obscurity works, or doesn't?

I've been thinking a lot about how to better teach this concept, so I'm looking to understand exactly how everyone thinks/understands how it currently works, or should work, or what it should do. I don't care about the "correct" answer (I have ddg too :P); I'm interested in general expectations from SWEs that I might teach at work, instead of opinions of security eng speaking about theory.

by grayhatter

6/27/2026 at 5:34:46 PM

Security through obscurity can make something a bit more secure in practice by annoying an attacker IF AND ONLY IF you're not relying on the hidden information remaining secret in order for the system to remain secure. E.g., if you're using a broken cipher and assume this is ok because no one knows which cipher you're using, you're gonna have a bad time.

In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighed by the contributions and vuln reports you get if you publish the source.

by GTP

6/27/2026 at 5:02:55 PM

"one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them" - Claude Shannon

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

by merelydev

6/27/2026 at 5:29:28 PM

If you believe this, then why did you say?

> starting to think security through obscurity might not be a bad thing

by grayhatter

6/27/2026 at 5:50:20 PM

Because of asymmetric differences, I don't have access to powerful LLMs but attackers might. And also the complexities of software dependencies (supply chain vulnerabilities), my software depends on packages not in my control and I don't have time to audit the entire stack.

by merelydev

6/27/2026 at 8:01:29 PM

Perhaps the answer is to depend only on packages that come from people that are more competent than you so you can know if or when your program is compromised that it'll most likely be your fault and not theirs.

by asadotzler

6/27/2026 at 4:12:18 PM

[dead]

by throwaway613746

6/27/2026 at 4:48:50 PM

I also have a library of bugs I found using Claude Opus 4.8 through the Customer Verification Program. Undisclosed; atp I don't even know if they have been found by someone else. But just like this repo

There's a bunch of very specific scenario DoS bugs, buffer over/underflows, that will get caught by ASLR and whatnot

When I report serious ones, mostly the devs will respond with something like, yeah, that's how we designed it in a dangerous way, so that the layer above or below can solve the issues, and other footgun stuff.

by bassiee

6/27/2026 at 7:06:45 PM

I’m sitting on a 0-day rce on the tizen browser (smart tv)

Didn’t bother submitting since who actually uses tizen?

by ibarrajo

6/27/2026 at 3:48:31 PM

I'm going through each one, and it's fascinating to see things like this. The UAF principle in c-ares is really interesting.

The problem ultimately came from not being able to prevent stale pointers. The attack works by figuring out the size of the stale pointer, then spraying memory with data of the same size, and finally achieving RCE (Remote Code Execution). How do people even come up with ideas like this?

by jdw64

6/27/2026 at 4:03:18 PM

But do people actually find these vulnerabilities on their own, or are they using LLMs? I was curious about how these vulnerabilities work, so I tried asking my dear friend Mr. CLAUDE, but he immediately threw an error and ended the session because it was a cybersecurity question. Enterprise APIs block even the analysis itself, so it's amazing that people can actually pull this off in practice.

by jdw64

6/27/2026 at 5:21:55 PM

People have always used tools. Some people have better tools than others. I guess the line is thin whether they found them on their own or not.

by nicce

6/27/2026 at 5:16:03 PM

If you want to chat with Claude about this, I'd recommend using Opus 4.6. IME it's happy to talk about (and even write) PoC exploits

by raesene9

6/27/2026 at 4:18:19 PM

I imagine this is a large open model like GLM5.2 etc

by lacoolj

6/27/2026 at 7:01:36 PM

[flagged]

by ZappoMan

6/27/2026 at 4:17:38 PM

le sigh, c-ares. Very predictable outcome. If you ever find yourself entertaining the idea that you will simply write non-blocking network protocol stacks in C with manual lifetime management, slap yourself. It doesn't matter if you think you are a super genius of unimpeachable taste. The job is impossible.

by jeffbee

6/27/2026 at 4:25:24 PM

Thank goodness I use a GC language

by jdw64

6/27/2026 at 3:59:24 PM

A surprising amount of documentation if the actor was just LLM-dropping these..

by mrbluecoat

6/27/2026 at 4:21:28 PM

Why is that surprising? LLMs can churn out arbitrary volumes of "documentation" in an instant.

by Retr0id

6/27/2026 at 6:52:18 PM

This was sarcasm, meaning exactly what you wrote.

by Bengalilol

6/27/2026 at 4:23:43 PM

That seems trivial for an llm to provide.

by dawnerd

6/27/2026 at 3:40:35 PM

we have got to stop putting our bank accounts and SSNs on computers

by functionmouse

6/27/2026 at 4:20:25 PM

We need our infrastructure to stop treating bank account numbers and social security numbers as secrets. At least in the US, bank account numbers appear on physical checks and are required to be shared in order to do an ACH transfer, and a social security number is not supposed to be used as an identifier (unless to the Social Security Administration itself) or as a secret password.

Ideally, nothing nefarious should happen if both of them were listed and queryable publicly.

by ryandrake

6/27/2026 at 4:44:38 PM

Hang on, can you actually do something nefarious with just the bank account number?

by silversmith

6/27/2026 at 4:54:01 PM

If someone has your bank account and bank’s routing number (which is also not secret), they can make fraudulent ACH transfers and payments from your account. Of course it will most likely be caught as fraud some time after the fact, but just those two bits of not-secret info are enough to grief someone.

by ryandrake

6/27/2026 at 5:23:34 PM

And both numbers, plus your name and address and a convenient sample of your signature, are on every check you’ve ever written.

by rogerrogerr

6/27/2026 at 7:26:11 PM

I suddenly feel very clever for signing everything with “Shamu T. Whale”

by derwiki

6/27/2026 at 5:59:14 PM

AFAIK that's a US thing. In normal countries bank account numbers are not a secret. The worst thing that can happen is someone sending you money.

by mystifyingpoi

6/27/2026 at 6:46:13 PM

Yes but there are steep penalties for bank fraud so it is not especially common

by jazzyjackson

6/27/2026 at 4:33:20 PM

It’s quite ridiculous that we haven’t been able to build a modern identification system capable of replacing SSNs in the last 30 years.

by derektank

6/27/2026 at 8:32:23 PM

SSNv6. It will take 20 years for a 50% migration

by timacles

6/27/2026 at 5:20:47 PM

You all need a better system than US SSNs

by dgellow

6/27/2026 at 6:02:49 PM

You can buy your SSN for $6-$10.

by DANmode

6/27/2026 at 4:48:52 PM

Firewalled VM, locked-in keyboard/mouse, 1 query to any agent and it's set up.

by pixel_popping

6/27/2026 at 4:06:32 PM

... support cash, tell your neighbors

by gnerd00

6/27/2026 at 4:23:24 PM

And Monero for online.

by Cider9986

6/27/2026 at 4:18:12 PM

til you get debanked

by JohnMakin

6/27/2026 at 4:19:43 PM

Cash doesn't require a bank.

by krapp

6/27/2026 at 4:32:37 PM

Banks are kinda useful to avoid getting robbed of all your money, on a regular basis.

Many French people with crypto money experienced that the hard way recently.

by speedgoose

6/27/2026 at 5:06:19 PM

do you have links about the French people?

by nubg

6/27/2026 at 6:09:39 PM

Sure, here are a few links. Use your favourite translator.

In short, it's a very active and growing activity. Many data leaks helped people to identify wealthy targets. Some just brag about having crypto.

https://www.lemonde.fr/societe/article/2026/04/24/enlevement...

https://www.franceinfo.fr/faits-divers/cryptomonnaies-la-vag...

https://www.lemonde.fr/societe/article/2025/08/19/l-ascensio... (paywall)

https://www.slate.fr/societe/enlevements-lies-cryptomonnaies...

Some random recent ones we know about:

https://france3-regions.franceinfo.fr/grand-est/haut-rhin/mu...

https://www.leparisien.fr/faits-divers/renseignes-par-des-ha...

by speedgoose

6/27/2026 at 5:26:14 PM

Kinda does?

by ahoka

6/27/2026 at 6:48:36 PM

Doesn't at all. You can take cash, keep cash and spend cash without any bank being involved. Cash is more anonymous than crypto and (if it's USD) accepted just about everywhere.

Banks give you an advantage with transaction security and deposit insurance, but that's dealing with money and not cash.

by krapp

6/27/2026 at 8:47:53 PM

Skynet's strategy is to beat us into submission via spam slop.

by shevy-java

6/27/2026 at 8:13:44 PM

I call fake or BS because Microsoft would be already on it.

by ozim

6/27/2026 at 5:25:17 PM

Mythos has been achieved internally

by hypercain

6/27/2026 at 7:55:40 PM

Ah yes, the typical 'echo' command accepting untrusted user input 0-days.

by himata4113

6/27/2026 at 6:20:25 PM

oh-days for days

by icase

6/27/2026 at 4:41:26 PM

I think people may miss the point of a repo like this. Individually these are small puzzle pieces that can't do anything. Put them all in one place and it becomes easier to pick up pieces and try them together to see if they fit and build something bigger. Get enough pieces to fit together and you actually have something. This is the 'FOUO' idea in security. Enough open information gathered together in one place crosses the boundary from 'just public info' to 'secret stuff here!'. Now we have automatic puzzle solvers (coding assistants) a repo like this becomes a lot more meaningful.

by jmward01

6/27/2026 at 4:44:17 PM

Yep and typically none of this is meaningful unless you have no security practices at all. You can't have it both ways. Every security team says these things are all critical even though, for example, it's only being used internally. Cool, so you somehow have our network cert, are on site physically, have compromised a laptop fully without all of our tools detecting weird shit, have a password, admin access to the repo, somehow are spoofing MFA, etc etc. Yeah it all adds up, but as an admin I'm just fucking done dropping everything for these kinds of things.

by esikich

6/27/2026 at 4:04:01 PM

A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.

by tliltocatl

6/27/2026 at 4:25:15 PM

No, the days start counting from the availability of a patch.

by Retr0id

6/27/2026 at 5:11:00 PM

I was thinking that the other definition was right and this correction was wrong.

Then I did some searching and found multiple examples of both definitions in use, making things murky.

So I turned to Merriam-Webster’s dictionary: “of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor”

And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.

by rmast

6/27/2026 at 5:20:21 PM

what if a patch is never released?

by 0123456789ABCDE

6/27/2026 at 4:50:16 PM

I've only heard it used as Retr0id's definition.

by richbell

6/27/2026 at 6:27:19 PM

> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.

No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.

The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.

by cubefox

6/27/2026 at 4:26:47 PM

That's one way to do it.

by johnwheeler

6/27/2026 at 4:44:28 PM

> At the time I post these, none have been reported. Feel free to report them yourself and take credit for the CVE if handed out lulz. I do this so to allure people into the field, and I've always found this is the most efficient way.

I've been a skiddy, he would have believed this. Thankfully, I've grown a bit, and can see this for the transparent, "I'm angry and want to hurt others so I will feel a little less alone", it actually is.

I'm sorry you're so angry dude (me too), but as someone who's joined the blue side, we'd appreciate it if you gave us some kind of heads up, the bad guys generally have a lot more time to scroll for new payloads than I do. Not all of us deserve the kindness of a heads up, but every single one of our users deserve it. Don't punish them because you're mad at someone else.

You can flex on the idiots you're trying to flex on, without hurting people. Even an email to security@[that_project_domain] saying "hey, I've published these" would move you from the group of people I see making the world worse, into the group making it better. (You don't have to, obviously, but making the whole world worse won't make you less angry.)

by grayhatter

6/27/2026 at 5:03:38 PM

While I can follow your path, maybe because I see the same, I sadly have seen in groups of friends how this can go sideways very fast. If you report things, some companies are going to treat you as a criminal/offensive actor and even take legal action against you, even if you just tell them, here, you've got this vuln.

Sure, you can then do it anonymously and so on, but the point is: it's not like every actor that gets notified will react thankfully to it. Some even just ignore it.

by voodooEntity

6/27/2026 at 6:04:43 PM

User/admin discretion for software they use should be a big factor, sometimes getting burned is how you learn to play with fire. Or decide that having your data/participation disrespected means you need to set harder boundaries. My solution is to try things in isolation, run very few services, try to avoid becoming dependent on the online, appreciate the offline and local first.

by sellmesoap

6/27/2026 at 5:24:12 PM

How bad are your security practices that these tiny obscure things matter? None of these findings that show up here on HN should even make you flinch. The alarmist takes on this stuff are fucking exhausting and I'm tired of security teams bugging me about it. Do your job and this shit doesn't matter AT ALL.

by esikich

6/27/2026 at 5:48:55 PM

I said "doesn't matter" to someone once... the resulting lesson came in the form of a reply from the whitehat researcher (waves, hi brian!): a 16-step exploit chain resulting in a one-click full account takeover.

I'm equally annoyed and over the alarmist takes. But I don't think it's fair to group mine into it. I'm annoyed at seeing discard respect for others into the same void everyone is happy to toss quality.

Do these tiny things matter? No, not to the default-panic-level everyone adopts when they see 0day, or CVE... but duh, I'm now just repeating exactly what you already said. That no, for the record is mostly because I don't use any of these, not just because they're boring exploits. While I always look, I default assume anything CVE is boring/pointless. But I still read them.

But then, I'm not trying to convince the owner of the repo. I'm trying to discourage the theme among researchers that "no one cares", because I have seen researchers disclose bugs publicly, that we'd be eager to pay out on, because they disagreed with the decision on their last report.

I've fixed bugs being actively exploited against our users, that were found/fixed only after a whitehat report for something adjacent (we pay on those btw, and you should too). I don't wanna live in the world where it's easier for the bad guys, the only way we get there is once "everyone knows", you gotta report all the bugs that you can turn into an exploit. I don't want "the whitehat researcher culture" to move towards, who cares' dump the PoC on github, screw anyone that could be hurt by the bad guys, they deserve to be punished for the incompetence of others. SWEs are shit at security, security researchers are shit at SWE, the only way we get the good outcome, is if they're willing (and encouraged) to work together.

by grayhatter

6/27/2026 at 6:25:13 PM

No one is doing 16 step exploits unless you're a huge target in some way. 0.0000001% of companies fit that bill. And even then, ok, what did they get? An account login? What are they going to do? Read email? Then what? "Use it for social engineering"? Who cares, you have MFA right? You have a firewall? You don't allow people to randomly jump from box to box via RDP? You have basic security and auditing on your fileshares? EVEN THEN, what, they get a spreadsheet from your last town hall meeting? I'm also tired of pretending that 99.999% of the data in a company even matters. Unless they have some way to cryptolock your whole company, AND you don't have backups/snapshots without any basic access security, there isn't a lot of value to be taken. Security "teams" are a bunch of fucking busybodies with nothing to do. Pay for a competent admin team and the security dept is completely redundant and useless.

by esikich

6/27/2026 at 6:06:59 PM

That’s a whole lot of “we” to not mention which company you’re at that supposedly plays well with security researchers/has a proper bug bounty.

by DANmode

6/27/2026 at 6:34:20 PM

Even if the company doesn't have a big bounty publishing exploit code without warning them is unethical. Moreover, a lot of these projects are FOSS without a company which could pay bug bounties.

by cubefox

6/27/2026 at 4:09:25 PM

Open source is the best

by ohadkr

6/27/2026 at 4:50:52 PM

"Cibercrime is cringe"

by jiug

6/27/2026 at 5:19:27 PM

[flagged]

by yuvrajsa

6/27/2026 at 7:46:21 PM

[dead]

by huflungdung

6/27/2026 at 4:39:25 PM

"cybercrime is cringe"

by haberdasher

6/27/2026 at 4:38:10 PM

What if this person is from an AI lab that really wants the govt to keep suppressing Mythos/Fable & GPT5.6? It's what I would do, the timing couldn't be any better.

by segmondy

6/27/2026 at 4:56:30 PM

wouldn't it be trivial to match the repo to the user logs?

by 0123456789ABCDE