HN Reader

Grade 2 Braille (en.wikipedia.org)

1 points by admp 5m ago 0 comments

The Cudy AX3000 Wi-Fi 6 System (With OpenWRT) (taoofmac.com)

1 points by rcarmo 9m ago 0 comments

A spammer promoting an AI coding tool spammed my repo (ruby.social)

3 points by luu 9m ago 0 comments

US power use to reach record highs in 2025 and 2026, EIA says (reuters.com)

1 points by JumpCrisscross 11m ago 0 comments

AI Skepticism and Oracle's Big Risk: How Will Open AI Pay for It? (eaglepointcapital.substack.com)

1 points by lemonberry 11m ago 0 comments

Show HN: From selling AI to QA teams to building a smooth test-management app (tester.desplega.ai)

3 points by harlequinetcie 12m ago 0 comments

Git Without Stash/Tags

1 points by birb07 14m ago 0 comments

Quantum Physics Myths, Debunked [video][13 mins] (youtube.com)

1 points by Bender 15m ago 0 comments

Three Kinds of Contrarians (overcomingbias.com)

1 points by jger15 17m ago 0 comments

Are high school sports living up to their ideals? (theconversation.com)

1 points by PaulHoule 17m ago 0 comments

Large-scale semi-discrete optimal transport with distributed Voronoi diagrams (sciencedirect.com)

1 points by ibobev 17m ago 0 comments

Fire up the gas turbines, says US Interior Secretary We gotta win AI arms race (theregister.com)

2 points by Bender 17m ago 0 comments

DOJ files civil forfeiture complaint against over $5M in Bitcoin SIM Swap (cryptonews.com)

1 points by paulpauper 18m ago 0 comments

How to join or concat ranges, C++26 (cppstories.com)

1 points by ibobev 20m ago 0 comments

Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web (2017) (scholarship.law.bu.edu)

1 points by aspenmayer 21m ago 1 comments

Paged Attention Performance Analysis (martianlantern.github.io)

1 points by martianlantern 25m ago 0 comments

Google Gemini is the top free iPhone app (9to5google.com)

4 points by blinding-streak 25m ago 0 comments

Epstein's Inbox (bloomberg.com)

2 points by 1vuio0pswjnm7 26m ago 1 comments

Asymptotic Chase (symptotic.substack.com)

2 points by sujayk_33 27m ago 0 comments

The Death of the Corporate Job (thestillwandering.substack.com)

4 points by brycewray 29m ago 0 comments

Show HN: Gradax โ€“ Watch your study charts rise and feel your grades follow (mygradax.vercel.app)

1 points by naymul 30m ago 1 comments

Agentic AI has changed my career (medium.com)

1 points by kiyanwang 30m ago 0 comments

Utah governor says motive not certain but the suspect was on the left (apnews.com)

3 points by SilverElfin 30m ago 0 comments

Lisp in 2025 (FOSS Book, 10 chapters) (github.com)

1 points by DavidCanHelp 31m ago 0 comments

Show HN: AutoDocs โ€“ Reduce AI costs and never manage context again (github.com)

2 points by Aperswal 33m ago 1 comments

LiteFS VFS SQLite Extension for Serverless Environments (github.com)

1 points by nethunters 34m ago 0 comments

OpenAI Backs AI-Made Animated Feature Film (wsj.com)

1 points by gmays 36m ago 0 comments

Rockbox (rockbox.org)

1 points by ustad 36m ago 0 comments

Pymunk 2d Physics (pymunk.org)

2 points by ustad 37m ago 0 comments

Target Market Isn't Demographic (longform.asmartbear.com)

1 points by sltr 40m ago 0 comments

Personal task manager Super Productivity v15 Release with complete UI overhaul (app.super-productivity.com)

1 points by johannesjo 45m ago 1 comments

Rereading (maxgirkins.com)

2 points by mgirkins 46m ago 0 comments

I have hard evidence that YouTube manipulates creators' (twitter.com)

3 points by AIALGORITMOS 48m ago 1 comments

Hardship, hashtags combined to fuel Nepal's violent response to social media ban (theconversation.com)

2 points by rntn 50m ago 0 comments

Exposing the Dark Side of America's AI Data Center Explosion [video] (youtube.com)

2 points by mgh2 51m ago 1 comments

Breaking down the breathtaking visual effects of Chrono Trigger [video] (youtube.com)

1 points by marc_omorain 52m ago 0 comments

Measuring the environmental impact of delivering AI at Google Scale [pdf] (services.google.com)

1 points by doener 53m ago 0 comments

How to Burst the Israeli Bubble (theguardian.com)

4 points by NomDePlum 54m ago 0 comments

The West is buried under red tape (ft.com)

1 points by arbuge 55m ago 1 comments

Eye drops could replace glasses or surgery for longsightedness, study says (theguardian.com)

2 points by giuliomagnifico 55m ago 0 comments

What Caused Democrats' No-Show Problem in 2024? (thenation.com)

3 points by rawgabbit 56m ago 2 comments

The AI Doomers Are Losing the Argument (bloomberg.com)

1 points by thm 57m ago 0 comments

The teens behind RedSnapper: a smart Arduino-powered prosthetic arm (blog.arduino.cc)

2 points by PaulHoule 57m ago 0 comments

Library of Time (libraryoftime.xyz)

3 points by japaget 59m ago 0 comments

A U.S.-China tech tie is a big win for China because of its population advantage (gabrielweinberg.com)

1 points by paulpauper 59m ago 0 comments

Meh Superpowers, or Not? (jovex.substack.com)

1 points by paulpauper 1h ago 0 comments

Howl, after Allen Ginsberg (for the AI-headed hipsters) (statmodeling.stat.columbia.edu)

1 points by paulpauper 1h ago 0 comments

Ask HN: Is there a easy connector between MongoDB and Postgres?

2 points by singlepaynews 1h ago 2 comments

The Day-Long, Repeating GRB 250702B: A Unique Extragalactic Transient (iopscience.iop.org)

1 points by Stratoscope 1h ago 1 comments

Defending Amateur Radio Spectrum: The AST SpaceMobile Battle Continues (openresearch.institute)

3 points by upofadown 1h ago 0 comments

PyPI mirror proxy that injects code and bypasses pip hash verification

1 gzer0 1 9/14/2025, 3:58:48 PM github.com โ†—

Comments (1)

zahlman ยท 2h ago
Yes, if you control the index, you can lie to pip about what the package's hash should be. This is why you have to opt in to using a different index, and why the connection to PyPI has been properly secured since forever (https://github.com/pypa/pip/issues/425 ; note the date).

Once pip supports installation from a PEP 751 lockfile (should be very soon, by my understanding), presumably this won't work, unless the lockfile is already compromised.

The clearly AI-generated README is also confused about how this works. It claims:

> Intercepts package index requests and rewrites URLs to point to the malicious mirror

but it's actually implementing a malicious mirror by forwarding requests to PyPI and then serving a modified version of the PyPI result. "Preserves and updates SHA256 hashes for modified packages" is also an incoherent description; preserving something and modifying it are mutually incompatible.