Feed aggregator

Standardizing HLSL

Hacker News - Thu, 02/12/2026 - 9:37am
Categories: Hacker News

Outlook add-in goes rogue and steals 4,000 credentials and payment data

Malware Bytes Security - Thu, 02/12/2026 - 9:35am

Researchers found a malicious Microsoft Outlook add-in that was able to steal 4,000 Microsoft account credentials, credit card numbers, and banking security answers.

How is it possible that the Microsoft Office Add-in Store ended up listing an add-in that silently loaded a phishing kit inside Outlook’s sidebar?

A developer launched an add-in called AgreeTo, an open-source meeting scheduling tool with a Chrome extension. It was a popular tool, but at some point, it was abandoned by its developer, its backend URL on Vercel expired, and an attacker later claimed that same URL.

That requires some explanation. Office add-ins are essentially XML manifests that tell Outlook to load a specific URL in an iframe. Microsoft reviews and signs the manifest once but does not continuously monitor what that URL serves later.

So, when the outlook-one.vercel.app subdomain became free to claim, a cybercriminal jumped at the opportunity to scoop it up and abuse the powerful ReadWriteItem permissions requested and approved in 2022. These permissions meant the add-in could read and modify a user’s email when loaded. The permissions were appropriate for a meeting scheduler, but they served a different purpose for the criminal.

While Google removed the dead Chrome extension in February 2025, the Outlook add-in stayed listed in Microsoft’s Office Store, still pointing to a Vercel URL that no longer belonged to the original developer.

An attacker registered that Vercel subdomain and deployed a simple four-page phishing kit consisting of fake Microsoft login, password collection, Telegram-based data exfiltration, and a redirect to the real login.microsoftonline.com.

What made this work was simple and effective. When users opened the add-in, they saw what looked like a normal Microsoft sign-in inside Outlook. They entered credentials, which were sent via a JavaScript function to the attacker’s Telegram bot along with IP data, then were bounced to the real Microsoft login so nothing seemed suspicious.

The researchers were able to access the attacker’s poorly secured Telegram-based exfiltration channel and recovered more than 4,000 sets of stolen Microsoft account credentials, plus payment and banking data, indicating the campaign was active and part of a larger multi-brand phishing operation.

“The same attacker operates at least 12 distinct phishing kits, each impersonating a different brand – Canadian ISPs, banks, webmail providers. The stolen data included not just email credentials but credit card numbers, CVVs, PINs, and banking security answers used to intercept Interac e-Transfer payments. This is a professional, multi-brand phishing operation. The Outlook add-in was just one of its distribution channels.”

What to do

If you are using or have ever used the AgreeTo add-in after May 2023:

  • Make sure it’s removed. If not, uninstall the add-in.
  • Change the password for your Microsoft account.
  • If that password (or close variants) was reused on other services (email, banking, SaaS, social), change those as well and make each one unique.
  • Review recent sign‑ins and security activity on your Microsoft account, looking for logins from unknown locations or devices, or unusual times.
  • Review other sensitive information you may have shared via email.
  • Scan your mailbox for signs of abuse: messages you did not send, auto‑forwarding rules you did not create, or password‑reset emails for other services you did not request.
  • Watch payment statements closely for at least the next few months, especially small “test” charges and unexpected e‑transfer or card‑not‑present transactions, and dispute anything suspicious immediately.


Categories: Malware Bytes

The latest report into growth trends across the European datacentre market shines a light on how power supply issues are affecting things

Computer Weekly Feed - Thu, 02/12/2026 - 8:54am
Categories: Computer Weekly

In a preliminary ruling, European Commission says TikTok’s addictive design features are in breach of laws designed to create safer digital spaces

Computer Weekly Feed - Thu, 02/12/2026 - 8:54am
Categories: Computer Weekly

Show HN: I built a Telegram bot that converts any article URL to audio

Hacker News - Thu, 02/12/2026 - 8:40am

I read a lot of articles but rarely have time to sit and read them all. So I built @SornicBot on Telegram - you send it any article URL and it sends back an MP3 you can listen to right inside Telegram.

How it works:

  • Open @SornicBot on Telegram
  • Send any article link
  • Get back an MP3 in seconds

It extracts the article text (strips ads, popups, cookie banners), then converts it to natural-sounding audio. You get 3 free articles per day.

Just forward an interesting article link to the bot and listen to it later.

If you prefer a web experience, there's also https://sornic.com where you can:

  • Choose from 6 different AI voices
  • Queue up multiple articles for back-to-back listening
  • Download MP3s for offline use
  • Get HD audio quality with credits

The bot is free to use with a daily limit. Would love feedback on the audio quality and any article sources that don't work well.

Bot: https://t.me/SornicBot

Web: https://sornic.com

Make sure to read the list of not allowed URLs before using it on the how it works page.

Comments URL: https://news.ycombinator.com/item?id=46988701

Points: 1

# Comments: 0

Categories: Hacker News

HelpingLusers

Hacker News - Thu, 02/12/2026 - 8:39am
Categories: Hacker News

Why HN is a decade behind on crypto [video]

Hacker News - Thu, 02/12/2026 - 8:38am

Article URL: https://www.youtube.com/undefined

Comments URL: https://news.ycombinator.com/item?id=46988686

Points: 1

# Comments: 0

Categories: Hacker News

Show HN: Automatic demo videos for every feature you ship

Hacker News - Thu, 02/12/2026 - 8:37am

Every time a new feature ships, someone has to make a demo.

Recording it. Retaking it. Editing it. Adding captions. Exporting it.

That usually takes hours, so teams either rush it or skip it.

The idea here is simple:

When you ship a new feature, a demo video should exist automatically.

BuildShot records your live app, follows the feature flow, and generates a clean, shareable demo video with narration and light editing applied.

It’s focused specifically on new features, not generic marketing videos.

You can also script your demo just by describing what should happen inside the AI IDE that ships with it. For more control, there’s a CLI where you can define flows, steps, and behavior directly from your project.

So the workflow becomes:

Ship feature → define or generate flow → demo video is produced.

No manual screen recording. No editing timeline. No stitching clips.

This is meant for:

  • Release demos
  • PR walkthroughs
  • Internal updates
  • Changelog videos
  • Customer feature announcements

I’m especially curious:

  • How do you currently create feature demos?
  • Would automated demos fit into your release workflow?
  • What would break this for your setup?

If this solves a real pain for you, early access is here:

https://waitlist.buildshot.xyz/?source=HN

Comments URL: https://news.ycombinator.com/item?id=46988671

Points: 1

# Comments: 0

Categories: Hacker News

HanziFive – Daily HSK graded articles in Chinese

Hacker News - Thu, 02/12/2026 - 8:34am

Article URL: https://www.hanzifive.com/

Comments URL: https://news.ycombinator.com/item?id=46988636

Points: 1

# Comments: 0

Categories: Hacker News

Show HN: ShortGuard – Apple rejected my app for blocking Shorts, so here it is

Hacker News - Thu, 02/12/2026 - 8:34am

I’ve been struggling with YouTube Shorts addiction. The issue with current iOS tools like Screen Time is that they are too blunt—they block the entire YouTube app, not just the "Shorts" feature. I wanted to keep using YouTube for educational content and long-form videos while completely stripping away the addictive Shorts feed.

To solve this, I built ShortGuard.

Technical Implementation

Since Apple doesn't provide a "Shorts-only" blocking API, I had to implement a local filtering layer. ShortGuard uses the NEVPNManager API and a local Root Certificate to intercept and filter specific network requests.

100% Local: All traffic filtering happens strictly on-device. No user data is ever collected or transmitted to external servers.

Granular Control: It identifies and drops requests to specific endpoints that serve YouTube Shorts.

Current Behavior: Due to how the initial YouTube payload is structured, you might still see the very first Shorts video in the feed. However, ShortGuard successfully blocks the "infinite scroll" mechanism, preventing you from falling into the scrolling rabbit hole.

The Apple Rejection

After months of development, Apple rejected ShortGuard under Guideline 2.5.1, stating that using a VPN profile or root certificate to block content in third-party apps is "not appropriate."

I pointed out a clear double standard: pro-level tools like Proxyman are permitted to use this exact technical architecture to intercept and block traffic. Why is this technical approach considered "appropriate" for a developer utility but "inappropriate" for a user's digital well-being tool?

Apple maintained their stance and rejected my final appeal.

Free Release via TestFlight

I believe users should have the right to control their own network traffic to protect their focus. Since Apple won't allow a formal App Store release, I’m making ShortGuard available for free via TestFlight to anyone who needs to regain their focus.

TestFlight Link: https://testflight.apple.com/join/eTKmdWCU

If this tool helps you reclaim your time from the algorithm, feel free to buy me a coffee: https://buymeacoffee.com/callmejustdodo

I'm just happy to see this project finally in the hands of people who need it.

Comments URL: https://news.ycombinator.com/item?id=46988635

Points: 1

# Comments: 0

Categories: Hacker News
