
🐝 Hive Five 226 - Mastery vs. Management

Critical GitHub MCP vuln, The Era of the Business Idiot, Top War Stories from a Try Hard Bug Bounty Hunter, Grafana Full read SSRF and Account Takeover

Hi friends,

Greetings from the hive!

I took my laptop on the road and outside several times this week while it was sunny, and it made me appreciate light mode in a whole new way.

Usually, I stick with dark mode as my system setting, which carries over to my apps.

For a while now, I've been using the Minimal theme in Obsidian, and I have to say, the light mode is surprisingly nice.

What’s your favorite theme these days?

Let's take this week by swarm!

Standard Edition

🐝 The Bee's Knees

  • Invariant has discovered a critical vulnerability in the widely-used GitHub MCP integration (14k stars on GitHub): a prompt injection planted in a GitHub Issue can hijack a user's agent and coerce it into leaking data from private repositories. MORE

  • The Era Of The Business Idiot. Too many business leaders are detached from the real work, chasing vibes and shareholder value instead of building good products or treating people well. They latch onto fads like AI without understanding them, proving they prioritize looking busy over actually getting things done right. MORE

  • Grafana full-read SSRF and account takeover: CVE-2025-4123. A seemingly simple redirect bug in Grafana was chained with other flaws into a path for attackers to fetch internal resources through the server (full-read SSRF) or fully take over user accounts. MORE

  • Shopify's approach to careers is refreshingly simple: let people who are good at making things keep making things. They've rejected the corporate ladder nonsense where your only path forward is management. Instead, they've built a "mastery system" where craftspeople can advance by getting better at their craft. MORE

  • Top bug bounty hunter Rhynorater shares 11 critical web, desktop, and IoT hacks. Learn how clever bypasses netted him up to $400k in bounties. MORE

Brought to you by →

Hive Five Premium membership

Unlock exclusive benefits… and transform your skills, network, and results. Join our premium community for unparalleled access to resources, support, and exclusive content designed to help you achieve your goals faster.

What you’re missing:

  • Private Discord Community: Connect with like-minded individuals, share your journey, and receive support in our exclusive Discord server.

  • Complete Hive Archive: Access a vast library of resources, tools, videos, and audio – everything you need to succeed.

  • Bonus Content & Deep Discounts: Gain access to exclusive content designed to boost your effectiveness, plus significant discounts on paid resources.

  • Less Time, More Results: Spend less time searching and more time achieving your goals.

Join the premium members already experiencing the difference.

Interested in sponsoring the Hive Five? Secure your spot.

📰 Updates

✅ Changelog

  • Remix is getting a major reboot with v3, building a faster, simpler toolkit from scratch that even moves away from React. Get ready for a whole new web framework experience. MORE

  • GitHub Issues search now supports nested queries with AND/OR operators and parentheses, allowing users to create complex searches that pinpoint exactly what they need. The engineering team rebuilt the search system to handle these advanced queries while maintaining performance for the feature's 160 million daily searches. MORE

  • The latest curl 8.14.0 release includes two security fixes for QUIC certificate vulnerabilities with wolfSSL, plus new features like MQTT pings and OpenSSL 3.5 QUIC API support. This update also bundles wcurl and adds options to customize SSL signature algorithms and disable websocket auto-pong responses. MORE

💼 Work

💰 Career

  • AI is rapidly changing many jobs, especially information work, but its critical flaws like "hallucination" mean human skills remain key. Learn AI's limits to adapt your career; trades and creative fields offer safer bets against automation. MORE

  • Can you live off a paid API? Yes! Developers on HN share how their unique services, from OCR to SMS, prove focused APIs can be profitable ventures. MORE

  • Q&A during your presentation doesn't have to be a battlefield. Treat your presentation like a working theory, open, curious, collaborative. Your hypothesis isn't gospel, it's an invitation for dialogue. When you stop defending and start exploring, the conversation becomes interesting. Less ego, more learning. MORE

🚀 Productivity

  • Feeling stuck? The secret to faster progress isn't finding the perfect plan, but sticking to one sensible path and improving how you execute it. Success comes from enduring pain and uncertainty longer than the competition, focusing on talent, culture, and training. MORE

  • Kepano (Obsidian CEO) updated his Obsidian repository to leverage the newly released bases. MORE

  • Boost your focus and declutter your screen fast with Raycast hotkeys! Use ✦+Q to quit all apps, ✦+W to quit all but the frontmost, and ✦+T to quickly close all other Safari tabs. Read the replies for more gems. MORE

  • Easily turn your Dataview tables in Obsidian into the Bases format with this handy online tool. It simplifies organizing your notes' data for better structure. MORE

🌎 Community

⚡️ Zeitgeist

  • Responsive web design, the approach that allows websites to adapt to different screen sizes, celebrates its 15th anniversary this month. Creator Ethan Marcotte reflects on how this once-revolutionary concept has become standard practice across the web. MORE

  • See the cool tech projects HN users built this May. Discover new AI tools, custom hardware, and more interesting personal projects. Top voted one is an open-source, self-hostable app for sending out newsletter to your friends and families. MORE

  • Security researcher Harsh Jaiswal has left ProjectDiscovery. He's now working full-time on Hacktron AI, his AI tool that finds security bugs. MORE

  • NGL this is pretty brilliant. Pieter Levels suggests using a "bug board" for countries, similar to tracking app bugs, where citizens report and upvote national problems. This system aims to help politicians see and act on the public's highest-priority issues. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  • @n_vanderhoeven, Nicole van der Hoeven: Developer advocate @k6_io. Helps people run load tests, learn in public, and take better notes.

  • @hakluke, Luke Stephens (hakluke): Hacker, marketer. Manages socials and produces technical blogs for cybersecurity orgs. Founder of @hacker_content and @haksecio

  • @GossiTheDog, Kevin Beaumont: Also on Mastodon

  • @marcusjcarey, Marcus J. Carey: Hope Dealer. Hacker. Husband, Father, Author, Artist, Mentor, & Inventor. @TribeOfHackers, ex-@usnavy @nsagov @threatcare.

  • @lcamtuf, lcamtuf: Homepage: lcamtuf.coredump.cx

πŸ„ Level up

📰 Read

  • The Browser Company pivots from Arc to Dia, a new AI-native browser that aims to replace traditional web browsers. CEO Josh Miller explains why Arc fell short of expectations and why they believe AI will fundamentally transform how we interact with the internet. MORE

  • A revolutionary new algorithm called FSRS has made spaced repetition systems like Anki dramatically more efficient for learning and retaining information. Using machine learning instead of arbitrary formulas, it predicts when you're about to forget something, resulting in fewer reviews and better long-term memory retention. MORE

  • Jorian creates the ultimate double-clickjacking proof-of-concept that tricks users into authorizing account access by playing Flappy Bird while a hidden popup window tracks their cursor and appears right when they're about to click. MORE

  • A critical vulnerability in vBulletin forums allows attackers to execute malicious code by exploiting PHP's Reflection API to call protected methods. The flaw affects versions 5.x and 6.x running on PHP 8.1+ and was likely patched a year ago. MORE

  • A new macOS bug (CVE-2025-31250) allowed apps to trick you with permission pop-ups that looked like they were from another program. While fixed in macOS Sequoia 15.5, older versions like Ventura and Sonoma were surprisingly left unprotected. MORE

💡 Tips

  • Need to search code fast? Ripgrep (rg) beats grep and this guide shows you how with handy flags for quick searches. MORE

  • TomNomNom demonstrates a useful command-line trick: pipe command output straight into Vim with a trailing dash ("cmd | vim -"), which makes Vim read its buffer from stdin. This lets you view, edit, and further process the output inside Vim when you are not yet sure what to do with it. MORE

  • Raycast's AI can generate up to 4 images at once in square, landscape, or portrait formats with a simple text prompt by calling @gpt image 1 MORE

  • TIL about moving managers. Mitchell found "moving managers," a word-of-mouth service handling entire moves. They organize everything; you arrive at a ready home with zero effort. MORE

  • Remember to strip EXIF data from CTF images. Adam's Canva image embedded his username, which happened to be an XSS payload. Now players are confused and are requesting access to his Canva account. MORE
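
As an added example (not code from the post or from Adam's write-up), here is how a JPEG carries such a string and how to drop it: a pure-Python marker-segment walker that keeps everything needed to decode the picture and discards the APP1 (Exif/XMP), APP13 (IPTC) and COM segments where author names and comments live. The sample JPEG bytes, the XSS-looking user name and the choice of which markers to strip are all my own constructions for the example.

```python
"""Strip Exif/XMP (APP1), IPTC (APP13) and COM segments from a JPEG.

Added example, not code from the original post. A JPEG is a chain of
segments (0xFF, marker byte, 2-byte big-endian length that counts itself,
payload) up to Start-Of-Scan; from SOS onward is the entropy-coded image.
Dropping whole metadata segments before SOS removes embedded strings such
as an author or user name without touching pixel data.
"""
import struct

SOS, APP0, APP1, APP13, COM = 0xDA, 0xE0, 0xE1, 0xED, 0xFE
METADATA_MARKERS = {APP1, APP13, COM}   # Exif/XMP, Photoshop/IPTC, comments


def split_jpeg(data: bytes):
    """Return (segments, tail): segments is [(marker, raw_segment_bytes)] for
    every segment between SOI and SOS; tail is SOS through end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    segments, pos = [], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # 0xFF fill bytes
            pos += 1
        if pos + 2 > len(data):
            raise ValueError("truncated marker")
        marker = data[pos + 1]
        if marker == SOS:
            return segments, data[pos:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos:end]))
        pos = end


def metadata_blobs(data: bytes):
    """Payloads of the metadata-bearing segments, for inspection (grep them
    for names, e-mail addresses or markup before you publish the file)."""
    segments, _ = split_jpeg(data)
    return [(m, raw[4:]) for m, raw in segments if m in METADATA_MARKERS]


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the file with the metadata segments removed; the scan is copied verbatim."""
    segments, tail = split_jpeg(data)
    kept = b"".join(raw for m, raw in segments if m not in METADATA_MARKERS)
    return b"\xff\xd8" + kept + tail


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _exif_app1(artist: bytes) -> bytes:
    """Minimal little-endian TIFF with one IFD0 entry: Artist (0x013B, ASCII).
    Layout: header(8) | count(2) | entry(12) | next-IFD(4) | value at offset 26."""
    value = artist + b"\x00"
    ifd = struct.pack("<H", 1)
    ifd += struct.pack("<HHII", 0x013B, 2, len(value), 8 + 2 + 12 + 4)
    ifd += struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + value
    return _segment(APP1, b"Exif\x00\x00" + tiff)


# Constructed sample: not a decodable picture, but a structurally valid chain
# of JPEG segments ending in a fake scan, with an XSS-shaped user name in Exif.
USERNAME = b"<img src=x onerror=alert(1)>"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _exif_app1(USERNAME)
    + _segment(COM, b"made with Canva")
    + _segment(0xDB, b"\x00" + bytes(64))          # DQT: one 8-bit quant table
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"   # SOS header, one component
    + b"\x12\x34\x56"                               # fake entropy-coded data
    + b"\xff\xd9"                                   # EOI
)

if __name__ == "__main__":
    for marker, payload in metadata_blobs(SAMPLE_JPEG):
        print(f"APP/COM marker 0x{marker:02X}: {payload!r}")
    clean = strip_metadata(SAMPLE_JPEG)
    print("after strip:", metadata_blobs(clean), len(SAMPLE_JPEG), "->", len(clean))
```

Run it over a real file with strip_metadata(open(path, "rb").read()) and compare metadata_blobs() before and after. The walker is JPEG-only: PNG (tEXt/iTXt chunks) and WebP (EXIF/XMP RIFF chunks) keep metadata elsewhere and need their own chunk parser.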

🧠 Wisdom

  • Companies use algorithms to turn workers into exploited "reverse-centaurs," controlled by the tech. Workers are fighting back with their own tools to understand these systems and demand better pay and conditions. MORE

  • Tired of metrics deciding if anyone cares? The internet makes it hard to feel heard, but real connection happens off-screen, beyond the numbers. MORE

  • Jessica Livingston, Y Combinator co-founder, shares career wisdom from her Bucknell commencement speech: find interesting people to discover your path, ignore skeptics, and embrace ambition after college when the "train tracks" of structured education end. MORE

  • Dustin reflects on how AI has disrupted his creative process, making his original thoughts feel like "early drafts" of what LLMs can produce and causing his thinking skills to atrophy despite knowing more information than ever before. MORE

  • Effective growth isn't about adding more strategies; it's about removing the things that hold you back. Like a gardener clears weeds, focus on clearing obstacles to flourish. MORE

📚 Resources

  • Input validation vulnerabilities in Microsoft Bookings: because booking details are not validated, attackers can manipulate meeting invitations and calendar attachments. MORE

  • 25+ sources of threat actor profiles, ranging from Malpedia's 821 adversary entries to specialized collections like Dragos's ICS/OT-focused profiles. MORE

  • Microsoft's AI Red Teaming Playground Labs offers 12 hands-on challenges to help security professionals test AI systems for vulnerabilities. The repository includes exercises on credential theft, prompt injection, and bypassing safety filters. MORE

  • This practical Command Line Handbook teaches essential terminal skills without overwhelming technical jargon. Perfect for beginners and experienced users alike, it features 100+ annotated examples to help you master command line tools efficiently. MORE

  • Disclosed.Online aggregates bug bounty hunters' achievements from platforms like HackerOne and Bugcrowd into unified professional profiles. Security researchers can showcase their skills while companies can evaluate talent based on verified public data. MORE

Member Edition

🛠 Explore

🧰 Tools

🎥 Watch

🎡 Listen

🌐 Technology

👀 Interesting

💭 Quote

The Member Edition

You’re currently receiving the STANDARD edition. Subscribe to the MEMBER Edition to get additional content and more.

Already a paying subscriber? Sign In.

A premium membership gets you:

  • WEEKLY PREMIUM EDITION: Delve into the explore section full of the best content I've consumed, including TOOLS.
  • Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
  • Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
  • MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
  • Deep DISCOUNTS on paid content.