I don't use it, so I didn't pay much attention to this, but it is quite a thing, wow.

From what I understand, if you were running your RSC in Deno (@deno_land) with *minimal permissions* then the exploit's consequences would have been limited. In the post I boosted below, the exploit was used to overwrite the authorized SSH keys. You'd *never* run Deno in prod with that kind of access (right? RIGHT???).

What surprises me a bit is that I don't see many posts from people who were running their React in Deno (properly) and therefore largely escaped this massive vuln. I feel like they'd be celebrating, but I don't see it. Does nobody run React in Deno in prod? Or did they still get pwned somehow? Something else?


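Concretely, here is an added example (not the poster's code, and not from React or Deno) of what "minimal permissions" buys you against the post-exploitation step mentioned above. It assumes Deno 2.x, where a refused operation throws Deno.errors.NotCapable (Deno 1.x threw PermissionDenied), and a server that needs only its listening port plus read access to its build output; the port 8000, the directory ./build and the file name ./server.ts are assumptions. The runtime is passed in as a parameter so the write logic can be exercised with a fake, and the demo aims the write at a scratch directory rather than the real ~/.ssh.

```typescript
// Added example for the thread above; not the original poster's code and not
// from the React or Deno projects. Assumes Deno 2.x (permission errors are
// Deno.errors.NotCapable; Deno 1.x used PermissionDenied). ./server.ts,
// ./build and port 8000 are assumptions.
//
//   locked down:  deno run --allow-net=0.0.0.0:8000 --allow-read=./build ./server.ts
//   wide open:    deno run -A ./server.ts     <- what an authorized_keys overwrite needs

type WriteState = "granted" | "denied" | "prompt";

/** The slice of the Deno namespace this example touches, so it can be faked. */
interface FsRuntime {
  permissions: { query(d: { name: "write"; path: string }): Promise<{ state: WriteState }> };
  writeTextFile(path: string, data: string, opts?: { append?: boolean }): Promise<void>;
}

/** Smallest flag set for an RSC server that only serves files under readRoot. */
function minimalPermissionFlags(port = 8000, readRoot = "./build"): string[] {
  return [`--allow-net=0.0.0.0:${port}`, `--allow-read=${readRoot}`];
}

/** True for Deno's permission error under either of its names. */
function isPermissionError(err: unknown): boolean {
  return err instanceof Error && (err.name === "NotCapable" || err.name === "PermissionDenied");
}

/**
 * The post-exploitation step from the thread: append an attacker's key to
 * ~/.ssh/authorized_keys. Returns "written" when the runtime allows it
 * (deno run -A) and "denied" when the process lacks write permission for
 * that path. `home` is a parameter so a demo can point it at scratch space.
 */
async function attemptAuthorizedKeysWrite(
  rt: FsRuntime, home: string, pubkey: string,
): Promise<"written" | "denied"> {
  const target = `${home}/.ssh/authorized_keys`;
  // Query first: a bare write would otherwise raise Deno's interactive prompt.
  const status = await rt.permissions.query({ name: "write", path: target });
  if (status.state !== "granted") return "denied";
  try {
    await rt.writeTextFile(target, pubkey + "\n", { append: true });
    return "written";
  } catch (err) {
    if (isPermissionError(err)) return "denied"; // revoked between query and write
    throw err;
  }
}

/** Deno-only entry point; a no-op under other runtimes. */
async function main(): Promise<void> {
  const D = (globalThis as any).Deno;
  if (D === undefined) return;
  // Scratch "home" so the demo never touches the real ~/.ssh. Under the
  // minimal flag set even creating it is refused, which is the whole point.
  let home: string | null = null;
  try {
    home = await D.makeTempDir({ prefix: "fakehome_" });
    await D.mkdir(`${home}/.ssh`, { recursive: true });
  } catch (err) {
    if (!isPermissionError(err)) throw err;
    home = null;
  }
  const result = home === null
    ? "denied"
    : await attemptAuthorizedKeysWrite(D, home, "ssh-ed25519 AAAA... attacker@example");
  console.log(`flags: ${minimalPermissionFlags().join(" ")}`);
  console.log(`authorized_keys write: ${result}`);
}

main();
```

Run it twice, once with the locked-down flag set and once with -A, and the second line of output flips from "denied" to "written"; the vulnerability is identical in both runs, only the blast radius differs. The query-before-write order matters in non-interactive deployments: a denied write with a TTY attached pauses on a permission prompt instead of failing, which is not what you want a compromised request handler to do.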

RE: social.tchncs.de/@teleclimber/

By the way this vulnerability is exactly why Dropserver apps run in a sandbox by default, and why I'm focusing on making it easy to have a useful DS install that isn't visible to the public internet (like using Tailscale). I'm also thinking of more ways of making small projects useful and safe to have around the net without having to keep up with every vuln all the time.

With people vibe-coding their personal apps you just know this kind of thing is going to happen over and over again. How to run these apps safely is going to be the question.
