June 13, 2026

Malware, mystery, and a ghost sequel

Apt Encounters of the Third Kind

A creepy malware mystery wowed readers—then left everyone hanging

TLDR: A researcher uncovered malware hidden inside a file-sharing server, complete with secret signals and backdoor commands. But the comments were obsessed with a different shock: the post ends on “To be continued,” and readers are still waiting years later.

This story had everything: a strange file server, a tiny hidden change nobody should notice, a memory dump that mysteriously vanished, and then the big reveal—someone had secretly modified the server so it could smuggle data and take orders in disguise. In plain English, the researcher found malware hiding inside a file-sharing system, using innocent-looking file activity as a secret signal. It’s the kind of plot twist that makes comment sections instantly go full detective mode.

And yet, the biggest community reaction was less “wow” and more “wait… that’s it?” The loudest comment energy came from readers realizing this 2021 post ends with the ultimate cliffhanger: “To be continued” …and apparently it never was. That became the real drama. Instead of a huge fight over the technical details, the mood was a mix of awe, frustration, and dark comedy. One commenter basically dropped the internet equivalent of staring into the distance: yes, this was published years ago, and yes, the continuation never showed up. Another helpfully linked the old Hacker News discussion, which only added to the vibe of people rummaging through the internet for closure like fans after a canceled TV finale.

The jokes were subtle but sharp: readers treated the article title itself like a cult classic, repeating “Apt Encounters of the Third Kind” with the energy of people admiring a pun while also mourning an unfinished saga. The hottest take? The malware story is wild, but the real crime may be leaving the audience on a sequel bait cliffhanger for four years.

Key Points

  • The article traces anomalous NFS client behavior to a modified request-encoding path that could change `open id` to `open-id`.
  • It states that the changed identifier was normally ignored by standard NFS servers but was used as a covert marker by a compromised server.
  • The investigated server was running NFS-Ganesha-3.3, and an in-memory dump revealed an injected malicious `libfsalvfs.so` alongside the legitimate one.
  • The main NFS-Ganesha binary was patched so its function table pointed to the alternate malicious shared object.
  • The malicious code implemented two covert channels: one that appended payload data to reads of marked file handles and altered the wire `eof` value, and another that exposed command-and-control operations through fake files under `//.snapshot/meta/`.
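A defender-side check for the situation in the third key point, where two copies of `libfsalvfs.so` sat in one process: this added example (not code from the article or from NFS-Ganesha) parses `/proc/<pid>/maps` text and reports library names mapped from more than one file. The sample listing, with its addresses, inodes and paths, is constructed, and the check assumes the extra copy shows up as a file-backed executable mapping on a live Linux host.

```python
import os
from collections import defaultdict

# Constructed sample in /proc/<pid>/maps format; addresses, inodes and paths are made up.
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a42000 r-xp 00000000 08:01 393301 /usr/bin/ganesha.nfsd
7f3a10000000-7f3a10021000 r-xp 00000000 08:01 400112 /usr/lib64/ganesha/libfsalvfs.so
7f3a10021000-7f3a10023000 rw-p 00021000 08:01 400112 /usr/lib64/ganesha/libfsalvfs.so
7f3a20000000-7f3a20019000 r-xp 00000000 08:01 917777 /var/tmp/example/libfsalvfs.so
7f3a30000000-7f3a301c0000 r-xp 00000000 08:01 400045 /usr/lib64/libc.so.6
7f3a40000000-7f3a40004000 r-xp 00000000 00:00 0
"""

def executable_mappings(maps_text):
    """Yield (path, inode, deleted) for each file-backed executable mapping."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:          # anonymous mapping: no pathname column
            continue
        perms, inode, path = fields[1], fields[4], fields[5].strip()
        if "x" not in perms or not path.startswith("/"):
            continue                 # skip data segments and [heap]/[stack]/[vdso]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        yield path, inode, deleted

def suspicious_libraries(maps_text):
    """Return ({basename: sorted paths}, deleted paths): names mapped from more
    than one file, and executable mappings whose backing file was deleted."""
    by_name = defaultdict(set)
    deleted_paths = set()
    for path, inode, deleted in executable_mappings(maps_text):
        by_name[os.path.basename(path)].add((path, inode))
        if deleted:
            deleted_paths.add(path)
    dupes = {n: sorted(p for p, _ in v) for n, v in by_name.items() if len(v) > 1}
    return dupes, sorted(deleted_paths)

if __name__ == "__main__":
    dupes, deleted = suspicious_libraries(SAMPLE_MAPS)
    for name, paths in dupes.items():
        print(f"{name} is mapped from {len(paths)} different files: {paths}")
    for path in deleted:
        print(f"executable mapping backed by a deleted file: {path}")
```

On a live host the input would be the contents of `/proc/<pid>/maps` for the server process; a hit is a lead to verify against the package's file hashes, not proof of compromise.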

Hottest takes

“To be continued.” — bananamogul
“apparently never continued” — bananamogul
“Discussion at the time” — fisian