
I think the real surprise is that hims was able to sell the drug without approval in the first place. I do not support gatekeeping drugs from generic makers but their supply chain should be inspected just like any body else. The fact that they were able to sell a drug for so long without approval shows that something is really broken in the process.

I was under the impression that they were initially allowed to produce the drugs since they were on FDA drug shortage lists. As expected, the compounders scaled up their pipelines to meet demand and now that the drugs have been taken off the shortage list the compounders are incentivized to figure out how to keep things legal. (Of course, they should have had clean supply chains this whole time.)

I'm curious if one of these outfits got bought out to end the supply shortage.

Related: https://www.fda.gov/drugs/drug-safety-and-availability/fda-c...


I don’t think this is about inspecting supply chains, or keeping anybody safe. It’s about somebody’s profits. Other times it’s about the FDA’s incredibly overconservative approach, which keeps many meds you can buy OTC everywhere else, Rx only here, and keeps other drugs available elsewhere illegal here. Even for people facing terminal illness.

if it helps people facing terminal illness it doesn't mean it should be OTC. "facing terminal illness" probably needs strong stuff. something required for that can harm the normal guy. it's not like Vit D supplement.

What about drugs that were initially prescribed, but have to be taken for a long time?

A long time ago I had a Lexapro prescription. This is a very, very common drug and is on the list of the WHO's essentials for bootstrapping a healthcare system.

Then I quit my job and spent a few months unemployed. I was no longer seeing the psych who prescribed them and I was not covered by health insurance.

The last few refills my prescription had? Walgreens bumped the price to $200 a bottle, and unless I paid another doctor there was no way to keep taking the medication I'd been on for two years.

Mind you, this drug is old and generics are CHEAP. I've also got all the knowledge I need to take it safely because I have been.

Instead of doing that, I made the decision to quit rather than deal with the doctor mafia. We let people buy industrial chemicals on the Internet and trust they're not gonna kill themselves with it, but somehow my situation was an unacceptable risk?


No, what I mean is it takes pulling teeth to get someone who would die anyway, the ability to try experimental drugs even with a doctor’s prescription.

It’s a separate dysfunction than their obsession with making things Rx-only, such as for example, an albuterol inhaler. In Mexico you can just grab one at a drugstore.


> No, what I mean is it takes pulling teeth to get someone who would die anyway, the ability to try experimental drugs even with a doctor’s prescription.

This topic came up in another online community (which I'm intentionally not mentioning) a lot a few years ago. I left a comment about why giving experimental drugs to terminally ill patients is not a simple or obvious idea like many would assume. I got some very long, very intense replies from someone who was dying of a type of cancer who believed he had a good shot at recovery if he could get his hands on an experimental drug. He had all of the links and papers to prove it.

I remember trying to take it all in and reconsider my position.

A few years later, there was a post from his wife that he had died. It was a very sad situation. I clicked some of her links and found that he had a blog where he had written a lot. He actually did go through with the process of requesting the experimental drug and his request was granted. However, the drug not only didn't work, it had caused some irreversible damage to his body that made his final months a lot more painful and difficult than they had to be.

Apparently the "compassionate use" exemptions are not as hard to get as the anti-FDA writers have led us to believe. The harder part is often getting the companies to provide the drugs, because they know the risk profiles and uncertainties better than anyone and aren't always interested in letting terminally ill patients experiment on themselves outside of the process.


Sounds like you might be talking about Jake Seliger, and indeed, his and Bess' fight to get treatments was rather eye-opening for me too.

Jake's blog where he posted throughout his entire illness: https://jakeseliger.com/

Bess' blog: https://bessstillman.substack.com/

It was a heartbreaking story to follow, and one that hit me a lot harder than I thought it would when Jake died.


experimental, not fully proven drugs available to help terminally ill patients (which should be true) needs first to make sure the patient is terminally ill. it is not about making them available OTC to anyone who asks. because what happens then is free for all, scams and corporate experimentation on live population.

Anyone can read about the requirements for Expanded Access/"compassionate use" here: https://www.fda.gov/news-events/expanded-access/expanded-acc...

IMO this all seems very reasonable.

What specifically do you think is problematic about this, and how do you propose that we mitigate companies from preying on desperate patients while making it easier for patients in need?


It's basically a regulatory arbitrage, see here:

https://old.reddit.com/r/FamilyMedicine/comments/1nz5xkd/how...

> they get away with it because:

> In-house prescription

> legally registered 503A compounding pharmacy that is not selling bulk (individual prescription quantities)

> They can argue clinically distinct compounding

> FDA does limited enforcement unless its unsafe or mass bulk production

Point 4 seems not to be holding anymore.


Any idea why they'd change their mind about point 4?

The regulatory agencies were understaffed for the work load even before recent layoffs. Why focus on this, of all the things they could put their effort into?


They didn't change their minds. The enforcement was consistent. It's the companies who scaled up their production to mass market levels who prompted the action.

There have been several examples in the past 5-6 years of the FDA loosening regulations to benefit patients and companies rushing in to abuse the opportunity at scale.

Another one that comes to mind is when the FDA loosened restrictions on telehealth prescribing of controlled substances during COVID. Several companies saw this as an opportunity to set up digital pill mills, advertising on TikTok and offering Adderall prescriptions as a service. Nurse practitioners were paid up to $60,000 per month to write prescriptions as fast as they could without interacting with patients.


Whoever isn’t making their profits when people buy them this way is directing the FDA to act. You can bet on it.

As they should.

The companies who bet several billions of dollars in literal decades of research on this stuff should absolutely be swimming in cash until the end of their days. Hims & Hers should be sued into oblivion for stealing the rewards of other companies' ingenuity, risk-taking, and dedication toward helping patients.

I am highly sympathetic to the argument that the government should just buy these patents and mass manufacture to increase availability, or just buy guarantee order vast amounts to scale up manufacturing and distribute cheaply, but the idea that a different private company ought to be able to profit in the way Hims & Hers has is absolutely flatly fucking insane.


So millions of Americans should deal with years of obesity because Novo is a disaster, insurance coverage is ridiculous (any insurer accurately charging for the purpose of risk mitigation should be paying people to take GLP-1s, when instead they are out of coverage for most plans), and there exists no government body to do what you’ve said?

While I'm sympathetic to this argument, I should point out patent time to expiration for medicine in the US is pretty inoffensive (relative to how bad it could be, like software patents), and we already have plenty of drugs for excreting excess. We get a big basket of drugs into public domain each year, and government would be wise to publicly celebrate this, I think; would help with the general sense of impending doom citizens feel.

Semaglutide molecule patent will expire in 2031 here (many caveats to this). For the most part, you can get any pill ~15+ years old for ~nothing without insurance, but associated devices like auto-injectors can extend this due to goofy rules; I expect execs thoughtfully considered medical patent law when deciding to initially trial and release GLP-1s as an injection.


What do you mean "there exists no government body to do what you've said?"

HHS could do it tomorrow.


Because “this” is about the biggest in-your-face blatant disregard for FDA rules that has quite literally ever existed in history. The scale is unprecedented.

If there was a single thing an understaffed FDA would go after it would be the compounding pharmacies and that whole ecosystem blatantly thumbing their nose at it all.

Not that I agree with the rules - but if this is allowed it’s essentially an end-around the entire prescription drug regime as we know it.


There was a good Planet Money episode which went into what was behind all of this.

https://www.npr.org/2025/08/22/nx-s1-5511707/ozempic-zepboun...


Hims is mostly marketing. They are using compounding pharmacies to fulfill orders. Compounders are a shady industry in general, and most of the GLP places are using Florida pharmacies, which are notoriously extra shady, as Florida's regulatory function is deliberately incompetent.

Compounders are primarily regulated at the state level, and regulatory effectiveness varies. The more legit ones are mostly buying Rybelsus (the pill version of Ozempic for Type 2 diabetes) at wholesale and crushing it. The shadier ones are using precursors, sourcing from questionable & unregulated suppliers or watering down doses and adding stuff like vitamin B-12.

The FDA has more limited jurisdiction, and they have been busy firing people.

The federal attention probably has more to do with whatever grift POTUS has going with Eli Lilly and Novo Nordisk. Both companies are about to scale up their daily tablet versions of Wegovy and Zepbound at lower price points, and that availability will push the cost of compounded injectables way down.


They are adding B12 as a way to say that it’s tailored to individuals and not available.

I’ve used mainly compounded medicine over the last five years and find the fervent dislike that people have for compounders bizarre.

If you look into generic regulation in the US, the standards are already through the floor. I’d rather work with someone who has a more direct financial incentive to not fuck up.


> They are adding B12 as a way to say that it’s tailored to individuals and not available.

Yes, adding B12 is a regulatory fig leaf. So is bribing public officials: https://www.cnbc.com/2025/01/07/hims-hers-donates-1-million-...


https://www.quiverquant.com/lobbying/stock/NVO/

Sure, and Novo spent 2M last quarter on lobbying. Nobody in this industry comes out looking wonderful. But the compounders who are meeting demand are not Hims & Hers.


that reminds me, as in Canada the semaglutide patent expired, Sandoz said they will put a generic on the market in Canada, could that be imported into the US and be sold?

You can do anything you want when you get a bunch of “noctor” NPs on your payroll to rubber stamp drugs for “patients” nonstop.

The fact that they could sell in the first place I think implies some corruption occurred at some point in the past that permitted them to do so (not necessarily by them, but someone must have lobbied for "compounding" since that afaik doesn't exist in other proper countries). Then they failed to pay the necessary bribe to be allowed to continue. To be fair, the bribe would have been very large given the GLP-1 manufacturers' position in the pension savings of ordinary Americans.

Compounding pharmacies are in many ways just a continuation of the original apothecaries and pharmacies, and the US is hardly the only country with the legal framework that allows this.

Australia was basically a carbon copy of the US in this regard until 2024, but they have specifically started targeting a lot of the "wellness" compounding that includes peptides, GLP-1s, etc. since then.

Germany has two classes of pharmacy that are nearly the exact same as 503A and 503B compounders in the US

Canada is similar but stricter about the big pharmacies turning into de facto manufacturers, pumping out huge quantities for downstream compounders and clinics, which is what happened in the US.

Lots of other countries that you might not consider "proper countries" (whatever that means) follow a very similar system to the US, and lots of countries that allow some form of compounding, like the UK through their "specials" program, but it's much more centralized - basically cutting out the 503A compounders in the US.

Fundamentally compounding pharmacies offer pretty important services - there are people out there that would literally not be able to take the most effective medication for their condition without the compounding pharmacies making formulation changes that the larger manufacturers might not have incentive to make. Their existence quite literally saves lives. So it becomes a matter of not making that so restrictive that you wind up killing people due to restricted access vs. letting it get abused in situations like we're seeing today with tirzepatide and semaglutide.


How is the experience on the Corolla? How much can it do by itself?


What a coincidence, LTT tested it a few months ago in a Corolla. Here’s the video:

https://www.youtube.com/watch?v=xdmxM-v4KQg


15 mins in. It's terrible. How is this allowed on the roads?


FWIW my experience has been very good, and LTT said recently that they are working on a long term review, so I expect that to be a more accurate review than first impressions when you aren't familiar with how it works.


Extremely good. You can go hands off for long periods.


Bitlet.org ???

That was a Show HN that pulled all NYC restaurant food items into a searchable list.


I just tried and Rufus does not write any python for me. Just directs me to buy books on python.


I feel like a lot of readers are missing the main point. US and European manufacturers do not want to enter this low volume zero margin market. The total sales in Latin America (that includes Mexico and South America) is around five million units - that is less than half of what is sold in the US each year. And at a price point of 20K it just does not make sense for American and European manufacturers given that their R&D costs are higher than Asian manufacturers and their North American models are too large and expensive for South American markets.

In addition they know that the US is a captive market as the government will not allow Chinese companies to sell their cars here due to data and security concerns.

So it does not make sense to chase tiny profits.


Apart from the UI layer, is there anything else that differentiates Zorin from Ubuntu or even Debian?


Given the recent npm attacks, is it even safe to develop using npm? Whenever I start a React project, it downloads hundreds of additional packages which I have no idea about what they do. As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like Thymeleaf or plain JS or something else?

When I build a backend in Flask or Django, I specifically type the Python packages that I need. But front end development seems like a Pandora's box of vulnerabilities.


All package ecosystems that allow unvetted code being published are affected, it just happens that npm is by far the most popular one, so it gets all the news.


It's no different anywhere else. I just downloaded jj (rust), it installed 470+ packages

When I downloaded wan2gp (Python) it installed 211 packages.


Oh man you pick the one other language that followed the JavaScript model?! How about C, Java, Go, Lisp, C#, C++, D… and new ones like Odin that are explicitly against package managers for this very reason.


When you start writing with C, where do you get your stdio.h file? Do you write it yourself, or inspect it line by line every time or do you trust the installation package you just ran?


Your OS. glibc / musl.


Exactly, you are trusting an OS or library which could very much be maliciously interfered with.

I would be willing to bet attacks on linux upstream libraries are already happening in the same way as the js ecosystem.


Hm... if you use something like Debian it's quite difficult to get your package installed in the distro. People do review everything that goes in. I find it incredibly silly to compare something like that to npm, where every kid has dozens of packages installed that anyone using npm can end up downloading and no one is really reviewing anything.


I agree one is more difficult than the other, but I feel the principle is the same. Whilst anything is built using other modules, there is always risk those modules will be compromised.


What makes you think that this is the case?

And yeah I'm trusting my OS (Linux) and the libraries that are in their repository.

We could go deeper than that. What about hardware? None of it is open source.

Where does it end? What can we do about it?


This is why Huawei equipment was disallowed to be part of Western Europe's 5G rollout.

https://www.euronews.com/next/2024/08/12/eleven-eu-countries...

What can we do about it indeed!? I guess it's either fully digitally detox or accept the fact that if you use modern technology then somebody is watching what you do.


> It's no different anywhere else.

But it is. Both C/C++ and Go are not at all like this.

I don’t know about Python but the Rust ecosystem tends to attract enthusiasts who make good single purpose packages but that are abandoned because maintainers move on, or sometimes forked due to minor disagreements similar to how Linux/Unix is fragmented with tribal feuds.


All languages use libraries that come from somewhere.

Even your OS upstream packages could be tainted at this point.


Go is like this...


M'yea, good luck finding such occurrence with NuGet or Maven for example. I would rephrase your "anywhere else".

NPM is a terrible ecosystem, and trying to defend its current state is a lost cause. The energy should be focused on how to fix that ecosystem instead of playing dumb telling people "it's all ok, look at other, also poorly designed, systems".

Don't forget that Rust's Cargo got heavily inspired by NPM, which is not something to brag about.[0]

> "Rust has absolutely stunning dependency management," one engineer enthused, noting that Rust's strategy took inspiration from npm's.

[0]https://rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf


One of the biggest things that pushes me away from Rust is the reliance on micro dependencies. It's a terrible model.


What's wrong with micro dependencies? Isn't it better to download only the code you need? Also it makes refactoring easier, and enforces better architecture.


Larger attack surface - you just need one of those N dependencies to fall for a spear phishing attack and you're cooked. Larger N is necessarily worse.

It depends on the software being written, but if it's a product your business sells or otherwise has an essential dependency on, then the best model available right now is vendoring dependencies.

You still get all the benefits of standing on top of libraries and frameworks of choice, but you've introduced a single point of entry for externally authored code - there are many ways you can leverage that to good effect (vuln scans, licence audits, adding patch overlays etc etc) and you improved the developer experience - when they check out the code, ALL of the code to build and run the project is already present, no separate npm install step.

You can take this model quite a bit further and buy some really useful capabilities for a development team, like dependency upgrades because they're a very deliberate thing now, you can treat them like any other PR to your code base - you can review the changes of each upgrade easily.

There's challenges too - maybe your npm dep builds a native binary as part of it, you now need to provide that build infra / tooling, and very likely you also want robust build artifact and test caching to save wasting lots of time.


Dependency management is work. And almost nobody does this work seriously because it has become unrealistic to do, which is the big concern here.

You now have to audit the hundreds of dependencies. Each time you upgrade them.

Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

And sometimes it's just better to review and then copy paste small utility functions once.


> Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

I get the impression that one driver to make microdependencies in rust is that code does weigh a lot because the rust compiler is so slow.

For a language with a focus on safety, it's a pretty bad choice


Is this bait? The whole context is malicious software being installed en masse via NPM micro dependencies.


They should just be part of the stdlib of the language.


Rust has a really big and comprehensive stdlib, especially compared to languages like C or JavaScript. It just decided that certain things won't be solved in the standard lib because there is no obviously-right solution and evolving towards a good solution is much easier in packages than in the stdlib, because the stdlib isn't versioned.

Some of the gaps feel huge, like no random, no time/date handling, and no async runtime. But for most of them there are canonical packages that 95% of the ecosystem uses, with a huge amount of eyeballs on them. And sometimes a better solution does emerge, like jiff slowly replacing chrono and time for time/date handling.

Obviously this isn't the best solution from a security perspective. There would be less potential for supply chain attacks if everything was in the standard library. But that has to be weighed against the long-term usability of the language


No, I'd much rather a trusted source, like the language developers themselves, provide as much as possible.

And those last two points have absolutely nothing to do with micro dependencies one way or the other.



I come from a JavaScript background, and I've got to admit that the ecosystem is designed in a way that is really prone to attack.

It is like the xz incident, except that each dependency you pull is maintained by a random guy on the internet. You have to trust every one of them to be genuine and that they won't fall into any social engineering attacks.


Here's my black pill: Node in general is not safe.

The blurring of the client-server lines is a security risk. Very easy to expose the wrong thing; the language appeals to people who know 1 language (which correlates with lack of experience).

In my personal experience node projects developed under my supervision had very basic client-server boundary vulns 66.67% of the time. Empirically it's not great.


Just a heads up that PyPI isn't immune from the same attack, with "PyPI supply chain attack" into Google revealing a (much smaller) number of packages that turned out to be malware. Some were not misspellings either, with one being a legitimate package that got hacked via GitHub Actions and a malicious payload added to the otherwise legitimate package.


Definitely, and you should be aware of the risk and think about and assess your dependencies.

Having a large standard library does reduce the number of dependencies, and you can go a long way using only well known dependencies.


No language ecosystem is but NPM/Node still encourages this idea (borrowed elsewhere and interpreted poorly) that everything must be its own tiny package and that it's acceptable to author libraries consisting of thousands of transitive dependencies from potentially dubious sources. Just this week I saw one (unmaintained dependency of a popular package) which consisted of a list of a dozen SQL operators. Anywhere else you would just write the damn code, maybe add a comment that these are the SQL-92 operators and be done with it literally forever. But in Node land that would be viewed as an antipattern which only another package can fix. It's a security and maintenance nightmare that can only be explained by laziness and outright stupidity.


It's a misconception that NPM or Node encourage this, because they don't. There are a few package authors that are doing it that way (some even paid by download count), but that's their opinion.

Recently there is a trend towards minimal-dependency packages and I would certainly recommend auditing every package for its dependencies before using it.


> As a developer who has learnt programming as a hobby, is it better to stick to some other safe ways to develop front end like thyme leaf or plain js or something else.

Oh, absolutely, there is no question about it. Fewer dependencies means less headache; and if you can get the number of your dependencies to zero, then you have won the internet.


Sounds like... C.


this is one of the less talked about benefits of using bun


How does Bun avoid this? Or is it more that Bun provides things that you'd otherwise need a dependency for (eg: websockets)?


From a link mentioned elsewhere in the thread:

> Unlike other npm clients, Bun does not execute arbitrary lifecycle scripts for installed dependencies, such as `postinstall` and `node-gyp` builds. These scripts represent a potential security risk, as they can execute arbitrary code on your machine.

https://bun.com/docs/guides/install/trusted

I've also found the Bun standard library is a nice curated set of features that reduces dependencies.


Hmmm, it still has a pretty extensive default list of permitted npm packages, which wouldn't necessarily be a problem if there were a way to disable it, but I can't seem to find it.


the latter is what i was getting at yeah. updated list of standard library-esque functions implemented in native code so the need to reach to npm for a dependency happens far less often.


I think the root cause of the problem is not insurance companies but they definitely do play a part. The real reasons are multiple but can be listed as below.

1. A very high cost of drugs due to no intervention by the government as part of free market philosophy. This means that the same insulin that costs $25 in Canada can be sold for up to $1000 per month. Newly introduced drugs for Alzheimer's or other diseases can cost up to 50k per year - again because no price controls.

2. Insanely high prices of services due to a captive market - example a ten minute ambulance ride can cost from $1000 to $5000. The private ambulance companies know they can charge a high base rate because they are connected to a city or municipality via contracts. Bribes as campaign funds are popular here. E.g. a New York based ambulance operator paid 45k in campaign funds to NY's governor elect and got a contract worth one billion dollars

https://www.wkbw.com/news/state-news/report-nysdoh-awards-mu...

3. Overcharging by hospitals for medicines and services again due to a captive audience. The hospitals are free to maintain various price books and you are not told what each service will cost at the time of administration of service. Lately the hospitals have been forced to open up their price books but they are so convoluted that no normal human can decipher those prices.

Thus a ten cent aspirin would cost you $25 in the hospital and an MRI can run up to 15k.

4. Very high charges for doctors due to strict control on the number of MD positions and no increase in colleges or MD seats over multiple years.

https://www.aamc.org/news/press-releases/new-aamc-report-sho...

5. Insurance companies have a for profit motive and need to extract their profits from premiums paid. Thus they fight tooth and nail to deny procedures and medications and set up convoluted processes for appeals.

6. Extensive fraud on Medicare and other government run health programs especially in durable medical goods and fake billing. In fact one sitting US senator's medical care company was involved in the largest Medicare fraud fines in the US and he still holds his seat.

https://www.justice.gov/archive/opa/pr/2003/June/03_civ_386....

In fact fraud billing Medicare for services not rendered is so popular that even insurance companies do it.

https://oig.hhs.gov/fraud/enforcement/united-states-interven...

Combine all the above factors and you will see why the US consumer gets so little while paying so much for his healthcare.


I think the hill is trying to create a narrative here. The law specifically states to post job postings in newspapers and it is congress's fault if they have not updated the laws.

As per PERM regulations (20 C.F.R. §656.17):

For professional positions (those requiring a bachelor’s degree or higher), the employer must conduct two Sunday newspaper advertisements in a newspaper of general circulation in the area of intended employment.

For non-professional positions, at least one Sunday ad is required.


I don't understand how that justifies Instacart suing the organization that is reposting the job ads in a more accessible way.


Instacart sent a cease and desist for trademark violation. You cannot become a middleman for random businesses/services. Kind of similar to how doordash and others got into trouble by hijacking restaurants' order flow without consent.


Finally, someone in this thread says this. Thank you!

This opinion column from The Hill is written by a Fox News contributor. Of course it’s going to leave out certain inconvenient facts in service of a nativist agenda. The HN community time and time again shows that they are ready to be whipped up into an anti-immigrant frenzy at the drop of a hat.


Would it work better on a used GPU?

