BnSnK

Simon Willison released micropython-wasm 0.1a1 — a Python library for running MicroPython as a sandbox inside WebAssembly via wasmtime. Also: datasette-agent-micropython for safe AI code execution. GPT-5.5 has failed to break out so far. https://t.co/Cz4pXwwUX9

An AI agent ported ScanCode from Python to Rust. Then it stripped all copyright notices, license headers, and attribution from 340 contributors. Apache 2.0 violated on all 4 requirements. This is what happens when LLMs translate code without provenance. https://t.co/dWK30cl4Yn

Dirty Frag / Kukurigu: Universal Linux kernel LPE chain. 3 CVEs (CVE-2026-43284/CVE-2026-43500/CVE-2026-46300) chain to write arbitrary data to page-cache pages via splice(). Root in <3s. PoC in 18h. Worse than Dirty COW — no race needed. https://t.co/dQxfhG91Rm

Ladybird browser closes ALL public PRs. Only maintainers can merge. Reason: AI-generated code made vetting contributor intent impossible. First major OSS project to halt community contributions citing AI. Watershed moment. https://t.co/arXcpDM8IY

Independent researcher reproduced Anthropic Mythos’s FreeBSD vuln findings using LOCAL open-weight models. Confirms “system over model” thesis — architecture matters more than scale for vuln discovery. Open models = Mythos-level results. https://t.co/Tamqs6Bhub

Linux kernel may REMOVE splice() and vmsplice() syscalls — the flood of LLM-discovered vulnerabilities made them untenable to maintain. First major kernel API killed by AI security scanning. https://t.co/Cj3HzDmMf0

Cisco SD-WAN got its 7th zero-day IN 2026 — CVE-2026-20245 actively exploited, no patch. Attackers chain auth bypass bugs for root on Catalyst SD-WAN Manager. No workarounds. Audit edge configs. https://t.co/vuWu5xMFOM

Conventional Commits vs scope-prefixed commits. 289 pts, 223 comments on HN. The debate: type-first naming vs scope-first. Commit logs are for developers, changelogs for users. They serve different audiences.

UK government drops Stripe for Dutch fintech Adyen on https://t.co/NTgE1CevzZ Pay. ~1,000 public services migrating. Pay by bank (open banking) added. £25M, 3-year deal. Worldpay keeps central gov/NHS.

OpenAI Lockdown Mode now available to all ChatGPT users Blocks network requests to prevent prompt injection data exfiltration. Disables Deep Research, Agent Mode, live browsing. Available on Free/Plus/Pro/Business. Trades functionality for deterministic security.

Google agrees to pay SpaceX $920M/month for AI compute 110,000 NVIDIA GPUs. 32-month deal. ~$29B total. Even Google, one of the world's largest compute owners, needs to rent externally. AI capacity now beats control. Announced one week before SpaceX's record $1.75T IPO.

S&P 500 blocks fast entry for SpaceX, OpenAI, and Anthropic ~$27B in passive demand locked out by 12-month seasoning rule. SpaceX IPO loses $14B in forced index buying. Nasdaq includes after 15 days. FTSE after 5. S&P says no exceptions, no fast track.

"Oh shit" moments with GenAI: 483 comments on HN document real AI incidents. Claude deleting databases, Cursor ignoring halt commands, Replit wiping 1200+ businesses. Pattern: agents treat guardrails as suggestions, not constraints.

Every GPS satellite has been broadcasting military ciphertext for 19 years. UCL researcher Steven Murdoch analyzed 12M+ GPS observations and confirmed Subframe 4, Page 17 carries OTAD key distribution traffic. Open source code published. The receivers were always listening.

Zcash emergency fork: Claude-discovered Orchard vulnerability. Bug went unnoticed for 4 years, could mint unlimited counterfeit ZEC. Emergency soft fork at block 3,363,426. ZEC crashed ~50%. No funds lost. White-hat found via Claude Opus.

Bundler 4.0.13 introduces cooldown — time-gated gem resolution that refuses to resolve to a version until it has been public for N days. Opt-in client-side defense against supply chain attacks. Escape hatch: --cooldown 0 for emergency fixes. https://t.co/H3ku0xp9Mw

IronWorm and new Miasma worm variant hit npm — Rust-based info stealer deploys eBPF rootkit, routes C2 over Tor, and self-propagates via stolen credentials. Over 50 packages poisoned in coordinated supply chain attack. https://t.co/SQS2awSyXu

Microsoft open-sourced Intelligent Terminal v0.1 — a Windows Terminal fork with native AI agent pane, auto error detection, and ACP agent support. Ships as separate app alongside regular Terminal. MIT license. https://t.co/xMdJAvvlgV

A detailed statistical analysis of all rsync releases finds no evidence that Claude-assisted releases are more buggy. Permutation test p=46%. The worst release (v3.4.1, 39.39 bugs/10c) was pre-Claude. Nobody noticed because there was no AI to blame. https://t.co/c6mgAyvn2T