Friday evening on Hacker News. Here are 30 stories worth your attention tonight, spanning supply chain malware in the Python AI ecosystem, Uber burning through its entire AI budget in four months, and a deep dive into running Adobe’s 1991 PostScript interpreter inside a modern browser.

Security & Privacy

whohas – Command-line utility for cross-distro, cross-repository package search

Summary: The whohas tool provides a command-line utility for searching software packages across Linux distributions and repositories. Written in Perl with its last release from 11 years ago, it relies on hardcoded repository domains within its single-file script. It aims to fill the gap where individual distros each have their own package search that doesn’t cross boundaries.

HN Discussion: Commenters note the tool’s age and criticize the lack of coverage for Homebrew on Linux and flatpak ecosystems. The Perl origin sparks a debate about maintaining decades-old utility scripts versus rewriting them in modern languages, with several pointing out that hardcoding domains means upstream changes can silently break the tool.

Sally McKee, who coined the term “the memory wall”, has died

Summary: Sally Anne McKee (1963–2025), a computer science professor who coined the influential concept of “the memory wall” — the growing gap between processor speed and memory access latency — has passed away at age 61. She received her bachelor’s from Yale, master’s from Princeton, and built a long career as an itinerant professor. Her seminal paper “Hitting the Memory Wall: Implications of the Obvious” remains widely cited in computer architecture research.

HN Discussion: Commenters share how her work shaped their own research — one doctoral student notes they never heard of her until reading about her passing. Another commenter found a link to her archived personal website on her obituary page, highlighting how academic tributes often surface unexpected historical documentation.

Show HN: My Private GitHub on Postgres

Summary: Developer Caleb Win shares gitgres, a personal project that stores GitHub-like repository data in PostgreSQL. The project demonstrates how a relational database can serve as a self-hosted alternative to GitHub for private code management, with basic Git operations backed by Postgres tables.

HN Discussion: The response is sparse — one commenter calls it a “nice idea” without diving into technical critique. There’s limited engagement beyond acknowledgment of the concept, possibly because the project lacks details on how Git operations are mapped to relational schemas or what limitations exist compared to a dedicated Git server.

Understand Anything

Summary: Understand-Anything is a GitHub project that converts codebases and knowledge bases (including Karpathy’s LLM wiki) into interactive knowledge graphs. It works with Claude Code, Codex, Cursor, Copilot, Gemini CLI and similar AI coding assistants, letting users explore, search, and query code relationships visually.

HN Discussion: Early commenters compare it to Obsidian’s graph view, questioning whether the visualizations offer genuine analytical value or are primarily aesthetic. Some skepticism exists around whether auto-generated graphs from LLM-assisted analysis produce meaningful structure or just decorative output that becomes cumbersome at scale.

Show HN: Loopsy, a way for terminals and AI agents on different machines to talk

Summary: Loopsy enables terminals and AI agents running on different machines to communicate with each other. The project bridges separate computing environments into what the author describes as “one coherent organism.” It currently depends on Cloudflare infrastructure but is being actively developed with rapid iteration based on early feedback.

HN Discussion: Commenters express enthusiasm about unified machine-agent orchestration while raising questions about overlap with existing tools like Tailscale and whether self-hosted deployment options exist. The project’s pace impressed some — 16 releases in 7 hours — though reliance on Cloudflare remains a concern for those wanting full infrastructure control.

Advanced Quantization Algorithm for LLMs

Summary: Intel’s AutoRound is a state-of-the-art quantization algorithm designed for high-accuracy, low-bit large language model inference. It supports CPU, XPU, and CUDA backends with multi-datatype flexibility and integrates with vLLM, SGLang, and Hugging Face Transformers. Benchmarks claim improvements of 0.1–0.7 percentage points in accuracy retention over stock quantization at Q4_K_M.

HN Discussion: The community is actively testing the tool against existing models, with one commenter reporting good results on a 35B Qwen model running fast with 300K context and 11.65 GB memory footprint. Interest in quantization-aware training methods like LSQ+ for extremely low-bit configurations (2-bit/3-bit OPD) is emerging, though open-source adoption remains limited compared to closed implementations.

Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library

Summary: Semgrep researchers discovered malware with Dune-themed naming (“Shai-Hulud”) injected into the PyTorch Lightning AI training library, revealed during RSA conference talks. This supply chain attack targets an established open-source deep learning framework, adding to a recent pattern of high-profile compromises in major Python packages.

HN Discussion: Commenters note a suspicious bot called pl-ghost that automatically commented on and closed four security issues before the Shai-Hulud vulnerability was finally addressed. One contributor advocates going dependency-free for simple projects, using vanilla JavaScript and HTML instead of npm packages — even for educational apps involving physics simulations — to eliminate supply chain risk entirely.

Grok 4.3

Summary: xAI released Grok 4.3 via its API documentation without an accompanying blog post or public announcement. The release notes list capabilities including text, images, video, voice with files support, and new model pricing at $10/million input tokens and $30/million output tokens. No benchmark numbers are publicly available except what third-party sites like Artificial Analysis have independently measured.

HN Discussion: Users who prefer Grok highlight its voice mode as notably higher quality than competitors’ voice offerings, which some suspect route to cheaper models like Haiku. As a non-native English speaker, one commenter praises Grok’s ability to capture subtleties of formality and tone replication. The lack of an announcement has sparked speculation about what it signals internally at xAI.

Show HN: WhatCable, a tiny menu bar app for inspecting USB-C cables

Summary: A macOS menu bar app that tells users, in plain English, what each USB-C cable plugged into their Mac can actually do. The tool reads cable capabilities through the system and translates hardware specs into actionable information — whether a cable supports data transfer, charging, video output, or any combination thereof.

HN Discussion: One commenter shared they had GPT-5.5 convert this into a KDE Plasma 6 Plasmoid in about 10 minutes and two dollars, demonstrating the app’s simple design translating well across platforms. The rapid iteration impressed others — 16 releases in 7 hours incorporating HN feedback. Some question why so many Mac apps insist on living in the menu bar when there are other UI paradigms available.

[Claude Code refuses requests or charges extra if your commits mention “OpenClaw”]

Summary: A user discovered that Claude Code would refuse requests or charge extra credits whenever their git commit messages mentioned “OpenClaw.” One reproducible case shows that initializing a repo, creating a file, and making a commit with {"schema": "openclaw.inbound_meta.v1"} triggered an immediate disconnect with session usage hitting 100%. Another user found Claude dismissing OpenClaw references in blog posts as “a typo or playful reference.”

HN Discussion: Comments focus on two fronts: the censorship concern and what this might reveal about internal policies at Anthropic. One commenter speculates that the blocking reflects pressure from external entities rather than standard safety tuning, noting that companies don’t typically block benign product names unless there’s legal or business motivation behind it.

Apple accidentally left Claude.md files in Apple Support app

Summary: An observer noticed that CLAUDE.md configuration files were inadvertently included in the Apple Support app bundle, revealing Anthropic’s deep influence on Apple’s internal tooling. The files suggest Apple runs custom versions of Claude on its own servers for product development and internal workflows.

HN Discussion: Commenters note that while Anthropic already powers significant portions of Apple’s internal products, finding CLAUDE.md in a consumer-facing app is an embarrassing oversight. Some remark that surrounding social media reactions have “LLM smells” — AI-generated engagement on top of an AI-relevant story. The broader takeaway concerns how much proprietary configuration leaks into shipped software.

AWS stops billing Middle East cloud customers as repairs to war damage drag on

Summary: Amazon Web Services has suspended billing for customers in the Middle East following drone strikes that damaged data centers in the Fujairah region of the UAE on March 5, 2026. The physical infrastructure damage from aerial attacks is expected to require months of repairs, and AWS absorbed the costs rather than passing them to clients whose services were affected.

HN Discussion: The discussion is thin given the event’s recency, but broader implications around cloud infrastructure concentration in geopolitically vulnerable regions are implied. This is another example of how physical supply chain disruptions cascade into digital service failures, compounding the risk profile of centralized cloud deployments.

Our agent found a bug with WireGuard in Google Kubernetes Engine

Summary: The engineering team at Lovable discovered a networking bug affecting WireGuard inside their GKE cluster that caused intermittent project failures, code clone timeouts, and “Connection reset by peer” errors. The issue was initially surfaced by an agent that noticed anetd pods crashing roughly 120 times per pod over six days. Stack traces pointed to a concurrent map-access panic — multiple goroutines reading and writing shared data structures without proper locking.

HN Discussion: Credit for the bug hunt went largely to human engineer Sascha Eglau, though the agent’s alerting played a supporting role. Some commenters questioned whether disabling encryption layers as a workaround was the right call when user experience suffered from errors — suggesting fixing the race condition would have been better than removing the security feature. Others expressed disbelief that such bugs can exist in Google’s managed networking stack.

Geopolitics & War

Flock cameras keep telling police a man who doesn’t have a warrant has a warrant

Summary: A YouTube video documents an encounter where Flock surveillance cameras repeatedly flagged an innocent person as subject to outstanding warrants, despite the man having no warrant. The situation escalates when officers at different locations receive conflicting information from the system — listing both the real and incorrect warrant statuses simultaneously. This highlights systemic issues in how commercial license plate reader data is managed and shared with law enforcement.

HN Discussion: A key finding from Colorado shows regular practice of listing license plates with both valid “O”s and substituted “Z” zeros on warrant lists, creating false positives. Commenters note the story has less to do with Flock itself and more about systemic practices in law enforcement data management, drawing parallels to targeted-ad targeting as another surveillance-capitalism-adjacent problem.

Running Adobe’s 1991 PostScript Interpreter in the Browser

Summary: Michael Steil reverse-engineered and emulated the HP C2089A “PostScript Cartridge Plus” — a 1991 ROM module for the LaserJet II/III — running inside a modern browser. Thirty-five years later, Adobe’s original reference implementation still renders PostScript Level 2 correctly, proving that old code isn’t always retro code. The project emulates the M68K processor, fakes the LaserJet hardware, and makes the decades-old ROM interactive in contemporary environments.

HN Discussion: macOS users lamented the loss of built-in PostScript support, including Preview.app’s PostScript handling in recent versions. Some tested the emulation by downloading old PostScript test files from archive sites and found them rendered well even without color support. A few joked about 502 errors being evidence of genuine enthusiasm for PostScript as a rendering standard — ironic given its reputation for complexity.

An open letter asking NHS England to keep its code open

Summary: A public initiative with 74 signatures requests that NHS England maintain open-source commitments for publicly funded software, citing the UK Government Design Principles and the NHS Service Standard as existing frameworks supporting this position. The letter was published alongside reports of NHS moving against open-source tools, potentially in response to security concerns raised by AI safety groups.

HN Discussion: Commenters split between supporters of the open-letter approach and those arguing the right response isn’t shuttering everything. One notes neither the AI Safety Institute nor NCSC recommended total exclusion, warning that it may increase risk rather than reduce it. A Cloudflare verification issue prevented at least one supporter from signing, highlighting accessibility concerns in public campaigns.

Show HN: Perfect Bluetooth MIDI for Windows

Summary: A developer built a free, open-source utility bridging Bluetooth LE MIDI keyboards into the new Windows 11 MIDI Services stack, enabling any DAW or Web MIDI application to use wireless keyboards as if they were wired connections. The project emerged after discovering three stacked bugs in Microsoft’s BT-MIDI implementation on Windows 11.

HN Discussion: Commenters acknowledged that while Microsoft is rolling out Windows MIDI Services as an improvement, the broken BT-MIDI implementations are genuinely frustrating. Several mention preferring wired MIDI to avoid latency issues. One commenter shared that Claude-assisted development helped them build 20 utilities for music practice — underscoring AI’s growing role in creative tooling beyond coding contexts.

I built a Game Boy emulator in F#

Summary: A software engineer with eight years of industry experience built a Game Boy emulator from scratch in F# to understand computer internals more deeply. The choice of Game Boy was deliberate — real hardware with manageable scope and strong personal connection from childhood Pokémon gameplay. The project took hundreds of hours and served as both a technical exercise and proof that non-LLM-assisted learning still has value.

HN Discussion: Commenters praised the idiomatic F# in discriminated unions and recommended lowering allocations. Several celebrated the human-effort angle — “Finally someone putting in actual human effort to learn something, and not an LLM helped me build X in Y minutes” — reflecting a broader HN sentiment valuing deliberate skill-building over AI-assisted shortcuts. Nostalgic comments about F# as a better alternative to C#‘s evolving identity also emerged.

The X-Files Has Made Me Nostalgic for a Time I Never Experienced

Summary: A Substack essay explores how rewatching The X-Files sparked nostalgia for the 1990s — an era the author never actually lived through. Set against a backdrop described as “a time before crypto, Twitter, and AI slop,” the piece reflects on community, authentic experience, and cultural touchstones predating today’s attention-economy landscape. The author watched the show to fill a void left by Doctor Who in their pop culture life.

HN Discussion: Commenters draw parallels to synthwave aesthetics and share rosy recollections of the 1990s — Bill Clinton raising taxes, eliminating the deficit, lowering interest rates — while acknowledging these memories may be filtered through nostalgia’s selective lens. The piece resonates as meta-commentary on how cultural artifacts can create longing for eras we only experienced secondhand.

Business & Industry

Uber Torches 2026 AI Budget on Claude Code in Four Months

Summary: Uber spent its entire annual AI budget for 2026 within just four months after rolling out Claude Code and Cursor across its engineering organization starting in December 2025. Monthly API costs per engineer ranged from $500 to $2,000 as adoption surged — 95% of engineers now use AI tools monthly, with 70% of committed code originating from AI. The CCTO’s revelation underscores tension between AI productivity gains and unbounded cost scaling.

HN Discussion: Commenters are divided between skepticism about the spending figure and recognition that productivity may offset costs. One questions how any company could burn $1,000/month per engineer in tokens while they themselves spend only $200–$400. A recurring theme is whether AI tool usage became tied to performance evaluations, explaining the near-universal adoption figure. Others argue that if productivity genuinely increased, revenue growth would make affordability irrelevant.

I’m Peter Roberts, immigration attorney who does work for YC and startups. AMA

Summary: Immigration attorney Peter Roberts, who advises Y Combinator companies and startups on visa and work authorization matters, hosted an Ask HN AMA covering topics including H-1B fee changes, PERM labor certification processes, and how AI is affecting legal practice. Roberts cautioned he couldn’t provide legal advice on specific cases due to incomplete fact patterns.

HN Discussion: The community pressed on practical differences between pre- and post-fee-change H-1B processing, with one commenter puzzled by the PERM process where managers appear to advertise non-existent jobs for their direct reports. Questions about AI in legal practice focused on hallucination risks and what tools lawyers actually find reliable. The thread reflects ongoing uncertainty around immigration policy shifts impacting startup talent pipelines.

How an oil refinery works

Summary: An exploration piece tracing how crude oil is processed at facilities like India’s Jamnagar refinery — one of the world’s largest. Despite wind and solar gaining share, petroleum still accounts for 30% of global energy use (over 100 million barrels daily as of 2023), and this infrastructure will remain essential for the foreseeable future. The piece details distillation, cracking, and blending processes that transform raw crude into usable products.

HN Discussion: Commenters shared personal stories — one describes a factory tour in Yokohama decades ago; another grew up near Jamnagar where families were occasionally permitted to visit. Several referenced related posts about buying actual barrels of crude oil, highlighting the gap between everyday awareness of petroleum consumption and understanding the physical supply chain behind it.

History & Science

Your Website Is Not for You

Summary: A web developer argues that websites serve visitors first, not their creators. After working alongside many designers, the author noticed a recurring pattern: designers present research and reasoning in boardrooms while developers quietly nod along. The piece challenges the designer-centric approach to web creation and advocates for visitor-first design thinking — prioritizing user goals over ego-driven expression.

HN Discussion: Some reject the premise entirely, arguing that personal websites should express identity and values. Others point out that not all designers truly understand customer needs or business context as well as founders do. The debate touches on whether “the website isn’t art” is a productive framing or one that dismisses creative expression unnecessarily — with readers noting the tension between functional product design and personal branding.

A Letter from Dijkstra on APL (1982)

Summary: A newly rediscovered 1982 letter from Edsger W. Dijkstra discussing his views on the APL programming language has been transcribed and published. The letter comes from Dijkstra’s time at Burroughs Research Fellow in Nuenen, Netherlands, offering historical perspective on one of computing’s most contentious design debates — concise, symbol-heavy expression versus readable, verbose syntax.

HN Discussion: Commenters draw parallels between APL’s unconventional syntax friction and Perl’s similar trajectory under competitive pressure. One recalls writing substantial APL for an undergraduate project in 1978–79, enjoying its expressive power while acknowledging single-line density made code nearly unreadable. Another describes uniquely pleasant programming dreams about writing APL compared to debugging nightmares associated with other languages.

Engineering tough blood clots for rapid haemostasis and enhanced regeneration

Summary: A Nature paper describing engineered blood clots designed for rapid haemostasis (stopping bleeding) and enhanced tissue regeneration. The research was made available via a non-paywalled preprint on ResearchSquare, making the findings accessible despite Nature’s paywall.

HN Discussion: Engagement centered on accessing the research without a paywall — one commenter provided the ResearchSquare link directly. The biomedical engineering angle drew less commentary than expected for a healthcare-focused story, possibly because HN’s audience skews toward software and infrastructure topics rather than clinical or materials science applications.

Tech Tools & Projects

If I could make my own GitHub

Summary: A blog post imagining a redesigned GitHub from scratch, critiquing current platform limitations: boolean PR approval (too simplistic for nuanced code review), repo history management (suggesting lazy fetching rather than full clones), and the need for stacked PR workflows. The piece draws on years of developer experience to propose structural changes that would improve collaboration at scale.

HN Discussion: Commenters challenged several premises — boolean approval as a permission model is technically appropriate, blobless Git clones already solve the history problem, and tools like Jujutsu (jj) with Tangled already support stacked PRs natively. The thread became a broader discussion about whether incremental improvements to GitHub are sufficient or if fundamentally new version control paradigms are needed.

System Administration

Softmax, can you derive the Jacobian? And should you care?

Summary: An essay exploring the mathematics behind the softmax function — that deceptively simple operation converting arbitrary real numbers into values between 0 and 1 summing to 1. The piece examines what softmax actually does to probability distributions, how it relates to the Boltzmann distribution from thermodynamics (explaining why “temperature” works as a parameter), and whether engineers using softmax daily should understand its underlying mechanics beyond API calls.

HN Discussion: One commenter highlighted a key omission: the mathematical identity between softmax temperature scaling and the Boltzmann distribution in thermodynamics. Readers debated the theoretical justification for base e versus integer exponents (2 or 3) in the softmax equation, while others noted that softmax technically produces pseudo-probabilities rather than true distributions — an important distinction for rigorous ML work.

Other

Ask HN: Who is hiring? (May 2026)

Summary: The monthly hiring thread where companies post open positions directly. Featured postings include Kredit seeking .NET engineers (Remote US), Starbridge looking for senior Kotlin/Java/React/TypeScript engineers (NYC or Remote) to build an AI-powered sales insights platform, and Coalition expanding engineering leadership following a recent acquisition.

HN Discussion: Standard monthly hiring activity with geographic and technology-specific detail. Commenters noted the continuing emphasis on remote US roles as a baseline, while startup positions increasingly mention AI platform development capabilities. The thread reflects ongoing demand for full-stack engineers comfortable with modern TypeScript ecosystems and distributed data processing.

Police Have Used License Plate Readers at Least 14x to Stalk Romantic Interests

Summary: An investigation by the Independence Journal reveals that police officers have repeatedly used license plate reader systems to track romantic interests over several years. One commenter describes requesting audit logs from their town’s Flock system and finding that pre-November 2025 logs were searchable by user ID, enabling independent correlation of search volume per officer to detect unusual patterns. Another note points out Flock employees snooping on private business feeds for pools and gymnastics studios.

HN Discussion: Commenters emphasize that the “at least” in the headline likely understates the problem significantly. The debate centers on whether audit logs are sufficient oversight or if structural changes to who controls these systems are needed. Several commenters draw parallels to targeted-ad targeting as another example of surveillance-capitalism-adjacent abuse by the same industry.

Ask HN: Who wants to be hired? (May 2026)

Summary: The reciprocal monthly thread where job seekers share their profiles directly. Listings span locations from Africa (open to remote or relocation within the continent) to Miami/NYC/LA, with specializations ranging from Expo/Flutter cross-platform development and Django/Rails web frameworks to Python backend work with Terraform, AWS CDK, and CI/CD pipelines.

HN Discussion: Seekers emphasize flexibility — willingness to relocate, preference for remote with travel openness, and diverse technology stacks reflecting the broader shift toward full-stack competency. Multiple profiles mention LLM integration experience alongside traditional engineering skills, indicating how AI tooling proficiency has become part of standard developer expectations by mid-2026.