May 20, 2026

Hacker News Evening Brief: 2026-05-20

Railway’s eight-hour outage after Google Cloud suspended their account in error leads this evening’s brief, alongside OpenAI’s claim that one of its models disproved a decades-old conjecture in discrete geometry. GitHub confirms a supply-chain breach hitting thousands of repositories, Firefox finally switches off asm.js after thirteen years, and Europe’s sovereign payment alliance takes shape. Those stories and twenty-five more below.

Web & Infrastructure

Incident Report: May 19, 2026 – GCP Account Suspension

Summary: Railway suffered a platform-wide outage lasting roughly eight hours on May 19 after Google Cloud incorrectly placed its production account in suspended status. The suspension took down Railway’s dashboard, API, control plane, and databases. As cached network routes expired, the disruption cascaded beyond GCP-hosted workloads to affect every customer deployment regardless of hosting provider. Railway now plans to remove GCP from its data plane’s hot path entirely, retaining it only for secondary failover capacity.

HN Discussion: Commenters treated the incident as further evidence that Google Cloud cannot be relied upon as a business-critical provider, pointing to a pattern of automated account suspensions without warning or clear recourse. The unexplained trigger for the flagging drew particular scrutiny, with several readers demanding transparency about whether automated fraud-detection systems were responsible.

Saying Goodbye to Asm.js

Summary: Firefox 148 disables SpiderMonkey’s asm.js optimizations by default, marking the beginning of the end for the statically-typed JavaScript subset that debuted in 2013. Existing asm.js code continues to run through the regular JIT; nothing breaks, but performance and binary size improve by switching to WebAssembly. The post recounts how asm.js enabled Unity and Unreal to ship C/C++ codebases to the browser, with the Epic Citadel demo ported in just four days.

HN Discussion: Figma’s early reliance on asm.js before migrating to WebAssembly was cited as a practical case study of the transition’s real-world impact. Gary Bernhardt’s “Birth and Death of JavaScript” talk was referenced repeatedly, with commenters noting how much of his satirical forecast materialized. The contrast between Mozilla’s standards-driven approach and Chrome’s push for NaCl/PNaCl was revisited as a lesson in platform politics.

Node.js 26.0.0 (Now with Temporal)

Summary: Node.js 26 ships with the Temporal API enabled by default, finally giving JavaScript a modern date-and-time library built into the runtime. The release also updates V8 to version 14.6 (Chromium 146), bringing Map and WeakMap upsert methods, Iterator.concat, and other TC39 proposal implementations. Undici moves to 8.0, and several legacy APIs face deprecation or removal ahead of the October LTS promotion.

HN Discussion: Readers welcomed Temporal as a long-overdue fix for the notoriously awkward Date object, noting that libraries like Moment and Luxon served as stopgaps but that proper date/time handling belongs in the platform itself.

Handling the great code forge fragmentation

Summary: As projects spread across GitHub, GitLab, Codeberg, SourceHut, and self-hosted Gitea instances, Alex Selimov examines the practical pain of fragmented identities, cross-forge contribution workflows, and project discovery. The article surveys tooling for managing a presence across multiple platforms and evaluates protocol-based approaches like atproto for unified identity and federation across independent forges.

HN Discussion: Several commenters argued that fragmentation is healthy and aligns with git’s original decentralized design, preventing a repeat of the GitHub monoculture. AI coding tools tightly integrated with GitHub were cited as a factor slowing any shift away from the dominant platform.

Show HN: Hocuspocus 4 – self-hosted Yjs collaboration backend

Summary: Hocuspocus 4 provides a production-ready self-hosted WebSocket backend for Yjs, the CRDT-based framework for real-time collaborative editing. The release targets the Tiptap editor ecosystem but works with any Yjs-based application, offering document persistence, authentication hooks, and horizontal scaling for multi-user editing sessions.

HN Discussion: Production users flagged two persistent challenges: efficient materialization of documents from stored CRDT diffs and the memory cost of keeping live documents in RAM for idle connections. Privacy-focused prospects noted the absence of clear documentation about zero-knowledge or warrant-resistant architectures for hosted content.

Apparently Google hates us now

Summary: A popular Pokémon community wiki reported being effectively delisted or deprioritized by Google Search, cutting off a major source of organic traffic. The complaint points to a combination of relentless wiki spam overwhelming moderation capacity and possible changes in Google’s crawling behavior that excluded the site from indexing.

HN Discussion: Some readers attributed the problem to delayed cause-and-effect in Google’s search pipeline rather than deliberate targeting, noting that minor crawling bugs can silently exclude small percentages of websites. Others took a darker view, arguing that Google has little incentive to send traffic outward when it has already scraped and trained on the data.

AI & Tech Policy

How fast is N tokens per second really?

Summary: An interactive visualization lets users experience LLM token-generation rates from 5 tok/s (Raspberry Pi territory) up to 800 tok/s (Cerebras-class throughput) in four modes: syntax-highlighted code, prose text, reasoning chains interleaved with code, and agent tool-call sequences. The tool makes tangible what raw benchmark numbers abstract away — that perceived speed differs dramatically between code and prose at the same rate, and that beyond roughly 200 tok/s the bottleneck shifts firmly to human reading speed.

HN Discussion: Users shared stories of burning through Cerebras credits in minutes at ultra-high throughput, making the format better suited for subagent pipelines than interactive coding. Several noted that reasoning tokens typically consume two to three times the visible output, making raw tok/s a misleading proxy for actual workload cost.

Qwen3.7-Max: The Agent Frontier

Summary: Alibaba released Qwen3.7-Max, claiming state-of-the-art scores on the AA-omniscience non-hallucination benchmark ahead of Opus 4.7, Gemini 3.1 Pro, and GPT-5.5. The model targets agentic workflows and continues Qwen’s trajectory of open-source releases that compete with proprietary frontier models. Users report it works well as a free alternative to Claude Code for moderately complex tasks when paired with llama.cpp and OpenCode.

HN Discussion: Commenters expressed frustration that Qwen models lack a US-domiciled hosting option, limiting enterprise adoption despite competitive benchmark numbers. Discussion of practical hosting through proxy services like OpenRouter raised concerns about throttling compared to direct provider access.

Google’s AI is being manipulated. The search giant is quietly fighting back

Summary: A BBC investigation demonstrated that ChatGPT, Gemini, and Google AI Overviews can be manipulated into presenting fabricated information within twenty minutes by poisoning web sources that AI systems ingest. The reporter convinced Google and ChatGPT to present him as a world-champion competitive hot-dog eater. Commercial operations are exploiting the same technique at scale to inject biased answers on health and financial topics.

HN Discussion: Readers drew direct parallels to the SEO arms race, predicting an analogous cycle of AI-output manipulation and provider countermeasures. Some questioned the severity of the demonstration, noting it targeted a low-traffic query rather than a high-visibility one. A broken internal link in the BBC article (pointing to a local file path on the reporter’s machine) was flagged as an editorial embarrassment.

Stable Audio 3

Summary: Stability AI released Stable Audio 3, a family of fast latent diffusion models in small, medium, and large variants for variable-length audio generation and editing. The models operate on a novel semantic-acoustic autoencoder that compresses audio into a compact latent space, supporting inpainting for targeted editing and continuation of short recordings. The paper reports generating 120 seconds of audio in under two seconds on an RTX 3090.

HN Discussion: Users described the output as reminiscent of General MIDI — better suited to electronica than other genres and lacking the frequency range expected of final production quality. The absence of audio samples in the accompanying blog post was criticized as a baffling omission for an audio generation release.

Show HN: Lance – image/video generation and understanding in one model

Summary: ByteDance released Lance, a 3B-active-parameter unified multimodal model that handles image and video understanding, generation, and editing within a single architecture. The open-source release on GitHub includes model weights and inference code, aiming to reduce the deployment complexity of running separate models for each visual task.

HN Discussion: Commenters criticized the video output as sub-HD with low frame rates, noting that displayed samples were upscaled and frame-interpolated rather than natively high resolution. The name “Lance” was flagged as confusing given the popularity of LanceDB in the same ecosystem.

Security & Privacy

GitHub confirms breach of 3,800 repos via malicious VSCode extension

Summary: GitHub confirmed that a malicious Visual Studio Code extension was used to gain unauthorized access to approximately 3,800 repositories across the platform. The breach follows a prior investigation into unauthorized access to GitHub’s own internal repositories, suggesting a coordinated supply-chain attack. GitHub has not publicly identified the specific extension involved, leaving affected developers unable to assess their exposure.

HN Discussion: Commenters expressed frustration that neither GitHub nor BleepingComputer named the extension responsible, arguing that transparency would help organizations check their exposure immediately. Supply-chain risks from VSCode extensions were discussed as a systemic weakness in developer tooling.

Academic & Research

An OpenAI model has disproved a central conjecture in discrete geometry

Summary: OpenAI announced that one of its models disproved a nearly eighty-year-old conjecture in planar discrete geometry related to Erdős’s unit distance problem: how many pairs of n points can be exactly distance 1 apart. The proof employed techniques from algebraic number theory and was produced without a specialized mathematical harness. OpenAI published both the proof and companion remarks, calling it a research milestone.

HN Discussion: Commenters debated whether the result represents a genuine mathematical advance or an incremental finding amplified by OpenAI’s public-relations machinery. Some noted that OpenAI models appear to hold a lead in academic reasoning compared to competitors. The absence of an accessible illustration of the construction frustrated several readers.

LoRA and Weight Decay (2023)

Summary: This analysis demonstrates that LoRA fine-tuning with weight decay implicitly regularizes adapter weights toward the frozen base model rather than toward zero. The practical consequence is that LoRA solves a fundamentally different optimization problem than full fine-tuning — even with equivalent computational resources, it converges to a different solution. Depending on the use case, this implicit regularization can either prevent catastrophic forgetting or limit adaptation capacity.

HN Discussion: The mathematical analysis of LoRA’s interaction with weight decay has been widely cited in the ML fine-tuning literature, influencing how practitioners configure regularization in adapter training.

When Fast Fourier Transform Meets Transformer for Image Restoration (2024)

Summary: SFHformer, presented at ECCV 2024, combines Fast Fourier Transform with Transformer architectures for image restoration tasks such as deblurring and super-resolution. By incorporating spectral-domain information alongside spatial attention, the model captures global frequency patterns that purely spatial transformers miss. The full implementation is available on GitHub.

HN Discussion: Commenters discussed the broader challenges of integrating spectral information into neural networks, including the difficulty of complex-valued generalizations and the Fourier uncertainty principle’s implications for localization in dual domains.

Autoregressive next token prediction and KV Cache in transformers

Summary: This technical explainer breaks down the mechanics of autoregressive next-token prediction in transformer models and the role of the KV cache in accelerating inference. At each generation step, the model would otherwise need to recompute attention over all prior positions — the KV cache avoids this by storing key and value matrices from previous steps, trading memory for a substantial reduction in compute during generation.

HN Discussion: KV cache mechanics remain a foundational topic for understanding transformer inference bottlenecks and the various optimization strategies deployed in production LLM serving.

Business & Industry

Why is Inkwell stuck in review

Summary: Developer Manton Reece chronicles a month-long App Store review ordeal for Inkwell, an RSS reader for iOS submitted on April 21. The app has passed through multiple rejections, code changes, clarifications, a phone call with Apple, and an appeal to the review board — still unresolved. Apple’s objections span missing content-reporting features, Sign in with Apple issues, and monetization questions. The underlying conflict appears to be Apple’s own trademark on the “Inkwell” name.

HN Discussion: Commenters identified the trademark conflict as the probable real blocker, recalling Steve Jobs telling the iPodRip developer to “just change your app’s name.” The broader pattern of Apple leveraging App Review in trademark disputes drew sharp criticism from independent developers.

Tracking Starbucks’ ‘widely recyclable’ cups: none ended up at recycling

Summary: A three-month investigation by Beyond Plastics placed Bluetooth trackers inside Starbucks cold-beverage cups deposited in in-store recycling bins. Not a single tracked cup reached a recycling facility — all ended up at landfills or incinerators. The polypropylene (No. 5 plastic) cups are labeled “widely recyclable” by Starbucks, a claim the report calls deceptive greenwashing.

HN Discussion: Commenters noted that almost no US municipality actually recycles No. 5 plastics, making Starbucks’ labeling effectively fraudulent. Broader frustration with corporate greenwashing was a recurring theme, with paper straws and recyclability labels dismissed as performative gestures.

Goodbye Visa and Mastercard: 130M Europeans switching to sovereign payment

Summary: Five major European mobile payment platforms — including Wero and Bizum — have formed an alliance to create a unified sovereign payment network covering 130 million users across the continent. Starting in 2026, the system will handle cross-border person-to-person and merchant payments without routing through Visa or Mastercard networks, giving EU member states greater financial independence from American payment infrastructure.

HN Discussion: The Dutch iDeal system was cited as the gold standard for how internet payments should work, redirecting users to their own bank rather than requiring card numbers on merchant sites. Concerns about US access to foreign transaction data were raised, with Canada’s 2018 cannabis legalization cited as an example of payment history being weaponized across borders.

Geopolitics & War

Meta blocks human rights accounts from reaching audiences in Saudi Arabia, UAE

Summary: Since April 30, Meta has geo-blocked the Facebook and Instagram accounts of Gulf-focused NGOs including ALQST for Human Rights, Democratic Diwan, and several individual researchers from reaching audiences in Saudi Arabia and the UAE at the request of those governments. A coalition of organizations condemned Meta’s actions as part of a pattern of major tech companies acting as enforcement arms for repressive Gulf states.

HN Discussion: Commenters debated whether Meta faces a genuine dilemma — comply or be replaced by worse local alternatives — or whether the company simply prioritizes market access over human rights. The gap between the original promise that social media would “spread democracy” and current reality was a recurring theme.

Tennessee man jailed 37 days for Trump meme wins settlement after lawsuit

Summary: Retired Tennessee law enforcement officer Larry Bushart won an $835,000 settlement after being jailed for 37 days over a Trump meme, in a First Amendment lawsuit supported by the Foundation for Individual Rights and Expression. The sheriff’s office faced no individual criminal accountability for the arrest. FIRE framed the outcome as a victory for free expression, while acknowledging that settlements paid by taxpayers rather than responsible officials represent a structural accountability gap.

HN Discussion: Readers debated whether police settlements should come from pension funds rather than taxpayer coffers to create personal accountability. European commenters contrasted US accountability structures with legal systems where officers face criminal charges for exceeding their authority. The irony of a retired law enforcement officer being the victim drew particular note.

Tech Tools & Projects

SBCL: the ultimate assembly code breadboard (2014)

Summary: Paul Khuong demonstrates using Steel Bank Common Lisp as an interactive environment for hand-optimizing x86_64 assembly code. The article walks through implementing a minimal virtual machine interpreter with hand-tuned instruction encodings, squeezing each dispatch step from 14 bytes down to 9. SBCL’s ability to inline VOPs and control register allocation makes it more productive for experimental assembly work than a traditional assembler.

HN Discussion: The article has been reposted multiple times on HN since 2014 and continues to reward re-reading. Commenters acknowledged the difficulty of following the low-level encoding details while praising the educational value of seeing Lisp deployed as a systems-programming tool.

Flipper One Tech Specs

Summary: Flipper Devices published specifications for the Flipper One, the successor to the popular Flipper Zero multi-tool. The device runs a Rockchip RK3576 SoC alongside a dedicated MCU, measures 155×67×40mm, and features a 256×144 monochrome LCD with 64 grayscale levels behind Gorilla Glass. An M.2 expansion port, anodized aluminum heatsink, and dual-processor architecture running Flipper OS on the Linux side with FlipCTL for hardware management round out the design.

HN Discussion: Commenters questioned the pairing of a capable SoC with a low-resolution monochrome display, calling it underwhelming. Power consumption and battery life concerns were raised given the RK3576’s capabilities relative to the original Flipper Zero’s modest hardware. The M.2 slot and open Linux platform were seen as promising for the hardware-hacking community.

Formal Verification Gates for AI Coding Loops

Summary: Reuben Brooks proposes embedding formal verification gates — type-system-level assertions generated from specifications — as structural backpressure on AI coding agents. Rather than relying on prompts and review checklists, deterministic compile-time checks enforce invariants like access control across thousands of lines of generated code. The core argument is that guardrails in the code itself outperform any instruction you give the model.

HN Discussion: DevOps practitioners confirmed an industry progression from “let the LLM do everything” to “build deterministic tools that both humans and agents can use.” Critics noted that codegen verification rules can miss critical steps, citing a JWT example where generated checks validated only non-empty strings rather than actual token integrity.

Testing distributed systems with AI agents

Summary: Li Shen published a GitHub repository of AI-agent skills for distributed-systems testing built around a “claim-driven” framework where tests are named after the invariant they attempt to falsify, not the setup details. The approach targets the common problem of test suites decaying over time as tests named after implementation specifics drift from the properties they were meant to verify.

HN Discussion: Kyle “Aphyr” Kingsbury, creator of the Jepsen distributed systems testing framework, expressed disheartenment at seeing fifteen years of freely shared work being used to automate his role. The claim-driven framing was praised as a structural safeguard against test-suite entropy.

History & Science

Sharla Boehm, the programmer whose code underpins the Internet

Summary: Sharla Boehm, a math teacher turned programmer at the RAND Corporation, wrote the first working implementation of packet switching — so-called “hot potato routing” — proving the concept could enable resilient distributed communications during the Cold War. Her simulation laid the technical foundation for what evolved into the modern Internet, yet her contributions have been largely overlooked in mainstream histories.

HN Discussion: Commenters debated whether characterizing her work as “machine learning” was a retroactive application of modern buzzwords. The article was celebrated as part of the “Lost Women of Science” initiative highlighting overlooked female contributors to computing. Archive links were shared for readers unable to access the paywalled Scientific American piece.

Qian Xuesen: The missile genius America lost and China gained (2025)

Summary: Qian Xuesen (Hsue-Shen Tsien) was a Chinese-born aerodynamicist who co-founded JPL and became central to America’s early missile program before being deported during the McCarthy-era Red Scare. In China, he led the development of the DF-2 and DF-5 ICBMs and the Long March rocket family. His deportation is widely regarded as one of the most consequential self-inflicted intellectual losses in US national security history.

HN Discussion: Commenters noted the story is widely taught and mythologized in China, where multiple students independently recounted it. The difficulty of making a compelling film about someone whose genius was organizational rather than dramatic was discussed. JPL’s history of employing colorful figures with security-clearance troubles, including Jack Parsons, was raised as parallel context.

Smartmedia Card Spec Opened, available free (2000)

Summary: A look back at the moment around 2000 when the SmartMedia card specification was opened and made freely available. SmartMedia cards were distinctive for their thin, flexible form factor and lack of an onboard controller, which offloaded that responsibility to the host device. The format eventually lost to SD and CompactFlash but remains historically notable for its role in early digital cameras and the ingenious FlashPath floppy-disk adapter.

HN Discussion: Sony’s Memory Stick drew particular ire as the epitome of proprietary-format lock-in. The FlashPath adapter was remembered as a creative but finicky hack. One commenter summarized the era: “CompactFlash cards weren’t that compact, and SmartMedia wasn’t at all smart.”

System Administration

Everything in C is undefined behavior

Summary: A programmer with three decades of C and C++ experience argues that virtually every non-trivial C program contains undefined behavior, and that the situation is worsening as compilers increasingly exploit UB for optimization. Examples include unaligned pointer casts that are UB even without dereferencing, and volatile reads in printf arguments creating unsequenced side effects. The author suggests that in 2026, using C/C++ for security-critical software could constitute a SOX compliance violation.

HN Discussion: Commenters shared even more obscure UB examples, such as volatile accesses creating unsequenced side effects in function calls. The “five stages of learning about UB in C” — denial, anger, bargaining, depression, acceptance — resonated widely. Some pushed back on the sensationalism, arguing that conflating potential UB with actual UB is misleading and that analogous footguns exist in every language.

Other

Map of Metal

Summary: An interactive visualization mapping the genealogy of heavy metal music from its blues-rock and psychedelic roots through doom, thrash, death, black, and progressive sub-genres. Originally built in Flash by Patrick Galbraith and later ported to HTML5, each node links to representative tracks so users can explore the evolutionary relationships between metal styles.

HN Discussion: The creator appeared in the thread, sharing that the original Flash version took about two weeks to build. The site was compared to Ishkur’s Guide to Electronic Music as a similar genre-mapping project. Several users discussed the difficulty of finding modern bands that capture the slow, brooding sound of early Black Sabbath and Judas Priest.