HN Morning Brief - 2026-04-24
Good morning. Here are today’s top stories from Hacker News.
AI & Tech Policy
DeepSeek v4
Summary: DeepSeek launched its v4 API, offering two model variants — deepseek-v4-flash and deepseek-v4-pro — with an API format compatible with OpenAI and Anthropic. The chat endpoint supports streaming and a configurable “thinking” mode with adjustable reasoning effort. The older model names deepseek-chat (non-thinking) and deepseek-reasoner (thinking) are deprecated and will be phased out on July 24th, mapping directly to their v4-flash equivalents.
HN Discussion: Commenters debated whether DeepSeek’s API-compatible approach represents genuine competitive pressure or merely a thin wrapper over someone else’s infrastructure. Some expressed skepticism about whether the reasoning model delivers meaningful improvements, noting that “thinking” modes often inflate costs without proportionate quality gains.
Anthropic’s Mythos finds security issues in Firefox 150
Summary: Anthropic’s Mythos system found security vulnerabilities in Firefox 150 through automated scanning, generating discussion about the methodology and broader implications. Mythos identified flaws by systematically probing the browser, raising questions about whether AI-driven vulnerability discovery at this scale represents a new frontier in security research or simply more sophisticated noise. Mozilla published details of several findings, though the broader impact on Firefox users depends on how quickly patches land.
HN Discussion: Commenters questioned whether the marketing narrative outpaces actual impact, noting that AI vulnerability scanning at this scale requires massive compute budgets most organizations can’t access. Several pointed out Firefox is already a hard target with low-hanging fruit eliminated, making any additional findings noteworthy regardless of discovery method.
TorchTPU: Running PyTorch Natively on TPUs at Google Scale
Summary: Google released TorchTPU, enabling PyTorch workloads to run natively on TPU hardware without the intermediate PyTorch/XLA bridge. Three eager execution modes were introduced: Debug (synchronous and slow for shape matching), Strict (asynchronous single-op dispatch mirroring default PyTorch), and Fused Eager (on-the-fly operation fusion). The stack integrates at the deepest level via PyTorch’s PrivateUse1 interface, so developers can change device initialization from “cuda” to “tpu” without modifying core logic.
HN Discussion: Researchers who previously struggled with PyTorch/XLA on TPUs welcomed the development, citing undocumented behavior and silent hangs during long training runs as common pain points. One commenter shared a custom workaround pipeline they built for TPU research while waiting for native support.
GPT-5.5: Mythos-like hacking, open to all
Summary: Security testing firm XBOW evaluated GPT-5.5 on its internal vulnerability detection benchmark, running inside agent workflows across real penetration testing tasks. The model reduced the miss rate from 40% (GPT-5) and 18% (Opus 4.6) to just 10%, and its white-box performance (using source code) was so dramatically better than GPT-5, even with source code, that XBOW says it “effectively killed our benchmark.”
HN Discussion: Commenters were divided between excitement about automated pentesting capability and caution about whether benchmarks based on known vulnerabilities actually predict performance against novel attack surfaces. Several noted that a 10% miss rate still means one in ten real-world vulnerabilities will go undetected by the tool.
Security & Privacy
Bitwarden CLI compromised in ongoing Checkmarx supply chain campaign
Summary: Bitwarden CLI 2026.4.0 was compromised as part of the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. The malicious code landed in bw1.js within the npm package, using identical C2 infrastructure (audit.checkmarx.cx/v1/telemetry) to previous targets in this campaign. Payloads include Python memory-scraping scripts targeting GitHub Actions runners, RSA public keys, credential harvesting for AWS/Azure/GCP/npm tokens, and an embedded ideological manifesto string.
HN Discussion: The discussion centred on whether CI/CD pipeline compromise fundamentally differs from package tampering — when attackers own the build environment, they can inject arbitrary code into trusted outputs that bypass dependency scanners. Some pointed out that Bitwarden’s open source nature should have caught this earlier if proper binary signing and verification practices were in place.
UK Biobank health data keeps ending up on GitHub
Summary: A privacy researcher built a public tracker documenting 110 DMCA takedown notices UK Biobank has filed against GitHub, targeting 197 repositories across 170 developers in at least 14 countries. The biobank holds genetic, health, and lifestyle data on half a million British volunteers under strict non-sharing agreements, yet researchers keep accidentally uploading participant datasets to public repositories. The Guardian was able to re-identify one volunteer using only a date of birth and a single surgery date from an exposed dataset.
HN Discussion: Commenters found the scale of repeated accidental exposure remarkable, with takedowns spanning the US, China, UK, Germany, and Australia. The discussion highlighted that UK Biobank must use copyright-based DMCA notices rather than privacy-specific mechanisms because the UK lacks an equivalent process for compelling platform takedowns of personal data breaches.
French government agency confirms breach as hacker offers to sell data
Summary: France Titres (ANTS), the government agency responsible for issuing administrative documents including driver’s licenses, national ID cards, passports, and immigration papers, confirmed a security incident impacting approximately 11.7 million accounts. Exposed data includes login IDs, full names, email addresses, dates of birth, postal addresses, place of birth, and phone numbers. The threat actor “breach3d” claimed to hold up to 19 million records and offered the data for sale before broad dissemination.
HN Discussion: The thread sparked a broader debate about mandatory KYC requirements, with one commenter noting France offers a unique single-use digital identity service that discloses only minimum information required for a specific organization and duration. Users shared mixed experiences with the France-Identité app, including compatibility issues with LineageOS and MicroG.
Apple fixes bug that cops used to extract deleted chat messages from iPhones
Summary: Apple released a software update fixing a bug that allowed law enforcement to extract messages deleted or set to auto-disappear from messaging apps. The issue arose because notification content — which displayed the message text — was cached on the device for up to a month even after the app itself had removed the message. Signal president Meredith Whittaker prompted Apple’s response, stating that notifications for deleted messages should never remain in any OS-level notification database.
HN Discussion: Privacy activists expressed alarm that the FBI had found a circumvention path through a feature used daily by at-risk populations. Some questioned why Apple cached notifications at all — was it a bug or an intentional design choice that later became a problem when forensic tools exploited it?
Web & Infrastructure
Incident with multiple GitHub services
Summary: GitHub experienced a multi-service outage on April 23 that disrupted multiple core services including Copilot, Actions, and Webhooks simultaneously. Repository availability was degraded during the incident, causing continuous integration Actions pipelines to fail or stall indefinitely while their runners struggled to authenticate. Webhook delivery for third-party integrations relying on real-time event notifications from the platform was also affected, meaning automated deployments and issue tracking syncs were delayed or lost entirely.
HN Discussion: The outage prompted renewed self-hosting enthusiasm, with several commenters describing recent migrations to Forgejo instances running on Proxmox and NixOS. One user noted that self-hosted Forgejo page loads completed in roughly 6ms on a single NUC, while others expressed ambivalence about the sysadmin overhead of maintaining infrastructure at home.
Ubuntu 26.04
Summary: Ubuntu 26.04 LTS shipped with several notable changes that drew mixed reactions from early adopters. Middle-click paste (select-and-paste) is broken for some users, and the BitLocker password prompt blocks the entire screen during volume mounting, preventing keyboard-based password manager integration. The new default tiling assistant drew complaints for its unintuitive behavior and insistence on pairing window placements in ways that feel unpredictable.
HN Discussion: Users who disabled the tiling assistant reverted to default GNOME behaviour and found it serviceable but lacking quarter-tiling support. The experimental ZFS root installer also drew attention, though some found it only downloaded packages over Wi-Fi during setup, not wired ethernet, which caused confusion for machines connected via cable.
Tech Tools & Projects
My phone replaced a brass plug
Summary: An iOS developer at an Edinburgh shooting range automated the frustrating manual process of scoring paper targets — shooters had to push brass plugs into bullet holes to determine ring placement. The challenge proved harder than expected: Apple’s Vision framework object detectors are trained on what should be present, not on absence-of-material. The solution involved first detecting the known geometric structure of the target (ring positions), then searching for holes within that fixed coordinate system rather than trying to detect bullet holes in isolation.
HN Discussion: Shooters with competitive experience discussed differences between NSRA and ISSF scoring rules, particularly how the outermost versus innermost edge of a ring determines the score. Several mentioned that electronic scoring targets using wave triangulation already exist commercially, but the phone-based approach offers a cheaper alternative without specialised hardware.
Show HN: Honker – Postgres NOTIFY/LISTEN semantics for SQLite
Summary: Honker is a SQLite extension that brings Postgres-style event notifications to the lightweight database engine by monitoring the write-ahead log file and firing events whenever changes are committed. The extension achieves single-digit millisecond cross-process notification delivery without requiring polling loops or a separate message broker service, providing bindings for Python, Node.js, Rust, Go, Ruby, Bun, and Elixir — all wrapping a single Rust-defined on-disk layout.
HN Discussion: Commenters compared Honker to pg_notify, pg-boss, and Oban, with the author clarifying the project targets the “SQLite plus Litestream on a VPS” deployment pattern where adding Redis and Celery would be overkill. The cross-process notification capability for languages using process-based concurrency (Python, JavaScript, Ruby) was highlighted as the primary differentiator.
Your hex editor should colour-code bytes
Summary: A blog post proposes that hex editors should adopt syntax-style colouring for byte values, making structural patterns immediately visible at a glance. Under this model, ASCII-printable characters would appear in green, null bytes in red, repeated sequences highlighted uniformly, and binary data boundaries coloured distinctly — enabling analysts to spot file format transitions, embedded strings, cryptographic padding, and other structured data regions without manually scanning raw hexadecimal dumps for subtle anomalies.
HN Discussion: A colourblind commenter pointed out that the example colour scheme uses colours appearing nearly identical to someone with deuteranomaly, affecting roughly 8% of men. The broader discussion touched on accessibility in developer tooling, with suggestions to support bold, italic, and pattern-based encoding alongside colour so meaning is never lost when colour perception varies.
A programmable watch you can actually wear
Summary: LILYGO released the T-Watch Ultra, an ESP32-S3-based smartwatch with IP65-rated durability that breaks the usual pattern of DIY watches failing in everyday conditions. The 2.01-inch AMOLED display (410×502), 16MB flash, and 8MB PSRAM make it suitable for edge AI tasks. It includes LoRa support for Meshtastic-style off-grid messaging, a u-blox GNSS module, NFC, and a 1,100mAh battery — all programmable via Arduino IDE or ESP-IDF, pre-ordering at $78.
HN Discussion: Commenters questioned the ESP32’s suitability for battery-powered wearables, suggesting Nordic nRF chips offer significantly better power efficiency. Others defended the choice, noting an 1100mAh battery can last years on deep sleep and that LILYGO’s ecosystem is built around ESP chips regardless. Comparisons to Garmin watches offering weeks of battery life were frequent.
Familiarity is the enemy
Summary: An essay arguing that enterprise knowledge management has failed for sixty years because buyers select software on familiarity rather than merit. The author recounts a demo to a senior executive at a billion-dollar company who acknowledged the product worked but chose a consulting firm’s proposal at hundreds of thousands of dollars because buying from a recognised name serves as “an insurance policy.” The piece traces HP-Autonomy’s $11.1 billion acquisition and subsequent $8.8 billion write-off as a case study in how little due diligence enterprise buyers actually perform.
HN Discussion: References to Rich Hickey’s “Simple Made Easy” talk were frequent, with commenters noting that enterprise software selection consistently confuses “easy” (familiar) with “simple” (not intertwined). Some pushed back that the insurance rationale is genuinely rational for risk-averse buyers whose careers depend on vendor reputation rather than product quality.
Writing a C Compiler in Zig
Summary: A developer documented building paella, a C compiler written in Zig, following Nora Sandler’s “Writing a C Compiler” book series. The project covers the full pipeline: lexer, parser, and code generation. The author originally started in Rust but switched to Zig after growing frustrated with data structure overhead, though they later returned to Rust for certain components where it proved more productive.
HN Discussion: Zig and Rust advocates debated what “low-level” actually means — some argued that Rust’s heavy reliance on RAII, Arc, Box, and async abstractions makes it significantly higher-level than Zig’s bare-bones approach, while others countered that dependency count and standard library richness are orthogonal to how low-level a language is.
Science & Nature
Astronomers find the edge of the Milky Way
Summary: Astronomers identified a boundary region in the Milky Way’s stellar disk by analysing the age distribution of stars at increasing galactic radii. Since disk galaxies form stars inside-out — with older stars concentrated toward the centre and progressively younger stars toward the edges — the age profile of observed stars reveals where the active star-forming disk ends and the surrounding halo begins, essentially mapping the galaxy’s growing rings like a tree.
HN Discussion: The article’s phrasing caused confusion for some readers who misinterpreted “the farther out astronomers look, the younger the stars are” as referencing Earth’s position rather than distance from the galactic centre. Others clarified the inside-out formation model using a tree-ring analogy, noting Earth sits on an intermediate ring regardless of viewing direction.
Girl, 10, finds rare Mexican axolotl under Welsh bridge
Summary: Ten-year-old Evie Edwards discovered an axolotl in the shallows of the River Ogmore near Bridgend, Wales — lifting a discarded mat to reveal the nine-inch creature nestled among rocks. It is the first documented wild axolotl sighting in the UK, and with only 50 to 1,000 remaining globally in their native lake system near Mexico City, conservation experts confirmed it would not survive long unassisted. The family named him Dippy and took him home.
HN Discussion: Commenters were nearly unanimous that this was an abandoned pet, noting axolotls die within days in water below 14°C and that over a million exist in captivity thanks to Minecraft and Roblox exposure. Some questioned whether the story was fabricated for viral attention, while others pointed out wild axolotls are dark-coloured while captive-bred specimens are typically the pale morphs seen in pet trade photos.
What physical ‘life force’ turns biology’s wheels?
Summary: A new wave of studies since 2020 has cracked the molecular structures of the bacterial flagellar motor’s components — specifically the small cogwheels that drive the larger cogwheel at the flagellum’s base. Recent structural work from March 2026 completed the picture, revealing how evolution turned a billion years of trial and error into an electric motor rotating hundreds of times per second. The machine exploits proton motive force — the same physical gradient that powers essentially all cellular energy transfer — not as some mysterious “life force” but as ordinary thermodynamics applied with exquisite precision.
HN Discussion: Commenters mentioned that creationists’ long-standing use of the flagellar motor as an example of “irreducible complexity” has been addressed by decades of evolutionary biology research showing how complex systems can arise stepwise. Biophysicists discussed how the motor’s direction-switching mechanism represents one of nature’s most elegant signal-processing circuits.
Geopolitics & War
US special forces soldier arrested after allegedly winning $400k on Maduro raid
Summary: A US special forces soldier was charged with using classified operational information about a raid targeting Venezuelan leader Nicolás Maduro to place $400,000 in betting wagers on a sportsbook. Federal charges allege the soldier obtained specific details of the military operation through access to classified intelligence materials and then leveraged that inside knowledge to make substantial financial bets before the public announcement.
HN Discussion: Commenters discussed the security implications of operational plans leaking to individuals with access. Some questioned how the information reached the soldier — whether through loose-lipped colleagues or a more systemic intelligence breach.
Business & Industry
Meta tells staff it will cut 10% of jobs
Summary: Meta announced it would eliminate approximately 10% of its workforce in what CEO Mark Zuckerberg described as a “push for efficiency.” The company has been redirecting enormous capital expenditure toward AI infrastructure — building massive new data centres, procuring GPU clusters at scale, and investing heavily in custom silicon. Analysts note the cuts are driven less by direct worker replacement through AI and more by this shifting of operating budgets, where funds previously allocated to existing division salaries now flow into AI infrastructure.
HN Discussion: Commenters identified three mechanisms by which AI drives layoffs: genuine worker replacement, budget cannibalisation from AI spending, and AI serving as a convenient narrative for cuts companies wanted to make anyway. Many noted that pandemic-era overhiring and the end of the ZIRP era are the real drivers, with AI providing a more palatable explanation for investors.
Palantir employees are starting to wonder if they’re the bad guys
Summary: WIRED reports that Palantir employees are raising internal concerns about their company’s expanding role in Trump administration policies, particularly around immigration enforcement through DHS. Former and current employees describe an identity crisis: the company was founded on the premise of preventing safety abuses, but workers now feel they’re enabling them. The situation intensified after the killing of Alex Pretti, a nurse shot by federal agents during protests against immigration raids, which prompted some employees to directly ask colleagues “Are you tracking Palantir’s descent into fascism?”
HN Discussion: Several commenters noted that internal dissent at secretive companies like Palantir is rare due to non-disparagement agreements and cultural pressure, making the public nature of these concerns significant. Others drew parallels to broader Silicon Valley moral reckoning around government surveillance tools and military contracts.
Other
Using the internet like it’s 1999
Summary: An essay arguing that using social media frontends only exposes you to 3–5% of what the internet could be, leaving users trapped in algorithmic echo chambers. It advocates returning to protocol-layer interactions: RSS feeds for content consumption, XMPP/IRC for communication, self-hosted search engines, and direct email (SMTP) instead of platform intermediaries. The author argues the HTTP, XMPP, IRC, and SMTP protocols are genuinely good but their frontend platforms have been perverted into attention-extraction machines.
HN Discussion: Pushback on romanticising 1999: spam was rampant, research required buying physical books, dial-up averaged 4.4 KB/s. Some recommended surviving examples of small-scale internet communities like Fark.com and NomadNet that retain the older ethos. Several commenters shared their own protocol-layer setups as proof of concept.
Website streamed live directly from a model
Summary: Flipbook is an experiment where an entire website — including its text content, page layout, and visual styling elements — was generated directly by a large language model without human intervention or traditional HTML coding. The result demonstrates that modern models can produce coherent, fully navigable multi-page websites from a single natural language prompt. This capability raises fundamental questions about the future role of software developers in creating digital interfaces.
HN Discussion: Commenters debated whether browser-generated websites represent genuine innovation or repackaged HTML templates dressed up with model-generated content. Some questioned the practical utility compared to traditional development workflows, while others explored whether this could become a new paradigm for prototyping and small-scale sites.
Over-editing refers to a model modifying code beyond what is necessary
Summary: The author documents a phenomenon they call “over-editing” — when AI coding models modify more code than requested, introducing changes the user did not ask for. The blog post analyses why this happens: attention patterns in the model’s training data reward comprehensive rewrites over surgical edits, leading to outputs that change entire files instead of the specific lines the user targeted.
HN Discussion: Users shared frustration with similar behaviour across multiple AI coding tools, noting that even precise prompt engineering doesn’t always prevent sprawling rewrites. Some discussed using evaluation frameworks to measure edit precision and penalize over-editing in model selection criteria.
MeshCore development team splits over trademark dispute and AI-generated code
Summary: The MeshCore community mesh networking project split after one developer, Andy Kirby, used Claude Code extensively without telling the team and then registered the MeshCore trademark behind their backs. The original team claims Kirby never contributed to the GitHub source repo, controls the meshcore.co.uk domain and Discord server, and is now promoting his own products using the brand. Meanwhile, the remaining team launched meshcore.io with 85+ firmware versions supporting 75+ hardware variants, claiming to be the actual “official” MeshCore.
HN Discussion: Discussion of the broader question of whether AI-assisted code contributions count as legitimate when not disclosed to a project community. Debate over trademark ownership when one party controls the brand but another controls the open source implementation. Several commenters drew parallels to other open source projects where contributor recognition and IP rights have caused friction.
Verus is a tool for verifying the correctness of code written in Rust
Summary: Verus is a formal verification framework for the Rust programming language that enables developers to write mathematical specifications alongside their code and prove that implementations satisfy those precise specifications. The tool works with standard Rust syntax while adding verification annotations in comments, allowing safety properties, data structure invariants, and API contracts to be checked at compile time rather than through runtime testing alone.
HN Discussion: Some commenters expressed interest but questioned whether formal verification can scale to production codebases where developers rarely have time for proof engineering. Others pointed out that companies building critical infrastructure (cryptography libraries, consensus protocols) already need this level of assurance and that Verus bridges the gap between academic tools and practical Rust development.
A Renaissance gambling dispute spawned probability theory
Summary: A 1494 puzzle first posed by Luca Pacioli — how to fairly divide stakes when a coin-flipping game is interrupted mid-play — stumped mathematicians for over 150 years before Blaise Pascal and Pierre de Fermat cracked it through their famous correspondence. Their solution not only resolved the “problem of points” but effectively invented modern probability theory, laying foundations still used today for risk assessment in insurance, finance, and science.
HN Discussion: Readers appreciated the historical narrative connecting a mundane gambling dispute to one of mathematics’ most important fields. A few commenters noted that the same mathematical framework underpins everything from actuarial tables to modern AI uncertainty quantification, making it remarkable that a card game was its birthplace.
WireGuard for Windows Reaches v1.0
Summary: Jason Donenfeld announced the v1.0 release of WireGuard for Windows and WireGuardNT, marking the completion of final release blockers after extensive source code review and testing. The release introduces use of NdisWdfGetAdapterContextFromAdapterHandle() — a documented Windows 10 API that replaces the previous hack of stuffing pointers into an undocumented “Reserved” member of NDIS_MINIPORT_BLOCK, eliminating what Donenfeld called a “ticking time bomb.”
HN Discussion: Long-time WireGuard users expressed relief at finally reaching v1.0 after years of beta status on Windows, with many noting that the project’s consistent quality across all platforms made its earlier hesitation on Windows puzzling. A few discussed implications for enterprise VPN deployments considering migration away from IPsec to WireGuard’s simpler architecture.
Windows 9x Subsystem for Linux
Summary: A retro computing project demonstrating Linux running as a native application on Windows 9x through a compatibility subsystem, effectively reversing the WSL concept by adding Linux to Windows rather than Windows to Linux. The achievement demonstrates remarkable reverse engineering of both the Windows 9x kernel ABI and early Linux portability requirements to create a working cross-platform environment decades after these systems were obsolete.
HN Discussion: Commenters marveled at the technical accomplishment while debating whether WSL has made native integration between operating systems less necessary, or if it’s created a cultural dependency on Microsoft that makes reverse-compatible projects like this both unnecessary and oddly satisfying. A few noted Windows 9x-era software archaeology as an increasingly niche but fascinating field.