A one-click GitHub token theft via VSCode, the concentrated fragility of US missile production, using GPU VRAM as Linux swap space, and Microsoft’s newest coding model lead this morning’s roundup. From ancient egalitarian cities to vinyl-loaded Sega games, here are 30 stories the Hacker News community was talking about overnight.

---

AI & Tech Policy

MAI-Code-1-Flash

Summary: Microsoft released MAI-Code-1-Flash, a 137B-parameter mixture-of-experts coding model with only 5B active parameters. It scores 51% on SWE-Bench Pro and is positioned as a fast, cost-efficient coding assistant, benchmarked primarily against Claude Haiku. It joins Microsoft’s broader MAI model family, which includes thinking and image generation models.

HN Discussion: Commenters noted that Qwen3.6-35B achieves 49.5% on SWE-bench Pro at a fraction of the size, questioning the efficiency of Microsoft’s approach. Several expressed skepticism about whether small coding models handle serious work well enough, preferring to plan with heavier models and delegate structured tasks. Frustration was also directed at GitHub Copilot’s shift to per-token pricing, which coincided with the launch.

HHS is overriding peer review to require changes to research scope, design

Summary: Science magazine reports that the Department of Health and Human Services is intervening in NIH grant decisions, demanding changes to research scope and design beyond what traditional peer review would require. The number of affected grants appears small so far, and no specific proposal has been confirmed as unfunded due to these interventions, but the practice raises questions about political influence over scientific independence.

HN Discussion: The submitted title was flagged as editorialized and mismatched with the original article headline. Some commenters dismissed the concern as overblown given the limited scale, while others debated the fundamental question of whether government funders should steer research direction at all.

How we index images for RAG

Summary: Kapa.ai describes a practical approach to image indexing for retrieval-augmented generation: run a cheap vision model once at indexing time to generate text descriptions, store those descriptions alongside regular text chunks, and retrieve them at query time without ever sending images to the model. This “eager processing” pattern slashes per-query cost and latency.

HN Discussion: A key trade-off was identified: non-deterministic LLM descriptions may miss details that better future models would catch. Multiple commenters confirmed using the same pattern in personal knowledge systems like Obsidian, while others noted the practical difficulty of getting document authors to write meaningful image captions in the first place.

Trump signs downsized AI order after weeks of reversals

Summary: After weeks of revisions, the White House signed a scaled-back executive order on AI that replaced an earlier draft’s 90-day voluntary review period with a shorter 30-day window. The order asks certain AI companies to submit powerful new models for voluntary government review before public release, focusing on cybersecurity benchmarking and threat assessment for financial and national security systems.

HN Discussion: Critics argued the order lacks substance—Section 1 was described as saying nothing meaningful, and the benchmarking is entirely voluntary. Concerns were raised that “voluntary review” is a stepping stone toward mandatory licensing and regulatory capture favoring large incumbents, with open questions about how the process would handle open-source and foreign models.

Bringing Up DeepSeek-V4-Flash on AMD MI300X

Summary: Doubleword, an inference cloud provider, published a detailed engineering account of running DeepSeek-V4-Flash on AMD MI300X GPUs. The MI300X offers 192GB of HBM3 per card versus the H100’s 80GB at roughly half the list price, with comparable FP8 compute. Getting it working required custom vLLM patches to address missing FP8 dialect support, incomplete attention fast paths, and HIP graph issues.

HN Discussion: AMD hardware was described as viable for low-interactivity inference but demanding significantly more software engineering upfront. A researcher noted similar struggles training Gemma 4 31B on MI250X. Commenters hoped growing hardware competition would push prices down across the board.

---

Security & Privacy

1-Click GitHub Token Stealing via a VSCode Bug

Summary: A security researcher demonstrated a vulnerability in VSCode’s github.dev web editor that lets an attacker steal a GitHub OAuth token through a single crafted link. The browser-based VSCode instance receives a token from github.com granting read and write access to all user repositories—including private ones. The exploit leverages the webview security model to exfiltrate this token, and the writeup includes a full disclosure timeline noting poor past experiences with MSRC’s handling of VSCode bug reports.

HN Discussion: Several commenters shared personal stories of having GitHub and Cloudflare tokens stolen, emphasizing damage segregation over prevention. MSRC came in for sustained criticism for historically poor responsiveness to security researchers. The deeper question was raised: whether github.dev should be authenticated at all, given the enormous attack surface it creates.

The advertising cartel coming to your web browser

Summary: Don Marti warns about Attribution Level 1, a proposed browser standard from Meta, Google, Apple, and Mozilla that would build advertising measurement directly into web browsers. The system correlates ad impressions with conversions, yet the specification contains no consent, permissions, or opt-out provisions. The concern is a two-track system where third-party trackers face regulatory scrutiny while browser-built tracking gets a free pass.

HN Discussion: Some commenters dismissed the post as an advertiser defending their own tracking profits under the guise of privacy concern. Others found the fact that Meta, Google, and Apple all agree on a “privacy” feature inherently suspicious. The debate centered on whether the proposal worsens the existing attribution problem or merely formalizes what already happens.

---

Geopolitics & War

The American Missile Crisis

Summary: A Contrary Research report examines the concentrated fragility of US missile production, which hinges on a tiny number of ammonium perchlorate (AP) facilities. A single plant accident could bring output to a standstill. AP manufacturing requires rare workforce skills in energetics handling, layered environmental and explosives permitting, and purpose-built equipment that cannot be quickly duplicated. The report also surveys solid versus liquid propulsion alternatives.

HN Discussion: A commenter pointed out that one of the report’s authors is the CEO of Galadyne, a company discussed favorably in the piece, raising advertorial concerns. Technical debate followed over whether liquid propellants could realistically replace solids for missile applications. Some pushed back on the “crisis” framing, given the destructive purpose of the weapons in question.

---

Tech Tools & Projects

Roku LT Operating System open source distribution

Summary: Roku open-sourced the LT OS, a real-time operating system written primarily in C that powers their remote controls and embedded devices. The code is hosted on GitHub at rokudev/lt-sdk and appears reasonably documented, offering a rare look at the software running inside consumer streaming hardware.

HN Discussion: Commenters questioned why a remote control requires an RTOS at all. There was visible relief that the codebase is in C rather than Roku’s proprietary BrightScript. Criticism was directed at Roku for providing documentation only through videos rather than text-based reference material.

Capstone – multi-platform, multi-architecture disassembly framework

Summary: Capstone is a lightweight disassembly framework implemented in pure C with bindings for over 20 languages. It supports architectures including ARM, RISC-V, x86, PowerPC, WebAssembly, and Ethereum VM. Designed for high-performance malware analysis, it is thread-safe by design, embeddable in firmware or OS kernels, and includes special handling for x86 obfuscation techniques.

HN Discussion: A well-established staple in the reverse engineering community that attracted quiet appreciation rather than heated debate.

Pluto.jl 1.0 release – reactive notebook for Julia

Summary: After six years of development, Pluto.jl has reached version 1.0 as a reactive notebook environment for Julia. The release emphasizes spreadsheet-like cell reactivity, reproducible notebooks, built-in interactivity with sliders and buttons, AI tooling integration, and support for hosting interactive notebooks on the web via SliderServer.

HN Discussion: A recurring complaint: output appears above the input cell, breaking the top-to-bottom reading flow expected in a document. Users praised the SliderServer for sharing interactive analysis, while others debated whether language-specific notebook UIs justify their complexity versus building a full React frontend.

My thoughts after using Clojure for about a month

Summary: A developer reflects on a month of Clojure, praising its composition model and data structures while navigating the JVM ecosystem’s learning curve. The author used Clojure to build a static site generator—continuing the Lisp tradition of inevitably writing your own. The article itself was rate-limited by the host after HN traffic exceeded daily bandwidth limits.

HN Discussion: Discussion ranged across Clojure’s cross-platform reach (ClojureScript, ClojureCLR, ClojureDart, jank, Basilisp, babashka) and whether the language’s value lies in its syntax or the JVM runtime’s concurrency capabilities. Comparisons to Erlang’s runtime model were frequent.

Gleam v1.17.0

Summary: Gleam v1.17.0 adds BEAM escript support, enabling Gleam programs to be compiled into single-file executables on the Erlang VM. The release follows the first-ever Gleam Gathering conference, with talks now on YouTube. It also introduces a “todo” type for placeholder types during development and continues the language’s steady stream of language server improvements.

HN Discussion: The “todo” type drew particular enthusiasm as a formal placeholder mechanism commenters wanted in other languages. Gleam’s language server was praised for its quality. A feature request emerged for single-binary output that bundles the BEAM runtime itself, similar to Deno and Bun’s compile features.

NLAB: The worlds smallest electronics lab

Summary: NLAB is a pocket-sized device combining an oscilloscope, function generator, and power supply—replacing over $1,000 of bench equipment. The starter kit includes 200+ components, a connected laptop app for live feedback, and 12 guided projects ranging from heartbeat monitors to LED circuits.

HN Discussion: The marketing claims drew heavy fire. Community college courses and free online resources are far cheaper than the “$100k” figure cited on the product page. The “AI-proof skills” promise was called irresponsible and unverifiable. Comparisons to classic Radio Shack electronics kits were inevitable.

HP re-releases classic computer science calculator: The HP-16C

Summary: HP has issued a Collector’s Edition of the HP-16C, the programmer’s calculator originally launched in 1982 and beloved for bit manipulation, base conversion, and integer math. The re-release follows a similar treatment of the HP-15C scientific calculator.

HN Discussion: Loyal owners reported their original 1980s HP calculators still work perfectly, questioning the value of a new edition. Several commenters recommended SwissMicros devices (DM16L, DM41X, DM42) as higher-quality alternatives built like “tanks.” Build quality concerns were raised based on reported issues with the 15C Collector’s Edition.

Show HN: Paseo – Beautiful open-source coding agent interface

Summary: Paseo is an open-source coding agent interface that works across phone, desktop, and CLI, providing a unified UI for managing coding agents with multi-model support. The maintainer appeared in the HN thread to answer questions directly.

HN Discussion: Questions arose about how Paseo differs from simply using a coding agent through OpenRouter and switching models per task. A comparison to OpenChamber, a similar web-based PWA and local CLI tool, was drawn. The “ship on the go” mobile coding pitch drew sharp pushback from commenters who argued it reflects unhealthy work culture rather than genuine productivity.

QBE – Compiler Backend – 1.3

Summary: QBE 1.3 is the lightweight compiler backend’s most significant release since 1.0, adding roughly 7,000 lines of code including a new IL matching algorithm and Windows ABI support. Performance improved from around 40% to closer to the 70% of gcc -O2 target, driven by optimizations to coremark functions. New position-independent code generation for shared objects rounds out the release.

HN Discussion: Praise for a lightweight alternative to LLVM and GCC was tempered by criticism that the C codebase is “impenetrable” and arcane. Windows ABI support was seen as a major step toward practical usability beyond Linux and BSD. The absence of source-level debugging info was cited as a remaining blocker.

---

Web & Infrastructure

Agentic Mfw

Summary: A satirical update to the “motherfucking website” meme, reimagined for the era of AI-vibe-coded software. The piece argues that clean code principles have become museum pieces because code is now regenerated rather than maintained, and that complexity has become a proxy for valuation—re-prompting replaces debugging, and a function a junior could read is a function that didn’t burn enough compute to justify a Series A.

HN Discussion: The line “Accessibility doesn’t matter when the content is engineered to be inaccessible to thought” was singled out as a standout. Others expressed fatigue with LLM-generated profanity-laden hyperbole saturating tech discourse, questioning whether the satire captures real trends or simply reinforces cynicism.

Gmail thinks I’m stupid, so I left

Summary: A user chronicles leaving Gmail after the web UI became a gauntlet of unsolicited AI features: auto-summarizing emails, pre-filling reply drafts, and nagging with “Tab to improve” prompts when you pause while writing. The author argues that optional AI writing tools are reasonable, but Gmail’s constant prompting and inability to dismiss these features treats users as incapable of composing their own messages.

HN Discussion: Fastmail was recommended repeatedly as a fast, privacy-respecting alternative. The core objection was summarized as: “If you can tell the LLM what to write, you might as well write the email.” Others shared frustration with Google Messages’ similarly overreaching smart reply suggestions.

Open Repair Data Standard – Open Repair Alliance

Summary: The Open Repair Data Standard (ORDS) defines a shared format for collecting and publishing repair data on small electricals and electronics, aiming to enable global trend analysis by combining data from community repair events across countries. The spec sits at version 0.3 and is designed to identify recurrent product failures and fixes.

HN Discussion: Questions were raised about whether the project is abandoned, with no major changes since 2024. Critics noted that basic product-related fields like “model” are missing from the standard, limiting its practical usefulness for meaningful cross-referencing.

America’s Data Center Build-Out Is Falling Way Behind Schedule

Summary: The Wall Street Journal reports that major US data center construction projects are falling significantly behind schedule. Companies are turning to demand-responsive pricing and paying customers to reduce power consumption during critical periods. Google is exploring partnerships with wind and solar companies as alternative energy pathways.

HN Discussion: Commenters argued that if data centers are as profitable as claimed, operators should guarantee clean self-power and closed-loop cooling rather than fighting permits. AI-related job anxiety was cited as a driver of local resistance to construction. The observation that large-scale US infrastructure projects routinely fall behind schedule tempered the surprise.

---

History & Science

4K years ago, Mohenjo-daro grew more equal over time

Summary: University of York researchers analyzed housing patterns in Mohenjo-daro, one of the largest cities of the Indus Civilization (2600-1900 BC), using Gini coefficients on home sizes. They found lower inequality levels than other ancient urban societies, and the wealth gap between rich and poor residents actually shrank over time. Indus seals for business and administration were found in common homes across the city, not concentrated in elite areas.

HN Discussion: The Indus Valley was discussed as a possible “stateless civilization” with collective governance rather than centralized power. Notably, no weapons or signs of war have been found in Indus Valley excavations, consistent with the egalitarian finding. A thought experiment compared the analysis to how future archaeologists might misinterpret 20th-century TV distribution as inequality data.

Words of Type

Summary: Words of Type is an illustrated encyclopedia of typographic terminology covering concepts from alphabets to alternate glyphs. Each entry includes visual examples with specific typeface attributions, and the coverage extends to both Latin and non-Latin script considerations including Arabic positional glyph variants and case-sensitive punctuation forms.

HN Discussion: The site’s whimsical, children’s-book clarity of design was praised for working equally well as a technical reference—a rare combination.

Loading Sega Games Off a Vinyl Record [video]

Summary: A video demonstrates loading Sega Master System games from audio pressed onto a vinyl record. The project encodes game ROM data as audio signals that the console can read through its audio input, reviving the spirit of cassette-based loading from the 8-bit home computer era in an even more analog form factor.

HN Discussion: Commenters recalled 1980s computer magazines that shipped games on vinyl records or cassette tapes for Commodore 64s and similar machines. The project was described as peak “we did it because it’s stupid” engineering—entertaining, impractical, and technically impressive.

SaySynth: A Brief History of Speaking Machines

Summary: SaySynth is a synthesizer built on macOS’s text-to-speech “say” command, repurposing the system utility as a musical instrument. The accompanying essay traces four eras of speaking machines: mechanical devices using bellows and reeds, formant and rule-based synthesis, sample-based concatenative systems (the GPS and automated phone voices of the ’90s and 2000s), and modern neural and AI-based generation.

HN Discussion: The project attracted interest as a creative repurposing of a built-in system tool that most people use only for accessibility or novelty.

---

Academic & Research

The Unreasonable Redundancy of Nature’s Protein Folds

Summary: An analysis of protein fold space reveals that nature’s structural repertoire is far more redundant than sequence diversity alone would suggest. Using graph-theoretic clustering on predicted structures, the work separates meaningful fold families from noise. The finding is contextualized against recent deep learning breakthroughs like AlphaFold3, Chai-2, and generative antibody design, with implications for how protein design and drug development are approached.

HN Discussion: The research spoke for itself without generating extensive comment-thread debate.

AI outperforms law professors in Stanford Law study

Summary: A Stanford Law blind study found that law professors preferred AI-generated answers to student legal questions over answers written by their peers in 75% of approximately 3,000 head-to-head matchups. Sixteen professors across US law schools evaluated anonymized contract law tutoring responses and flagged AI answers as potentially misleading less often than human-written ones.

HN Discussion: Statistical concerns were raised immediately: with only 16 professors and very high variance in individual ratings, the study may lack meaningful statistical power. The press release title was criticized as overreaching—the study specifically evaluates AI as a tutoring tool for law students, not as a replacement for lawyers. The distinction between tutoring and legal document drafting was emphasized.

---

Business & Industry

CT scans of BYD car parts

Summary: Lumafield performed industrial CT scans of BYD EV components including the key fob, blade battery cells, and drivetrain parts, revealing internal engineering in detail. BYD’s vertical integration from lithium mining to finished vehicles is compared to Ford’s historical model, with BYD producing roughly 75% of its own components. The company now manufactures approximately 4.6 million cars per year, exceeding Ford’s 4.4 million and Tesla’s 1.6 million.

HN Discussion: A mechanic shared hands-on experience disassembling a BYD Shark, noting heavy-duty control arms and subframes that contradict the “cheap Chinese car” narrative. A BYD owner corrected the article’s interpretation of the key fob mechanism based on the CT scan. Munroe Live’s detailed EV teardown videos were recommended as additional reference material.

---

System Administration

Use your Nvidia GPU’s VRAM as swap space on Linux

Summary: nbd-vram is a Linux tool that exposes NVIDIA GPU VRAM as swap space via the network block device protocol. Built primarily for laptops with soldered RAM and no upgrade path, it uses CUDA to manage memory allocations and presents VRAM as a block device the kernel can swap to, putting idle graphics memory to practical use.

HN Discussion: Benchmarks showed only approximately 1.3 GB/s sequential throughput on an RTX 3070 Laptop—far below the PCIe 4.0 x16 theoretical 64 GB/s, and actually slower than NVMe swap. Users with large idle VRAM pools (32GB+) saw practical value despite the bandwidth limitation. The project was compared to the older Windows-based GpuRamDrive, which attempted a similar concept for both NVIDIA and AMD cards.

Multicore support for DOS is real – partly

Summary: A VOGONS forum user discovered an old DOS multicore demo on a company DVD that demonstrates two CPU cores running simultaneously under plain DOS. The binary uses DPMI protected mode and wakes a second core via APIC, running independent code without interrupts. The thread explores how cross-core communication would work in an operating system with no native thread concept.

HN Discussion: Reference was made to “Pits,” a 2024 DOS assembler demo that uses all hyperthreads and cores for ray-casting at up to 1080p. Technically, multicore under DOS is just APIC initialization—the OS itself neither helps nor hinders. The practical question was whether an application would need to invent its own thread scheduling and message-passing primitives from scratch.