How Mark Klein told the EFF about Room 641A [book excerpt]
Community Discussion
The comments converge on a critical view of U.S. surveillance practices, emphasizing historical violations of the domestic‑foreign separation, ongoing covert data collection, and the difficulty of accountability. Many reference personal or documented experiences that illustrate lax security, secret infrastructure, and the impact on privacy, while also citing literature and legal debates surrounding FISA and Section 702. Sentiment is largely distrustful of government secrecy, supportive of transparency reforms, and skeptical of official assurances that domestic spying does not occur.
Opus 4.7 knows the real Kelsey
Summary
Claude Opus 4.7 can attribute unpublished text to its author with high accuracy when the author has a substantial public writing corpus. The tester pasted 125‑word political drafts, a school‑report excerpt, a movie review, fantasy prose, and an old college essay; Opus 4.7 consistently identified the writer as Kelsey Piper, while other models (ChatGPT, Gemini) gave different guesses. The model’s justifications are often incoherent, suggesting it detects subtle stylistic “tics” without true understanding. Deanonymization works best for writers with extensive real‑name publications; it fails on individuals lacking a sizable online footprint. However, even brief excerpts can link anonymous contributors to known acquaintances within a shared subculture. The author warns that as training data grows, the amount of text needed for accurate identification will shrink, threatening anonymity for prolific writers. Mitigation would require deliberately altering one’s style or using AI‑generated rewrites, both of which present practical challenges.
Read full article →
Community Discussion
Comments describe strong surprise at LLMs accurately attributing text to specific authors, noting that Opus 4.7 often succeeds where other models fail. The discussion converges on the view that such stylometric ability erodes online anonymity, with many expressing concern that personal writings can be traced despite pseudonyms or privacy tools. Some participants suggest countermeasures like local models or AI‑generated style masking, while others argue anonymity was never absolute. Overall sentiment blends intrigue about the technology’s capability with apprehension about its privacy implications.
For Linux kernel vulnerabilities, there is no heads-up to distributions
Summary
CVE‑2026‑31431 (“CopyFail”) is a Linux kernel local‑privilege‑escalation flaw introduced in kernel 4.14 (commit 72548b093ee38a6d4f2a19e6ef1948ae05c181f7). The issue was patched in the stable branches 6.18.22 (commit fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8), 6.19.12 (commit ce42ee423e58dffa5ec03524054c9d8bfd4f6237) and upstream 7.0 (commit a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5). Older long‑term kernels—6.12, 6.6, 6.1, 5.15, 5.10—remain unpatched; backporting is complicated by API changes. An attempted backport failed, and a temporary mitigation was provided as a patch disabling the “authencesn” crypto module (attached as 0001‑crypto‑disable‑authencesn‑module‑for‑CVE‑2026‑31431.patch). The author notes that kernel vulnerability notices are not automatically forwarded to distribution mailing lists unless the reporter does so.
Read full article →
Community Discussion
The comments criticize the current Linux kernel vulnerability disclosure flow, arguing that relying on individual reporters to notify downstream distributions is inadequate and that the kernel security team should assume that responsibility. Many express concern over premature public release of the exploit and its impact on shared‑hosting providers, while also noting that several distributions have already applied patches or can mitigate the issue with workarounds such as eBPF filters or default nosuid mounts. Opinions acknowledge that not every system is affected, but consensus calls for improved coordination and stronger default security settings.
Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library
Summary
The PyPI package **lightning** (versions 2.6.2 and 2.6.3, published 2026‑04‑30) was compromised in a supply‑chain attack. The malicious releases contain a hidden `_runtime` directory with an obfuscated 14.8 MB JavaScript payload that executes automatically on module import. The payload:
* Exfiltrates GitHub, npm, AWS, Azure, and GCP credentials, environment variables, CI/CD secrets, and local token files, matching token prefixes such as `ghp_`, `gho_`, and `npm_`.
* Sends data via four parallel channels: HTTPS POST to an encrypted C2 URL, GitHub commit‑search dead‑drop (prefix `EveryBoiWeBuildIsAWormyBoi`), attacker‑controlled public GitHub repos (Dune‑themed names), and direct pushes to the victim’s own repository when a `ghs_` token is present.
* Propagates to npm by injecting a `setup.mjs` dropper and `router_runtime.js` into packages the compromised npm token can publish, setting `scripts.preinstall` to execute the dropper.
Persistence is achieved through developer‑tool hooks: a Claude Code `settings.json` hook and a VS Code `tasks.json` task that run `setup.mjs` (installing Bun if needed). The malware may also add a malicious GitHub Actions workflow to dump repository secrets.
Indicators of compromise include commit messages prefixed with `EveryBoiWeBuildIsAWormyBoi` and public repos described as “A Mini Shai‑Hulud has Appeared”. Remediation requires auditing for the listed files, rotating all discovered tokens, and rescanning projects with Semgrep rules.
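The indicators listed above translate directly into a local audit. The script below is an added example, not code from the advisory or from the Lightning project: it checks a site-packages tree for the affected `lightning` versions and the hidden `_runtime` directory, an npm package directory for the `setup.mjs` / `router_runtime.js` droppers and a `preinstall` script that launches them, editor configuration files (`settings.json`, `tasks.json`) that reference `setup.mjs`, and a list of commit messages for the `EveryBoiWeBuildIsAWormyBoi` prefix. The directory layout it scans and the sample tree it builds are constructed for the demonstration; the real paths of a Claude Code or VS Code configuration are not given on the page, so `scan_editor_hooks` simply walks whatever root you pass it.

```python
"""Offline IoC audit for the compromised lightning 2.6.2 / 2.6.3 releases (added example)."""
import json
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"2.6.2", "2.6.3"}          # versions named in the advisory
COMMIT_PREFIX = "EveryBoiWeBuildIsAWormyBoi"     # dead-drop commit-message prefix
DROPPER_FILES = ("setup.mjs", "router_runtime.js")
HOOK_FILES = ("settings.json", "tasks.json")    # Claude Code / VS Code persistence files


def scan_site_packages(site_packages: Path) -> list[str]:
    """Flag an affected lightning version or the hidden _runtime payload directory."""
    findings = []
    for dist in site_packages.glob("lightning-*.dist-info"):
        version = dist.name[len("lightning-"):-len(".dist-info")]
        if version in AFFECTED_VERSIONS:
            findings.append(f"affected lightning version installed: {version}")
    runtime = site_packages / "lightning" / "_runtime"
    if runtime.is_dir():
        findings.append(f"hidden payload directory present: {runtime}")
    return findings


def scan_npm_package(pkg_dir: Path) -> list[str]:
    """Flag the dropper files and a preinstall script that would run them."""
    findings = []
    for name in DROPPER_FILES:
        if (pkg_dir / name).exists():
            findings.append(f"dropper file present: {pkg_dir / name}")
    manifest = pkg_dir / "package.json"
    if manifest.exists():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        if "setup.mjs" in scripts.get("preinstall", ""):
            findings.append(f"preinstall runs setup.mjs: {manifest}")
    return findings


def scan_editor_hooks(config_root: Path) -> list[str]:
    """Flag settings.json / tasks.json files anywhere under config_root that invoke setup.mjs."""
    findings = []
    for name in HOOK_FILES:
        for path in config_root.rglob(name):
            if "setup.mjs" in path.read_text(errors="ignore"):
                findings.append(f"editor hook references setup.mjs: {path}")
    return findings


def scan_commit_messages(messages: list[str]) -> list[str]:
    """Return commit messages carrying the dead-drop prefix (feed it `git log --format=%s`)."""
    return [m for m in messages if m.startswith(COMMIT_PREFIX)]


def run_scan(root: Path, commit_messages: list[str]) -> list[str]:
    """Run every check against a root that holds site-packages/, npm-pkg/ and project/ (layout assumed)."""
    findings = scan_site_packages(root / "site-packages")
    findings += scan_npm_package(root / "npm-pkg")
    findings += scan_editor_hooks(root / "project")
    findings += [f"dead-drop commit message: {m}" for m in scan_commit_messages(commit_messages)]
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample tree (placeholder files, not real artefacts) mirroring the advisory's layout."""
    sp = root / "site-packages"
    (sp / "lightning-2.6.3.dist-info").mkdir(parents=True)
    (sp / "lightning" / "_runtime").mkdir(parents=True)
    npm = root / "npm-pkg"
    npm.mkdir()
    (npm / "setup.mjs").write_text("// placeholder, not the real dropper\n")
    (npm / "package.json").write_text(json.dumps(
        {"name": "example-pkg", "scripts": {"preinstall": "node setup.mjs"}}))
    vscode = root / "project" / ".vscode"
    vscode.mkdir(parents=True)
    (vscode / "tasks.json").write_text(json.dumps(
        {"tasks": [{"label": "runtime", "command": "bun setup.mjs"}]}))
    return root


SAMPLE_COMMITS = [                       # constructed commit subjects
    "Fix typo in README",
    "EveryBoiWeBuildIsAWormyBoi 0123abcd",
]


def demo_findings() -> list[str]:
    """Build the sample tree in a temp dir and return what the audit reports for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scan(build_sample_tree(Path(tmp)), SAMPLE_COMMITS)


if __name__ == "__main__":
    for finding in demo_findings():
        print("FINDING:", finding)
```

On a real machine, point `scan_site_packages` at each interpreter's site-packages, `scan_npm_package` at every package the compromised npm token could publish, and `scan_editor_hooks` at your home directory; any hit means the tokens that host has ever seen should be treated as exposed and rotated.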
Read full article →
Community Discussion
Comments express growing alarm over an apparent rise in high‑profile supply‑chain compromises, especially in Python packages, and criticize the scarcity of user‑friendly security tooling for hobbyist and machine‑learning projects. Contributors note that many dependencies are introduced without adequate auditing, question the trustworthiness of alternative Python installers, and advocate for stricter dependency pinning, sandboxing, or even self‑contained builds. While some point to recent mitigations such as pip cooldowns and locked lockfiles, the overall view is that the ecosystem remains vulnerable and in need of better detection and preventive measures.
I Got Sick of Remembering Port Numbers
Summary
The post describes “local.vibe,” a macOS‑only, open‑source tool (MIT licensed) that eliminates the need to remember local development port numbers. Implemented as a single Go binary, it installs dnsmasq, a pf port‑forwarding rule, and a trusted local CA, then runs as a daemon communicating via a Unix‑socket reverse proxy. For each project, a `vibe.json` defines a name and command; when started, local.vibe auto‑assigns an unused port, injects it as `$PORT`, and creates a `.vibe` hostname (e.g., `https://blog.vibe`) that proxies to the service over HTTPS. A dashboard at `https://local.vibe` lists running services, supports start/stop, editing, emoji icons, and grid or list views. It also provides built‑in proxies such as `tailscale.vibe` and `hass.vibe`. An HTTP API (e.g., `http://localhost:7999/setup.md`) enables AI agents to query or control the environment. Installation is a one‑line `setup.sh` after cloning the repository.
Read full article →
Community Discussion
The discussion centers on practical methods for managing service ports, with users sharing personal setups that combine configuration files, custom scripts, and tools like outport.dev and a GitHub “sonar” utility. Participants note advantages of automatic start‑stop mechanisms and resolver tricks, while also highlighting drawbacks such as AI agents mishandling process lifecycles and default port choices that feel inconvenient. Overall, the comments reflect a constructive exchange of alternatives, a desire for clearer port naming, and mild frustration with existing defaults and automation shortcomings.
Can I disable all data collection from my vehicle?
Summary
The Rivian Support Center page includes a “Reserving and configuring” section, which provides guidance for customers on how to reserve a vehicle and set up its configuration options. The page also features visual content presented as four images, each labeled with descriptive alt text: “Purchasing,” indicating steps or information related to buying a Rivian; “Products,” highlighting the range of vehicles and accessories; “Ownership,” covering topics such as maintenance, warranties, and user responsibilities; and “Company,” likely referencing corporate information or brand identity. These elements are organized to assist users in navigating the reservation process and understanding key aspects of Rivian’s product lineup and ownership experience.
Read full article →
Community Discussion
Comments show broad concern that modern EVs rely heavily on always‑on connectivity, raising privacy, security and recall‑remedy questions, especially where OTA updates lack a non‑digital fallback. Many criticize the need for dealer appointments to disable eSIMs outside Canada, calling for simple in‑vehicle toggles or physical disconnects, and note that turning off data often disables safety features like lane‑keeping, which they view as a dark pattern. While a minority praise the availability of a privacy option, the prevailing sentiment is skeptical, urging stronger regulations, clearer opt‑outs, and hardware‑level solutions.
Maladaptive Frugality
Summary
The author describes “maladaptive frugality,” a pattern where excessive cost‑avoidance leads to missed opportunities and unnecessary stress. A personal example involves paying for an iPhone repair without realizing AppleCare would have covered it, illustrating how hesitation over a modest expense can hinder larger projects. The behavior traces back to childhood lessons that framed frugality as a moral virtue and spending as sinful, a mindset reinforced by parents who emigrated from Hong Kong—a culture where historical economic instability fosters deep‑rooted saving habits. While such prudence can yield benefits like low‑cost travel, it also creates procrastination on essential purchases, resulting in resource shortages. The author recommends recognizing this bias, shifting focus to present‑moment decisions, and treating frugality as a tool rather than a controlling principle, especially for high‑impact choices. This mindfulness aims to balance cost‑consciousness with strategic investment in quality‑of‑life improvements.
Read full article →
Community Discussion
The comments discuss frugality as a culturally rooted habit, noting its persistence in post‑Soviet societies and its contrast with pervasive debt‑driven consumption in the United States. Many describe personal satisfaction from careful saving and the virtue it can represent, while also highlighting the downsides when it becomes rigid, creates emotional strain, or hampers enjoyment. Partners are cited as useful mirrors for balancing spending habits. Overall, the consensus emphasizes the need for moderation, recognizing both the benefits of mindful saving and the risks of excessive restraint.
CPanel and WHM Authentication Bypass – CVE-2026-41940
Summary
- **Scope**: CVE‑2026‑41940 is an authentication‑bypass flaw in all currently supported cPanel & WHM versions. It resides in the session handling code (Cpanel/Session.pm, Session/Load.pm, Session/Encoder.pm).
- **Root cause**: `saveSession` fails to strip CR / LF characters and only encrypts the `pass` field when a per‑session secret (``) is present. When the cookie omits the `` segment, the encoder is skipped, allowing a raw password containing `\r\n` to be written directly to the on‑disk session file. The injected line breaks create new top‑level entries (e.g., `hasroot=1`, `tfa_verified=1`, `cp_security_token=…`).
- **Exploitation**: An attacker can (1) trigger a pre‑auth session via a failed login, (2) resend the cookie without the `` part, and (3) send a Basic‑auth header whose password includes `\r\n` payload. The crafted session file is then used by cPanel to grant elevated privileges.
- **Patch**: Updated releases (110.0.x → 11.110.0.97, 118.0.x → 11.118.0.63, 126.0.x → 11.126.0.54, 132.0.x → 11.132.0.29, 134.0.x → 11.134.0.20, 136.0.x → 11.136.0.5) add a mandatory `filter_sessiondata` call inside `saveSession` and enforce `` validation.
- **Mitigation**: Upgrade to the patched versions immediately; apply network‑edge active‑defense rules to block malformed Basic‑auth headers and ensure session cookies include the `` component.
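The defect class here is CRLF injection into a line‑oriented store: a client‑controlled value that reaches the file unfiltered can terminate its own line and start new top‑level entries. The snippet below is an added illustration, not cPanel's code: it uses a constructed `key=value`‑per‑line toy format (cPanel's real session layout is not given on the page), shows the defective writer beside a writer that strips CR/LF from every field before serialization (a stand‑in for the mandatory filter step the patch adds; the function name `filter_session_fields` is this example's own), and reports which privileged keys the unfiltered path would let a client smuggle in.

```python
"""CRLF injection into a line-oriented session store: the defect beside the fix (added example)."""
import re

CR_LF = re.compile(r"[\r\n]+")
# Keys only the server may set; a client-supplied field must never be able to produce them.
PRIVILEGED_KEYS = {"hasroot", "tfa_verified", "cp_security_token"}


def serialize_unfiltered(fields: dict[str, str]) -> str:
    """Defective writer: trusts its values, so an embedded CR/LF begins a new record line."""
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def filter_session_fields(fields: dict[str, str]) -> dict[str, str]:
    """Strip CR/LF from every key and value before anything is written (this example's own filter)."""
    return {CR_LF.sub("", key): CR_LF.sub("", value) for key, value in fields.items()}


def serialize_filtered(fields: dict[str, str]) -> str:
    """Hardened writer: the filter is unconditional, not gated on any other cookie segment."""
    return serialize_unfiltered(filter_session_fields(fields))


def parse_session(text: str) -> dict[str, str]:
    """Reader for the toy format; a later duplicate key overrides an earlier one (assumption)."""
    session: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            session[key] = value
    return session


def injected_privileged_keys(fields: dict[str, str]) -> set[str]:
    """Privileged keys that appear after a round trip through the defective writer but not in the input."""
    smuggled = set(parse_session(serialize_unfiltered(fields))) - set(fields)
    return smuggled & PRIVILEGED_KEYS


# Constructed client-controlled input: a password field carrying line breaks.
SAMPLE_FIELDS = {
    "user": "alice",
    "pass": "hunter2\r\nhasroot=1\r\ntfa_verified=1",
}

if __name__ == "__main__":
    print("defective writer smuggles:", injected_privileged_keys(SAMPLE_FIELDS))
    print("hardened writer stores:", parse_session(serialize_filtered(SAMPLE_FIELDS)))
```

Two points carry over to any session code: the filter must run on every write path rather than only when some optional cookie segment is present, and rejecting a value that contains CR/LF (instead of silently stripping it, as done here) is the stricter choice when the field has no legitimate reason to contain line breaks.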
Read full article →
Community Discussion
The comments collectively emphasize the risks of custom‑written security components, urging reliance on established, widely‑audited solutions for session handling, authentication, and encryption. They criticize the cPanel vulnerability as an illustration of outdated or poorly maintained code, noting its broad impact on many sites, especially those using WordPress on cPanel. Concerns are raised about the difficulty of patching such flaws and the exposure of personal or homelab systems, leading to a call for stricter software standards and more rigorous update practices.
I built a Game Boy emulator in F#
Summary
A software engineer built “Fame Boy,” a functional‑style Game Boy emulator in F# to learn computer hardware. After completing a NAND‑to‑Tetris course and a CHIP‑8 emulator, he designed a core that interacts with desktop and web front‑ends via four simple elements: a 160×144 framebuffer, a 32 768 Hz ring audio buffer, a stepEmulator() function that executes one CPU instruction and returns cycles, and a getJoypadState callback. The Sharp LR35902 CPU is modeled with pure F# discriminated unions, reducing 512 opcodes to 58 typed instructions and preventing illegal states at compile time. Memory.fs provides the RAM and bus; IoController.fs abstracts hardware registers, while the stepper function sequentially runs CPU, timers, serial, APU (4× CPU cycles), and PPU (4× CPU cycles) to emulate the parallel hardware on a single thread. Mutability is used for performance‑critical arrays. Unit tests—generated with AI prompts—drive test‑driven development. The PPU renders whole scanlines instead of a pixel FIFO, simplifying implementation but missing timing‑sensitive effects. Joypad handling required read‑on‑demand updates to emulate the register’s dual‑read behavior. An APU was added later, with timing driven by frame rate rather than audio sampling, highlighting challenges in accurate audio emulation.
Read full article →
Community Discussion
The comments express strong enthusiasm for the F# emulator, praising the functional approach, the project’s educational value, and its inspirational effect on related ideas. Several contributors offer technical suggestions, such as using struct discriminated unions and simplifying byte setters, while others note performance limits and the dominance of C#‑centric libraries in the F# ecosystem. Interest in visual debugging tools, unique emulator features, and cross‑platform experiments is evident, alongside brief skepticism about AI involvement and occasional off‑topic remarks. Overall sentiment is positive and constructive.
Claude Code refuses requests or charges extra if your commits mention "OpenClaw"
Summary
The page displays a generic error notice indicating that an operation failed and advises the user to retry (“Something went wrong, but don’t fret — let’s give it another shot”). No additional context, instructions, or content is provided beyond this brief message. The only visual element referenced is a single image, identified solely by its alternative text, which consists of a warning emoji (⚠️). No further description, caption, or functional information about the image is included. Consequently, the page offers no substantive information, data, or technical details beyond the error prompt and the placeholder image reference.
Read full article →
Community Discussion
The comments convey widespread frustration with Anthropic’s recent handling of OpenClaw‑related requests, sudden usage limits, and opaque anti‑abuse measures that trigger unexpected billing. Users criticize the apparent reliance on simple keyword bans, inconsistent enforcement, and perceived leadership missteps, noting a loss of trust and growing interest in alternative providers such as OpenCode, DeepSeek and self‑hosted models. While a minority suggest separate pricing tiers or acknowledge capacity constraints, the dominant view is that the current approach is poorly communicated, harmful to customers, and prompting many to consider switching services.