HackerNews Digest

The post details a vulnerability in VS Code’s web‑based editor (github.dev) that lets an attacker steal a user’s GitHub OAuth token and obtain full repository access with a single click. GitHub Dev loads a lightweight VS Code instance in the browser, which receives an OAuth token via a POST request; the token is scoped to the user’s entire GitHub account, not just the opened repository. VS Code webviews are sandboxed in an iframe (origin vscode‑webview://) and communicate with the host window via window.postMessage. A default handler forwards all keydown events from the webview to the host, enabling the webview to simulate keyboard shortcuts. By injecting malicious JavaScript (e.g., via a markdown‑cell image onerror payload) an attacker can: 1. Trigger the “Notifications: Accept Notification Primary Action” shortcut (Ctrl‑Shift‑A) to approve a recommended‑extension notification. 2. Use a custom keybinding (Ctrl‑F1) defined in a local workspace extension to call workbench.extensions.installExtension with skipPublisherTrust enabled, installing a malicious extension that reads the OAuth token and queries https://api.github.com/user/repos. The exploit works on both github.dev and the desktop VS Code (requiring the victim to open a crafted notebook). Mitigation includes clearing site data for github.dev and avoiding use of the web interface; VS Code’s CSP and DOMPurify limit broader attack vectors. The author disclosed the issue to GitHub and VS Code on June 2 2026.

US missile stockpiles have fallen sharply since the Cuban Missile Crisis, with analysts warning that a Pacific conflict could exhaust munitions in days. The primary bottleneck is solid‑rocket motor (SRM) production, which depends on ammonium perchlorate (AP) as oxidizer. After the 1988 PEPCON explosion, US AP capacity contracted to a single plant (AMPAC, Utah); new facilities require >1 year for approval and up to a decade to build, making rapid scale‑up infeasible. SRM manufacture also faces strict DoD Hazard Class 1.3 safety regulations and a dwindling contractor base. Parallel material constraints include reliance on foreign rare‑earths, titanium sponge (Japan), and niobium (Brazil). Compared with China, Russia, and Iran—who employ both solid and liquid propellants—the US remains solid‑dominant. Liquid‑propulsion missiles offer throttling, higher specific impulse (300‑450 s vs ~250 s for solids), and production advantages because missiles can be assembled empty and fueled shortly before launch, enabling gigafactory‑style scaling. Developing an independent liquid‑propulsion supply chain is presented as the most viable path to restore a resilient national munitions stockpile.

A daemon (nbd‑vram) allocates NVIDIA GPU VRAM through the CUDA driver API and presents it as a block device via the kernel’s NBD driver, allowing the VRAM to be used as a Linux swap device (/dev/nbdX). The solution avoids the NVIDIA P2P API, which is restricted to Quadro/datacenter GPUs, by using cuMemcpyHtoD/DtoH for data transfer, requiring only libcuda.so.1 (no full CUDA toolkit). It runs on any consumer RTX/GTX card, Linux kernel 3.0+, and the built‑in nbd module; no custom kernel modules or NVIDIA kernel symbols are needed, so it survives driver and kernel updates. Typical configuration (e.g., RTX 3070 Laptop, 8 GiB VRAM) allocates up to 7 GiB for swap, placed ahead of zram and SSD swap (priority 1500). Overflow order: RAM → VRAM (PCIe, ~1.3 GB/s sequential throughput) → zram (CPU‑compressed) → SSD. The service installs via `install.sh`, starts automatically via systemd, and can be limited by battery state. Configuration variables (`VRAM_SETUP_SIZE_MB`, `VRAM_SWAP_PRIORITY`) are editable in `/etc/nbd-vram.conf`. The daemon backs off in 512 MiB steps if insufficient free VRAM remains.

The page presents a deliberately minimalist HTML site while satirically contrasting it with contemporary development trends. It argues that traditional clean‑code principles—lightweight assets, cross‑browser consistency, accessibility, semantic markup, and HTTPS—are now treated as historical artifacts. Modern practice, it claims, favors high complexity, large dependency trees, and massive bundles as signals of technical sophistication and investment potential. The author critiques the shift toward “agentic” pipelines that spin up numerous micro‑services, vector databases, and retrieval‑augmented generation (RAG) systems, intentionally consuming large token volumes to attract venture funding. Business logic is framed as token burning rather than profitability, with buzzwords such as “native” and “agentic” used to justify high compensation. Open‑source contribution processes are described as dominated by automated bots that indiscriminately merge or dismiss pull requests, rendering manual effort ineffective. The overall message is a cynical assessment of current web‑development economics and the devaluation of maintainable, accessible code.

MAI‑Code‑1‑Flash is a coding model optimized for real‑world developer workflows rather than benchmark‑only performance. It was trained using GitHub Copilot production data, enabling it to interact with surrounding tools and perform agentic coding tasks. The model incorporates adaptive solution‑length control, allowing concise responses for simple queries and deeper reasoning when needed, which reduces token consumption by up to 60 % and improves latency and cost. Evaluation on the production harness compared MAI‑Code‑1‑Flash with Claude Haiku 4.5 across SWE‑Bench Verified, SWE‑Bench Pro, SWE‑Bench Multilingual, and Terminal Bench 2. MAI‑Code‑1‑Flash achieved higher pass rates on all four benchmarks, including a 16‑point advantage on SWE‑Bench Pro (51.2 % vs 35.2 %). It also required fewer solution tokens, demonstrating that increased accuracy can be achieved without higher token usage. The reported results emphasize both improved quality and efficiency for developers using Copilot‑style environments.

The post analyzes why expanding sequence‑derived training data does not proportionally increase structural diversity for deep‑learning protein design. AlphaFold3’s scaling converts billions of metagenomic sequences into predicted 3D structures, but natural proteins reuse a limited set of folds. By filtering low‑confidence residues (pLDDT < 65), fragmenting confident regions, and applying recursive spectral bisection (Fiedler vector on a residue‑nearest‑neighbor graph) to split multi‑domain chains, the authors isolate compact structural units. Foldseek clustering of ~2 M MGnify fragments (≈30 % sequence identity) followed by a TM‑align audit (merge if min(tm_norm) ≥ 0.7) reduces the dataset to ~25 k distinct structural neighborhoods; 71.5 % of fragments reside in the top 1 000 clusters. Uniform cluster sampling over‑represents common folds, while uniform fragment sampling repeatedly revisits them. A reweighting exponent γ (≈0.5) balances natural abundance against fold diversity. The findings suggest that enzyme‑design models will see diminishing returns from merely adding more natural sequences and must address the inherent redundancy of protein fold space.

The article traces the engineering evolution of disposable beverage containers, emphasizing how extensive design, materials science, and manufacturing infrastructure underlie even the simplest plastic bottles. Early bottling used glass (e.g., Coca‑Cola 1899, Pellegrino 1900) before synthetic plastics emerged; Coca‑Cola’s 1975 acrylonitrile‑copolymer “Easy‑Goer” failed due to leaching and FDA ban in 1977. DuPont’s development of polyethylene terephthalate (PET) enabled lightweight, transparent, food‑safe bottles, with injection stretch blow molding (ISBM) forming preforms that are heated, stretched, and blown to align polymer chains for strength and clarity. PET bottle walls thinned from ~0.3‑0.4 mm (early 2‑L soda bottles) to ~0.2 mm for water, cutting mass by up to 50 % and allowing designs such as petaloid bases that eliminate glued bottoms. Major brands (Aquafina, Dasani, Smartwater) drove cost‑engineering, while companies like Niagara Bottling claim 60 % plastic reduction since the late 1990s. Despite recyclability, PET bottles often become mixed waste, highlighting ongoing challenges in post‑consumer handling.

None

Capstone is a lightweight, multi‑platform disassembly framework written in pure C and released under the BSD license. It supports a wide range of architectures—including ARM/ARM64, x86 (16/32/64), MIPS, PowerPC, RISC‑V, WebAssembly, SPARC, SystemZ, and many legacy CPUs—through a single, architecture‑neutral API that returns detailed instruction information and implicit register semantics. The library is thread‑safe, suitable for embedding in firmware or OS kernels, and offers bindings for D, Clojure, F#, Common Lisp, VB, PHP, PowerShell, Haskell, Perl, Python, Ruby, C#, Node.js, Java, Go, C++, OCaml, Lua, Rust, Delphi, Free Pascal, and Vala. Recent releases (2025‑2026) focus on security patches, ISA extensions, and performance improvements: - **6.0.0‑Alpha9** – fixes GHSA‑5m9f‑vqcm‑g5pr and GHSA‑jrw4‑wj52‑2vw8, adds pre‑release header. - **6.0.0‑Alpha8** – adds ColdFire ISA, expands M680X, refines RISC‑V details, speeds x86 decoding, introduces x86 MOVSXD. - **5.0.9** – corrects CS_VERSION_EXTRA, backports CVE fixes. - **5.0.8** – x86 speedups, RTLD_DEEPBIND for Python, MOVSXD support. - **6.0.0‑Alpha7** – major RISC‑V update, 32‑bit build support, consistent CS_ERR_MEM, x86‑64 segment‑override fixes. - **5.0.7** – CMake build fixes, CVE‑2025‑68114/67873 patches. - **6.0.0‑Alpha6** – improved x86 register semantics, cross‑build, M68K handling, Alpha immediates, PIC static libs, CVE remediation. - **6.0.0‑Alpha5** – SPARC module to LLVM 18, Apple‑specific AArch64 instructions, ABI3 Python wheels, decoder/detail fixes.

A Stanford Law School study directed by Professor Julian Nyarko evaluated whether large language models (LLMs) can serve as tutors for contract‑law questions. Sixteen law professors from U.S. schools generated 40 representative questions, wrote answers, and then blind‑rated AI‑generated responses versus peer answers across nearly 3,000 anonymized pairings. AI responses were preferred in 75 % of head‑to‑head comparisons, and only 3.5 % of AI answers were flagged as pedagogically harmful versus 12 % for human answers. The study calibrated AI output to match length and structure of human replies and included several models, such as commercial tutoring systems and Google’s Notebook LM, which all performed comparably to the top human instructor. Researchers conclude that AI can provide high‑quality, on‑demand support in judgment‑rich fields like law, though they caution that optimal implementation and safeguards remain open questions. The work was conducted through Stanford’s Legal Innovation through Frontier Technology Lab (liftlab), which aims to expand access to advanced legal services via AI.