HackerNews Digest

May 12, 2026

Postmortem: TanStack npm supply-chain compromise

On 2026‑05‑11, an attacker compromised TanStack’s npm supply chain by publishing 84 malicious versions across 42 @tanstack/* packages. The exploit chained three weaknesses: a pull_request_target “pwn request” pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner. The malicious tarballs contained an obfuscated router_init.js (≈2.3 MB) that, during npm install’s prepare lifecycle, harvested credentials (AWS, GCP, Kubernetes, Vault, ~/.npmrc, GitHub tokens, SSH keys) and exfiltrated them via encrypted sessions to filev2.getsession.org. It also self‑propagated by republishing other packages maintained by the victim. No npm tokens were stolen and the publish workflow itself was not compromised, but any host that installed an affected version on the attack day should rotate all reachable credentials. An external researcher detected the compromise within 20 minutes; all malicious versions were deprecated and npm security is pulling the tarballs. The incident highlights the dangers of pull_request_target workflows, unguarded actions/cache usage, and OIDC token exposure in CI pipelines.
Overall comments express concern over npm supply chain compromise via malicious packages and CI pipeline attacks, criticize npm’s unpublish policy, and call for stronger safeguards such as two‑factor publishing, dependency cooldowns, disabling lifecycle scripts, and isolated build environments. There is consensus that the current npm ecosystem is vulnerable and that additional security measures or alternative package managers are needed, while some voice frustration and contemplate abandoning JavaScript. Opinions differ on responsibility, with blame directed at GitHub/NPM and focus on mitigation strategies.

Claude Platform on AWS

The Claude Platform on AWS offers native Claude API features and includes the Claude Console for development, featuring a prompt improver, generator, and evaluation tools. Available models are Claude Opus 4.7, Sonnet 4.6, and Haiku 4.5, with future releases added automatically. Two deployment options exist:

- **Claude Platform on AWS** – Anthropic runs the service; data is processed outside AWS. Suitable for organizations seeking the full Claude Platform experience.
- **Claude on Amazon Bedrock** – AWS processes data within its infrastructure, meeting strict regional residency or exclusive‑AWS processing requirements.

The platform is currently live; users can begin via the Claude Platform on AWS site or documentation. Existing Bedrock private‑offer customers must coordinate with their Anthropic or AWS account executive to apply discounts, which cannot be retroactively applied.
The comments show widespread confusion over the distinction between the new Claude‑on‑AWS offering and the existing Bedrock integration, with many users uncertain about where data is processed and what benefits it provides. Several participants note possible convenience for billing and infrastructure automation, while others question any real technical advantage and express skepticism about the product’s purpose and clarity. Concerns about data residency, latency, and operational risk appear alongside cautious interest in tighter AWS‑centric management, resulting in a mixed but predominantly uncertain overall sentiment.

If AI writes your code, why use Python?

The comments split between favoring Python for its extensive training data, mature AI/ML libraries, and readability, and preferring compiled languages such as Rust, Go, or C# for stronger type safety, performance, and compile‑time error detection. Many stress using the language already known to stay in control of AI‑generated code, while some note AI lowers the barrier to learning new syntaxes. Security concerns about automatic dependency installation lead to sandboxing in containers. Overall, consensus is that language choice should balance ecosystem support, correctness, familiarity, and project needs rather than assume a single optimal language.

UCLA discovers first stroke rehabilitation drug to repair brain damage (2025)

UCLA Health researchers reported in *Nature Communications* that they identified a drug that mimics the effects of physical stroke rehabilitation in mouse models. By comparing stroke patients and mice, they found that stroke disrupts remote brain connections, especially loss of parvalbumin interneurons that generate gamma oscillations essential for coordinated motor networks. Physical rehabilitation restores these oscillations and repairs parvalbumin‑mediated synapses. The team screened two compounds designed to excite parvalbumin neurons; one, DDL‑920 (developed in the UCLA laboratory of Varghese John), produced significant improvements in movement control in post‑stroke mice. The study establishes (1) a neural substrate—gamma‑oscillation circuitry—underlying rehabilitation benefits, and (2) a pharmacologic target within this circuit. Further preclinical work is required to assess DDL‑920’s safety and efficacy before human trials can be pursued.
The discussion centers on a new UCLA study aiming to restore post‑stroke function by inducing gamma‑oscillation activity, either pharmacologically or via stimulation. Commenters express cautious optimism about its potential to complement or replace intensive rehabilitation, noting possible extensions to other neurodegenerative conditions. Skepticism appears regarding hype, citation‑driven publicity, and the feasibility of translating mouse results to humans, while questions arise about alternative methods such as non‑invasive brain stimulation, exoskeletons, and supplements that might promote neurogenesis. Overall sentiment balances enthusiasm for a promising approach with critical scrutiny of its claims and applicability.

They Live (1988) inspired Adblocker

A fork of uBlock Origin Lite replaces cosmetically‑blocked ads with white tiles displaying random slogans from John Carpenter’s *They Live* (e.g., “OBEY”, “CONSUME”, “DO NOT QUESTION AUTHORITY”). The extension injects a ::after overlay sourced from a data‑ubol‑they‑live attribute, using a MutationObserver to tag newly loaded ads. Network‑blocked ads remain empty, as only cosmetic‑filtered elements are altered.

**Installation & build**

- Download the pre‑built uBOLite_theylive.chromium.zip or build from source (requires Node ≥ 22).
- Clone the repo recursively, run tools/make‑mv3.sh for the target browser (Chromium, Firefox, Edge, Safari).
- Load the generated uBlock/dist/build/uBOLite.chromium folder as an unpacked extension.

**Usage**

- Set uBO Lite filtering mode to Optimal or Complete via the dashboard to enable the “OBEY” tiles.

**Limitations**

- Only cosmetic filters are affected; custom cosmetic rules hide ads normally.
- Re‑exposing previously hidden elements may shift page layout.

The project is a personal hobby fork, GPL‑3.0 licensed, and not an official uBlock Origin release.
The comments convey strong positive nostalgia for the film, describing it as a formative influence that encouraged skepticism toward fads, peer pressure, and authority while prompting later interest in philosophical ideas. Viewers recommend it for younger audiences despite potential scariness, noting it could foster mental resilience. There is enthusiasm for adapting the work to modern platforms such as Apple Vision Pro, with suggestions on visual style and willingness to invest financially, reflecting overall appreciation and interest in broader accessibility.

Software Internals Book Club

A global email book club focuses on high‑caliber software engineering texts, especially in databases, distributed systems, and performance. With over 2,500 members—including undergraduates, graduate students, early‑career and senior developers, founders, and others—each session attracts 300‑800 participants. The current reading is *Operating Systems: Three Easy Pieces*. Discussions occur solely via a Google Group: each week a designated leader posts a brief recap or questions about a chapter, and members reply asynchronously. Leaders are recruited for each book, with an emphasis on diverse, experienced facilitators. Book selection targets works of 350‑550 pages, specific to a software topic rather than general philosophy, and readable within roughly three months (1‑2 chapters per week). The club invites suggestions for future titles and welcomes feedback via email or Twitter.
The feedback indicates a desire for a newer edition of the book, noting that while it addressed HTTP/2 and related TCP topics, it lacks coverage of HTTP/3. Readers perceive the existing material as outdated regarding recent protocol developments and would appreciate updates that incorporate newer standards and technologies. The discussion also highlights that many of the issues examined in the current text revolve around TCP fundamentals, which some consider less relevant in the context of evolving web protocols.

Show HN: A modern Music Player Daemon based on Rockbox firmware

Rockbox Zig is a modern music‑player daemon built on the Rockbox audio engine and written with Rust and Zig. It provides gapless playback, DSP, 20+ codecs and a tag database via gRPC, GraphQL, HTTP and MPD APIs, and adds multi‑room output options such as AirPlay, Snapcast, Squeezelite, Chromecast and UPnP/DLNA. A quick start is available through Docker (mount $HOME/Music, expose ports 6062, 1704‑1705, 1780). Configuration resides in ~/.config/rockbox.org/settings.toml, where music_dir and audio_output are required; other parameters control EQ, replaygain, crossfade, compressor, etc. Audio outputs include builtin CPAL, snapcast (TCP with mDNS auto‑discovery or FIFO), airplay (single or multi‑receiver), squeezelite (Slim protocol), chromecast (Cast + HTTP WAV), and UPnP modes (PCM sink, media server, media renderer). Installation options are Docker, native packages (apt, yum, brew), a universal curl script, or building from source (requires Zig ≥ 0.16, Rust stable, and various dev libraries). Building compiles the C firmware to libfirmware.a, links with Rust static libs (librockbox_cli.a, librockbox_server.a) and CPAL via Zig, producing a single rockboxd binary. Documentation, API references and a GTK4 desktop app (Flatpak) are provided.
The comments convey a uniformly positive view of Rockbox, highlighting its well‑designed interface and strong performance as notable strengths. Contributors express personal affinity for the project, emphasizing its ongoing relevance and the satisfaction of seeing their own early code incorporated. Overall, the sentiment reflects enthusiasm for the software’s continued development and appreciation for its refined user experience.

A lost ancient script reveals how writing as we know it began

Proto‑Elamite, an early script from the Iranian plateau, appears on clay tablets dated ≈ 5200 – 5000 years ago, roughly contemporaneous with Egyptian hieroglyphs and Mesopotamian proto‑cuneiform. The signs are mostly abstract and written right‑to‑left, contrasting with the pictographic nature of proto‑cuneiform. Numbers are well understood, showing distinct counting systems (decimal for laborers and livestock, sexagesimal for high‑status individuals). Non‑numerical signs number in the hundreds to low‑thousands; recent digitisation of ~1700 tablets and computational analyses have identified recurring sign clusters and internal “grammar,” suggesting a degree of standardisation. Some researchers propose that a subset of ~100 signs functioned as a syllabary, potentially making Proto‑Elamite the world’s first true writing system that encoded speech, predating similar developments in Egypt and Mesopotamia by centuries. Two scenarios compete: (1) continuity into Linear Elamite—partly deciphered as a syllabic script—or (2) a sudden abandonment of writing, leaving an ~800‑year gap in the archaeological record. The script’s limited corpus, absence of teaching texts, and apparent elite resistance contrast with the extensive scribal traditions of neighboring societies, yet Iranians later achieved significant regional power despite low literacy.
The discussion centers on the uncertain origins of writing, using the 1986‑found La Mojarra stele as primary evidence for a sophisticated, non‑Maya script that implies a long‑standing literary tradition. It highlights the stele’s dates, compares Mesoamerican scripts to related alphabets, and questions whether they share a common ancestor. The commentary also links the abrupt disappearance of such scripts to broader patterns of state‑citizen negotiations, citing recent scholarship that frames script loss as a response to overreaching governmental control. Overall, the tone is analytical and speculative without definitive conclusions.

I let AI build a tool to help me figure out what was waking me up at night

A personal smart‑home system was built to identify noises that wake the author in a noisy city. The setup adds two inexpensive USB microphones (one indoor, one outdoor) to a Raspberry Pi that records continuously into a rolling memory buffer, only writing clips when a volume threshold is crossed. Recording is gated by Home Assistant, which enables the Pi when the user is at home, in bed, and during usual sleep hours. Audio clips are timestamped, compressed, and served via a lightweight web server. A Progressive Web App synchronizes these clips with sleep stage, heart‑rate, HRV, and other sensor data pulled from the Garmin Connect API, displaying each source as a track similar to a DAW; wake‑stage transitions are highlighted for quick review. AI tools generated most of the code, performed SSH‑based testing on the Pi, and created the Home Assistant integration, enabling an 8‑hour weekend build. Data revealed common culprits—door slams, dishes, street traffic—leading to acoustic panels, door/window insulation, and brief conversations as fixes. The project demonstrates that AI‑assisted development can quickly turn raw sensor streams into actionable insights for personal quality‑of‑life problems.
Comments emphasize that nighttime noise, CO₂ levels, and inaccurate sleep‑tracking devices commonly disrupt sleep, with many recommending straightforward remedies such as earplugs, white‑noise fans, improved ventilation, or simple audio recordings rather than elaborate AI‑driven analysis. Several contributors note that personal observations often reveal subtle awakenings or breathing changes despite lack of memory, and that trust in smartwatch data is low. Skepticism about the project’s complexity appears alongside acknowledgement that basic hardware or manual methods could achieve similar results with less effort. Overall, practical, low‑tech fixes are favored.

Fake building: Claude wrote 3k lines instead of import pywikibot

The author used Claude Opus 4.7 to create a typo‑fixing script for Fandom wikis. Instead of installing existing libraries, Claude generated ~3,000 lines of custom Python that reimplemented the functionality of pywikibot, mwparserfromhell, and Wikipedia’s RETF ruleset. The hand‑rolled code required extensive debugging of regex‑based stripping, handling of ASCII art, and tokenization errors, yet Claude never suggested using the available libraries. After the author provided links, the codebase was reduced to 1,259 lines by making the stripper a thin wrapper over mwparserfromhell and consolidating edit runners into a shim over pywikibot; RETF rules were fetched at runtime. Claude then argued to retain a custom typo dictionary despite all entries already existing in RETF, indicating a tendency to preserve generated code. The author attributes this behavior to benchmark constraints that penalize external dependencies, leading models to treat self‑written code as load‑bearing and to exhibit sunk‑cost defenses. Similar patterns have been observed with Claude generating custom SVG instead of using charting libraries.
The comments convey a mixed but pragmatic view of using Claude for code generation. Contributors note that the model often defaults to building from first principles, overlooking existing libraries, which leads to excessive custom code. They stress that explicit prompts, project‑level rules, or a “constitution” guiding dependency usage markedly improve outcomes, and that human oversight in architectural decisions remains essential. Skepticism about LLMs persists, yet many see the issue as stemming from insufficient prompting rather than inherent model flaws. Overall, clear guidance and deliberate constraints are regarded as key to better results.