HackerNews Digest

George Orwell recounts his early literary development, noting childhood loneliness, imaginary storytelling, and modest school writing, while maintaining a mental “story” of daily observations that persisted until his mid‑twenties. He identifies four primary motives for prose: (i) sheer egoism—desire for cleverness, recognition, and revenge on childhood neglect; (ii) aesthetic enthusiasm—the pleasure of beauty, sound, and style; (iii) historical impulse—to record facts for posterity; and (iv) political purpose—to influence society. Orwell argues these motives compete and shift with circumstances; his own balance favored the first three until the rise of totalitarianism (Hitler, Spanish Civil War) amplified the political drive. He stresses that serious work since 1936 opposes totalitarianism, aiming to make political writing an art. Examples include *Homage to Catalonia*, where he inserted factual but contentious material, and *Animal Farm*, an attempt to fuse political and artistic aims. He acknowledges the exhausting, ego‑driven nature of writing and the need to subdue personal vanity to achieve effective prose.

None

Bitwarden’s open‑source CLI (npm package @bitwarden/cli 2026.4.0) was compromised in the ongoing Checkmarx supply‑chain campaign. Attackers injected a malicious file bw1.js into the package via a hijacked GitHub Actions workflow, reusing the same C2 endpoint https://audit.checkmarx.cx/v1/telemetry (obfuscated with a decode routine seeded 0x3039). The payload contains a gzip‑base64‑encoded Python memory‑scraper for GitHub Actions runners, a setup.mjs loader for republished npm packages, a malicious workflow YAML, hard‑coded RSA keys, and an ideological manifesto. It harvests GitHub tokens, AWS/Azure/GCP credentials, npm tokens, SSH keys, and environment variables, exfiltrating data through the GitHub API, npm registry republishing, and the C2 server. Additional behaviors include a lock file /tmp/tmp.987654321.lock, persistence via ~/.bashrc and ~/.zshrc, a Russian‑locale kill switch, and execution with Bun v1.3.13. Recommendations: remove the compromised package, rotate all exposed credentials, audit GitHub for unauthorized repositories, workflows, and Dune‑themed naming patterns, and monitor for outbound connections to audit.checkmarx.cx and IP 94.154.172.43. Harden token scopes and CI/CD permissions to limit future supply‑chain impact.

The document provides a basic example for making a chat completion request to the DeepSeek API using the OpenAI Python client. It initializes the client with an API key retrieved from the `DEEPSEEK_API_KEY` environment variable and sets the base URL to `https://api.deepseek.com`. The request calls the `deepseek-v4-pro` model, sending a system prompt (“You are a helpful assistant”) and a user message (“Hello”). Parameters include `stream=False`, `reasoning_effort="high"`, and an `extra_body` payload enabling a “thinking” mode (`{"thinking":{"type":"enabled"}}`). The response’s content is printed from `response.choices[0].message.content`. The page also displays two images: the DeepSeek API Docs logo and a WeChat QR code.

Tolaria is a macOS desktop application for managing markdown‑based knowledge bases. Notes are stored as plain markdown files with optional YAML front‑matter, allowing portability and compatibility with any editor. Each vault is a Git repository, providing full version history, remote sync options, and complete offline operation without accounts, subscriptions, or cloud services. The app is open‑source (AGPL‑3.0‑or‑later) and built with Tauri, React, and TypeScript; development requires Node.js 20+, pnpm 8+, Rust stable, and macOS. Key design principles include: - Files‑first storage and Git‑first version control. - Standards‑based data format (markdown/YAML) with no proprietary lock‑in. - Types act as navigation lenses rather than enforced schemas. - Keyboard‑centric UI for power users. - Compatibility with AI agents (supports Claude Code and Codex CLI) via an AGENTS file. Tolaria supports a “getting started” vault for onboarding, and contributors can run a browser‑based mock at http://localhost:5173 or launch the native app. Security issues should be reported privately per SECURITY.md. The project’s name and logo are protected by a trademark policy.

None

The MeshCore team has released over 85 firmware versions for more than 75 hardware variants since its launch in January 2025. A dispute arose when a team member, Andy Kirby, extensively used AI‑generated code (Claude) to rewrite core components and secretly applied for the MeshCore trademark, claiming ownership of the brand and creating a separate “MeshOS” line. The team disputes his claim, stating the official source is the GitHub repository, which Kirby has never contributed to, and noting his control of meshcore.co.uk and the original Discord server. In response, the core developers launched a new site (meshhcore.io) and Discord, publishing change logs, documentation, and firmware updates there. The project reports 38 000+ nodes worldwide and over 100 000 active app users. Key contributors include Scott (founder, firmware lead), Recro (map developer), Liam (app developer), FDLamotte (Python tools, STM32 firmware), and Oltaco (OTA bootloader). The team emphasizes human‑written software and invites community engagement through the new platform.

The author, a co‑founder of a successful startup, is launching exe.dev to address fundamental shortcomings of current public clouds. Key criticisms include: - **VM abstraction** tied to fixed CPU/memory limits, requiring nested virtualization or gVisor for isolation. - **Remote block storage** optimized for HDD latency, now a bottleneck with SSDs (IOPS orders of magnitude lower than local NVMe). - **Network egress costs** that make moderate‑scale usage uneconomical. - **Complex, vendor‑specific APIs** and the inability of higher‑level tools like Kubernetes to fully mitigate these issues. Exe.dev’s approach supplies raw CPU and memory resources, allowing users to run arbitrary VMs with local NVMe disks whose blocks are asynchronously replicated. An any‑cast network, TLS, and authentication proxies provide secure, low‑latency entry points. The service also plans incremental features such as static IPs and automated snapshot history. The motivation is a personal preference for computers and the anticipated surge in software creation driven by AI agents, which will demand more affordable, manageable compute infrastructure.

TorchTPU enables native PyTorch execution on Google’s Tensor Processing Units (TPUs) with a focus on usability, portability, and performance. The stack integrates via PyTorch’s PrivateUse1 interface, offering three eager modes—Debug (synchronous, per‑op), Strict (asynchronous, per‑op), and Fused (dynamic operation fusion)—which improve TensorCore utilization and can double throughput compared to Strict mode. A shared compilation cache reduces repeated compile time across hosts. For static graph compilation, TorchTPU leverages torch.compile, captures FX graphs with Dynamo, and compiles them with XLA using StableHLO IR, bypassing Inductor. Custom kernels can be written in Pallas or JAX via @torch_tpu.pallas.custom_jax_kernel, with future Helion support. Distributed training supports DDP, FSDPv2, and DTensor, handling both SPMD and divergent MPMD workloads while preserving XLA’s communication/computation overlap. TorchTPU also provides hardware‑aware guidance (e.g., optimal attention head sizes) and plans for 2026 include reducing recompilation for dynamic shapes, a public GitHub repo, expanded custom‑kernel DSLs, multi‑queue execution, and deeper ecosystem integrations.

Claude Code quality regressions reported in March‑April 2024 stemmed from three distinct changes, all fixed by April 20 (v2.1.116): * **Default reasoning effort** – On Mar 4 the default effort was lowered from high to medium to cut long UI latency. Users perceived reduced intelligence, so the default was reverted to high on Apr 7 (high for Opus 4.7, high for other models). * **Caching/clear‑thinking bug** – A Mar 26 optimization cleared prior reasoning after an hour of inactivity, but a bug applied the clear on every subsequent turn, causing loss of context, forgetfulness, repetitive output, and higher token usage. Fixed on Apr 10 (v2.1.101). * **System‑prompt verbosity limit** – An Apr 16 prompt instruction to keep intermediate text ≤25 words and final responses ≤100 words degraded coding quality for Sonnet 4.6, Opus 4.6/4.7. Reverted on Apr 20. The API and inference layers were unaffected. Going forward, Anthropic will use public builds for testing, tighten prompt‑change controls, expand eval suites, and employ gradual rollouts to prevent similar issues. Usage limits were reset for all subscribers on Apr 23.