HackerNews Digest

March 31, 2026

Universal Claude.md – cut Claude output tokens by 63%

The repository provides a single CLAUDE.md file that, when placed in a project root, instructs Claude models to suppress default verbosity—removing greetings, restating questions, unnecessary suggestions, smart quotes, and other formatting noise. Benchmarks on Claude (not statistically controlled) show roughly a 63 % reduction in output tokens, e.g., a 384‑token saving across four prompts, with the same factual content preserved. Net token savings occur only in high‑output scenarios because the file itself adds input tokens to each request. It is most beneficial for automation pipelines, repeated structured tasks, and persistent sessions; it is less useful for short queries, casual use, or tasks requiring deep reasoning or guaranteed parseable output (where JSON or tool schemas are preferred). The file can be layered (global ~/.claude/CLAUDE.md, project‑level, subdirectory) to keep rules scoped. Community members can submit rule fixes via GitHub issues; contributions are merged under an MIT license. Installation options include direct curl, cloning the repo, or copying the file.
Read full article →
The comments show a mixed view of Claude’s coding agents, balancing appreciation for its generally concise, useful output against frustration with perceived verbosity, unnecessary reasoning, and token waste in agentic loops. Users highlight a lack of benchmark data for token‑efficient behavior, discuss external tools for context compression, and compare Claude’s output style unfavorably to more chatty models. Concerns recur about error‑prone self‑healing code, problematic Unicode handling, and the risk that aggressive prompt tweaks could degrade capability, while some remain satisfied with a near‑vanilla setup.
Read all comments →

Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan

StepSecurity discovered two compromised axios releases (axios@1.14.1 and axios@0.30.4) published on 31 Mar 2026 using a hijacked maintainer account (jasonsaayman → [email protected]). The attacker added a malicious dependency, plain-crypto-js@4.2.1, which contains a postinstall script (setup.js) that drops a cross‑platform remote‑access trojan (RAT). The trojan contacts the C2 server sfrclak.com:8000/6202033 and delivers platform‑specific payloads: an AppleScript‑based binary on macOS (saved to /Library/Caches/com.apple.act.mond), a PowerShell script on Windows (saved to %PROGRAMDATA%\wt.exe) and a Python script on Linux (saved to /tmp/ld.py). After execution the dropper self‑deletes, replaces its package.json with a clean stub, and removes its own files to evade detection.

**Indicators of compromise**

- Malicious package shasums: axios@1.14.1 (2553649f…), axios@0.30.4 (d6f3f62…), plain-crypto-js@4.2.1 (07d889e2…).
- Network: C2 domain sfrclak.com (IP 142.11.206.73).
- Files: /Library/Caches/com.apple.act.mond, %PROGRAMDATA%\wt.exe, /tmp/ld.py.

**Remediation**

- Downgrade to safe versions (axios@1.14.0 or axios@0.30.3).
- Remove plain-crypto-js, reinstall with --ignore-scripts, and add overrides/resolutions to lock versions.
- Rotate all secrets, block C2 traffic, and treat affected systems as fully compromised.
Read full article →
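The remediation above amounts to "find out whether the compromised releases are in your lockfile, pin the safe ones, and look at anything that runs an install script". The Node script below is an added example, not StepSecurity's or the axios project's code: it walks a package-lock.json (both the flat lockfileVersion 2/3 `packages` map and the nested lockfileVersion 1 `dependencies` tree), flags the versions the advisory names, emits the `overrides` block to pin the safe axios release, and lists every package the lockfile marks as having an install script. The version numbers come from the advisory; the sample lockfile at the bottom is constructed for the stand-alone run.

```javascript
// Added example (not StepSecurity's or the axios project's code): audit an npm
// package-lock.json for the compromised releases named in the advisory and
// emit the "overrides" block that pins the safe versions.
"use strict";

// Release versions the advisory names as compromised.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Safe version to pin for a compromised axios install (per the advisory).
// plain-crypto-js is removed rather than pinned, so it gets no override.
function safePin(name, version) {
  if (name !== "axios") return null;
  return version.startsWith("0.") ? "0.30.3" : "1.14.0";
}

// Flatten both lockfile layouts into [{ name, version, path, hasInstallScript }]:
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path,
// lockfileVersion 1 keeps a nested "dependencies" tree.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf("node_modules/");
      if (idx < 0) continue; // "" is the root project; other such keys are workspaces
      const name = key.slice(idx + "node_modules/".length);
      out.push({ name, version: meta.version, path: key, hasInstallScript: !!meta.hasInstallScript });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ name, version: meta.version, path, hasInstallScript: false });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Returns the compromised installs found, the overrides to add to package.json,
// and every package that runs an install script (the RAT was delivered by a
// postinstall hook, so these deserve a look before reinstalling without
// --ignore-scripts).
function audit(lock) {
  const installed = listInstalled(lock);
  const findings = installed.filter(
    (p) => COMPROMISED[p.name] !== undefined && COMPROMISED[p.name].has(p.version)
  );
  const overrides = {};
  for (const f of findings) {
    const pin = safePin(f.name, f.version);
    if (pin) overrides[f.name] = pin;
  }
  const installScripts = installed.filter((p) => p.hasInstallScript).map((p) => p.path);
  return { findings, overrides, installScripts };
}

// Constructed sample lockfile (lockfileVersion 3) showing what a hit looks like.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Stand-alone use: `node audit-lock.js [path/to/package-lock.json]`; with no
// argument the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const result = audit(lock);
  for (const f of result.findings) console.log(`COMPROMISED ${f.name}@${f.version} at ${f.path}`);
  console.log("overrides to add to package.json:", JSON.stringify({ overrides: result.overrides }, null, 2));
  console.log("packages with install scripts:", result.installScripts);
}
```

The `overrides` object is npm's field; Yarn users would write the equivalent under `resolutions`. After adding the pin, remove the installed tree and reinstall with `--ignore-scripts` so nothing from the old install gets a chance to run again.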
The comments express strong concern about the security of package managers, highlighting a recent incident where compromised credentials were used to publish malicious versions of a popular library. Users question the effectiveness of existing safeguards such as two‑factor authentication, suggest longer update windows to mitigate risk, and note growing mistrust of npm and similar ecosystems. Some indicate a preference for alternative languages they perceive as better protected, reflecting broader anxiety about supply‑chain vulnerabilities.
Read all comments →

Fedware: Government apps that spy harder than the apps they ban

The article documents extensive data‑collection practices in dozens of U.S. federal agency Android apps, coining the term “Fedware.” It notes that the White House app (v 47.0.1) requests precise GPS, biometric fingerprint, storage modification, auto‑start, overlay, Wi‑Fi, and badge‑notification access, and embeds three trackers, including Huawei Mobile Services Core. Similar over‑permissions are found in other apps: the FBI’s myFBI Dashboard requests 12 permissions and includes four trackers (one from Google AdMob); FEMA’s app requests 28 permissions; IRS2Go has three trackers and ten permissions; and TSA’s MyTSA uses nine permissions with location access. Border‑control apps (CBP Mobile Passport Control, CBP One, Mobile Fortify) request numerous “dangerous” permissions, retain facial‑recognition data for up to 75 years, and share it across DHS, ICE, and the FBI. ICE’s SmartLINK, built by a GEO Group subsidiary, collects geolocation, facial images, voice prints, medical data, and contacts, granting unlimited data‑use rights. The government also purchases bulk location data from brokers such as Venntel, circumventing the Carpenter warrant requirement. A 2023 GAO report found that about 60 % of privacy and security recommendations issued since 2010 remain unimplemented, highlighting systemic oversight gaps.
Read full article →
The comments express strong criticism of federal mobile apps, focusing on excessive data collection, inclusion of sanctioned Chinese SDKs, and perceived government incompetence. Many highlight privacy risks, call for limiting or removing these apps, and argue that web alternatives would suffice for basic information delivery. Some acknowledge limited justification for specific functions, such as location in emergency apps, while others complain about the site’s distracting animations and the onerous personal‑information requirements of services like PACER. Overall, the tone is skeptical and wary of governmental digital surveillance.
Read all comments →

Do your own writing

The text argues that relying on large language models (LLMs) to draft documents, essays, or specifications sacrifices critical thinking and credibility. Writing is framed as a process of posing a question, structuring understanding, and enhancing personal capability—analogous to exercise that strengthens mental faculties. Using an LLM to produce content bypasses this reflective work, diminishing both the writer’s comprehension and the trust others place in them. The author warns that LLM‑generated prose can signal superficial engagement, potentially undermining leadership credibility. While LLMs have legitimate roles—research assistance, fact‑checking, quick transcription, and idea generation—they should not replace the core act of writing. Effective use involves leveraging LLMs for peripheral tasks while maintaining personal responsibility for analysis, synthesis, and articulation, thereby ensuring that efficiency gains are matched by an increase in thoughtful reasoning.
Read full article →
Comments emphasize that writing functions as a critical thinking tool, and many see AI as useful for automating repetitive, boilerplate tasks such as code scaffolding, release‑note drafting, or transcription, while warning against letting LLMs replace the core creative or analytical work that solidifies understanding. Respondents note that AI‑generated prose often lacks nuance, can promote homogenized viewpoints, and may diminish personal accountability and deep comprehension. The consensus favors using LLMs as augmentative aides—editing, grammar checks, and low‑value content creation—while preserving human‑driven writing for idea formation, learning, and artistic expression.
Read all comments →

Android Developer Verification

Android developer verification is being rolled out to all developers via the Android Developer Console and Play Console to add a security layer against malware, especially from sideloaded sources. Key points:

- Developers distributing outside Google Play can create an account now; Play Console users should check for upcoming updates. Verified developers will have their apps automatically registered; otherwise a manual claim process applies.
- User download experience remains unchanged until September 2026, when enforcement begins in Brazil, Indonesia, Singapore, and Thailand, expanding globally in 2027. Unregistered apps will require ADB or an advanced sideloading flow.
- Integration enhancements: Android Studio will display app registration status during signed bundle/APK generation; Play Console will show per‑app status.
- Special provisions: a free “limited distribution” account (no government ID) for students/hobbyists to share with up to 20 devices (early access June 2026). Power users retain the choice to install from any source.
- Timeline: Android Developer Verifier appears in system settings April 2026; registration deadline September 30 2026; global rollout in 2027.
Read full article →
The discussion centers on widespread frustration with Google’s new Android Developer Verification system, which many see as an overly burdensome, slow, and intrusive process that threatens open‑source app stores and sideloaded software. Commenters argue it undermines user autonomy, imposes costly identity checks, and could disadvantage developers and users in restricted regions, while a minority point to potential security gains against malicious apps. Overall sentiment is largely negative, calling for alternatives such as custom ROMs, Linux‑based phones, or regulatory intervention, with limited support for the verification’s purported safety benefits.
Read all comments →

Artemis II is not safe to fly

Artemis II will be the first crewed flight of Orion and the second launch of the SLS. Post‑flight analysis of Artemis I revealed severe heat‑shield damage: Avcoat panels suffered deep gouges and spalling, large fragments detached, and four separation bolts partially melted, exposing the capsule structure and creating potential burn‑through, hot‑spot formation, and possible impact on the parachute compartment. An OIG report highlighted these three failure modes as crew‑risk hazards. NASA attributed the spalling to trapped gases in insufficiently permeable Avcoat and planned to mitigate it by altering the re‑entry trajectory, while a new shield design is slated for Artemis III. The agency faced schedule and budget constraints that precluded replacing the shield or conducting an uncrewed test, prompting criticism that safety margins were reduced to meet launch dates. Experts argue that an additional uncrewed flight would be needed to validate the heat‑shield performance before risking astronauts.
Read full article →
The comments express strong skepticism toward NASA’s Artemis program, questioning its underlying motivations and suggesting that the agency may be willing to endanger crew safety to protect its reputation. Critics highlight past budget overruns, staff reductions, and perceived repeated failures, using the Orion heat‑shield issue as an example of insufficient risk management. The tone is distrustful, emphasizing concerns that NASA could repeat past mistakes rather than prioritizing astronaut safety.
Read all comments →

Incident March 30th, 2026 – Accidental CDN Caching

Railway experienced a CDN‑caching incident on 30 March 2026. Between 10:42 UTC and 11:34 UTC a configuration change unintentionally enabled caching for ~0.05 % of domains that had CDN disabled. During this 52‑minute window GET responses, including those containing authenticated data, were stored in edge caches and could be served to users other than the original requester. The issue was first detected at 11:14 UTC via internal monitoring and user reports; the change was reverted and all cached assets were purged globally at 11:34 UTC. Affected users will receive email notification. Railway has added automated tests for caching behavior, implemented staged CDN rollouts over hours, and committed to prioritizing safety over new feature development to prevent recurrence. The incident details are posted on Railway’s status page.
Read full article →
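The incident summary above describes two things going wrong at once: a per-domain "CDN disabled" setting that stopped being honoured, and GET responses carrying authenticated data being stored in a shared cache. The script below is an added example, not Railway's code, of a conservative edge-store policy that checks both conditions, run over a handful of constructed request/response pairs. It is deliberately stricter than RFC 9111: a request with `Authorization` or `Cookie`, or a response with `Set-Cookie`, is stored only when the origin explicitly says `public` or gives an `s-maxage`, and a response with no `Cache-Control` at all is never stored rather than heuristically cached.

```javascript
// Added example (not Railway's code): a conservative policy for whether a CDN
// edge may store a response, applied to constructed request/response pairs.
"use strict";

// Lower-case all header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Parse "public, max-age=60, s-maxage=30" into { public: true, "max-age": "60", ... }.
function parseCacheControl(value) {
  const d = {};
  for (const part of String(value || "").split(",")) {
    const [k, v] = part.trim().toLowerCase().split("=");
    if (k) d[k] = v === undefined ? true : v.replace(/^"|"$/g, "");
  }
  return d;
}

// Decide whether a shared (edge) cache may store this exchange.
// Stricter than RFC 9111: a user-bound exchange (credentials on the request or
// a cookie set on the response) is stored only with "public" or "s-maxage";
// "must-revalidate" alone does not unlock it, and a response without any
// Cache-Control header is never stored.
function edgeMayStore({ cdnEnabled, method, reqHeaders, resHeaders }) {
  if (!cdnEnabled) return { store: false, reason: "CDN disabled for this domain" };
  if (method !== "GET") return { store: false, reason: `method ${method} is not cacheable here` };
  const req = normalize(reqHeaders);
  const res = normalize(resHeaders);
  const cc = parseCacheControl(res["cache-control"]);
  if (cc["no-store"] || cc["private"]) return { store: false, reason: "origin marked no-store/private" };
  const explicitlyShared = cc["public"] === true || cc["s-maxage"] !== undefined;
  const userBound = "authorization" in req || "cookie" in req || "set-cookie" in res;
  if (userBound && !explicitlyShared) {
    return { store: false, reason: "user-bound exchange without an explicit shared-cache directive" };
  }
  if (!explicitlyShared && cc["max-age"] === undefined) {
    return { store: false, reason: "no Cache-Control: treated as uncacheable, not heuristically cached" };
  }
  return { store: true, reason: "origin opted in to caching" };
}

// Constructed sample exchanges; the first two model the incident's failure mode.
const SAMPLES = [
  { label: "cdn-off-domain", cdnEnabled: false, method: "GET",
    reqHeaders: {}, resHeaders: { "Cache-Control": "public, max-age=60" } },
  { label: "dashboard-with-session-cookie", cdnEnabled: true, method: "GET",
    reqHeaders: { Cookie: "session=abc" }, resHeaders: { "Content-Type": "text/html" } },
  { label: "static-asset", cdnEnabled: true, method: "GET",
    reqHeaders: {}, resHeaders: { "Cache-Control": "public, max-age=3600" } },
  { label: "authz-but-explicitly-public", cdnEnabled: true, method: "GET",
    reqHeaders: { Authorization: "Bearer t" }, resHeaders: { "Cache-Control": "public, s-maxage=30" } },
  { label: "no-cache-control", cdnEnabled: true, method: "GET",
    reqHeaders: {}, resHeaders: { "Content-Type": "application/json" } },
  { label: "post", cdnEnabled: true, method: "POST",
    reqHeaders: {}, resHeaders: { "Cache-Control": "public, max-age=60" } },
];

// Run the policy over every sample; returns { label: store } for review.
function auditSamples(samples = SAMPLES) {
  const verdicts = {};
  for (const s of samples) verdicts[s.label] = edgeMayStore(s).store;
  return verdicts;
}

for (const s of SAMPLES) {
  const v = edgeMayStore(s);
  console.log(`${s.label.padEnd(32)} store=${v.store}  (${v.reason})`);
}
```

The useful property of a policy written this way is that it is testable in CI: the commenters' complaint that a QA step missed the change is answered by running exactly these sample exchanges against the edge configuration before a rollout, so that a domain with CDN disabled, or a cookie-bearing dashboard response, can never reach "store=true" unnoticed.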
Comments focus on the incident’s explanation, criticizing the blog post for omitting the root cause, using vague metrics, and containing contradictory statements about which data were exposed. Reviewers note that the status page provides clearer details, especially regarding cached content without cache‑control. While some express respect for Railway’s transparency and execution, others request insight into the QA or testing process that missed the issue and suggest unique session‑specific URLs as a mitigation. Overall, the discussion balances critique of communication with acknowledgement of the company’s openness.
Read all comments →

Turning a MacBook into a touchscreen with $1 of hardware (2018)

Project Sistine demonstrates a low‑cost method to convert a MacBook into a touchscreen using a $1 mirror assembly placed before the built‑in webcam. The setup consists of a small mirror, rigid paper plate, door hinge, and hot glue, angled so the webcam captures the screen and its reflection. Finger detection relies on classical computer‑vision steps: skin‑color filtering, binary thresholding, contour extraction, selecting the two largest overlapping contours, and defining the touch/hover point as the midpoint between contour extremes. Touch versus hover is distinguished by the vertical gap between contours. A homography matrix maps webcam coordinates to screen coordinates; it is calibrated by prompting the user to touch known points and estimating the transformation with RANSAC. The system translates detected contacts into mouse events, enabling existing applications to respond to touch. The prototype uses a 480p webcam; higher‑resolution cameras and a curved mirror could improve coverage, making the approach a viable, open‑source, MIT‑licensed low‑cost touchscreen solution.
Read full article →
Comments show strong skepticism toward touchscreen MacBooks, emphasizing ergonomic discomfort, fatigue, and fingerprint issues, with many preferring the existing non‑touch design. Practical concerns dominate, including lighting variability, accuracy limits, and the difficulty of adapting software for reliable use across diverse conditions. Nevertheless, the prototype is praised for its inventive use of existing hardware, open‑source code, and potential niche applications such as outdoor displays, though most view it as a fun proof‑of‑concept rather than a viable consumer product.
Read all comments →

How to turn anything into a router

A Linux‑based router can be built from any device that runs Debian (or similar) and provides at least two network interfaces—either built‑in Ethernet ports or USB‑to‑Ethernet adapters. The setup uses only base‑install packages plus:

- **hostapd** – creates a Wi‑Fi access point on a USB dongle.
- **dnsmasq** – supplies DHCP and DNS services on the internal bridge.
- **bridge‑utils** – merges LAN ports and the wireless interface into a single bridge (br0).
- **nftables** – implements firewall/NAT rules, with a default drop policy, permitting established/related traffic, ICMP, and DNS/SSH on the LAN, and masquerading outbound traffic on the WAN interface (eth0).

Configuration steps include disabling PXE, fixing interface names via systemd‑link files, enabling IPv4 forwarding (`net.ipv4.ip_forward=1`), and creating `/etc/nftables.conf` and `/etc/dnsmasq.conf` with the appropriate bridge, address range, and DNS options. After enabling and starting the services (`hostapd`, `dnsmasq`, `nftables`), the router can be tested with `brctl show`, `nft list ruleset`, and DNS lease logs. Optional serial‑console access is enabled through GRUB and a getty service. Extensions such as VLANs, VPNs, IPv6, or advanced monitoring can be added, but the core system remains a lightweight, fully functional router.
Read full article →
The discussion emphasizes that turning virtually any Linux‑capable computer into a router is both feasible and educational, with many contributors sharing scripts, hardware recommendations, and tuning tips. Opinions diverge between advocates of lightweight, custom builds—often repurposing old PCs, SBCs, or single‑NIC systems—and supporters of purpose‑built distributions or appliances such as OPNsense, OpenWrt, or pfSense for convenience and reliability. Concerns about performance, hardware acceleration, and potential regulatory bans appear alongside praise for flexibility, low cost, and the value of hands‑on learning.
Read all comments →

Learn Claude Code by doing, not reading

Learn Claude Code Interactively provides a browser‑based environment where users can practice Claude Code’s slash commands, hooks, and skills without installing software or supplying an API key. The interactive terminal simulator lets learners try commands directly in the browser. As users progress, form‑driven modules generate ready‑to‑copy configuration files—including CLAUDE.md, hook definitions, and plugin settings—that can be inserted into real projects. Each instructional module concludes with a quiz; incorrect answers trigger explanatory feedback rather than just the correct response, reinforcing comprehension. The platform emphasizes hands‑on experimentation, automated config generation, and immediate assessment to facilitate practical mastery of Claude Code.
Read full article →
Comments show a split view on Claude Code. Users appreciate its low entry barrier, pedagogical quiz, and usefulness for beginners, while others criticize rapid quota consumption, inconsistent output, and perceived marketing hype. Several remarks question the value of learning a non‑deterministic, frequently changing tool versus traditional programming fundamentals. Comparisons to alternatives such as Gemini and ChatGPT appear, with some favoring those. Overall, the discussion balances appreciation for convenience with concerns about cost, reliability, and long‑term relevance.
Read all comments →