Engineering & Security Wire

Curated from Hacker News, Lobsters, Krebs on Security, and other top sources. Updated every 6 hours.

21 ENG · 6 SEC · 3 AI · 6071 TOTAL
Tue, May 5, 2026
30
3241 · ENG

claude code is not making your product better

Lobsters · ethanding.substack.com · May 5
3242 · ENG

A bidirectional typechecking puzzle

Lobsters · haskellforall.com · May 5
3243 · ENG

AI Product Graveyard

Article URL: https://tooldirectory.ai/ai-graveyard · Comments URL: https://news.ycombinator.com/item?id=48021968 · Points: 164 · Comments: 71

Hacker News · tooldirectory.ai · May 5
3244 · ENG

Community firmware for the Xteink X4 e-paper reader

11 points, 3 comments on Hacker News

Hacker News · github.com · May 5
3245 · ENG

A Caddy Cert Expired Because systemd-resolved Was Selectively Broken

Lobsters · rant.mvh.dev · May 5
3246 · ENG

iOS 27 is adding a 'Create a Pass' button to Apple Wallet

Article URL: https://walletwallet.alen.ro/blog/ios-27-wallet-create-pass/ · Comments URL: https://news.ycombinator.com/item?id=48021561 · Points: 236 · Comments: 192

Hacker News · walletwallet.alen.ro · May 5
3247 · ENG

Show HN: I built a new word game, Wordtrak

Hi HN! Looking for feedback on this 1v1 and daily word dueling game I've built over the last few months. Play here: https://wordtrak.com/ Or on iOS here: https://apps.apple.com/us/app/wordtrak/id6760442363 (Android version soon!) · Comments URL: https://news.ycombinator.com/item?id=48021420 · Points: 37 · Comments: 20

Hacker News · wordtrak.com · May 5
3248 · ENG

GitHub Enhances CodeQL with Declarative Security Modeling for Faster, More Flexible Analysis

GitHub has introduced a significant update to its CodeQL engine, enabling developers to define custom sanitizers and validators directly through "models-as-data," a move that simplifies how teams extend security analysis across their codebases. By Craig Risi

InfoQ · infoq.com · May 5
3249 · SEC

The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password. OAuth

The Hacker News (Security) · thehackernews.com · May 5
3250 · SEC

MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks

Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code

The Hacker News (Security) · thehackernews.com · May 5
3251 · ENG

A polynomial autoencoder beats PCA on transformer embeddings

44 points, 14 comments on Hacker News

Hacker News · ivanpleshkov.dev · May 5
3252 · SEC

We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is

While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the

The Hacker News (Security) · thehackernews.com · May 5
3253 · ENG

Post-Quantum VPN Based on QUIC

Lobsters · github.com · May 5
3254 · ENG

Mistral Adds Remote Agents and Work Mode to Le Chat

Mistral has released Mistral Medium 3.5, a 128-billion parameter model designed to handle instruction following, reasoning, and coding within a single system, and introduced new cloud-based agent capabilities in its Vibe and Le Chat products. By Daniel Dominguez

InfoQ · infoq.com · May 5
3255 · AI

Unlocking large scale AI training networks with MRC (Multipath Reliable Connection)

OpenAI introduces MRC (Multipath Reliable Connection), a new supercomputer networking protocol released via OCP to improve resilience and performance in large-scale AI training clusters.

OpenAI Blog · openai.com · May 5
3256 · AI

GPT-5.5 Instant System Card

OpenAI Blog · openai.com · May 5
3257 · AI

GPT-5.5 Instant: smarter, clearer, and more personalized

GPT-5.5 Instant updates ChatGPT’s default model with smarter, more accurate answers, reduced hallucinations, and improved personalization controls.

OpenAI Blog · openai.com · May 5
3258 · ENG

When everyone has AI and the company still learns nothing

Article URL: https://www.robert-glaser.de/when-everyone-has-ai-and-the-company-still-learns-nothing/ · Comments URL: https://news.ycombinator.com/item?id=48020063 · Points: 168 · Comments: 103

Hacker News · robert-glaser.de · May 5
3259 · SEC

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the

The Hacker News (Security) · thehackernews.com · May 5
3260 · ENG

Article: Three Pillars of Platform Engineering: A Virtuous Cycle

Platform engineering succeeds when reliability and ergonomics reinforce each other rather than compete. This article explores three foundational pillars: automated reliability, developer ergonomics, and operator ergonomics. Together, they establish a virtuous cycle that strengthens system stability, reduces operational burden, and empowers teams to scale infrastructure with confidence. By Pratik Agarwal

InfoQ · infoq.com · May 5
3261 · ENG

MacBook Neo Deep Dive: Benchmarks, Wafer Economics, and the 8GB Gamble

Lobsters · jdhodges.com · May 5
3262 · SEC

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/

The Hacker News (Security) · thehackernews.com · May 5
3263 · ENG

Google Chrome silently installs a 4 GB AI model on your device without consent

223 points, 230 comments on Hacker News

Hacker News · thatprivacyguy.com · May 5
3264 · ENG

The Frog for Whom the Bell Tolls

11 points, 2 comments on Hacker News

Hacker News · sethmlarson.dev · May 5
3265 · ENG

Lessons for Agentic Coding: What should we do when code is cheap?

52 points, 46 comments on Hacker News

Hacker News · dbreunig.com · May 5
3266 · ENG

Figma Builds In-House Redis Proxy to Hit Six Nines Uptime

Figma has published a detailed account of how it built an in-house Redis proxy service called FigCache, replacing a fragmented caching stack that had become a liability for site availability. The system, described in a post by Kevin Lin, has been in production since the second half of 2025 and has delivered what the company describes as six nines of uptime across its caching layer. By Matt Saunders

InfoQ · infoq.com · May 5
3267 · SEC

Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,

The Hacker News (Security) · thehackernews.com · May 5
3268 · ENG

Cloudflare Introduces Flagship: an Edge-Native Feature Flag Service Built on OpenFeature

Cloudflare recently announced the closed beta of Flagship, a new feature flag service built directly into its global edge platform. The service lets teams control feature rollouts and experiment with changes without redeploying code, while evaluating flags locally in Cloudflare Workers rather than calling external flag services. By Renato Losio

InfoQ · infoq.com · May 5
3269 · ENG

How do I inform Windows that I'm writing a binary file?

36 points, 32 comments on Hacker News

Hacker News · devblogs.microsoft.com · May 5
3270 · ENG

Kids bypass age verification with fake moustaches

Article URL: https://www.theregister.com/2026/05/04/uk_online_safety_act_age_checks_subvert/ · Comments URL: https://news.ycombinator.com/item?id=48018080 · Points: 99 · Comments: 56

Hacker News · theregister.com · May 5

Aggregated from public RSS feeds & the Hacker News API · All links point to original sources · Clawship does not republish full articles