Engineering & Security Wire
Curated from Hacker News, Lobsters, Krebs on Security, and other top sources. Updated every 6 hours.
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the
The European Union backs Italy's right to make Meta pay for news
Article URL: https://www.niemanlab.org/2026/05/the-eu-backs-italys-right-to-make-meta-pay-for-news/ Comments URL: https://news.ycombinator.com/item?id=48134014 Points: 70 # Comments: 48
Hoot 0.9.0 released
How AI Hallucinations Are Creating Real Security Risks
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs. When an AI model lacks certainty, it doesn’t have a mechanism to recognize that. Instead, it generates the most probable response based on patterns in its training data, even if that response is inaccurate. These outputs
Myths about /dev/urandom (2014)
56 points, 29 comments on Hacker News
Show HN: Running the second public ODoH relay
89 points, 28 comments on Hacker News
Pipes, Forks, and Zombies
27 points, 3 comments on Hacker News
High-Entropy Alloy
29 points, 2 comments on Hacker News
Pinterest Engineers Eliminate CPU Zombies to Resolve Production Bottlenecks
Pinterest identified and resolved CPU starvation issues that affected machine learning training jobs on its Kubernetes-based platform, PinCompute. The engineers traced the problem to an unused Amazon ECS agent, which caused memory cgroup leaks. By disabling the agent, they stabilised performance. This case illustrates the importance of understanding system defaults for effective troubleshooting. By Mark Silvester
Browsers Treat Big Sites Differently
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON). The security defects have been codenamed YellowKey and GreenPlasma, respectively, by the researcher, who goes by the online aliases Chaotic Eclipse
Anthropic Traces Six Weeks of Claude Code Quality Complaints to Three Overlapping Product Changes
Anthropic published a postmortem tracing six weeks of Claude Code quality complaints to three overlapping product-layer changes: a reasoning effort downgrade, a caching bug that progressively erased the model's own thinking, and a system prompt verbosity limit that caused a 3% quality drop. The API and model weights were unaffected. All issues were resolved April 20. By Steef-Jan Wiggers
Rewrite Bun in Rust has been merged
63 points, 44 comments on Hacker News
Kubernetes v1.36: Security Defaults Tighten as AI Workload Support Matures
Kubernetes v1.36, released in 2026, includes 70 enhancements focused on security, AI workloads, and API scalability. Key features graduating to General Availability are User Namespaces, Mutating Admission Policies, and Fine-Grained Kubelet API Authorization. The release also addresses workload management and introduces new features for AI resource allocations. By Matt Saunders
After 8 years, I rewrote my open-source PyTorch curvature library
18 points, 1 comment on Hacker News
The bird eye was pushed to an evolutionary extreme
42 points, 7 comments on Hacker News
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks. Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel's XFRM
Classic 7 is a Windows 10 LTSC mod to look 1:1 to Windows 7
52 points, 40 comments on Hacker News
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a
Claude for Small Business
Article URL: https://www.anthropic.com/news/claude-for-small-business Comments URL: https://news.ycombinator.com/item?id=48130950 Points: 8 # Comments: 1
Sculpt OS release 26.04
Arena AI Model ELO History
Hi HN, I built a live tracker to visualize the lifecycle and performance changes of flagship AI models. We've all experienced the phenomenon where a flagship model feels amazing at launch, but weeks later, it suddenly feels a bit off. I wanted to see if this was just a feeling or a measurable reality, so I built a dashboard to track historical ELO ratings from Arena AI. Instead of a massive spaghetti chart of every single model variant, the logic plots exactly ONE continuous curve per major AI lab. It dynamically tracks their highest-rated flagship model over time, which makes both the sudden generational jumps and the slow performance decays much easier to see. It took quite a lot of iterations to get the chart to look nice on mobile as well. Optional dark mode included. However, I have a specific data blindspot that I'm hoping this community might have insights on. Arena AI largely relies on testing API endpoints. But as we know, consumer chat UIs often layer on heavy system prompt
A Claude Code and Codex Skill for Deliberate Skill Development
47 points, 12 comments on Hacker News
Microsoft BitLocker – YellowKey zero-day exploit
Article URL: https://www.tomshardware.com/tech-industry/cyber-security/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor Comments URL: https://news.ycombinator.com/item?id=48130519 Points: 32 # Comments: 11
Gaining control of every projector and camera on campus
28 points, 4 comments on Hacker News
Show HN: Nibble
An attempt at a single pass LLVM frontend in ~3000 lines of C without external dependencies, malloc, or an AST. Included are some graphical examples. The IR isn't perfect, and the README touches on one particular downfall Comments URL: https://news.ycombinator.com/item?id=48130186 Points: 13 # Comments: 0
Cisco Workforce Reductions
Article URL: https://blogs.cisco.com/news/our-path-forward Comments URL: https://news.ycombinator.com/item?id=48130123 Points: 72 # Comments: 36
delta time
51 points, 30 comments on Hacker News
Avoiding and reducing microplastic false positives from dry glove contact
Article URL: https://pubs.rsc.org/en/content/articlelanding/2026/ay/d5ay01801c Comments URL: https://news.ycombinator.com/item?id=48129934 Points: 9 # Comments: 0
Mystery Microsoft bug leaker keeps the zero-days coming
Article URL: https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758 Comments URL: https://news.ycombinator.com/item?id=48129789 Points: 78 # Comments: 14
Aggregated from public RSS feeds & the Hacker News API · All links point to original sources · Clawship does not republish full articles