Socket researchers discovered Bitwarden CLI's npm package (@bitwarden/cli 2026.4.0) was compromised via a GitHub Actions supply chain attack, part of the broader Checkmarx campaign. The malicious payload in bw1.js shares infrastructure with mcpAddon.js, using the same C2 endpoint (audit.checkmarx[.]cx/v1/telemetry), obfuscation scheme, gzip+base64 structure, and Python memory-scraper targeting GitHub Actions Runner.Worker. The malware harvests GitHub tokens, AWS/Azure/GCP credentials, npm tokens, SSH keys, and Claude/MCP config files, exfiltrating through GitHub API commits and npm republishing under Dune-themed repository names. Unique features include a Russian locale kill switch, shell profile persistence via ~/.bashrc and ~/.zshrc, and ideological "Butlerian Jihad" branding suggesting a different operator or splinter group using shared infrastructure. Only 334 users downloaded the malicious version; the Chrome extension, MCP server, and other distributions were unaffected. Organizations should rotate all credentials, audit GitHub for Dune-themed unauthorized repositories, check for /tmp/tmp.987654321.lock, and review CI/CD workflows for injected actions.
OpenAI has released GPT-5.5, rolling it out gradually in ChatGPT and Codex starting with Pro and Enterprise accounts before reaching Plus users to maintain service stability. The model improves on GPT-5.4's benchmark scores while using fewer output tokens — achieving a 56.7 on the AI Index with only 22 million output tokens, compared to Opus 4.7's 57 score requiring 111 million tokens. Terminal Bench hit 82.7%, though SWE-Bench Pro improved only slightly from 57.7% to 58.6% versus Opus 4.7's 64.3%. A standout feature is that Codex itself was used to analyze weeks of production traffic and write custom heuristic algorithms to optimize GPU work partitioning, boosting token generation speeds by over 20%. A 3D dungeon arena demo built with Codex using TypeScript and Three.js was highlighted, with third-party tools generating character meshes and textures. Pricing is set at $5 per million input tokens and $30 per million output tokens — roughly double GPT-5.4's rates, though OpenAI claims efficiency gains offset the increase. ARC-AGI 3 scores are absent from published benchmarks. A system card is available at deploymentsafety.openai.com/gpt-5-5.
GitHub experienced a multi-service outage on April 23, 2026, beginning around 16:12 UTC when degraded availability was reported for Copilot and Webhooks. By 16:19 UTC, multiple services were listed as unavailable, and by 16:34 UTC, Actions was confirmed degraded. The root cause was identified at 16:52 UTC, with Actions and Copilot mitigated by 17:03 UTC, most remaining services validated by 17:04 UTC, and Webhooks confirmed normal at 17:10 UTC. The incident was fully resolved at 17:30 UTC — roughly 78 minutes after initial reports. Affected services included Webhooks, Actions, and Copilot. GitHub committed to publishing a detailed root cause analysis at a later date.
France Titres (ANTS), the French agency managing passports, driver's licenses, national ID cards, and immigration documents, detected a security breach on April 15, 2026, affecting user accounts on its ants.gouv.fr portal. Potentially exposed data includes login IDs, full names, email addresses, dates of birth, and unique account identifiers, with postal addresses, places of birth, and phone numbers exposed for some users. A threat actor using the moniker "breach3d" claimed responsibility on April 16, alleging 19 million records were stolen and offering them for sale at an undisclosed price — though no broad leak has occurred yet. ANTS confirmed the exposed data does not enable unauthorized portal access, but warns it can enable phishing and social engineering attacks, urging users to treat suspicious SMS, calls, or emails with extreme caution. The agency has notified France's data protection authority (CNIL), the Paris Public Prosecutor, and the national cybersecurity agency (ANSSI).
MeshCore, launched in January 2025, has grown rapidly to 38,000+ nodes and 100,000+ active users across Android and iOS. Team member Andy Kirby heavily used Claude Code to "vibe code" (majority AI-generated) the standalone devices, mobile app, web flasher, and web config tools without disclosing this to the core team, which had been wary of AI-generated code. More critically, Andy secretly filed for the MeshCore trademark on March 29 without notifying anyone, prompting a complete breakdown in communication. The core team disputes Andy's "official" branding claims, asserting the true official MeshCore is the GitHub repository, to which Andy has never contributed. Andy controls the meshcore.co.uk domain and original Discord server, while the remaining team (Scott, Liam, Recrof, FDLamotte, and Oltaco) launched meshcore.io as their official home; Andy subsequently copied the new site's design using AI despite being asked not to. The team describes the situation as "a slap in the face" and remains committed to human-written firmware, bug fixes, and community management through the new site and a fresh Discord server.
LILYGO's T-Watch Ultra is a hackable smartwatch built around an ESP32-S3 dual-core Tensilica LX7 (240 MHz), 16MB flash, and 8MB PSRAM — more memory than typical hobbyist wearables and enough for edge AI tasks via built-in vector instructions. Its 2.01-inch AMOLED (410×502) with capacitive touch, IP65 weatherproofing, and 1,100mAh battery address the durability gap that has made prior DIY smartwatches impractical. Connectivity spans Wi-Fi, Bluetooth 5.0 LE, a Semtech SX1262 LoRa transceiver for off-grid/Meshtastic use, u-blox MIA-M10Q GNSS, and ST25R3916 NFC. A Bosch BHI260AP handles motion and AI sensor fusion; additional hardware includes a DRV2605-driven vibration motor, MAX98357A audio amplifier, microphone, RTC, microSD slot, and AXP2101 power management — all accessed via USB-C. Compatible with Arduino, MicroPython, and ESP-IDF, it targets hackers wanting a capable, programmable platform without building from scratch. Pre-orders launched at $78.32 across three variants, all of which sold out quickly.
Tailscale co-founder David Crawshaw is launching exe.dev, motivated by deep frustrations with cloud primitives. His core argument: VMs are the wrong abstraction because they bundle CPU, memory, and disk rather than letting users buy raw compute and carve it up. Cloud storage economics broke when SSDs cut seek times from 10ms to 20 microseconds, making remote block device overhead balloon from ~10% to over 10x vs. local storage, yet cloud pricing never adapted. Egress runs ~10x above data center rates by design to enforce lock-in. Kubernetes cannot fix these problems because it's an abstraction layered on broken abstractions. The AI/agent era amplifies the pain — more software means more compute demand, and every token an agent wastes contorting cloud APIs is wasted context. exe.dev's solution: a flat $20/month buys 2 CPUs, 8GB RAM, and 25GB disk, splittable into up to 25 VMs, backed by local NVMe with async off-machine block replication, built-in TLS and auth proxies, and anycast networking globally.
Honker is a SQLite extension and Rust crate bringing Postgres-style NOTIFY/LISTEN to SQLite without Redis or a separate broker. It monitors the WAL file via stat(2) at 1ms intervals instead of polling the tables themselves, delivering cross-process notifications in single-digit milliseconds. Three primitives are provided: ephemeral pub/sub, durable work queues with retries and dead-letter tables, and event streams with per-consumer offsets. All are row inserts inside transactions, so they commit atomically with business writes and a rollback drops both together. The queue supports priority, delayed jobs, visibility timeouts, exponential backoff, named locks, rate-limiting, and crontab-style periodic tasks. Event streams track per-consumer offsets with at-least-once delivery and replay from any saved offset. WAL mode is required and the design is single-machine/single-writer, not intended for multi-server replication or DAG orchestration. Bindings exist for Python, Node.js, Rust, Go, Ruby, Bun, Elixir, and C++, all wrapping the same loadable extension. Modeled after Huey, pg-boss, and Oban, it is currently alpha with a potentially changing API.
NYPD officer James Giovansanti, 33, accumulated 547 speed camera and red-light tickets since 2022 on his 4,800-pound RAM 1500 truck across Staten Island, averaging one ticket every other day in 2025. Cameras caught his truck exceeding 41 mph near P.S. 22 elementary school and Port Richmond High School, with 20 red-light violations, some logged within a minute of simultaneous speeding tickets. His truck's flat-faced hood raises pedestrian fatality risk, and visible right-side damage is notable. Policing expert Michael Alcazar called the pattern evidence of "indifference to public safety" warranting serious discipline, but NYPD dismissed action, calling tickets unrelated to his duties. Camera violations carry no license points under New York law, so Giovansanti faces no suspension as long as he pays the $36,650 in fines. His precinct inspector oversees 33 other officers with multiple camera tickets. Advocates back Albany's "Stop Super Speeders Act" mandating speed limiters for repeat offenders, but Assembly Speaker Carl Heastie's opposition clouds passage. Gov. Hochul backed the bill, citing a small group of reckless drivers causing disproportionate harm.
Apple released an iOS/iPadOS update fixing CVE-2026-28950, a bug where notification content for deleted or auto-expiring messages from apps like Signal was cached on-device for up to a month. The FBI exploited this to recover deleted Signal messages from a suspect's iPhone using forensic tools, because when Signal displayed a notification, the OS independently stored that plaintext in its own notification database — outside Signal's encryption and deletion controls. Signal president Meredith Whittaker publicly called on Apple to fix it. Apple classified it as a "logging issue addressed with improved data redaction" and backported the fix to iOS 18. The fix addresses failure to purge cached notifications when marked for deletion or when the originating app was uninstalled, but the broader issue — notification text transiting Apple and Google push servers in readable form — remains unresolved. Signal already offers a generic "You've received a message" notification mode that prevents message content from reaching the OS notification layer.
Economist Sam Peltzman's 2026 paper documents a 10-15 point post-2020 US happiness decline across all demographics — a "regime change" corroborated by Fed worker satisfaction and University of Michigan consumer sentiment both hitting historic lows. Despite strong employment and wages, the author argues feelings matter because they drive politics and policy. Three culprits emerge: cumulative inflation triple the historical norm since 2020 (hitting upper-income households hardest as full employment raised service costs), collapsing institutional and interpersonal trust alongside rising social isolation and algorithmically amplified negativity, and a permacrisis decade of pandemic, geopolitical wars, polarization, and AI/climate fears fueling historically negative news coverage. Anglophone countries show disproportionate declines tied to individualism, expanded mental health diagnostics, and toxic media ecosystems, while low-inflation southern European nations saw happiness rise. Quebec's French speakers experiencing smaller happiness declines than English-speaking Canadians partially confirms the Anglophone media hypothesis.
CSS specificity ties force browsers to use source order as a tiebreaker, making overlapping states like hover-and-disabled unpredictable and fragile to extend. Tasty is a CSS-in-JS library replacing competing selectors with a declarative priority-ordered state map: developers list states from highest to lowest priority, and the compiler generates mutually exclusive selectors using :not() chains so no two branches ever match simultaneously. A disabled button gets a plain selector; :active adds :not([disabled]); hover adds :not(:active):not([disabled]); the default excludes all three. This eliminates source-order bugs and lets developers extend components without re-deriving the full selector matrix. Tasty supports pseudo-classes, attributes, media queries, container queries, root-level state, and typed APIs. Development took several years and hundreds of iterations to handle real design-system complexity. It powers Cube UI Kit (100+ components) and Cube Cloud enterprise product. Additional features include SSR, zero-runtime extraction, editor tooling, linting, tokens, and recipes. Best suited for complex long-lived component systems, not small landing pages.
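The :not() chain construction described above, as an added example (not Tasty's own code; the state map, the `compileStateMap` helper and the flag predicates are hypothetical): it compiles a highest-to-lowest priority list into the four selectors the text quotes, then checks exhaustively that no two branches can ever match the same element.

```javascript
// Added example, not Tasty's code: compile a priority-ordered state map into
// mutually exclusive selectors and verify that exactly one branch applies to
// any combination of element flags, so source order never acts as tiebreaker.

// Hypothetical state map, highest priority first. `selector` is the CSS
// fragment for the state; `test` is a predicate on an element's flags that is
// constructed here only to check mutual exclusivity.
const BUTTON_STATES = [
  { name: "disabled", selector: "[disabled]", test: (f) => f.disabled },
  { name: "active",   selector: ":active",    test: (f) => f.active },
  { name: "hover",    selector: ":hover",     test: (f) => f.hover },
  { name: "default",  selector: "",           test: () => true },
];

// One selector per state: the state's own fragment followed by :not() of every
// higher-priority state, nearest higher priority first (matching the page's
// hover example, ":not(:active):not([disabled])").
function compileStateMap(base, states) {
  const out = {};
  states.forEach((state, i) => {
    const exclusions = states
      .slice(0, i)
      .reverse()
      .map((higher) => `:not(${higher.selector})`)
      .join("");
    out[state.name] = `${base}${state.selector}${exclusions}`;
  });
  return out;
}

// Names of the branches whose compiled selector would match an element with
// the given flags: its own predicate holds and every higher-priority one fails.
function matchingBranches(states, flags) {
  return states
    .filter((state, i) =>
      state.test(flags) && states.slice(0, i).every((h) => !h.test(flags)))
    .map((s) => s.name);
}

// Exhaustively check every combination of flags matches exactly one branch.
function isMutuallyExclusive(states, flagNames) {
  const total = 1 << flagNames.length;
  for (let mask = 0; mask < total; mask++) {
    const flags = {};
    flagNames.forEach((n, bit) => { flags[n] = Boolean(mask & (1 << bit)); });
    if (matchingBranches(states, flags).length !== 1) return false;
  }
  return true;
}

console.log(compileStateMap("button", BUTTON_STATES));
console.log(isMutuallyExclusive(BUTTON_STATES, ["disabled", "active", "hover"]));
```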
A developer wrote a series of blog posts documenting the construction of "paella," a C compiler implemented in Zig, following Nora Sandler's book "Writing a C Compiler." The project served dual purposes: learning Zig and filling time while unemployed. The writeup spans 10 chapters, progressing from foundational compiler concepts (intro, unary and binary operations) through control flow (logic, conditions, loops), variables, blocks, functions, and linking. The author notes they plan to continue posting writeups if they resume working through the book. Commenters note that the author appeared to later abandon the project around chapter 19 due to frustration with lower-level language challenges in Zig.
Jiga is a B2B manufacturing sourcing platform that connects engineers directly with vetted manufacturers, consolidating quoting, communication, and order tracking in one place with AI-powered administrative workflows. The platform targets the pain points of traditional parts sourcing — weeks-long email chains, fragmented spreadsheet tracking, customs complexity, and repeated supplier Q&A — compressing that cycle from weeks to hours. Clients reportedly include NASA, Tesla, and Google. The company describes itself as cashflow positive and growing revenue 3x year-over-year, with no reliance on emergency fundraising. Culturally, Jiga operates fully remote and async, holds only a weekly all-hands and one team sync, and flies the entire team to an annual offsite. Decision-making is pushed to whoever is closest to the problem, with no approval chains. The company emphasizes radical internal transparency: all team members see revenue, runway, valuation, and the sales pipeline. Hiring philosophy centers on senior, self-directed talent who ship fast and iterate in production rather than debate theoretical solutions.
Researchers found Firefox's indexedDB.databases() returns database names in an order derived from internal hash table structure, not creation order, creating a stable process-lifetime fingerprint. The root cause is in ActorsParent.cpp: private browsing maps names to UUIDs in a global StorageDatabaseNameHashtable shared across all origins, then iterates results from an unsorted nsTHashSet, exposing bucket order as a deterministic identifier. Because the mapping is process-scoped, unrelated websites can independently observe identical permutations to link activity across domains without cookies. With 16 controlled names, the fingerprint space reaches ~44 bits (16! permutations), enough to uniquely identify concurrent browser instances. In Firefox Private Browsing, the identifier persists after all private windows close; in Tor Browser, it survives "New Identity," defeating its core isolation guarantee. The fix — lexicographically sorting results before returning — was released in Firefox 150 and ESR 140.10.0 as Mozilla Bug 2024220; Qubes-Whonix users are reportedly unaffected.
Citizen Lab uncovered two surveillance campaigns exploiting known vulnerabilities in global telecom infrastructure, with vendors operating as "ghost" cellular providers to geolocate targets via legitimate networks. The campaigns abused SS7 — the 2G/3G backbone protocol lacking authentication and encryption — and Diameter, its 4G/5G successor, which remains exploitable when providers skip protections or fall back to SS7. Three telecoms served as repeated surveillance entry points: Israeli 019Mobile, British Tango Networks U.K., and Airtel Jersey (now Sure). Sure denied knowingly enabling tracking; 019Mobile said it could not confirm the identified infrastructure was theirs. The first campaign combined SS7 and Diameter exploits against targets worldwide over several years, implying multiple government clients; clues point to an Israeli-based geo-intelligence firm. The second used SIMjacker attacks — silent SMS commands sent directly to a target's SIM card that invisibly convert the device into a location tracker. Researcher Gary Miller called SIMjacker fairly common but geographically targeted, and emphasized these two campaigns are a fraction of millions of global attacks.
Arch Linux has achieved a bit-for-bit reproducible Docker image, distributed under a new "repro" tag, following a similar milestone for its WSL image earlier this year. The key caveat is that pacman's keyring is stripped from the image to ensure reproducibility, so users must run pacman-key --init && pacman-key --populate archlinux before installing packages — either interactively or via a Dockerfile RUN statement; Distrobox users can handle this via a pre-init hook. Reproducibility is verified through digest equality across builds using podman inspect and the diffoci tool. The main technical challenges involved setting SOURCE_DATE_EPOCH and honoring it in OCI image labels, removing the non-deterministic ldconfig auxiliary cache file, and normalizing timestamps during docker build/podman build using --source-date-epoch and --rewrite-timestamp flags. The rootFS build system is shared with the WSL image. Future plans include setting up an automated rebuilder to periodically verify the image's reproducibility status and publish build logs publicly.
Ursa Ag, a Canadian startup, sells mechanically simple tractors using remanufactured Cummins 12-valve diesel engines — $129,900 CAD (~$95K USD) for 150hp and $199,900 CAD (~$146K USD) for 260hp, roughly half comparable John Deere pricing. The tractors avoid modern ECUs, DEF/DPF emissions systems, and proprietary software, making them repairable by any mechanic with basic tools. EPA regulations mandating DEF/DPF on farm equipment since 2014 are a key reason conventional tractors became complex and expensive — not solely corporate greed — and force this startup to remanufacture rather than source new engines. The Cummins 12-valve is among the most widely understood diesel engines in North America. The pitch resonates with right-to-repair advocates, arriving just as John Deere settled a right-to-repair lawsuit for $99 million. Ursa Ag targets independent farmers who never wanted the complexity large agri-industrial operations demand. One structural constraint is dependence on a finite supply of remanufactured and no-longer-available parts. Founder Wilson is quoted saying he "saw the gap and drove a tractor through it." Details and video are at ursa-ag.com.
A hand-crafted 5x5 pixel font designed for tiny microcontroller screens stores all characters in just 350 bytes, making it ideal for 8-bit devices like the AVR128DA28. Characters fit within a 5-pixel square and are safe on a 6x6 grid, with fixed monospace width simplifying programming since a rendered string's width in pixels always equals 6 times its character count. The font is derived from lcamtuf's 5x6 font-inline.h, itself inspired by the ZX Spectrum's 8x8 font. The author argues 5x5 is the minimum no-compromise size: 4x4 can't render E, M, or W properly, while 3x3 is technically possible but unreadable. Smaller experimental variants are explored (3x5, 3x4, 3x3, 2x3, 3x2, and 2x2), with readability degrading significantly below 3x5. On real hardware, subpixel rendering creates a pleasing pseudo-dropshadow effect that improves legibility beyond what simulations suggest. The font compares favorably to antialiased vector fonts at similar scales, which require megabytes of code and data. Practical display targets are 160x128 or 128x64 OLEDs, where pixel-efficient hand-drawn fonts outperform software-rendered alternatives.
Isopod Site is a hobbyist resource dedicated to scientifically rigorous isopod identification, a group of crustaceans considered understudied relative to other invertebrates. Species identification is based on peer-reviewed literature rather than superficial visual similarities, aiming to reduce misidentification common in the keeping hobby. Macro photography, captured with an Olympus E-M10 Mark IV, Laowa 50mm 2:1 lens, and a DIY flash diffuser, documents key anatomical characters of each species; all images are copyrighted and automatically monitored across social media and websites for unauthorized use. The site covers isopods as low-maintenance pets, with growing hobby popularity driving practical keeping content. Advanced keepers can find guidance on selective breeding for unique morphs, where individuals with distinctive traits are isolated to establish new lineages. A taxonomic discussion section invites corrections on species placements, openly acknowledging that photo-based identifications carry inherent limitations.
Nilay Patel argues that "software brain" — seeing the world as databases controllable via code — explains why tech loves AI while the public increasingly doesn't. Polls are stark: NBC News found AI with worse favorability than ICE, Quinnipiac found over half of Americans think AI will do more harm than good, and Gallup found only 18% of Gen Z hopeful (down from 27%), with angry respondents rising to 31%. Patel contends AI doesn't have a marketing problem — ChatGPT has 900 million weekly users — but that tech is asking people to "flatten themselves into databases," which is fundamentally backwards. He draws parallels between software brain and lawyer brain (both use formal structured language to guide complex systems), cites DOGE's failure as proof databases don't equal reality, and notes enterprise AI genuinely fits the model since businesses already operate as data loops. CEOs like Dario Amodei openly warning of mass job displacement, combined with demands to integrate AI into every life domain, creates helplessness Patel ties to political violence. His conclusion: computers must adapt to people, not the reverse.
Ars Technica has published a reader-facing AI policy stating all reporting, analysis, and commentary is human-authored, with humans making every editorial decision. Reporters may use AI tools to assist research — navigating large volumes of material, summarizing background documents, and searching datasets — but AI output is never treated as authoritative and must always be verified. The creative team may use AI for certain visual material under human creative direction. Any staff member using AI bears full personal responsibility for accuracy, and AI must never be used to generate material attributed to a named source. The policy covers text, research, source attribution, images, audio, and video, stemming from two convictions: that AI cannot replace human insight, and that AI tools used well can help professionals do better work. The policy was prompted in part by a recent incident in which a reporter was fired after AI fabricated quotes in a published article.
A Turkish novelist reflects on initially dismissing Leylâ Erbil (1931–2013) before recognizing her significance. Erbil, of the "1950s generation" of Turkish modernists, is known for A Strange Woman (1971) and What Remains (2011), an experimental verse bildungsroman translated into English in 2024. What Remains follows narrator Lahzen through Istanbul's layered history of ethnic erasure and political violence, weaving personal trauma with Turkey's historical atrocities: the Armenian genocide, Dersim Kurdish massacres, 1955 pogroms, and the 2007 assassination of journalist Hrant Dink. Erbil's "Leylâ signs"—triplet commas and minimal capitalization—force readers to confront difficult history. Istanbul's stones and ruins serve as the novel's central metaphor, preserving what official history erases. The author ultimately concludes Erbil's autobiographical method was not self-indulgent but deeply political, collaging personal life with national history to dramatize centuries of state violence against minorities.
Raylib 6.0, its biggest release in 12 years, adds 20+ API functions (total: 600), 70+ examples (total: 215+), and 2,000+ commits from 210+ new contributors. The headline feature is rlsw, a CPU-only software renderer implementing OpenGL 1.1+ as a single-file header library — enabling raylib on GPU-less devices like ESP32 and emerging RISC-V hardware with no user-side code changes. Three new platform backends arrive: a headless memory framebuffer (rcore_memory) for server-side rendering, a native Win32 backend removing GLFW/SDL dependencies, and a direct Emscripten web backend replacing libglfw.js. Fullscreen and High-DPI scaling were redesigned from scratch and tested across Windows, Linux (X11/Wayland), and macOS including 4K multi-monitor setups. The skeletal animation system gains blending between frames and across different animations with improved GPU skinning. The filesystem API was consolidated into rcore (removing the utils module) with 40+ functions, and a new text management API adds 30+ string utilities. A new rexm tool automates examples management. Development was funded by NLnet and NGI Zero Common Fund, with platinum sponsors puffer.ai and comma.ai.