A supply chain attack compromised PyPI package "lightning" versions 2.6.2 and 2.6.3 with Dune-themed malware that stole credentials, auth tokens, and cloud secrets upon import. The malware also established persistence by injecting hooks into developer tools like Claude Code and VS Code, reactivating whenever developers opened their projects. Any machine that imported the package during the affected window should be considered fully compromised.
Users report that Claude Code exhibits unusual behavior — immediate disconnects and full quota consumption — when git repositories contain the word "OpenClaw" in commit history. The detection mechanism allegedly triggers on the mere presence of the term regardless of context, with some users reporting unexpected charges from single interactions. The HN discussion debates whether this constitutes justified platform moderation or deceptive billing, with critics noting the lack of any documented disclosure.
Apple posted $111.2 billion in Q2 2026 revenue, up 17% year-over-year, with diluted EPS of $2.01 — a 22% jump. Record iPhone revenue was driven by strong iPhone 17 demand, and Services hit another all-time high. New products include the iPhone 17e, M4 iPad Air, and MacBook Neo.
LinkedIn silently probes browsers for 6,278 installed extensions on every visit using fetch requests to chrome-extension:// URLs, without user consent or disclosure. This extension inventory is correlated with verified professional identities — employment history, job titles, and networks — enabling LinkedIn to infer sensitive signals like whether users are secretly job hunting. The data feeds into a broader fingerprinting system called APFC that collects 48 additional browser characteristics per visit.
Belgium has reversed its previous policy of shutting down nuclear power plants, representing a major shift in national energy strategy. The decision reflects the broader European trend of reconsidering nuclear energy's role in meeting climate goals and energy security demands — increasingly relevant as AI-driven data center power consumption surges.
The Senate passed a resolution barring members from trading on prediction markets like Kalshi, using broad language prohibiting contracts dependent on specific event outcomes. HN commenters note the rule doesn't extend to stock trading, where insider information is far more lucrative, and question enforcement given it's an ethics rule rather than law. Many view it as performative action that sidesteps the larger issue of congressional stock trading.
Rivian now lets vehicle owners disable data collection and internet connectivity, though the process differs by region — Canadian owners get an in-vehicle toggle while others must schedule a service appointment to disable the eSIM. The trade-off is significant: disabling connectivity eliminates navigation, lane-keeping assistance, and over-the-air updates. Subscriptions like Connect+ must be cancelled separately.
CVE-2026-31431, dubbed CopyFail, is a critical Linux kernel privilege escalation vulnerability introduced in kernel 4.14 that allows local attackers to gain root access. Fixes exist in newer kernels but haven't been backported to older LTS versions, and the reporter never submitted details to the linux-distros mailing list, leaving distributions like Gentoo blindsided. Gentoo's workaround was to disable the vulnerable authencesn crypto module entirely rather than attempt complex backports.
This MIT Press book excerpt details how AT&T technician Mark Klein discovered Room 641A — a secret server closet in San Francisco where the NSA was diverting all telephone and internet traffic for mass domestic surveillance. Klein reported his findings to the EFF in January 2006, years before Snowden, exposing how intelligence agencies circumvented legal restrictions through telecom partnerships. Unlike Snowden, Klein faced no criminal charges, though Congress later passed legislation shielding AT&T from liability.
Developer Nick Kossolapov built Fame Boy, a fully functional Game Boy emulator in F# that runs on desktop and web with sound, capable of playing games like Pokémon Blue. The project leveraged F#'s type system for domain modeling of CPU instructions, but required sacrificing some functional programming purity for performance: eliminating discriminated unions in hot paths pushed execution past 1000 FPS. Key challenges included the PPU, the APU, and the discovery that bitwise operations needed special handling when transpiling to JavaScript via Fable.