Published on April 23, 2026 at 18:00 CEST (UTC+2)
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign (170 points by tosh)
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised as part of a broader supply chain attack campaign attributed to Checkmarx. Attackers abused a compromised GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code into the bw1.js file. The incident highlights how open-source CI/CD workflows can become vectors for injecting malware into widely used tools, affecting millions of users and enterprises.
I am building a cloud (746 points by bumbledraven)
I am building a cloud
The author announces fundraising for a new cloud platform called exe.dev, explaining his motivation not as a grand social mission but simply because he enjoys working with computers—from microcontrollers to servers. He reflects on the personal challenge of starting another company despite already being a successful co-founder, and emphasizes that his drive comes from genuine fascination with computing itself.
Show HN: Honker – Postgres NOTIFY/LISTEN Semantics for SQLite (126 points by russellthehippo)
Show HN: Honker – Postgres NOTIFY/LISTEN Semantics for SQLite
Honker is a SQLite extension plus language bindings that brings PostgreSQL-style NOTIFY/LISTEN semantics to SQLite, enabling durable pub/sub, task queues, and event streams without requiring a separate broker or client polling. It allows developers to build real-time, event-driven applications using SQLite as the backend, combining the simplicity of an embedded database with the messaging capabilities of a full-scale DBMS.
Your hex editor should color-code bytes (332 points by tobr)
Your hex editor should color-code bytes
The author argues that traditional hex editors present raw bytes in a monotonous monochrome list, making it hard to spot patterns or anomalies. By color-coding bytes based on value ranges, data types, or file format structures, a hex editor can significantly speed up reverse engineering, debugging, and forensic analysis. The post includes interactive examples showing how color enhances readability.
Alberta startup sells no-tech tractors for half price (1994 points by Kaibeezy)
Alberta startup sells no-tech tractors for half price
Ursa Ag, a small Canadian manufacturer, builds tractors using remanufactured 1990s 12-valve Cummins diesel engines with zero electronics, selling them for roughly half the price of comparable modern John Deere models. The 150-hp model starts at $129,900 CAD (~$95,000 USD). The company has received hundreds of inquiries from American farmers, signaling growing demand for simple, repairable machinery over high-tech, proprietary systems.
Investigation uncovers two sophisticated telecom surveillance campaigns (281 points by mentalgear)
Investigation uncovers two sophisticated telecom surveillance campaigns
Citizen Lab revealed two spying campaigns that exploit known weaknesses in global telecom infrastructure (e.g., SS7) to track phone locations. Surveillance vendors operated as “ghost” companies that impersonated legitimate cellular providers to piggyback on network access. The report suggests these are just a small sample of widespread exploitation, raising serious concerns about privacy and the weaponization of telecom protocols.
Apple fixes bug that cops used to extract deleted chat messages from iPhones (742 points by cdrnsf)
Apple fixes bug that cops used to extract deleted chat messages from iPhones
Apple released a software update fixing a bug that caused notifications containing message content to remain cached on devices for up to a month, even after the messages were deleted from apps like Signal. Law enforcement had been using forensic tools to recover these cached notifications. The fix addresses a long-standing privacy vulnerability that allowed deleted data to persist outside the app’s control.
Writing a C Compiler, in Zig (2025) (71 points by tosh)
Writing a C Compiler, in Zig (2025)
The author documents their journey writing a C compiler (named “paella”) in the Zig programming language, following Nora Sandler’s “Writing a C Compiler” book. The series covers chapters from unary operators to linking, serving both as a learning exercise for Zig and as a constructive way to spend time while between jobs. It highlights Zig’s suitability for low-level systems programming.
The Onion to Take over InfoWars (408 points by lxm)
The Onion to take over InfoWars
The satirical news organization The Onion is set to acquire InfoWars, the controversial media platform owned by Alex Jones. While full details are not available in the preview, the acquisition marks a notable shift in which a parody news outlet takes control of a conspiracy-theory-driven network, potentially transforming its content direction.
A Renaissance gambling dispute spawned probability theory (48 points by sohkamyung)
A Renaissance gambling dispute spawned probability theory
The article recounts the “problem of points,” a 17th-century puzzle about how to fairly divide a pot in an interrupted game of chance. This dispute led mathematicians like Pascal and Fermat to develop the foundations of probability theory, which later became essential for risk assessment, insurance, and modern AI/ML algorithms (e.g., Bayesian inference, probabilistic models).
Supply-chain security is an urgent AI/ML infrastructure risk
The Bitwarden compromise via a compromised GitHub Action in CI/CD pipelines reflects a growing attack vector that directly threatens the software supply chains that AI/ML tools depend on. As ML pipelines increasingly rely on open-source packages and CI automation, attackers can inject malicious models, data poisoning, or credential theft. Implication: AI/ML teams must audit their own CI/CD workflows, pin dependency versions, and use runtime security tools (like Socket) to detect anomalous code in third-party packages.
Demand for “no-tech” simplicity may spill over into AI/ML hardware
The popularity of mechanically injected tractors without electronics (Ursa Ag) signals a broader backlash against over-engineered, proprietary systems. In AI/ML, this parallels the push for simpler, more repairable hardware (e.g., open-source RISC-V accelerators, modular edge devices) and away from black-box ASICs. Implication: Expect growing interest in frugal, transparent compute hardware for inference and on-device ML, especially in regulated or resource-constrained environments.
Real-time event-driven architectures are expanding to embedded databases
Honker brings PostgreSQL-style pub/sub to SQLite, enabling lightweight, real-time data processing without a broker. This trend aligns with AI/ML needs for low-latency inference on edge devices, where full database servers are too heavy. Implication: Developers can build AI agents, streaming analytics, and reactive systems on a single file database, reducing infrastructure complexity while maintaining durability and ordering guarantees.
Privacy vulnerabilities in mobile OS notification caching create ML training data leakage
Apple’s fix for cached notifications reveals that OS-level notification stores can be exploited to recover deleted messages—a direct privacy risk for end users and organizations. For AI/ML, this highlights that training data derived from device logs (e.g., for recommendation systems or debugging) may inadvertently contain sensitive, non-deleted content. Implication: ML practitioners must sanitize any data extracted from notification caches or system logs, and design models that assume no permanent deletion.
Probability theory’s Renaissance roots are a reminder of foundational math for modern AI
The article on the problem of points underscores that probability theory—a core pillar of modern AI (Bayesian networks, stochastic gradient descent, uncertainty quantification)—originated from practical gambling disputes. Implication: Understanding the historical context helps demystify ML math; more importantly, it encourages AI researchers to revisit fundamental probabilistic fairness and risk analysis in high-stakes applications (e.g., autonomous driving, medical diagnosis).
Compilers as AI/ML training tools: Zig’s rise for systems programming
The C compiler written in Zig reflects a growing trend of using modern systems languages for building ML infrastructure (kernels, compilers, runtime engines). Zig’s emphasis on safety, performance, and cross-compilation makes it attractive for optimizing ML model deployment. Implication: AI/ML engineers should consider Zig for low-level tooling (e.g., custom GPU kernels, model compilers like TVM), where C++ verbosity is a hindrance.
Surveillance campaigns highlight the need for AI-driven network anomaly detection
The telecom surveillance campaigns (SS7 exploitation) show how legacy protocols can be abused at scale. AI/ML techniques—especially anomaly detection in signaling traffic—could help identify ghost carriers or abnormal location queries in real time. Implication: Telecom operators and security vendors should invest in ML-based monitoring of network metadata, training models on normal SS7 patterns to flag potential surveillance vendor abuse.
Analysis generated by deepseek-reasoner