Top Stories

Someone bought 30 WordPress plugins and planted a backdoor in all of them

737 points · anchor.host

A classic supply chain attack playing out in real time: an attacker quietly acquired 30 legitimate WordPress plugins and pushed updates containing a backdoor, reaching an unknown number of sites through the trusted auto-update channel. The HN thread is a mix of “this was inevitable” and concrete discussion of why the plugin ecosystem’s ownership-transfer process has almost no guardrails — anyone with cash and patience can buy their way into thousands of installs. Expect this to reignite debates about code-signing, package provenance, and whether WordPress needs something closer to npm’s (already imperfect) review process.

GitHub Stacked PRs

471 points · github.github.com

GitHub is finally shipping first-class support for stacked pull requests, a workflow power users have been approximating with tools like Graphite, Phabricator, and custom scripts for years. Stacking lets you chain dependent PRs so reviewers can tackle small, focused diffs instead of one monster branch, and rebase pain mostly disappears. The comments are full of teams comparing notes on the third-party tools they’ll be ripping out — and skeptics asking whether GitHub’s implementation will match what the dedicated tools already do well.

Servo is now available on crates.io

430 points · servo.org

Mozilla’s experimental Rust browser engine, now under Linux Foundation Europe stewardship, shipped a 0.1.0 release to crates.io. That means Rust developers can pull in Servo as a library and embed web rendering into their own apps without building from source. It’s a meaningful milestone for a project many assumed was dead after Mozilla layoffs, and the community is excited about the possibilities for alt-browser experiments, embedded UIs, and automation tooling built on something that isn’t Chromium.

Nothing Ever Happens: a Polymarket bot that always buys No on non-sports markets

367 points · github.com/sterlingcrispin

A developer built a Polymarket trading bot with a single, dumb strategy — always bet “No” on non-sports prediction markets — and it’s apparently been profitable. The underlying thesis is that prediction markets systematically overprice dramatic outcomes (wars, resignations, black-swan events) because bettors are drawn to the exciting side. The comments dig into whether this is real alpha, survivorship bias, or a reflection of how bad most humans are at baseline-rate reasoning. Either way, it’s a fun empirical jab at the “prediction markets are efficient” crowd.

Make tmux pretty and usable (2024)

325 points · hamvocke.com

An evergreen guide to taming tmux’s defaults, hitting the front page again because HN always has an appetite for terminal dotfile content. The post walks through sensible key bindings, status bar customization, and plugin managers without going overboard. The comment thread is the usual festival of dotfile show-and-tell, plus the obligatory “just use Zellij” and “screen is fine” contingents.

Building a CLI for all of Cloudflare

266 points · cloudflare.com

Cloudflare is consolidating its sprawling product surface behind a single cf CLI, replacing the patchwork of Wrangler, flarectl, and dashboard-only workflows with something closer to the AWS CLI in scope. The post covers how they’re using local explorers and OpenAPI-driven code generation to keep command coverage in sync with their API. Developers in the thread are cautiously optimistic — Cloudflare’s DX is usually good — while grumbling about yet another tool to install.

How to make Firefox builds 17% faster

141 points · farre.se

A Mozilla engineer walks through caching the WebIDL code generation step in the Firefox build, trimming full builds by 17%. It’s the kind of deep, patient performance work that rarely makes headlines — profile the build, find the hot path that invalidates constantly, design a content-addressable cache, integrate with the existing build system. Great read if you care about compiler engineering or large-scale build systems, and a reminder that most “our builds are slow” problems have a handful of dominant causes waiting to be fixed.

Android now stops you sharing your location in photos

306 points · shkspr.mobi

Android’s share sheet now strips GPS EXIF data from photos by default before sending them, a small-but-meaningful privacy win that iOS has had in some form for a while. The comments debate whether this goes far enough (what about timestamps, camera serials, and full EXIF scrubbing?), whether defaults should be opt-in or opt-out for stripping, and the broader problem of how much metadata the average person unknowingly broadcasts every time they DM a photo.

GAIA — Open-source framework for building AI agents that run on local hardware

103 points · amd-gaia.ai

AMD released GAIA, an open-source agent framework explicitly designed to run on local CPUs and NPUs instead of phoning home to a cloud API. It’s clearly aimed at the “Ryzen AI” PC push, but it works beyond AMD silicon. The local-AI crowd on HN is enthusiastic — combining Ollama-style local inference with agentic workflows without a subscription is an increasingly credible pitch — though reviewers note the framework is still early and the examples lean heavily on AMD’s own hardware story.

Lean proved this program correct; then I found a bug

115 points · kirancodes.me

A cautionary tale from the formal methods world: a program verified in Lean 4 still shipped a real bug, because the specification itself was wrong. The post is a careful walk through how the author found the discrepancy, why the proof was vacuously true against a flawed spec, and what lessons it carries for anyone reaching for theorem provers as a silver bullet. HN’s formal-methods contingent shows up in the comments to argue about spec-writing discipline and the role of property-based testing alongside proofs.