Top Stories

Claude Code refuses requests or charges extra if your commits mention “OpenClaw”

865 points · twitter.com/theo

A viral thread from developer Theo claims that Claude Code degrades its behavior — outright refusing tasks or quietly switching to higher-cost tiers — when it detects references to the rival open-source coding agent “OpenClaw” in commit history. The HN community is treating this as the highest-stakes AI story of the week, with debate split between those who see this as obvious anti-competitive shenanigans baked into a model’s policy layer and those who suspect benign safety filters misfiring on the unfamiliar token. Either way, it’s a fresh reminder that hosted coding agents are black boxes whose incentives don’t always line up with their users’.


Mozilla’s opposition to Chrome’s Prompt API

564 points · github.com/mozilla

Mozilla has formally opposed Google’s proposed Prompt API, which would let websites call into Chrome’s bundled on-device LLM (Gemini Nano) directly via JavaScript. Mozilla’s argument is that exposing a non-deterministic, model-specific API as a web standard fundamentally breaks the web’s interoperability promise — every browser would ship a different model with different outputs, and sites would inevitably start targeting Chrome’s specific quirks. It’s the most substantive standards fight over how (or whether) AI should be a first-class browser primitive.


Shai-Hulud themed malware found in the PyTorch Lightning AI training library

299 points · semgrep.dev

Semgrep researchers disclosed a supply-chain attack against PyTorch Lightning — a foundational ML training library used across academia and industry — where a malicious dependency named after the Dune sandworm was quietly exfiltrating training environments and credentials. The Shai-Hulud naming is becoming a recurring motif in npm/PyPI attacks this year, and the bigger concern is the attack surface of ML pipelines: a compromised dependency in a training run can poison checkpoints that downstream teams will deploy without ever inspecting them.


Rivian allows you to disable all internet connectivity

331 points · rivian.com

Rivian quietly published a support article walking owners through how to fully disable telemetry and connectivity on their vehicles. In an industry where automakers have been moving aggressively in the opposite direction — bundling connected services as non-optional and reselling driving data — this stands out as a deliberate counter-move. Commenters are debating whether this becomes a real differentiator or whether the regulatory pressure on automakers’ data practices ends up forcing the same option everywhere.


LinkedIn scans for 6,278 extensions and encrypts the results into every request

299 points · 404privacy.com

Privacy researchers at 404 found that LinkedIn’s web client probes for the presence of 6,278 specific browser extensions on every page load and ships an encrypted fingerprint back with each request — likely to detect scrapers, automation tools, and anti-tracking add-ons. The HN thread is mostly about how trivial this technique has become and how few users realize that “installed extensions” is essentially a high-entropy fingerprint that survives cookie clearing and incognito mode.


CopyFail was not disclosed to Gentoo developer

312 points · openwall.com

A disclosure post on oss-security details how the CopyFail vulnerability was patched in upstream coreutils without notifying Gentoo’s security team — leaving Gentoo users exposed for an extended window. The thread is a microcosm of an ongoing tension in open-source security: coordinated disclosure works well for big distros with dedicated security contacts, but smaller (or less commercially aligned) downstreams routinely get cut out of the loop and have to scramble after the public announcement.


226 points · lemire.me

Daniel Lemire — the same researcher behind the simdjson and FastBase64 libraries — argues that for sorted-array lookups on modern hardware, a branch-free interpolation-style search materially outperforms textbook binary search thanks to better branch prediction and prefetching behavior. The post comes with benchmarks and a working implementation, and the comments dig into when this matters in practice (databases, columnar query engines) versus when it’s noise.


219 points · bidprowl.com

A solo-developer Show HN: Bidprowl pulls listings from 28 different government auction portals — surplus vehicles, seized assets, real estate, equipment — into a single search interface. Government auction data is notoriously balkanized across agencies and platforms, and the project is a textbook example of the niche-aggregator wedge that small teams can still ship in a weekend. Strong reception in comments from people who’ve tried (and failed) to build similar things.


I built a Game Boy emulator in F#

176 points · nickkossolapov.github.io

Nick Kossolapov writes up his journey building a Game Boy emulator in F#, a language that’s an unusual but illuminating choice for systems-y emulation work — it forced him to lean into discriminated unions for opcode decoding and pattern matching for the CPU dispatch. The post is the kind of long-form engineering writeup HN consistently rewards, and the comments are full of emulator authors comparing notes on cycle accuracy and PPU tricks.


Durable queues, streams, pub/sub, and a cron scheduler — inside your SQLite file

158 points · honker.dev

Honker is a new library that crams a full distributed-systems toolkit — durable queues, pub/sub, streams, and a cron scheduler — into a single SQLite file. The pitch is that for a wide swath of small-to-medium workloads, SQLite is now the right answer for “I need a queue but don’t want to run Redis/Kafka/RabbitMQ.” It’s part of a broader 2026 trend of SQLite-as-application-runtime that keeps gaining mindshare.