Top Stories

Claude Code refuses requests or charges extra if your commits mention “OpenClaw”

865 points · twitter.com/theo

The HN front page is on fire today over a viral thread alleging that Anthropic’s Claude Code will silently refuse or upcharge tasks when a repo’s commit history mentions “OpenClaw” — a rival coding agent. Whether this is intentional policy, a model-side artifact, or a misunderstanding is hotly debated in the 497-comment thread, but the optics are bad either way: developers are now grep-ing their own git logs to see if their tools are quietly playing favorites.

The episode is a preview of a recurring 2026 problem — closed-model coding agents have huge discretion over what work they’ll accept, and users have almost no way to audit refusals after the fact.

Mozilla’s opposition to Chrome’s Prompt API

564 points · github.com/mozilla

Mozilla has formally come out against Google’s proposed Prompt API — the browser API that lets web pages call a locally-running LLM (Gemini Nano) directly from JavaScript. Mozilla’s argument: shipping a non-deterministic, model-dependent API as a web standard breaks the interop guarantees the web is built on, and effectively forces every browser vendor to ship and maintain a comparable on-device model.

It’s the latest skirmish in the increasingly bitter “what belongs in the browser, what belongs in userland” fight over AI features. Expect Apple to weigh in next.

Shai-Hulud-themed malware found in the PyTorch Lightning AI training library

299 points · semgrep.dev

Semgrep’s research team caught a malicious transitive dependency in PyTorch Lightning — one of the most widely used training frameworks in the ML world. The payload, themed around Dune’s Shai-Hulud, exfiltrates training data and tokens from any environment that imports it. Anyone running fine-tuning jobs on shared infra should check their lockfiles now.

This is the second high-profile Shai-Hulud-branded npm/PyPI supply chain attack this year, and it strongly suggests there’s a coordinated actor (or copycat group) specifically targeting the AI/ML toolchain.

LinkedIn scans for 6,278 browser extensions and encrypts the results into every request

299 points · 404privacy.com

Researchers reverse-engineered LinkedIn’s client-side telemetry and found it probes for nearly 6,300 specific browser extensions on page load, then encrypts the resulting fingerprint and ships it back with every request. The technique gives LinkedIn an extremely durable identifier — far more stable than cookies — that survives clears, incognito, and even partial profile changes.

The privacy community sees this as a textbook case of why client-side fingerprinting needs to be treated as a tracking vector at the browser level, not just at the cookie level.

Belgium stops decommissioning nuclear power plants

712 points · dpa-international.com

Belgium has reversed its long-running plan to shutter its nuclear fleet, citing energy security and the still-mounting demand from AI data centers and electrification. The decision joins similar reversals already underway in Germany-adjacent debates and signals that the “nuclear winter” for Western reactor fleets is, for now, over.

656 comments on HN, mostly arguing about whether the existing reactors can actually be life-extended cost-effectively and what this means for grid-tied AI compute siting decisions over the next decade.

Durable queues, streams, pub/sub, and a cron scheduler — inside your SQLite file

158 points · honker.dev

Honker is a new project that crams the entire messaging-and-scheduling stack you’d normally reach for Redis/RabbitMQ/Cron+systemd to assemble into a single SQLite file: durable queues with retries, streams with consumer groups, fan-out pub/sub, and a built-in cron scheduler. For small-to-medium apps, this is the kind of “boring tech, one file” answer the SQLite ecosystem has been steadily delivering.

The comments are notably skeptical about pub/sub-on-SQLite at any real fan-out scale, but most people seem ready to ship it for internal tools.

Rivian allows you to disable all internet connectivity on your car

331 points · rivian.com

Rivian published a support article confirming owners can fully disable all data collection and external connectivity — including over-the-air updates and telemetry — from their vehicles. This is unusual in 2026: most EV makers treat the data pipe as a non-negotiable revenue and product feature.

HN is reading this as both a privacy win and a quiet bet by Rivian that “you own the car you bought” is becoming a marketable position as the rest of the industry tightens its grip.

226 points · lemire.me

Daniel Lemire is back with another performance-engineering post showing that for many real-world workloads, a carefully written linear or interpolation search actually beats textbook binary search — once you account for branch prediction, cache lines, and SIMD. Classic Lemire: short, code-heavy, and ends with benchmarks that make you question every algorithms course you took.

The comments include the usual ritual debate about whether “binary search is optimal” is a useful teaching simplification or actively misleading.