VS Code 1.118 silently tags Copilot as co-author; dav2d AV1 decoder surges on HN; Utah SB 73 targets VPN users for age verification starting May 6. Plus Ladybird April update and Mercury's 2M-line Haskell codebase.

Hacker News Roundup
A daily digest of the most important tech and startup stories from Hacker News, delivered in minutes. Get data daily from https://news.ycombinator.com/. Include date in the episode name. Ep title super concrete based on top stories. Rapid fire, no repetition.
Episodes
Vercel's April security incident aftermath, Claude Code's quiet spread inside Microsoft, multi-year RAM shortage implications for devs, plus a Show HN in-browser Gemma 4 demo and Notion's public-page email leak.
Uber torched its 2026 AI budget by April, PyTorch Lightning 2.6.2-2.6.3 ships credential-stealing malware, Canonical fights off 313 Team DDoS, cPanel CVE-2026-41940 hits all supported versions, plus Grok 4.3 and Rivian privacy tradeoffs.
Supply-chain worm Shai-Hulud found in PyTorch Lightning, Meta dismisses employees over smart-glasses privacy breach, and GCC 16 release status stays murky days after branch freeze. Security, wearables, and compiler drama in one shot.
Linux 7 scheduling halves PostgreSQL TPS on Graviton4, AWS quietly ships OpenAI+Codex on Bedrock, and the BBC piece HN loved argues AI doomism is a market strategy. Infrastructure reality vs. AI hype in one shot.
LocalSend hits 474pts as the AirDrop killer nobody asked Google for. Google signs classified DoD AI deal. Anthropic drops €240k on Blender. GitHub meters Copilot reviews starting June 1. Android sideloading fights back.
Cover Mistral's new code-focused LLM Codestral and its benchmark performance, then pivot to the EU AI Act officially entering force and what compliance means for startups. Rapid takes on both stories, no fluff.
Cover Mistral's new code-focused LLM Codestral and its benchmark performance, then pivot to the EU AI Act's first enforcement phase kicking in and what it means for startups shipping AI products in Europe.
Google locks in $10B now + $30B more for Anthropic at a $350B valuation; OpenAI pays researchers to crack GPT-5.5 biosafety guardrails; a popular audio interface shipped with SSH wide open. Plus: agent hype backlash and YC S26 apps closing soon.
DeepSeek V4 tops HN with 1,200+ comments challenging OpenAI's freshly launched GPT-5.5. Bitwarden CLI 2026.4.0 compromised via GitHub Actions. Meta slashes 10% of staff. Tesla quietly discloses a $2B AI hardware acquisition with no name attached.
Bitwarden CLI hijacked via Checkmarx CI/CD attack, GitHub multi-service outage hits devs, Apple patches notification cache exposing deleted chats to cops, France ID agency breach hits 19M records, and raylib 6.0 drops with 2,000+ commits.
NSA uses Anthropic's Mythos despite Pentagon ban (344pts), GitHub's purchasable star economy collapses trust, Atlassian reverses its own AI data pledge, plus Deezer's 44% AI-upload flood and EU's 2027 replaceable-battery deadline closing in.
Vercel confirms unauthorized internal access; Notion allegedly exposes editor emails on public pages; HN erupts over Claude Opus 4.7 token bloat vs 4.6; plus NIST any-wavelength lasers and Blizzard kills Turtle WoW.
Claude Opus 4.7 pricing is up ~45%, HN erupts. Anthropic launches Claude Design to rival Canva/Figma. Devs flee DigitalOcean for Hetzner. Amazon kills Fire TV sideloading on Vega OS. Kdenlive thrives. AI ROI skepticism peaks.
Anthropic's Claude Design tops HN at 323pts, but Opus 4.7's $25/M output tokens sparks backlash. OpenAI Codex hits 961pts. NIST quietly retreats from CVE enrichment. Google's Android CLI promises 3x faster app builds.
Anthropic launches Opus 4.7 for long-running engineering tasks; Qwen3.6-35B-A3B goes open-weight; IPv6 crosses 50% of Google traffic; Cloudflare adds email for agents; dev loses €54k to exposed Firebase key.
Google ships Gemini Robotics-ER 1.6 via API, Claude hits its second April outage, a court ruling strips AI chats of legal privilege, Gemma 4 crosses 400M downloads, and TrackSuccession goes live on SEC filings.
30+ WordPress plugins weaponized post-acquisition with RCE backdoors; GitHub's native stacked PR preview hits HN's top; Blackmagic brings pro color grading to photos; Google bans back-button hijacking in Search spam policy.
Collabora lands mainline video capture for Rockchip RK3588 after five-plus years of upstream work. A quiet but massive win for open embedded Linux. Why does open hardware take this long, and is the pace finally accelerating?
Android quietly strips EXIF geotags on photo share. 252 HN points, 215 comments, and a furious debate: is Google protecting users or removing power-user choice? The paternalistic defaults war heats up.
Cloudflare drops a universal CLI preview during Agents Week, collapsing its entire platform into one command surface. Bold simplification or deeper lock-in dressed as developer ergonomics? HN has opinions.
EE Times confirms AMD's ROCm now runs out-of-the-box on Strix Halo laptops after 2.5 years of investment. HN erupts with 177 comments. Is CUDA lock-in finally cracking, and what does that mean for AI infra costs?
Servo v0.1.0 lands on crates.io as an embeddable library, challenging Chromium's stranglehold on web rendering. What does a Rust-native browser engine with an LTS track mean for the future of the open web?
Claude outages hit Anthropic on the same day HN buzzes with a solo founder shipping a SaaS in 3 weeks using AI tools. Meanwhile Microsoft quietly walks back Copilot. Is AI maturing from hype into operational reality—and what does that mean for builders?