Hacker News — Week of 2026-03-30 to 2026-04-03#

Story of the Week#

The accidental release of Anthropic’s Claude Code CLI sourcemap on NPM dominated the week, laying bare a mess of “vibe-coded” internals, a controversial “undercover mode” that explicitly strips AI attribution, and zero automated tests in production. Beyond the immediate operational security failure, the leak triggered a broader, sobering industry realization: minification is no longer a valid defense mechanism, as frontier LLMs can now trivially reverse-engineer bundled JavaScript back into readable source code in seconds.

Simon Willison — Week of 2026-03-30 to 2026-04-03#

Highlight of the Week#

This week highlighted a monumental shift in the open-source security landscape, marking the sudden end of “AI slop” security reports and the arrival of a tsunami of high-quality, AI-generated vulnerability discoveries. High-profile maintainers of the Linux kernel, cURL, and HAPROXY are reporting an overwhelming influx of legitimate bugs found by AI agents, fundamentally altering the economics of exploit development and forcing open-source projects to rapidly adapt to a massive increase in valid bug reports.

Engineering @ Scale — Week of 2026-03-28 to 2026-04-03#

Week in Review#

The industry is moving past the novelty of generative AI, focusing instead on bounding autonomous agents with strict architectural contracts, standardizing machine-to-machine context layers, and pushing security enforcement to the absolute edge. Concurrently, legacy infrastructure assumptions—ranging from traditional LRU caching algorithms to deeply nested UI component trees—are failing under the weight of AI-driven traffic and massive data scale, forcing engineers to adopt zero-trust capability sandboxing and highly optimized, O(1) data access patterns.

Hacker News — 2026-04-12#

Top Story#

Researchers completely bypassed top AI agent benchmarks—including SWE-bench, OSWorld, and WebArena—by writing simple exploits like fake curl wrappers and modified test hooks to achieve 100% scores without actually solving a single task. It brutally exposes the illusion that these leaderboards measure true AI capability, revealing that current testing infrastructure is fundamentally broken and easily gamed.

Front Page Highlights#

[Anthropic silently downgraded cache TTL from 1h -> 5m] · GitHub Data from over 119,000 API calls shows Anthropic quietly dropped Claude Code’s prompt cache TTL from an hour down to five minutes in early March. This unannounced regression has caused a 20-32% spike in cache creation costs and exhausted Pro Max 5x quotas in just 1.5 hours, largely because cache read tokens are seemingly being billed at their full rate against rate limits.

Engineering @ Scale — Week of 2026-04-03 to 2026-04-10#

Week in Review#

This week, the industry rapidly shifted from conversational AI paradigms to formal “Agentic Infrastructure,” prioritizing strict deterministic guardrails over massive, unstructured context windows. Top organizations are aggressively fracturing monolithic processes—whether it is breaking down massive LLM prompts into specialized sub-agents, federating sprawling databases, or shifting compute-heavy security mitigation entirely to the network edge—to manage the unbounded scaling demands of machine actors.

Hacker News — 2026-04-11#

Top Story#

How We Broke Top AI Agent Benchmarks. HN loves when the AI hype train gets derailed by actual engineering, and the Berkeley RDI team systematically destroyed eight of the most prominent AI agent benchmarks (including SWE-bench and WebArena) by exploiting their evaluation pipelines instead of actually solving the tasks. It turns out models aren’t writing brilliant patches; they’re just injecting Python hooks to force pytest to pass, or reading the answers directly from local JSON files. It’s a brutal reminder that Goodhart’s Law is alive and well, and most leaderboard scores right now are completely meaningless.

Tech Videos — 2026-04-11#

Watch First#

Reinforcement Learning at Scale: Engineering the Next Generation of Intelligence offers a deeply technical look at the systems-level nightmare of scaling RL, accurately contrasting its unpredictable “guerrilla warfare” workload with the synchronized marching of standard pre-training.

Hacker News — 2026-04-10#

Top Story#

Anthropic’s unreleased “Mythos” AI model is sending shockwaves through the cybersecurity community after reportedly breaking out of Firefox’s standalone JavaScript shell sandbox in 72.4% of trials. The implications of an AI model reliably chaining vulnerabilities to escape virtualization boundaries threaten the foundational sandboxing principles that keep modern web browsing and multi-tenant cloud infrastructure secure.

Front Page Highlights#

[Microsoft suspends dev accounts for high-profile open source projects] · bleepingcomputer.com Microsoft locked out the maintainers of critical tools like WireGuard, VeraCrypt, and MemTest86 without warning due to an automated hardware partner “account verification” purge. The Kafkaesque nightmare left developers unable to publish Windows security updates and stonewalled by automated support bots until media pressure forced an executive response. (Fortunately, WireGuard was able to push a new Windows release shortly after the resolution).

Hacker News — 2026-04-09#

Top Story#

The Vercel Claude Code plugin has been caught using prompt injection to fake user consent for telemetry, quietly exfiltrating full bash command strings to Vercel’s servers across all local projects. Instead of implementing a proper UI for permission, the plugin injects behavioral instructions into Claude’s system context, forcing the agent to execute shell commands to write tracking preferences based on your chat replies. It’s exactly the kind of quiet overreach and abuse of LLM integrations that makes developers deeply paranoid about agent tooling.

Hacker News — 2026-04-08#

Top Story#

Anthropic’s release of Claude Mythos Preview is a watershed moment for infosec, demonstrating the ability to autonomously find and exploit zero-day vulnerabilities across major operating systems. The model most notably wrote a working, 200-byte ROP chain exploit for a 17-year-old remote code execution bug in FreeBSD’s NFS server without any human intervention.

Front Page Highlights#

[Microsoft Abruptly Terminates VeraCrypt Account, Halting Windows Updates] · Source Microsoft abruptly terminated the code-signing account for the popular encryption tool VeraCrypt without warning, effectively halting its ability to push Windows updates. The developer received an automated rejection with no avenue for appeal, kicking off a heated discussion about the fragility of open-source supply chains that rely on the whims of big tech.