From 30 items, 7 important content pieces were selected

---

1. lightning PyPI compromise steals credentials and poisons repos ⭐️ 9.0/10
2. Ladybird’s April 2026 Browser Engine Update ⭐️ 8.0/10
3. VideoLAN Releases dav2d AV2 Decoder ⭐️ 8.0/10
4. VS Code Commit Trailer Sparks Copilot Controversy ⭐️ 8.0/10
5. White House Opposes Anthropic’s Mythos Access Expansion ⭐️ 8.0/10
6. Artemis II Laser Link Sends 484 GB from the Moon ⭐️ 8.0/10
7. DeepSeek-V4 Preview Launches with Open-Source Release ⭐️ 8.0/10

---

lightning PyPI compromise steals credentials and poisons repos ⭐️ 9.0/10

Socket reported that lightning 2.6.2 and 2.6.3 on PyPI were trojanized with malicious code that runs on import, downloads an obfuscated JavaScript payload, and steals GitHub tokens, cloud credentials, and environment variables. The stolen access was then used to inject fake commits into repositories and poison local npm packages, with behavior resembling the Shai-Hulud worm. This is a high-impact supply-chain incident because lightning is a widely used deep learning package, so compromised installations can expose developer accounts, cloud infrastructure, and downstream projects. The apparent ability to reuse stolen credentials for further repository poisoning raises the risk of broader propagation across software and ML ecosystems. The malware triggers during normal package import rather than requiring a separate execution step, which makes detection harder and increases the chance of accidental exposure. The recommended response is to remove versions 2.6.2 and 2.6.3, downgrade to 2.6.1, and rotate all potentially affected keys and tokens.

telegram · zaihuapd · May 2, 00:36

Background: PyPI is the main package index for Python, and many projects install libraries from it directly as part of development or deployment. Supply-chain attacks abuse that trust by hiding malicious behavior inside legitimate-looking packages, often activating during install, import, or runtime. In this case, the report says the package also attempted to exfiltrate credentials and modify repositories, which can turn one compromise into many.

References

• How to Detect and Recover From a Compromised PyPI Package
• The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs
• PYPI Security: How to Prevent Supply Chain Attacks in Python Projects

Tags: #supply-chain security, #PyPI, #machine learning, #credential theft, #malware

---

Ladybird’s April 2026 Browser Engine Update ⭐️ 8.0/10

Ladybird’s April 2026 newsletter reports continued progress on its from-scratch browser engine. The update reflects ongoing work toward a truly independent browser stack based on web standards rather than Chromium, Firefox, or WebKit code. Ladybird is one of the few serious efforts to build a modern browser engine independently, which matters because browser engines shape web compatibility, security behavior, and standards adoption. If it matures, it could become an important alternative in a market dominated by a small number of engines. Ladybird describes itself as a new browser engine built from scratch, not a fork, and says it does not use code from Blink, WebKit, Gecko, or other browser engines. The project also emphasizes that it is funded by donations and sponsorships, with no ads, search deals, or data collection.

hackernews · richardboegli · May 2, 20:46

Background: A browser engine is the core software that renders web pages, applies layout, handles navigation, and enforces browser behavior such as security policies and script interaction. Modern websites are built around web standards, but real-world compatibility is complicated because browsers often need to support nonstandard behavior and site-specific quirks. Building a new engine from scratch is therefore a long-term effort, especially for a project that wants to work across the modern web.

References

• Ladybird is a truly independent web browser , backed by a non-profit.
• GitHub - LadybirdBrowser/ ladybird : Truly independent web browser
• Ladybird (web browser) - Wikipedia

Discussion: Commenters were broadly optimistic about Ladybird’s progress, with some saying it is becoming “pretty usable” and comparing its development pace to game emulator updates. Others raised practical concerns about browser competition, especially artificial compatibility barriers, Chromium-only site behavior, and DRM like Widevine making it hard for new browsers to compete.

Tags: #browser-engine, #web-standards, #open-source, #systems-software, #hacker-news

---

VideoLAN Releases dav2d AV2 Decoder ⭐️ 8.0/10

VideoLAN has published dav2d, an early open-source CPU-based decoder for the AV2 video codec. The project is designed to be small, portable, and very fast, with performance-critical assembly used on key paths. AV2 is the next-generation successor to AV1, so an early decoder from VideoLAN is a meaningful signal that the ecosystem is starting to prepare for the format. Fast software decoders matter for players, streaming tools, and infrastructure that need AV2 support before hardware implementations become widespread. The project is CPU-based rather than hardware-accelerated, and the maintainers emphasize assembly in performance-critical paths to maximize speed. The AV2 specification is still early, so dav2d should be viewed as a work-in-progress decoder rather than a final production baseline.

hackernews · dabinat · May 2, 17:32

Background: AV2 is the next-generation video coding specification from the Alliance for Open Media, the same consortium behind AV1. Like AV1, it is intended to be royalty-free and to improve compression efficiency, which means delivering similar visual quality at lower bitrates. A decoder is the software that turns compressed video bitstreams back into playable frames, so decoder availability is a key step for adoption. VideoLAN is best known for VLC and has a history of building highly optimized media components, including dav1d for AV1.

References

• VideoLAN Publishes Dav2d For Open-Source AV2 Decoder - Phoronix
• VideoLAN publishes dav2d, an early CPU decoder for AV2 video codec - VideoCardz.com
• AV2 Specification

Discussion: Commenters were broadly positive about the release and noted that using assembly for performance-critical paths follows the successful pattern of dav1d. Several also framed AV2 as the next big codec milestone, while pointing out that the codec is still immature and that a usable encoder may take time to arrive.

Tags: #AV2, #video codecs, #systems programming, #performance optimization, #open source

---

VS Code Commit Trailer Sparks Copilot Controversy ⭐️ 8.0/10

A VS Code pull request appeared to enable adding “Co-Authored-by Copilot” to Git commits by default, even when Copilot was not actually used. The change triggered debate because it affects commit metadata that developers expect to reflect real authorship. Git commit messages are part of the technical record, so automatically attributing work to Copilot raises trust and integrity concerns. The controversy also highlights a broader tension in developer tools between AI branding goals and standards-driven, accurate project history. The discussion centers on Git commit trailers, which are convention-based lines such as “Co-Authored-by” used to attribute contribution in commit history. According to the comments, the PR was approved but later criticized for being enabled by default without sufficient validation, and one commenter noted an inconsistency between the configuration default and runtime fallback behavior.

hackernews · indrora · May 2, 19:57

Background: In Git, commit metadata is meant to capture who made a change and how it was authored, even though “co-author” itself is a convention rather than a core Git feature. Tools like VS Code and Copilot can surface or insert these trailers when generating or assisting with commits. Because developers often rely on commit history for auditing, blame, and accountability, changes to attribution behavior can have outsized impact.

References

• VS Code inserting ' Co - Authored - by Copilot ' into commits regardless...
• Staging and committing changes
• How do I add a co-author to latest pushed git commit? - Stack Overflow

Discussion: Commenters were strongly critical overall, with several arguing that inserting Copilot attribution into commits is misleading and harms trust in the developer log. One approving reviewer apologized for enabling the feature by default, while another commenter pointed out that Copilot itself reportedly flagged the inconsistency in the code change.

Tags: #VS Code, #Git, #Copilot, #AI ethics, #developer tools

---

White House Opposes Anthropic’s Mythos Access Expansion ⭐️ 8.0/10

Anthropic reportedly proposed expanding access to its Mythos AI model from about 50 entities to roughly 120, but the White House opposed the plan on national security grounds. Officials also worried that available compute would not be enough to serve the additional entities while meeting government needs. This highlights growing government scrutiny over advanced AI models that can help discover software vulnerabilities, especially when broader access could increase misuse risks. It also shows how AI deployment decisions are becoming a national-security issue, not just a product or enterprise-policy question. Mythos is described as having the ability to find and exploit software vulnerabilities, which has raised security concerns in recent weeks. The model had previously been limited to critical infrastructure operators and some government agencies, and the report says the Trump administration is trying to expand government usage even as tensions over military AI use remain high.

telegram · zaihuapd · May 2, 01:48

Background: Software vulnerability-finding models can assist defenders by uncovering flaws before attackers do, but the same capability can also be abused to launch attacks. That dual-use nature is why access to such models is often tightly controlled, especially when they are powerful enough to identify and exploit zero-day vulnerabilities.

References

• Project Glasswing: Securing critical software for the AI era
• Claude Mythos Preview \ red.anthropic.com

Tags: #AI policy, #national security, #model safety, #cybersecurity, #Anthropic

---

Artemis II Laser Link Sends 484 GB from the Moon ⭐️ 8.0/10

NASA reportedly used the Orion Artemis II Optical Communications System (O2O) to downlink 484 GB of data from the Moon at speeds up to 260 Mbps. The system sent large volumes of lunar data, including high-bandwidth media, across Earth-based ground stations in a short time window. This is an important demonstration of deep-space optical communications, which can move far more data than traditional radio-frequency links. If sustained on future missions, it could improve real-time science return, support richer crew communications, and help lunar and Martian exploration missions transmit images and video much more efficiently. The O2O system was developed by MIT Lincoln Laboratory, and the downlink was supported by ground stations including NASA’s Jet Propulsion Laboratory, White Sands Complex, and the Mount Stromlo Observatory at the Australian National University. The report also says one ground station received 26 GB in under an hour, highlighting the system’s high throughput.

telegram · zaihuapd · May 3, 00:50

Background: Optical communications use laser beams instead of radio waves to send data, which usually allows much higher bandwidth. In space missions, that means spacecraft can return more images, video, and scientific measurements in less time, as long as the beam can be precisely aimed and received on Earth.

References

• NASA 's Orion Artemis II Optical Communications System ... - NASA
• Laser communication in space - Wikipedia
• Artemis II - Wikipedia

Tags: #NASA, #laser communications, #space systems, #deep space networking, #Artemis II

---

DeepSeek-V4 Preview Launches with Open-Source Release ⭐️ 8.0/10

DeepSeek-V4’s preview release has reportedly gone live and been open-sourced, with DeepSeek-V4-Pro described as having significantly stronger Agent capabilities than the previous generation. The announcement also highlights DeepSeek-V4-Flash, a smaller and faster variant aimed at cheaper API usage. If accurate, this would give developers a more capable open-source model for agentic workflows, math, STEM, and competitive coding tasks. A cheaper Flash variant could also lower the cost of deploying LLM-based applications at scale, especially for teams optimizing latency and API spend. The post claims DeepSeek-V4-Pro outperforms currently publicly evaluated open-source models on math, STEM, and competition coding benchmarks, while approaching the capability of top proprietary models. The V4-Flash variant is said to use fewer parameters and less activation, which is why it can offer faster and more economical API service.

telegram · zaihuapd · May 3, 02:21

Background: An LLM is a large language model, and an Agent is a system built around an LLM that can take actions, use tools, and work toward a goal with some autonomy. “Agentic” models are especially relevant for coding assistants, task automation, and systems that need to reason through multi-step workflows. Benchmarks in math, STEM, and coding are commonly used to judge whether a model can do more than generate fluent text.

References

• deepseek-ai/ DeepSeek - V 4 - Pro · Hugging Face
• A terminal-based coding agent

Tags: #LLM, #open-source AI, #agentic systems, #model release, #benchmarking

---