TanStack's NPM packages were compromised in a supply-chain attack, exposing a systemic vulnerability in the NPM ecosystem's trust model. The postmortem details how the compromise occurred and its downstream impact on dependent projects.
Tuesday 12 May 2026
Hacker News
4Debate about whether language choice matters when AI is generating most of the code, raising questions about the role of developer tooling, language ecosystems, and AI code generation quality across different languages.
Criminal hackers used AI to discover and exploit a major software vulnerability (in curl), highlighting the offensive use of AI in cybersecurity and the challenge of defending against AI-assisted vulnerability discovery.
Practical account of using AI to build a real-world diagnostic tool, likely surfacing friction points around AI-generated code quality, iteration loops, and limitations when handling noisy real-world data.
GitHub
5Claude Code silently reduced the max tokens per file from 25,000 to 10,000 without announcement, causing severe degradation in code generation quality and forcing excessive back-and-forth for users working with large files.
Claude Code's 2KB preview truncation of large Bash tool output can split UTF-16 surrogate pairs, producing invalid JSON that permanently breaks the session with unrecoverable 400 errors from the API. A regex-based manual session-file repair script is needed as workaround.
Claude Code's session picker degrades severely at scale (10,000+ sessions): recent sessions don't surface, search only matches titles (not UUIDs), and older-format sessions fail to open entirely — forcing users to manually archive files to restore usability.
Claude Code made three consecutive wrong CSS selector guesses for a third-party plugin and deployed each to a live production site, despite having browser MCP access that could have identified the correct selector in one step; it also failed to follow the user's CLAUDE.md rule to stop after two failed attempts.
Claude Code's terminal strips ANSI escape sequences, breaking tqdm progress bar animations so they render as one line per iteration instead of an in-place animated bar; Claude itself cannot fix the issue.
Lobsters
3An AI system (Mythos) autonomously found a real exploitable vulnerability in curl, raising discussion about the security implications of AI-assisted offensive vulnerability research and what it means for open-source software maintainers.
Developer documents friction and trade-offs when migrating from lsp-mode to Eglot in Emacs, indicating ongoing pain points with LSP client configuration and behavior differences between the two implementations.
Argument that reliance on cloud-hosted AI services creates privacy, availability, and cost friction that makes local AI models a necessary default, highlighting pain around data sovereignty and dependency on external API providers.
Stack Exchange
0no items
no items