A malicious VSCode extension compromised 3,800 GitHub repositories, exposing the attack surface created by the VSCode extension ecosystem and the risk of supply-chain attacks through developer tooling.
Thursday 21 May 2026
Hacker News
3Railway's entire GCP account was suspended by Google Cloud without adequate warning, causing a major platform outage; highlights fragility and lack of recourse when cloud providers take unilateral account actions against infrastructure-dependent services.
Google's AI search results are being actively manipulated via prompt injection and adversarial content; Google is quietly working on defenses, but the attack surface remains a systemic problem for AI-driven search and retrieval systems.
GitHub
5Ollama's gemma4 tool call parser fails on valid but non-trivially-formatted outputs (e.g. backticks or single quotes in content), causing tool calling to be broken even after a supposed fix in v0.20.1; affects multiple agentic coding tools using the OpenCode interface.
Ollama's model push fails with "max retries exceeded" on slow or unstable connections when uploading large files (7-8 GB), with no retry-from-checkpoint or resume capability, forcing users to restart uploads from scratch.
Qwen2.5-VL models in Ollama produce severe token repetition during OCR tasks regardless of repeat_penalty settings, while the same model on Hugging Face works correctly; the repeat_penalty parameter appears to have no effect in Ollama's implementation.
Nemotron-3-nano model in Ollama crashes with an assertion failure in llama-sampling.cpp during inference on Apple Silicon (Metal backend), making the model completely unusable via the API.
Custom Qwen3VLMoE GGUF models that run correctly in llama.cpp and HuggingFace Transformers crash Ollama with a nil pointer dereference and missing architecture keys, indicating incomplete or broken support for custom/non-standard model variants of supported architectures.
Lobsters
3A threat actor (TeamPCP) claims to have gained access to GitHub's internal source code repositories, raising concerns about the security of the platform that hosts the majority of open-source and private developer projects.
Chromium published a "fixed" exploit writeup after 4 years, but the underlying vulnerability is reportedly still unpatched; highlights systemic gaps in responsible disclosure and patch verification processes in major browser security workflows.
Broad discussion on the pervasiveness of undefined behavior in C, arguing that nearly all real-world C code relies on behavior that is technically undefined, creating persistent and hard-to-detect bugs and security vulnerabilities in systems software.
Stack Exchange
0no items
no items