Today on HN felt like a day of reckoning. The AI discourse has shifted from "can it write code?" to "what do we lose when we stop asking whether it should?" That tension played out across a tweet that went viral, a memory-safety scandal, and a beloved competition declared dead. In the quieter lanes, researchers found a root-level phone exploit in 2 hours of auditing, California inched toward protecting digital purchases, and Project Gutenberg — which started in 1971 on an ARPANET mainframe — quietly got better.

Mitchell Hamilton — creator of the terminal emulator Ghostty — posted a thread arguing that entire companies have entered a kind of "AI psychosis": a collective state where teams ship AI-generated code without maintaining any real understanding of what they've deployed. The specific flashpoint in his post: the claim that shipping bugs is fine because "agents will fix them so quickly and at a scale humans can't do." The body wasn't available, so the comments are the substance here — and 672 of them piled in.

The Bun JavaScript runtime landed in the same conversation. Bun made headlines weeks ago with a rapid AI-assisted rewrite from Zig to Rust, framed as a move toward memory safety. A GitHub issue filed this week reveals the rewrite "fails basic miri checks, allows for UB in safe Rust." Undefined behavior (UB) in safe Rust is a significant failure mode: one of Rust's core guarantees is that code marked "safe" cannot exhibit undefined behavior — the compiler enforces this by design. Choosing Rust specifically for memory safety and then shipping code that violates that guarantee is the kind of irony that doesn't go unnoticed. The issue author didn't soften it: "Please consider not vibe coding rust as AIs are not good at writing Rust."

Meanwhile, Kabir — a competitive security researcher who joined TheHackersCrew and consistently placed top 10 globally — declared that frontier AI has "broken the open CTF format." A CTF (Capture the Flag) is a cybersecurity competition where teams solve cryptography, reverse engineering, and exploitation puzzles for flags. When Claude Opus 4.5 dropped, Kabir writes, "almost every medium difficulty challenge, and some hard challenges, became agent-solvable." Teams that wired up orchestrators to auto-solve easy and medium challenges with Claude Code could redirect human expertise only to the genuinely hard problems. The scoreboard started measuring "orchestration and willingness to use frontier models alongside, and sometimes above, security skill."

The community split immediately on all 3 fronts. On Mitchell's thread, weinzierl argued agents fixing bugs quickly is actually fine — which taffydavid gleefully noted was "exactly that, arguing 'but the agents are so fast!'" tacostakohashi described their BigCo using AI for writing, tests, and code review simultaneously: "once it gets used for everything, people have lost the plot." CodingJeebus offered the darkest framing: "More money has been spent on AI commercialization than the atomic bomb, the US interstate build-out, the ISS and the Apollo program combined. Failure is going to be catastrophic." On the Bun issue, Jcampuzano2 defended the approach — the goal was a mechanical port, not idiomatic Rust; having the code in Rust gives them compiler tooling to surface exactly these problems. NooneAtAll3 summarized the full saga with dark efficiency: "AI's Zig fork, suffers from memory bugs / Well I'm moving! / AI's code into Rust, suffers from memory bugs." On CTFs, amingilani said the format will just evolve — "just like sports persist despite performance enhancing drugs" — while walletdrainer noted the CTF scene had already changed dramatically before 2021, when Kabir started playing.

Tim Abbott, CEO of Kandra Labs and the architect of the Zulip team chat platform, announced he's stepping back from Zulip leadership to join Anthropic — along with 3 senior team members. Rather than selling or simply departing, Abbott is donating the company itself to a newly created Zulip Foundation, modeled structurally on Mozilla, Signal, and Wikipedia. Kandra Labs will remain a going concern under the Foundation's ownership, with Kim Vandiver joining as Interim President. Zulip 12.0 shipped just weeks earlier with 5,500 commits from 160 contributors. Abbott's stated rationale: navigating "this strange adolescence of technology" matters enough to require being inside a frontier lab.

Scott Alexander of Astral Codex Ten simultaneously published an essay taking aim at the "all exponentials eventually become sigmoids" argument — a standard retort when AI capability curves are extrapolated. A sigmoid (S-curve) is a growth pattern that starts slow, goes exponential, then flattens. Alexander's case: the argument is technically true but practically useless because it can't tell you when the flattening occurs. He illustrates this with 3 historical misses: UN birthrate projections (predicted leveling off annually in countries that kept declining), solar power deployment (the World Energy Organization predicted a plateau every year for a decade while solar kept compounding), and METR's AI capability benchmarks. The essay's proposed heuristic — "Lindy's Law" — holds that if we don't understand a trend's fundamental limits, our best guess is that it will continue for roughly as long as it already has.

The Zulip announcement drew sharp community reactions. csb6 noted that Anthropic compensation "is certainly much better than a FOSS nonprofit." nightski: "Gotta love the frontier labs annihilating open source projects left and right either by acquiring them directly or stealing the teams." Abbott's prose drew mockery from sergiotapia: "bro just say 'Anthropic is going to pay me a beefy salary'" instead of invoking "remarkable commitment to the responsible development of AI." dijit, who had successfully pushed Zulip adoption at 2 organizations, raised the sharpest concern: "The Mozilla comparison cuts both ways — technically excellent product, foundation that drifted considerably from 'make the browser good.'" On the sigmoids piece, btilly found the Lindy's Law heuristic "an absolute gem," while LarsDu88 added a wrinkle: AI is accelerating just as Moore's Law hits physical limits, but current silicon implementations of models "are still inefficient as hell" — leaving significant room for hardware-level gains even if algorithmic scaling slows.

Google Project Zero published a detailed write-up of a 0-click exploit chain for the Pixel 10 — meaning full device compromise with no user action required. Building on an earlier Dolby audio decoder vulnerability patched in January 2026, the team needed a new local privilege escalation step for Pixel 10 (the old one relied on a BigWave GPU driver that doesn't ship on the device). They found a replacement in the VPU (video processing unit) driver for the Tensor G5 chip. The bug is brutally simple: an mmap handler (a system call for mapping memory) is bounded only by the requested mapping size, not by the actual size of the hardware register region it's supposed to expose. Any caller can request a huge mapping and read arbitrary physical memory. Working with Jann Horn, Project Zero found this vulnerability in 2 hours of auditing.

The community response centered less on the exploit mechanics and more on what 2 hours implies. phuff: "It does make me scared for what other dangers lurk since this was a really bad one and it was so little work to find." greesil found one silver lining — Project Zero notes this is the first Android driver bug they reported that was patched within 90 days — but added: "it makes me kind of frightened of the rest of Android." mschuster91 widened the frame: "This is against a device whose BSP is actually open source and available for research! Now imagine the dark horrors hiding in the BSPs of other Android devices." NooneAtAll3 flagged that GrapheneOS achieves high security on the same Pixel hardware — specifically because it implements kernel hardening that Google missed, like randomizing the kernel's physical address.

Project Gutenberg — founded in 1971, now hosting tens of thousands of volunteer-proofread public domain ebooks — announced recent improvements to the site. JSeiko, one of the programmers, posted to flag the changes: mobile styling has been fixed, the browsing experience has improved, and more is coming. The body text confirms the core mission unchanged: "thousands of volunteers digitized and diligently proofread the eBooks, for you to enjoy." It's the kind of quietly good internet infrastructure that only gets noticed when someone does the work to make it better.

California's Protect Our Games Act cleared the Assembly appropriations committee 11-2 this week, setting up a full floor vote. Drafted with input from Stop Killing Games — the UK advocacy group that formed after Ubisoft's 2024 shutdown of The Crew — the bill would require publishers ending an online game to either give full refunds or provide a version "that enables its continued use independent of services controlled by the operator," with 60 days advance notice. The Entertainment Software Association countered that consumers receive a "license to access" a game, not ownership, and that shutting down obsolete software is "a natural feature of modern software."

Gutenberg's reception was warm and nostalgic. seizethecheese: "A big pet peeve of mine was the lack of mobile styling. Looks like it's been fixed!" brcmthrowaway offered unintentional comedy: "I can't read anymore due to fear of not being productive with AI." The games bill split harder. kgwxd argued the right fix is reverse-engineering immunity — "the community will take care of the rest." phyzix5761 worried the compliance burden would crush small studios for whom standalone server infrastructure is "a massive engineering, financial, and legal headache." imzadi spotted an obvious loophole: "So they just make their game free 2 months before they want to close?" johnea asked why the protection doesn't extend to all software, citing AutoCAD users whose "lifetime licenses" were killed by a subscription migration.