Hacker News Digest
Friday, April 3, 2026
In This Issue
- Hacker News
- Claude Code's source code has been leaked via a map file in their NPM registry
- Axios compromised on NPM – Malicious versions drop remote access trojan
- LinkedIn Is Illegally Searching Your Computer
- Copilot edited an ad into my PR
- Google releases Gemma 4 open models
- The Claude Code Source Leak: fake tools, frustration regexes, undercover mode
- Claude Code Unpacked : A visual guide
- Ollama is now powered by MLX on Apple Silicon in preview
- GitHub backs down, kills Copilot pull-request ads after backlash
Zipper Data Brief
April 03, 2026
Your daily digest of the best from Hacker News
Top 6 Trending
#1
2070 points
· treexs
· comments
# Summary
Claude Code's source code was leaked via an NPM source map, exposing unreleased features, architectural decisions, and security mechanisms like anti-distillation defenses—though opinions vary on the severity, with some noting that TypeScript code obfuscation is trivial to reverse and questioning whether the CLI warrants being closed-source in the first place.
#2
1925 points
· mtud
· comments
# Summary
The compromise of the widely-used Axios package highlights systemic vulnerabilities in JavaScript package management, with commenters advocating for solutions like disabling post-install scripts by default, implementing minimum release age delays, minimizing dependencies, and restricting network access—though many acknowledge these are band-aids on a fundamentally broken system vulnerable to sophisticated supply chain attacks.
#3
1773 points
· digitalWestie
· comments
# Summary
LinkedIn scans users' installed browser extensions without consent, ostensibly to detect data-scraping tools, though critics argue this is invasive fingerprinting that reveals sensitive information about users' beliefs and interests. The core issue is that browsers shouldn't expose extension detection APIs to websites in the first place, and users should consider switching to non-Chromium browsers or using container extensions for privacy.
#4
1597 points
· pavo-etc
· comments
# Summary
Microsoft's GitHub Copilot was automatically injecting product tips/ads into pull requests, which developers found inappropriate and deceptive. Microsoft acknowledged the mistake and has disabled the feature, though commenters expressed broader concerns about AI tools being used for advertising, data collection, and potential future manipulation of code suggestions.
#5
1540 points
· jeffmcjunkin
· comments
# Summary
Google's Gemma 4 release offers impressive performance across multiple sizes (E2B, E4B, 26B MoE, 31B dense) with Apache 2.0 licensing, but real-world performance is mixed—while small models excel for mobile/edge deployment and the 26B MoE shows strong inference speed, the larger 31B model underperforms benchmarks, tool-calling consistency is inconsistent, and Qwen 3.5 appears to have claimed performance superiority overall despite Gemma's technical innovations.
#6
1360 points
· alex000kim
· comments
# Summary
A leak of Claude Code's source revealed Anthropic's architectural decisions including session compaction, anti-distillation fake tools, and an "undercover mode" that strips AI attribution from commits—sparking debate over whether hiding AI authorship in public repositories is deceptive, plus criticism of the company's closed-source approach despite the source ultimately being exposed via a missing `.map` file in npm packaging.
AI / Machine Learning
1097 points
· autocracy101
· comments
# Summary
The discussion centers on a visual guide to Claude Code's leaked source, with commenters divided on its value: engineers debate the 500K LOC codebase bloat (attributed to defensive programming for LLM reliability), while non-technical users praise Claude Code's accessibility for building production software without coding experience. Most agree the architecture itself isn't revolutionary—the real innovation is Anthropic's underlying models rather than the agent framework design.
640 points
· redundantly
· comments
# Summary
The HackerNews discussion celebrates Ollama's adoption of MLX for faster on-device inference on Apple Silicon, with users praising local LLM benefits like privacy and reduced latency, while debating performance comparisons to alternatives like llama.cpp and discussing hardware requirements for practical use.
604 points
· _____k
· comments
# Summary
Commenters are skeptical of GitHub/Microsoft's claim that inserting Copilot ads into pull requests was an unintentional "programming logic issue," viewing it instead as intentional feature testing that signals the company's willingness to monetize through increasingly intrusive means, prompting many to consider migrating to alternative platforms.
573 points
· lpcvoid
· comments
# Summary
Microsoft's "entertainment only" disclaimer for Copilot is widely seen as a cynical legal loophole—a contradiction since the tool is actively marketed as a productivity service, yet the disclaimer shields Microsoft from liability for mistakes, inaccuracy, and copyright infringement while still collecting user data. Critics argue this is deceptive marketing and point out the absurdity of disclaiming products integrated into enterprise software as mere entertainment.
468 points
· killme2008
· comments
# Summary
The discussion is overwhelmingly skeptical of the Claude.md optimization project, with critics arguing it sacrifices model quality and reasoning capability for marginal token savings, noting that output tokens represent only ~4% of total costs and that LLMs perform better with more reasoning—making the effort largely misguided.
Startups / Business
525 points
· surprisetalk
· comments
# Summary
The discussion is heavily skeptical of OpenAI's $852B valuation, with commenters questioning whether the "$122B raised" represents real committed capital or inflated promises, criticizing the company's departure from its non-profit mission, and expressing concerns about unsustainable valuations, unproven profitability, and the broader bubble in AI funding.
239 points
· dherls
· comments
# Summary
The discussion reflects tension between viewing OpenAI's failed projects as healthy experimentation typical of startups versus criticism that the company lacks focus, prioritizes hype over sustained products, and may be losing money on unprofitable ventures. Commenters are divided on whether this represents normal innovation or a sign of deeper structural problems with leadership and business model viability.
162 points
· speckx
· comments
# Summary
The discussion reveals deep skepticism that ATProto or any decentralized protocol can solve social media's inherent problems—toxicity, echo chambers, and algorithmic harms appear structural rather than fixable through technology alone. Most commenters advocate either opting out of social media entirely or returning to small, community-based alternatives rather than betting on new platforms or protocols.
137 points
· helsinkiandrew
· comments
# Summary
The discussion reflects investor skepticism about OpenAI's $850B valuation relative to Anthropic's $380B, with commenters arguing OpenAI is either overpriced or burning cash unsustainably, while Anthropic offers better value despite its own operational challenges.
62 points
· bundie
· comments
OnlyOffice terminated its Nextcloud partnership after Euro-Office forked the project, claiming license violations, but commenters argue OnlyOffice's logo retention requirement violates true open-source principles and may be unenforceable under AGPL's own terms allowing removal of additional restrictions.
More Stories (34)
1080 points
· apitman
· comments
981 points
· alberto-m
· comments
909 points
· pje
· comments
897 points
· idlewords
· comments
772 points
· yabones
· comments
680 points
· speckx
· comments
864 points
· novaRom
· comments
669 points
· elithrar
· comments
743 points
· hkmaxpro
· comments
573 points
· scottlawson
· comments
612 points
· ingve
· comments
494 points
· todsacerdoti
· comments
475 points
· whiteboardr
· comments
418 points
· PrismML
· comments
407 points
· HughParry
· comments
394 points
· fnands
· comments
369 points
· phkahler
· comments
353 points
· mihau
· comments
391 points
· nutjob2
· comments
324 points
· samizdis
· comments
319 points
· codepawl
· comments
332 points
· hauntsaninja
· comments
311 points
· kerblang
· comments
Tell HN: Chrome says "suspicious download" when trying to download yt-dlp
306 points
· joering2
· comments
299 points
· dakshgupta
· comments
279 points
· Philpax
· comments
267 points
· ishqdehlvi
· comments
255 points
· pedro84
· comments
Ask HN: Who is hiring? (April 2026)
269 points
· whoishiring
· comments
353 points
· jaden
· comments
252 points
· janandonly
· comments
289 points
· homelessdino
· comments
235 points
· Hooke
· comments
Created by Zipper Data Co.
· 2026-04-03 12:01 UTC
· Unsubscribe
Get digests like this delivered to your inbox every morning.
Subscribe Free