PyPI lightning supply-chain malware & Linux CopyFail backport dilemma - Hacker News (May 1, 2026)
Please support this podcast by checking out our sponsors:
- Discover the Future of AI Audio with ElevenLabs - https://try.elevenlabs.io/tad
- Lindy is your ultimate AI assistant that proactively manages your inbox - https://try.lindy.ai/tad
- SurveyMonkey, Using AI to surface insights faster and reduce manual analysis time - https://get.surveymonkey.com/tad
Support The Automated Daily directly:
Buy me a coffee: https://buymeacoffee.com/theautomateddaily
Today's topics:
PyPI lightning supply-chain malware - A supply-chain compromise hit the PyPI package "lightning" (PyTorch Lightning), with credential-stealing malware that can leak secrets from dev machines and CI. Keywords: PyPI, supply chain, malware, tokens, CI security.
Linux CopyFail backport dilemma - The Linux kernel "CopyFail" local privilege escalation fix is tricky to backport to older long-term branches, leaving many systems waiting or relying on mitigations. Keywords: Linux kernel, LPE, CVE, backport, mitigation.
Room 641A and NSA spying - EFF recounts how AT&T whistleblower evidence pointed to backbone-level internet traffic copying in a secret room, shaping the modern debate on mass surveillance and legality. Keywords: NSA, AT&T, EFF, mass surveillance, Patriot Act.
Rethinking GitHub-style code forges - A critique argues modern forges overfit the GitHub model, and proposes workflows with earlier feedback, richer review states, and better offline-first collaboration. Keywords: GitHub, GitLab, forge, PRs, CI workflow.
OpenWarp brings your own AI - OpenWarp, a community fork of Warp, aims to make terminal AI provider-agnostic so users can choose their own models and endpoints with a privacy-first posture. Keywords: terminal, AI, BYOP, privacy, open source.
USB-C cable truth on macOS - WhatCable is a macOS menu bar tool that translates USB-C capabilities into plain language, helping diagnose slow charging and mismatched cables. Keywords: USB-C, Thunderbolt, charging, macOS, diagnostics.
Fixing Bluetooth MIDI on Windows - A new Windows utility bridges Bluetooth LE MIDI devices into Windows MIDI Services so keyboards reliably appear in traditional DAWs and Web MIDI apps. Keywords: Windows 11, BLE MIDI, DAW, interoperability, MIDI ports.
Websites derailed by stakeholder taste - A web design essay explains how leadership “taste edits” can slowly override research, turning a site into an internal mood board instead of a tool that converts users. Keywords: UX, research, stakeholders, conversions, usability.
Lost Caedmon’s Hymn manuscript found - Researchers uncovered an early ninth-century manuscript containing Caedmon’s Hymn embedded in the main text, strengthening evidence that Old English was actively valued and copied. Keywords: Caedmon’s Hymn, Old English, manuscript, Bede, discovery.
- Websmith Studio: Why Your Website Should Serve Users, Not Leadership Tastes (https://websmith.studio/blog/your-website-is-not-for-you/)
- Open-source utility bridges Bluetooth LE MIDI into Windows MIDI Services for DAWs (https://news.ycombinator.com/item)
- WhatCable for macOS reveals the real capabilities of USB-C cables and charging setup (https://github.com/darrylmorley/whatcable)
- AT&T Whistleblower Exposed NSA Backbone Surveillance via Secret Room 641A (https://thereader.mitpress.mit.edu/the-whistleblower-who-uncovered-the-nsas-big-brother-machine/)
- xAI Releases Grok-4.3 API Model Documentation with 1M-Token Context and Tooling Features (https://docs.x.ai/developers/models/grok-4.3)
- Ninth-Century Rome Manuscript Reveals Rare Early Copy of Caedmon’s Hymn (https://www.tcd.ie/news_events/articles/2026/caedmons-hymn-discovery/)
- Kernel CopyFail (CVE-2026-31431) Fix Doesn’t Cleanly Backport to Older LTS, Workaround Shared (https://www.openwall.com/lists/oss-security/2026/04/30/10)
- Author Proposes a Modular, Offline-Friendly Replacement for Modern GitHub-Style Forges (https://matduggan.com/if-i-could-make-my-own-github/)
- OpenWarp Fork Lets Warp Users Plug In Custom AI Providers and Keep Keys Local (https://openwarp.zerx.dev/)
- PyTorch Lightning PyPI Package Compromised, Malware Steals Secrets and Spreads via npm (https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training/)
Episode Transcript
PyPI lightning supply-chain malware
First up in security: researchers are warning about a supply-chain compromise of the PyPI package “lightning,” better known to many as PyTorch Lightning. Two recent versions were published with malicious code that can run simply through normal install-and-import behavior, aiming to siphon off secrets from developer machines and CI—think repo tokens, environment variables, and cloud credentials.
What makes this one especially concerning is the attempted cross-ecosystem spread: the campaign doesn’t just want to steal—it wants to propagate, using whatever publishing credentials it can find to hop into other package registries and workflows. If you...
Video "PyPI lightning supply-chain malware & Linux CopyFail backport dilemma - Hacker News (May 1, 2026)" from the channel The Automated Daily
Video information
Published: May 1, 2026, 17:27:00
Duration: 00:07:33