Digest · 21 stories · 40 sources
2026-06-18
Updated
Top stories
- Leaked OpenAI 2025 financials, verified by the Financial Times, show a 38.5B USD net loss Leaked audited 2025 financial documents, first surfaced by Ed Zitron and independently verified by the Financial Times, report OpenAI revenue of 13.07B USD against total costs of 34B USD, with a net loss of 38.53B USD. Revenue more than tripled from roughly 3.7B USD in 2024. The headline net loss includes a 41.55B USD non-cash charge tied to the nonprofit-to-for-profit conversion; the underlying operating loss was about 20.9B USD, and some analysts put the cash operating loss nearer 8B USD. Research and development was the largest line at 19.18B USD, and OpenAI paid Microsoft 17.2B USD for compute and research. OpenAI has not confirmed or disputed the figures during its pre-IPO quiet period.
- Z.ai publishes GLM-5.2 open weights under MIT on Hugging Face Z.ai (Zhipu) published the GLM-5.2 open-weight checkpoint on Hugging Face under the MIT license, fulfilling the open-weight release promised at the 2026-06-13 announcement. The repository lists a 753B-parameter mixture-of-experts model in BF16 and F32 tensors with a 1M-token context window and an "IndexShare" attention design that reuses one indexer across every four sparse attention layers. Community quantized variants for llama.cpp, Ollama, and LM Studio appeared within hours. Vendor and secondary coding-benchmark numbers remain unreproduced and should be treated as developing.
- Tesco moves to migrate about 40,000 workloads off VMware amid its Broadcom dispute Reporting on 2026-06-17, drawn from Tesco's UK High Court filings against Broadcom and reseller Computacenter, says the retailer is migrating about 40,000 server workloads off VMware and aims to be fully off by the end of 2027, which it describes as its earliest feasible date. Tesco bought VMware perpetual licenses plus Tanzu subscription and support in January 2021 with a four-year extension option; it alleges Broadcom declared the perpetual software end-of-life, moved to subscription-only bundles, and refused the extension. Tesco runs tills, logistics, and supply-chain systems on the estate and seeks more than 100M GBP in damages. The replacement platform is not publicly named; the filings note it is incompatible with Tesco's existing Veeam and Zerto backup and disaster-recovery tooling.
AI
Agentic coding
- Cloudflare opens its Agents SDK primitives to outside frameworks, starting with Flue Cloudflare announced on 2026-06-17 that it is exposing the Agents SDK primitives, including durable execution, to outside agent frameworks and harnesses, with Flue as the first supported framework. Flue is an open-source TypeScript agent framework from the team behind Astro that reached a 1.0 beta on 2026-06-16; it is headless and programmable, triggered by API calls, webhooks, or cron, and deployable to Node.js or Cloudflare Workers. Cloudflare frames a three-layer stack: a framework such as Flue for project structure, a harness for the agentic loop, and the Agents SDK for durable primitives.
- Alex Ellis argues a local Qwen is a different tool from Opus, not a worse one Alex Ellis published a write-up on 2026-06-18 on running local Qwen coding models on owned hardware: an RTX 6000 Pro Blackwell with 96GB VRAM plus two RTX 3090s, two llama.cpp instances at the full 262,144-token context with an F16 KV cache, generating about 67 tokens per second and 130 to 200 with speculative decoding. His thesis is that a local 27B Qwen is not a cheaper near-Opus but a different tool, strong on bounded tasks such as customer diagnostics, telemetry and revenue-anomaly review, and codebase explanation, and weak on long-horizon unsupervised work, concurrency, and some Go generation. He calls infinite looping the model's worst failure mode, where it repeats suggestions or stalls at a capability boundary and needs manual supervision. The post cites Qwen at 77.2 percent on SWE-Bench Verified against 88.6 percent for Claude Opus 4.8; the figures are as stated in the post, not independently reproduced.
Security
- Fortinet FortiSandbox flaws under active exploitation after April patches Three FortiSandbox vulnerabilities are under active exploitation, first reported on 2026-06-16. CVE-2026-39813 (CVSS 9.8) is a path traversal and authentication bypass in the FortiSandbox JRPC API that lets an unauthenticated remote attacker read sensitive system data such as configuration backups, serial numbers, and version details through crafted HTTP requests; CVE-2026-39808 and CVE-2026-25089 are the other two. Affected versions are FortiSandbox 5.0.0 to 5.0.5 and 4.4.0 to 4.4.8. Fortinet patched the flaws in April 2026; fixed releases are 5.0.6 and 4.4.9. Researchers observed exploitation against decoy infrastructure over port 443 via crafted JSON-RPC POST requests. The CVEs are not yet in the CISA KEV catalog.
- Researcher finds about 10,000 GitHub repositories distributing Trojan archives A researcher published a write-up on 2026-06-18 identifying about 10,000 GitHub repositories that distribute Trojan malware through README links to zip archives. Each repository is a fresh non-fork that copies a legitimate repository's commit history and contributor profiles to look credible, then every few hours deletes the previous commit and pushes a new "Update README.md" commit that changes only the README to point at a trojanized zip. Scanning the archive URL on VirusTotal returns nothing, while scanning the zip itself detects the Trojan. The author found the repositories by filtering GHArchive event data for the commit-frequency and README-only pattern, published the full list, and released a Git Malware Finder script. Some repositories have persisted for over a year, and GitHub does not auto-remove them. The author notes API limits mean the true count likely exceeds 10,000.
- Node.js ships coordinated security releases patching 11 CVEs Node.js published coordinated security releases on 2026-06-18 at 04:37 UTC across its maintained lines: v26.3.1 (Current) and the LTS lines v24.17.0 and v22.23.0. They patch 11 CVEs, two rated High: CVE-2026-48618, where the TLS server-identity check failed to normalize the hostname, and CVE-2026-48933, a missing output-length guard in the WebCrypto cipher path. Medium-severity fixes cover case-sensitive TLS SNI context matching (CVE-2026-48928), binding reusable TLS sessions to the authenticated host (CVE-2026-48934), unbounded HTTP/2 originSet memory growth (CVE-2026-48619), rejection of hostnames with embedded NUL bytes in dns and net (CVE-2026-48930), and redaction of proxy credentials in tunnel errors (CVE-2026-48615). Low-severity fixes harden the permission model and fix response-queue poisoning in http.Agent (CVE-2026-48931). The releases also bundle OpenSSL 3.5.7, llhttp 9.4.2, and undici 8.5.0. No active exploitation was reported at release.
- AMD removes TSME memory encryption from consumer Ryzen CPUs in a firmware update A newer AGESA firmware (1.2.7.0) disabled Transparent Secure Memory Encryption (TSME) on consumer Ryzen parts without a visible change in the BIOS, which still shows the TSME toggle. The behavior was found by a Linux user, Ben Kilpatrick, on a Ryzen 7 9700X when Host Security ID reported TSME unsupported despite the BIOS option being enabled; the firmware flag DfIsTsmeEnabled is now set FALSE for consumer parts and remains TRUE for PRO and EPYC parts. TSME encrypts all of RAM under firmware with no OS involvement and, when active, blocks physical attacks such as cold-boot exploits, DRAM-interface snooping, and reading a removed memory module on another machine. AMD declined to answer detailed questions beyond stating that TSME "is a security feature only applied to PRO CPUs as part of AMD PRO Technologies," the first known explicit statement of that restriction; AMD engineers had previously recommended TSME on consumer parts in 2020 and 2025.
Outages
- OpenAI reports ChatGPT load failures and Enterprise SSO errors on 2026-06-18 OpenAI's status history records two incidents on 2026-06-18. ChatGPT failing to load or save conversations began about 03:55 UTC and was later marked fully recovered. SSO login errors for some ChatGPT Enterprise workspaces began about 09:59 UTC; OpenAI reported it had applied a mitigation and was monitoring recovery at fetch time. No root cause was published.
- OpenAI logs mobile-app and FedRAMP-workspace incidents on 2026-06-17 OpenAI's status history records two incidents on 2026-06-17: errors with conversations on Android and iOS devices, later marked fully recovered, and degraded performance for FedRAMP workspaces and API organizations. User-visible impact was failed or degraded conversations on the affected surfaces. No root cause was published.
Developer tools
- Otty, a commercial native macOS terminal, ships with agent-first framing A Show HN surfaced Otty, a native, GPU-accelerated macOS terminal for Apple Silicon and Intel, with Windows, Linux, and iOS waitlists. Marketed features include GPU-accelerated scrolling, ligatures, 24-bit color, inline images, clickable file and URL links, session recovery, tabs and splits, and first-class support for coding agents running in the terminal. The site lists pricing and a license agreement; the project is commercial and does not state that it is open source, unlike Ghostty, WezTerm, and Alacritty. Implementation stack and version are not disclosed.
- Emacs 31.0.90 pretest highlights tree-sitter defaults and an editable xref workflow The first Emacs 31 pretest, 31.0.90, was announced on the emacs-devel list in June 2026. A practitioner write-up that reached the HN front page on 2026-06-18 details the changes being daily-driven: treesit-enabled-modes set to t switches the major modes that have a tree-sitter variant over to it; treesit-auto-install-grammar offers to fetch and build a missing grammar instead of erroring; grammar sources for languages such as TypeScript, TSX, Rust, TOML, YAML, and Dockerfile now live inside the modes; and a new command xref-export-to-grep, bound to E in xref buffers, gives an editable grep-and-dired-style workflow. This is a pretest, not a final release.
Languages and runtimes
Apple platforms
Infrastructure
Engineering posts
Markets and companies
Hacker News
- OpenRouter Royale pits eleven models in a battle-royale agent demo An OpenRouter post titled "Royale: Last Agent Standing" reached the front page on 2026-06-17. It pits eleven models, including Claude Sonnet 4.6, Grok 4.1 Fast, GPT-5.4, Gemini, DeepSeek, Qwen, and Mistral variants, in a 2D battle-royale game across 30 matches, with agents acting through 17 tools and editing persona and memory files between matches. The post reports Grok 4.1 Fast winning 13 of 30 games at about 0.97 USD per win against Claude Sonnet 4.6 at 5 wins and 26.78 USD per win, framing it as cost efficiency.
- Midjourney Medical draws heavy skepticism over false positives and image quality Midjourney, the AI image-generation company, announced a full-body ultrasound imaging concept: submerging a person in water inside a ring of thousands of transducers to produce an AI-reconstructed 3D body scan in about 60 seconds without radiation, aimed at very cheap mass screening. The thread reached the HN front page on 2026-06-18 with 425 points.