Top stories

  1. SharePoint deserialization RCE CVE-2026-45659 added to CISA KEV CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on 2026-07-01 (catalog version 2026.07.01, count 1631), confirming active exploitation. The flaw is a CWE-502 deserialization of untrusted data in on-premises SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, CVSS 8.8, network-reachable with low attack complexity and no user interaction. An attacker with Site Member permissions can execute code on the server. Microsoft patched it in the May 2026 Patch Tuesday (KB5002863, KB5002870, KB5002868).
  2. Anthropic redeploys Fable 5 with a new jailbreak classifier Anthropic began restoring Claude Fable 5 globally on 2026-07-01 after the US lifted the export controls imposed 2026-06-12. The redeployment ships a new safety classifier that Anthropic says blocks the reported jailbreak technique in over 99 percent of cases; the jailbreak, reported by Amazon researchers, had prompted the model to identify and in one case show how to exploit a software vulnerability. Anthropic says it is drafting a cross-industry jailbreak-severity framework with Amazon, Microsoft, Google, and other partners. Mythos 5, the same underlying model with fewer restrictions, is being restored to approved US organizations.
  3. Google Android developer verification begins blocking unverified app installs Google's Android Developer Verification requirement reaches its first enforcement milestone on 2026-09-30, when certified Android devices in Brazil, Indonesia, Singapore, and Thailand block installation of apps whose developer has not registered a legal identity with Google; wider rollout follows in 2027. The requirement applies to every install path, including sideloaded APKs and third-party stores such as F-Droid. Google states that advanced users can still install unverified apps after a one-time risk acknowledgment, a free account tier lets students and hobbyists distribute to a limited number of devices without a government ID, and installs over Android Debug Bridge for development are unaffected. An F-Droid post on 2026-07-01 (599 points on Hacker News) argues the program is gatekeeping rather than security, on the grounds that the Developer Console terms let Google decide what counts as "malware" without a published standard.
  4. Cloudflare Monetization Gateway charges for any resource over x402 Cloudflare announced the Monetization Gateway on 2026-07-01, a control plane that lets customers charge for any Cloudflare-protected resource: web pages, datasets, APIs, or MCP tools. Payment verification and enforcement run at the edge to shield origins from payment volume. At launch, payments settle in stablecoins over x402, an open pay-over-HTTP protocol built around the 402 status code where a server answers a request with a price and payment target and the client repeats the request with proof of payment. Customers can price per REST verb or charge variable amounts by task complexity.
  5. Vite+ enters beta as an MIT-licensed unified JavaScript toolchain VoidZero announced the Vite+ beta on 2026-07-02, a single toolchain that manages the runtime, package manager, and frontend tooling for a web project behind one CLI. It bundles Vite 8 for the dev server and build, Vitest for tests, Rolldown and tsdown for bundling, and Oxlint and Oxfmt for linting and formatting, plus a built-in task runner with monorepo support and caching, exposed through commands such as vp dev, vp check, vp test, vp build, and vp run. VoidZero states it decided to release Vite+ fully open source under the MIT license after initially considering a paid licensing model, and reports over 1,300 public repositories already depending on the package since the alpha. VoidZero was acquired by Cloudflare on 2026-06-04 and is building Void, a Vite-native deployment platform on top of Cloudflare.
  6. Jujutsu 0.43.0 adds jj run and drops Git-symbol resolution The jj version control system released 0.43.0 on 2026-07-02. The headline feature is jj run, which runs a command over a set of changes, each with its own private working copy, and propagates working-copy edits and conflicts back into the changes, so jj run -- cargo fix behaves as expected. Breaking changes: the deprecated githead() and gitrefs() revset and template functions are removed, Git-like symbols such as refs/heads/main no longer resolve to revisions (use bookmark or tag syntax), the ui.revsets-use-glob-by-default option is removed, and jj bookmark track/untrack no longer accept <kind>:<bookmark>@<remote> patterns. It also adds jj show --reversed, config discovery in /etc/jj, and jj config gc.

ML research

  1. SynLaD generates synthesizable molecules from 3D pharmacophore profiles SynLaD (Cretu et al., arXiv 2607.01105, dated 2026-07-01, cs.LG) is a latent-diffusion framework for de novo molecule design that jointly targets pharmacophore match and synthesizability. An encoder maps molecules to a shared latent space with two decoder heads, one reconstructing 3D structure and one generating a reaction-based synthetic route, and a diffusion transformer generates novel molecules conditioned on 3D pharmacophore profiles. The authors report outperforming baselines on synthesizable and diverse hit generation.

Agentic coding

  1. Z.ai ships ZCode, an official coding harness for GLM-5.2 Z.ai (Zhipu) released ZCode, its own coding-agent harness for the GLM-5.2 model, for macOS, Windows, and Linux with no manual endpoint configuration. It organizes work as "Goals" with continuous plan, execute, and verify loops, exposes the model's 1M-token context, and can launch and monitor tasks remotely from chat apps including WeChat, Feishu, and Telegram. It is part of the GLM Coding Plan. Capability claims are the vendor's.
  2. Kimi K2.7 Code reaches general availability in GitHub Copilot GitHub made Moonshot AI's open-weight Kimi K2.7 Code model generally available in Copilot on 2026-07-01, rolling out to Copilot Pro, Pro+, and Max plans with Business and Enterprise to follow in the coming weeks. The model appears in the Copilot model picker across VS Code, Visual Studio, JetBrains, Xcode, Eclipse, the Copilot CLI, the cloud coding agent, github.com, and GitHub Mobile. For Business and Enterprise it is off by default until an administrator enables the Kimi K2.7 Code policy, and usage bills under Copilot usage-based billing at provider list pricing.
  3. Senior SWE-Bench scores coding agents on senior-level tasks Researchers at Princeton and the University of Wisconsin-Madison with Snorkel AI published Senior SWE-Bench, an open benchmark (dataset snorkel-ai/senior-swe-bench-v2026.06) that evaluates coding agents on 50 tasks across more than 15 repositories in Python, TypeScript, Go, Rust, Elixir, and other stacks. Tasks use natural-language instructions rather than fully specified requirements, bug and performance tasks are drawn from pull requests that required runtime investigation from logs and behavioral reports, and a "taste" score combines correctness tests with code-quality metrics derived from each codebase's own conventions. Reported solve rates are Claude Opus 4.8 at 24.0 percent, Claude Sonnet 5 at 19.4 percent, and GPT-5.5 at 16.0 percent, and the authors state frontier models fail senior-level correctness on more than 75 percent of tasks.

Developer tools

  1. FFmpeg native AAC encoder rework surfaces for review A rewritten native AAC encoder for FFmpeg drew discussion on 2026-07-02 (327 points), presented as headed for a future release. It is not in a released FFmpeg version: the latest stable release is 8.1, and the reworked encoder is targeted at a future release, which the Hacker News thread frames as FFmpeg 9.1. It currently supports constant bitrate only and is optimized for 48kHz audio. A HydrogenAudio analysis reports it scoring above Apple Core Audio in tested CBR encoding-quality metrics, and the encoder works around a stereo Perceptual Noise Substitution bug present in AAC decoders.

Linux and kernel

  1. Asahi Linux 7.1 extends Apple Silicon support to M3 audio and H.264 decode The Asahi Linux 7.1 progress report, published 2026-06-30, documents work bringing Linux to Apple Silicon. M3 machines gain high-quality audio output (speaker and headphone) plus CPU frequency switching, big.LITTLE task scheduling, and SMC hardware sensors via devicetree additions. The m1n1 bootloader reached v1.6.0, the first version requiring Rust for its stage 2 build, and moved GPU initialization into m1n1 along with SPMI controller and PCIe init improvements. A new V4L2 driver from contributor sofus decodes 10-bit AVC (H.264) video up to 4K through custom AVD firmware and the V4L2 Request API, with VP9, HEVC, and AV1 still pending. Installs from 7.0.12 onward set an APFS metadata flag to fix an issue where macOS 27 dropped Asahi from the boot picker.

Infrastructure

  1. Prometheus 3.13.0 LTS ships security fixes Prometheus 3.13.0, a Long Term Support release, shipped on 2026-07-01. It bumps sanitize-html to fix a UI cross-site scripting issue (CVE-2026-44990) and, via prometheus/common v0.69.0, stops forwarding credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when an HTTP client follows a redirect to a different host, affecting scraping, remote read and write, alerting, and service discovery (CVE-2025-4673, CVE-2023-45289). The API now uses SHA-256 instead of SHA-1 for rule-group pagination tokens, and third-party npm license texts are embedded in the binary at /assets/third-party-licenses.txt.
  2. Grafana 13.1.0 feature release Grafana 13.1.0 shipped on 2026-07-01 with accessibility work, including colorblind-safe line-style fill patterns and added ARIA states, and alerting improvements such as Mimir Alertmanager auto-sync configuration on the settings page.

Engineering posts

  1. Probelab makes IPFS content publishing about 10x faster Probelab described an "optimistic provide" change that returns control to the caller after most, not all, of the provider-record PUT RPCs succeed, then finishes the rest asynchronously. Their measurements found that about 15 of the usual 20 announcements suffice for reliable discovery, so the publish call no longer waits on slow or unresponsive peers, cutting perceived publish latency by roughly an order of magnitude. A background Reprovide Sweep still completes full distribution.

Hacker News

  1. Monthly hiring threads for July 2026 The recurring monthly Ask HN hiring threads for July 2026 are live, with the "Who is hiring?" thread at 164 points and the "Who wants to be hired?" thread at 108 points at run time.
  2. Ask HN discussion on becoming a graphics programmer A "What to learn to be a graphics programmer" thread reached the front page (247 points), collecting practitioner recommendations on math, rendering fundamentals, and project paths into graphics work.