March 31, 2026

Tuesday, March 31st, 2026

Probabilistic chaos held in deterministic hands.
Cohesively integrate Norm (a cute white blob creature — short and squat, perfectly circular, NOT tall or oval — with big sparkly eyes, rosy cheeks, and a tiny antenna) into a dynamic scene evoking: probabilistic chaos held in deterministic hands — an AI agent trying to do one thing, accumulating defensive scaffolding around its wandering intent. Show Norm in an active, expressive pose — reaching toward, leaning into, or physically interacting with elements of the environment. Match the lighting and shadows of the surrounding scene. Soft illustration style, vivid colors, strong depth. Do not include any text, letters, or words in the image.

Inspiration

Claude Code Unpacked: A visual guide

Score: 740 | Read article →

A beautifully annotated visual map of Claude Code's half-million-line codebase. The HN thread is a direct companion to the ongoing source-leak story — together they reveal the raw, unglamorous architecture of an AI agent: frustration regexes, context sanitizers, tool-retry loops, and state rollbacks. One commenter put it plainly: "we're still herding cats with massive code volume." Making a probabilistic LLM behave deterministically is a massive state-management nightmare.

Claude Wrote a Full FreeBSD Remote Kernel RCE (CVE-2026-4747)

Score: 125 | Read article →

An AI agent autonomously found a real kernel-level buffer overflow in FreeBSD's RPCSEC_GSS implementation — a stack buffer of 128 bytes into which an entire credential body is copied without bounds checking, yielding remote code execution on an NFS server. This isn't a CTF exploit or a controlled demo. It's a CVE in production kernel code, found by asking a model to look. The tool became the vulnerability researcher.

Is BGP Safe Yet?

Score: 63 | Read article →

A test-your-ISP tool for measuring whether your network operator is vulnerable to BGP route hijacking. The internet's core routing protocol was designed on trust between peers, and decades later that trust is still a surface for exploitation. It runs in your browser — no account, no probe — and tells you in seconds whether your ISP's route announcements are being validated.