Joined June 2021
Pinned Tweet
IMHO this is BIG! (Links below) Around the time the Bank of International Settlements (BIS - the bank of central banks) published its second consultation on the treatment of cryptoasset exposures $BTC stopped its bleeding decline and entered the 18-22k range Follow the big guys
JUST IN: World's largest banks ask for 5% #Bitcoin and crypto allocation cap in letter to Bank of International Settlements instead of the 1% suggested in June. That's $9 TRILLION 🚀
BottomTopper retweeted
The ban will fail. But the privacy loss will be permanent. Long after UK teens have bypassed it (just as Australian kids did, by the way)... ...the British will be stuck self-doxxing to surveillance gatekeepers to use the internet. Embarrassing legacy for Starmer, who should know better. And a daily reminder to Brits of government overreach.
BottomTopper retweeted
‘Adults can still access social media through age checks like facial recognition, digital IDs, passports and credit cards’
🚨 SUMMARY: The UK's social media ban for children from early 2027:
- "User-to-user" apps where people create, share and interact with content (e.g. TikTok, Instagram, Snapchat, YouTube, X, Facebook) will be banned for under-16s
- WhatsApp, Signal and YouTube Kids will be exempt
- Under-16s will also be banned from livestreaming, messaging strangers on gaming apps like Discord and using disappearing messages
- 16 and 17 year olds will face nightly social media curfews and limits on infinite scrolling with more details next month
- AI "romantic companion" chatbots will be banned for under-18s
- Adults can still access social media through age checks like facial recognition, digital IDs, passports and credit cards
BottomTopper retweeted
Do you realize how impressive it is to have a $3800 average entry on $ETH for like 4.5% of total supply. We barely spent any time up there, it’s actually astounding, the execution is so bad it is impressive. You couldn’t get that bad of an entry with that size if you tried.
Don’t fall for false narratives - Equity bull market intact - Crypto only way for tokenization - Crypto key in a machine to machine AI world
BottomTopper retweeted
Weekly Chart (long form) Over time I try to look at only the things that provide clear signal so I have that shown here at the moment:
6/1/26 Low: $20.89 (so far)
1. Bollinger Band $20.71
2. Cash per Share $20.57
3. Divergence for Many Indicators Triggered
4. Stoch RSI Bottomed
5. PMO is fun too but isn't shown
We'll see how things go from here.
BottomTopper retweeted
Imagine if the 3 biggest IPOs in history actually destroyed passive investing because they will use index funds as exit liquidity. One would imagine the returns would compress a lot after this final hurrah from private markets, a big, bold "fuck you" to the retail investor
May 29
Rule changes for the SpaceX $SPCX IPO: Index providers waived the profitability requirement and cut the seasoning window from 90 days to 5. This forces over $30 trillion in passive 401k and retirement money to buy SpaceX at IPO valuations. Bloomberg Intelligence estimates S&P 500 funds must absorb 19% of SpaceX's float within 6 months. Russell 1000 and Nasdaq 100 funds will absorb 24%.
The rules built to protect passive investors:
1. S&P 500 has required 12 months of trading and 4 quarters of GAAP profitability since 2002. Both waived.
2. Nasdaq cut its inclusion window from 90 trading days to 15.
3. FTSE Russell cut its to 5.
All three benchmarks are now structured to buy SpaceX at IPO pricing.
BottomTopper retweeted
I think AI coding hype follows roughly four stages:
1. Amazement
You try it and can’t believe how much code it generates from a few prompts.
2. Expansion
You start more and more projects because shipping suddenly feels cheap and fast. This is also the phase where people start convincing everyone around them:
- coworkers
- management
- friends in other companies
because nobody wants to “fall behind” in 6–12 months. That creates a massive snowball/FOMO effect.
3. The grind phase
You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc. So you start:
- re-prompting
- switching models
- increasing reasoning effort
- reviewing fixes
- generating fixes for previous fixes
And suddenly you spend your days reviewing AI-generated pull requests instead of building software.
4. Realization
You realize AI coding increases output much faster than it increases certainty. The code still needs:
- review
- testing
- ownership
- architectural understanding
- long-term maintenance
Usually by expensive senior engineers.
And the interesting thing is: this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves. Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say: “Actually, the ROI is much lower than we expected.”
This is what we've been seeing with every company we work with. Try justifying spending 100k on token spend when only 18k even makes it to a stable prod feature. In the rush to maximize AI token spend, companies are wasting over 44% on bug fixes
BottomTopper retweeted
So eBay is willing to pay someone $260,000/year to "shape the voice of eBay’s CEO" in a new job listing titled: Director, CEO Communications. Why not scrap that waste of money and just let Ryan Cohen speak freely and deliver real shareholder value when $GME acquires it?
BottomTopper retweeted
Apr 14
The situation in Spain where LaLiga can force ISPs to ban any IP range they want without a court order is ridiculous and so aggressively anti-internet that it's causing real harm to Spain's citizens. Docker is one thing, but the other comments in this HN post are way worse (anti-theft alarms, apps for helping people suffering from dementia). It's horrible that clouds that serve multiple sites from the same IPs are being strong-armed into either taking down anything LaLiga wants without a court order or suffering mass ip blocks.
Spain's egregious Cloudflare blocks are breaking Docker now 💀
BottomTopper retweeted
The vast majority of CISOs do not work at Google-sized companies, and will not have to worry about 0days. There’s a disconnect between the Mythos discourse, and what actually happens at most orgs: still can’t identify assets and IPs, biggest threat is still phishing, lack of defined ID mgmt and access controls, shadow IT, misconfig’d S3 buckets… If you work at one of those companies (applies to most people) you have a LOT of work to do before AI 0days is even on the top 50 things to think about. This is why advice from Google and large company leaders isn’t relevant to most folks out there. Massive scale and attack surface difference. Sure it’s still interesting and fun to speculate at that level, but it’s just not real for most people.
BottomTopper retweeted
The HLP vault on @HyperliquidX was attacked twice recently. First for 500k and yesterday for 1.5M via pump and dump price manipulation of XPL and Fartcoin. The strategy is pretty straightforward and appears to be sourced from Binance and friends:
- Long a target coin that has low liquidity with seven to eight figures
- Pump the price high enough until you have sizeable profits
- Withdraw your profits from HL until you get margin called
- The HLP vault has to take over the large losing position due to lack of counterparties to settle it as the price falls
- This leads to a loss for HLP depositors since they are the counterparty
I suspect several exchanges or market makers are farming the HLP vault by manipulating prices to their advantage. The key to make this exploit work is for someone to take that bad debt. Since the HLP vault provides liquidity to the exchange, they are the losers here. Luckily, the Hyperliquid team adjusted parameters last year so that such practices are contained in size and only represent a 0.5% loss at this HLP size. Nevertheless, if this happens weekly, it's a concern.
However, I don't think this attack vector would be possible unless CEXs gave tacit support to this and helped pump such tokens on their CEX too to make it profitable. CEX insiders make easy money and they hit a direct competitor by draining the HLP vault. As Hyperliquid grows in size and open interest, the need for the HLP vault becomes less relevant and it will likely focus on low liquidity pairs that can't generate enough profits for such attacks.
Long term, the HLP vault generates double digit returns on a yearly basis, beating most DeFi yields. The above is one of the risk vectors which you need to account for. Like, share, and follow @duonine for more alpha.
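The loss-transfer step in the thread above, as an added toy model (not the thread author's code and not Hyperliquid's real margin engine; every number, ratio and function name here is a constructed assumption). It isolates why "withdraw your profits until you get margin called" is the decisive step: pulling out unrealized profit down to the maintenance margin pushes the position's liquidation price up to the pump peak itself, so the first tick down hands the position, and the whole way back to the pre-pump price, to whoever must take it over. Pump cost and liquidation slippage are ignored, which flatters the attacker.

```python
"""Added example: simplified isolated-margin long, constructed numbers.
Compares an attacker who withdraws profit at the peak with one who holds."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Long:
    qty: float         # units of the illiquid coin
    entry: float       # average entry price
    collateral: float  # margin currently backing the position


def equity(pos: Long, price: float) -> float:
    """Collateral plus unrealized PnL at a mark price."""
    return pos.collateral + pos.qty * (price - pos.entry)


def max_withdrawable(pos: Long, price: float, maint_ratio: float) -> float:
    """Everything above the maintenance margin at the current mark can leave."""
    return max(0.0, equity(pos, price) - maint_ratio * pos.qty * price)


def liquidation_price(pos: Long, maint_ratio: float) -> float:
    """Mark price at which a long's equity equals its maintenance margin."""
    return (pos.qty * pos.entry - pos.collateral) / (pos.qty * (1.0 - maint_ratio))


def simulate(notional: float, entry: float, peak: float, crash: float, withdraw: bool,
             maint_ratio: float = 0.05, init_ratio: float = 0.20) -> Dict[str, float]:
    """Assumed parameters: 20% initial margin, 5% maintenance margin (constructed)."""
    pos = Long(qty=notional / entry, entry=entry, collateral=notional * init_ratio)
    # Pump lifts the mark to `peak`; the attacker withdraws all profit the margin
    # rules allow (or none, in the control scenario).
    withdrawn = max_withdrawable(pos, peak, maint_ratio) if withdraw else 0.0
    pos.collateral -= withdrawn
    liq = liquidation_price(pos, maint_ratio)
    if crash < liq:
        # Position is liquidated on the way down. With no counterparties the vault
        # takes it over at `liq` and still holds it at `crash`; the maintenance
        # margin left in the account is its only cushion.
        cushion = equity(pos, liq)
        vault_loss = max(0.0, pos.qty * (liq - crash) - cushion)
        attacker_keeps = withdrawn          # remaining margin is gone
    else:
        vault_loss = 0.0
        attacker_keeps = withdrawn + equity(pos, crash)
    return {
        "liquidation_price": liq,
        "withdrawn": withdrawn,
        "vault_loss": vault_loss,
        "attacker_net": attacker_keeps - notional * init_ratio,
    }


if __name__ == "__main__":
    # $10M long at $1.00, pumped to $1.50, crashing back to $0.80 (constructed).
    for w in (True, False):
        print("withdraw" if w else "hold    ", simulate(10_000_000, 1.0, 1.5, 0.8, withdraw=w))
```

With these inputs the withdrawing attacker's liquidation price is exactly the $1.50 peak: the vault inherits a $10M-unit long there and carries a $6.25M loss at $0.80, while the attacker nets $4.25M after forfeiting the $2M margin. The holder's liquidation price sits at about $0.84, so their own $2M margin absorbs the fall and the vault loses nothing. That difference is the bad debt the thread says someone has to take.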
BottomTopper retweeted
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to a remote server and self-replicate. link below
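The mechanism named in the alert above, a `.pth` file, is worth understanding because it runs before anything imports the package: Python's `site` module reads every `*.pth` in site-packages at interpreter start, treats most lines as path entries, but `exec()`s any line that begins with `import`. A wheel can therefore execute code on every `python` launch, not just on `import litellm`. The scanner below is an added example (not the reporters' tooling and not litellm's code) that lists executable `.pth` lines and flags the ones using decode, exec or network calls; it never executes anything it reads. The two sample files in `demo()` are constructed: the "malicious" one reuses the reported filename but carries a harmless stand-in payload, and the regex, thresholds and function names are assumptions to tune for your environment.

```python
"""Added example: list and triage executable lines in site-packages *.pth files."""
import os
import re
import site
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Calls a legitimate bootstrap line (setuptools' distutils-precedence.pth, editable
# install finders) does not need. Assumed heuristic; extend as you see fit.
DANGEROUS = re.compile(
    r"\b(exec|eval|compile)\s*\(|base64|marshal|zlib|subprocess|socket|urllib|requests|os\.system|os\.popen",
    re.IGNORECASE,
)
MAX_SANE_LEN = 300  # real executable .pth lines are one short statement


@dataclass
class Finding:
    path: str
    line_no: int
    reason: str
    excerpt: str


def scan_pth_file(path: str) -> List[Finding]:
    """Flag executable lines in one .pth file. Reads only; never exec()s."""
    findings: List[Finding] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip()
            # site.py executes only lines that start with "import" followed by a
            # space or tab; anything else is a path entry, blank or a comment.
            if not line.startswith(("import ", "import\t")):
                continue
            if DANGEROUS.search(line):
                findings.append(Finding(path, n, "executable line uses decode/exec/network call", line[:120]))
            elif len(line) > MAX_SANE_LEN:
                findings.append(Finding(path, n, "unusually long executable line (encoded payload?)", line[:120] + "..."))
    return findings


def scan_dirs(dirs: Optional[List[str]] = None) -> List[Finding]:
    """Scan every .pth in the given directories (default: this interpreter's site-packages)."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings: List[Finding] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                findings.extend(scan_pth_file(os.path.join(d, name)))
    return findings


def demo() -> List[Finding]:
    """Constructed sample site-packages: one ordinary .pth, one malicious-looking stand-in."""
    tmp = tempfile.mkdtemp(prefix="pth-scan-")
    with open(os.path.join(tmp, "vendor-paths.pth"), "w") as fh:
        fh.write("/opt/vendor/lib\nimport sys; sys.path.insert(0, '/opt/vendor/plugins')\n")
    # Same filename as in the report; the payload here only decodes to print('stand-in').
    with open(os.path.join(tmp, "litellm_init.pth"), "w") as fh:
        fh.write("import base64, sys; exec(base64.b64decode('cHJpbnQoJ3N0YW5kLWluJyk='))\n")
    return scan_dirs([tmp])


if __name__ == "__main__":
    for f in demo() + scan_dirs():
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.excerpt}")
```

Run it as-is to see the constructed sample flagged, then on a real environment with `scan_dirs()`; expect setuptools' `distutils-precedence.pth` and editable-install `__editable__*.pth` files to show up as legitimate executable lines, which is why the output is a triage list and not an auto-delete. To inspect a release before it ever touches an interpreter, fetch it without installing (`pip download litellm==<version> --no-deps`) and list the archive for `.pth` entries (`unzip -l <wheel> | grep '\.pth'`); pinning with `pip install --require-hashes -r requirements.txt` prevents a freshly pushed version from being pulled in at all.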
BottomTopper retweeted
🚨Major Unconfirmed Breach🚨A threat actor is claiming to sell a major breach of OVHcloud, one of Europe's largest web hosting and cloud service providers, on a dark web forum. The actor alleges they gained access to one of OVH's parent accounts and servers, enabling them to extract a significant volume of data. The claimed breach includes 1.6 million OVH Fresh customer records and 5.9 million active websites hosted with OVH, encompassing website code, website databases, and server configurations. A sample of a user record from the 1.6 million customers was provided as proof. The seller has not set a minimum price, instead asking buyers to provide an initial offer. They also advertise a 30% commission for client referrals through an intermediary.
BottomTopper retweeted
Let Me Explain How a State Actor Could Perform a Denial-of-Service Attack on the Entire UK Government in the Wake of Ofcom “Online Safety Act” Client-Side Scanning
There are 19,000 PE firms in the U.S., more than $MCD restaurants
BottomTopper retweeted
A small but very important distinction to point out because I have seen it mentioned a lot. Ryan Cohen of $GME did NOT say he is acquiring a consumer or retail company. The writer, Lauren Thomas, who wrote that WSJ article, said that herself. Read the article again and see for yourself what is in quotation marks (direct quotes) and what is commentary from the writer.
Claude Code Security is just static application security testing (SAST) where it reviews source code pre-deployment & flags issues like SQL injection; it does not monitor or prevent future attacks. Claude Code Security simply looks at code before it ships but these platforms protect what happens AFTER, so this selloff is fear-driven and an opportunity. Still the selloff could accelerate if there is further forced selling in the near term…
BottomTopper retweeted
Two AES libraries ship a default IV that guarantees key reuse. 700K repos depend on aes-js alone. A developer flagged the problem years ago, but it was never fixed. 🧵