Transcript
Axios npm supply-chain compromise & Apple Silicon LLM speedups - Hacker News (Mar 31, 2026)
March 31, 2026
Two “normal” npm releases hid something much uglier: a cross-platform remote-access trojan that could run the moment developers installed a dependency—even though the main package code barely changed. Welcome to The Automated Daily, hacker news edition. The podcast created by generative AI. I’m TrendTeller, and today is March 31st, 2026. Let’s get into what moved, what broke, and what it means if you build software for a living.
First up: a serious supply-chain incident involving axios, one of the most widely used JavaScript HTTP clients. StepSecurity reports that attackers hijacked a maintainer account and published two poisoned versions. The trick wasn’t a sneaky code change in axios itself—it was a new dependency that existed mainly to run a postinstall script. That script allegedly dropped a remote access trojan targeting macOS, Windows, and Linux, and even tried to clean up traces afterward so routine checks would look normal. npm has removed the malicious releases and replaced the dependency with a security-holder package, but the big takeaway is uncomfortable: install-time scripts and dependency injection can compromise developer machines and CI without the main library code looking suspicious.
Staying with security and privacy, there’s a sharp critique making the rounds about a newly released official White House Android app. The article argues the app behaves like spyware: broad permissions, multiple third-party trackers, and questionable alignment with a minimal-data approach—especially for something that could arguably be a website or an RSS feed. The author uses it as a jumping-off point to criticize federal app practices more broadly, including embedded ad and analytics SDKs and long-lived data retention systems. Whether you agree with every claim or not, the story matters because government apps sit at a sensitive intersection of trust, data collection, and oversight—areas where “just ship the app” is not a harmless default.
On the space front, an Idle Words essay is calling for NASA to avoid flying Artemis II with astronauts—at least until Orion’s heat shield behavior is better understood. The concern traces back to Artemis I, where the uncrewed capsule’s lunar-return reentry produced unexpected and severe heat-shield damage, later documented with more alarming photos in an Inspector General report. The essay argues NASA is leaning on modeling and trajectory tweaks rather than redesign-and-test rigor, and it quotes former astronaut and heat-shield engineer Charles Camarda warning about a Challenger- and Columbia-style “normalization of deviance.” The broader significance is not just Artemis scheduling; it’s whether a program under political pressure can maintain the discipline to pause when a critical safety margin looks uncertain.
Now to AI on the desktop: Ollama released a preview update aimed at faster local inference on Apple Silicon by leaning into Apple’s MLX framework and unified memory. The headline is speed—faster time-to-first-token and faster generation—and the update also nods to production realities by adding support for NVIDIA’s NVFP4 low-precision format. There’s also work on caching to make agentic and coding workflows feel snappier across conversations. The reason this is interesting is the direction of travel: local AI is increasingly judged on latency and “workflow feel,” not just raw model size, and the stack is fragmenting by hardware—Apple on one side, NVIDIA-heavy production on the other—with tooling trying to bridge both.
In research-oriented AI news, Google Research’s TimesFM repo is pushing forward on open time-series forecasting with TimesFM 2.5. The pitch is a general-purpose pretrained model you can adapt across datasets, instead of rebuilding bespoke forecasting pipelines every time. The newer release emphasizes updated APIs, longer context windows, and uncertainty estimates via quantiles, plus restored covariate support through an approach called XReg. Why it matters: forecasting is everywhere—capacity planning, retail, energy, ops—and a solid pretrained baseline can lower the barrier to “good enough” predictions, while also making it easier to communicate uncertainty rather than pretending the future is a single crisp line.
Also in the “make AI cheaper to run” bucket, a GitHub repo called “claude-token-efficient” proposes a drop-in CLAUDE.md file to cut down on verbosity and what the author calls response “noise”—things like flattering openers, repeating the question, and heavy formatting. The repo claims big reductions in output length in small tests, but it’s honest about the trade-off: that guidance file itself consumes context on every message, so the savings only show up when you’re in output-heavy loops. The deeper point is less about Claude specifically and more about operational hygiene: teams scaling agents care about predictable, parseable, minimal outputs, because tokens are cost, latency, and failure surface area all at once.
That token-efficiency story pairs nicely with a more philosophical one: Alex Woods argues that letting LLMs draft your documents undermines the main value of writing, which is thinking. The claim is that writing forces structure onto uncertainty, and if you outsource the prose, you may also outsource the mental work—ending up with text that looks finished but didn’t actually earn its conclusions. He also flags a social consequence: machine-sounding documents can quietly erode trust, because readers suspect the author didn’t truly wrestle with the ideas. The practical middle ground he suggests is using LLMs for support tasks—research, brainstorming, checking—while keeping the core reasoning and narrative genuinely authored.
Shifting gears to robotics history, IEEE Spectrum revisited Honda’s P2 humanoid robot from 1996, now designated an IEEE Milestone. P2 is widely credited as the first self-contained autonomous biped that could walk stably without being tethered—an achievement that required real-time balance control, coordinated joints, and practical onboard power and computing. This matters today because the current wave of humanoid robots didn’t appear from nowhere; a lot of today’s “wow” demos sit on decades of hard-won fundamentals in gait, sensing, and stability. P2 is a reminder that breakthroughs often start as unglamorous control problems that someone stubbornly solves.
And for the programming-language corner: TinyAPL published documentation explaining combinators—functions that operate purely on their inputs, often used for point-free composition. It maps classic combinator patterns to TinyAPL primitives and includes visuals to help people reason about data flow. Why care? Because these ideas show up far beyond APL: once developers get comfortable with composable building blocks, they tend to write programs that are easier to refactor and reason about—especially when you’re trying to express transformations clearly without lots of scaffolding code.
That’s the rundown for March 31st, 2026. If there’s a unifying theme today, it’s trust—trust in your dependencies, trust in your institutions, and trust in the words you put your name on. Links to all stories can be found in the episode notes. Thanks for listening—I’m TrendTeller, and I’ll see you tomorrow.