#037

Cloudflare cut 1,100 jobs, ShinyHunters took 275M Canvas records, Dirtyfrag pwns Linux

Cloudflare cut 1,100 jobs the same hour it beat Q1 earnings. ShinyHunters held 275M student records hostage. Dirtyfrag ships unpatched on Linux 6.x.


Matthew Prince fired 1,100 Cloudflare employees the same hour he announced a $639.8M Q1 revenue beat, up 34% year-over-year. The memo blamed a 600% spike in internal AI usage over three months, not weak demand. Stock dropped 18% after hours anyway, on weak Q2 guidance.

Two days ago, Coinbase CEO Brian Armstrong wrote that mass layoffs were coming to every company. Cloudflare cut 20% the day it beat earnings. That’s the proof, not the prediction.

In today’s indie hacker news:

  • Cloudflare cut 1,100 jobs and beat earnings the same hour
  • ShinyHunters held 275M Canvas student records hostage
  • Dirtyfrag: a 192-line C file roots Linux 6.x with no patch
  • DeepMind’s AlphaEvolve broke a 56-year matrix-multiply record
  • Mozilla used Claude Mythos to find 271 Firefox bugs

TOP STORIES

AI ATE THE ORG CHART

Cloudflare cut 1,100 jobs the same hour it beat Q1 earnings, and blamed a 600% AI usage spike.

Cloudflare cut 1,100 jobs the same hour it beat Q1 earnings

The story: Matthew Prince’s memo hit Cloudflare’s payroll May 7 alongside Q1 earnings. 1,100 employees out, about 20% of the 5,156-person workforce. Same hour, the company beat analyst estimates with $639.8M Q1 revenue, up 34% year-over-year. Prince’s stated reason: internal AI usage grew 600% in three months. “There are roles at the company that just aren’t the roles that we need for the future.”

The severance is unusually generous: full base pay through end of 2026, US healthcare to year-end, equity vesting extended to August 15. Total charge $140 to $150M. Stock still dropped 18% after hours on weak Q2 guidance ($664-665M vs $665.3M consensus).

The details:

  • 1,100+ cut across all departments. Engineering, HR, finance, marketing all called out as AI-automated functions (SiliconANGLE)
  • Internal AI usage grew 600% in 3 months. Employees running thousands of agent sessions daily (memo)
  • Q1 revenue $639.8M vs $622M analyst estimate. Layoffs not financial-distress driven (CNBC)
  • $140-150M restructuring: $105-110M cash severance + $35-40M non-cash equity. The “we want this finished now” package
  • Two days earlier, Coinbase’s Brian Armstrong wrote “mass layoffs are coming to every company.” Edition #35 covered Coinbase’s 660 cuts. Cloudflare is the next beat

Why builders care: This is the cleanest enterprise case study yet of agentic AI replacing non-engineering headcount: HR, finance, marketing, ops, not just code. If your team’s AI usage doubled this quarter, the playbook is the same: audit every recurring human task against what Claude agents, Cursor, or Zapier AI can now do in minutes. The kicker: the cheapest severance package is the one you never have to pay.


ONE VENDOR, 9,000 SCHOOLS DOWN

ShinyHunters held 275M Canvas student records hostage by hitting one vendor.

ShinyHunters held 275M Canvas student records hostage

The story: ShinyHunters claimed responsibility on May 2 for a second Instructure breach in 8 months: 3.65 TB and 275 million records pulled from the Canvas LMS production cloud on April 30. Blast radius: 8,809 institutions, including every Ivy League school, MIT, Oxford, Cambridge, Stanford, Duke, plus 2,000+ K-12 districts. The ultimatum: “PAY OR LEAK.” Ransom deadline extended from May 6 to today, May 8.

The attack vector wasn’t a database dump. ShinyHunters exploited a vuln in Instructure’s production cloud, registered malicious connected applications, and used custom Python plus legitimate API tools to bulk-extract data. They abused the trust boundary every LMS integration relies on. The Next Web called it the largest education data breach in history.

The details:

  • 8,809 institutions hit including all 8 Ivy League schools, Oxford, Cambridge, Stanford, MIT, Duke, OU, Penn, plus 44 Dutch universities (Duke Chronicle)
  • Data exfil: names, email addresses, student IDs, Canvas Inbox + Discussion private messages between students and teachers. No passwords, DOBs, or financial data confirmed stolen (HackRead)
  • Second Instructure breach in 8 months. First was Sept 2025 via Salesforce social engineering. Same actor returned with a different vector
  • Canvas LMS controls 35-41% of North American higher-ed market share with ~30M active users (Inside Higher Ed)
  • Steve Proud, Instructure CISO, customer notification: “[The exposed data] may include names, email addresses, student identification numbers, and Canvas Inbox and Discussion messages”

Why builders care: ShinyHunters didn’t attack 9,000 schools, they attacked one vendor and got all 9,000. If you build on Canvas, Salesforce, or Snowflake, audit what API scopes you grant. If you ARE the platform layer, treat trusted-integration registration as your highest-priority audit surface. The kicker: in 2024 ShinyHunters extracted $370K from AT&T. The 275M-record demand is what they think Instructure is worth.


192 LINES, FULL ROOT

Dirtyfrag: a 9-year-old Linux kernel bug, deterministic, no patch yet.

Dirtyfrag: 192 lines of C root every Linux 6.x server

The story: Hyunwoo Kim published a 192-line C file May 7 that roots every Linux server still on kernel 6.x. It chains two page-cache write bugs, a 9-year-old xfrm ESP4/ESP6 hole from 2017 and a 3-year-old RxRPC/rxkad hole from 2023, to escalate uid=1000 to root by overwriting /usr/bin/su or patching /etc/passwd. It’s a deterministic logic bug, not a race condition. The kernel doesn’t panic on failure, and the success rate is very high on the first attempt.

Kim wrote on the oss-security list that someone broke the embargo before the May 12 coordinated disclosure date, forcing immediate full release with no upstream patch ready. Confirmed vulnerable: Ubuntu 24.04.4, RHEL 10.1, Fedora 44, CentOS Stream 10, AlmaLinux 10, openSUSE Tumbleweed.

The details:

  • ESP path bug present since January 2017, about 9 years of vulnerable Linux releases
  • Kim’s writeup: “Because it is a deterministic logic bug, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high”
  • Same researcher behind Copy Fail (CVE-2026-31431) weeks earlier. Copy Fail’s algif_aead blacklist does NOT protect against Dirtyfrag
  • Workaround: blacklist esp4, esp6, rxrpc modules via /etc/modprobe.d. Caution: breaks IPsec tunnels (strongSwan, Libreswan). CloudLinux livepatched within hours, mainline kernel still unpatched as of May 8
  • Third major “Dirty*” Linux LPE in a decade after DirtyCow (2016, race condition) and DirtyPipe (2022, splice/pipe). Strictly more dangerous because the primitive is deterministic

Why builders care: If your VPS has one user, you’re not immediately exploitable. Dirtyfrag needs a local unprivileged shell first. But anyone running shared CI runners, multi-tenant containers, or any environment where untrusted code executes as an unprivileged user is fully exposed. A malicious npm dependency can own the host with one C binary. Action items: blacklist esp4/esp6/rxrpc, check your cloud’s kernel patch status before your next deploy, treat shared infra as zero-day until your kernel is patched. The kicker: see Bookmarked Today for Xe Iaso’s “pause your installs for a week” advice. He’s right.
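One way to stage the modprobe.d workaround from the details above, as an added example that is not from Kim's writeup or any distro advisory: it writes the drop-in (to a directory you choose, so it can be exercised without root), reports which of the three modules a /proc/modules-style file shows as loaded, and checks the kernel series. The file name dirtyfrag-workaround.conf and the helper names are assumptions; a bare blacklist line only stops alias-based autoload, so the install-to-/bin/false form is written as well.

```shell
#!/bin/sh
# Added example (not from the Dirtyfrag writeup or any distribution):
# stage the esp4/esp6/rxrpc module block the text describes and check state.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write the modprobe.d drop-in into DIR (default /etc/modprobe.d, which needs root).
# "blacklist" only stops alias autoload; "install X /bin/false" also refuses
# explicit and dependency loads. Modules already loaded stay loaded until
# "modprobe -r" or a reboot. This breaks IPsec (strongSwan, Libreswan).
write_dirtyfrag_block_conf() {
    dir="${1:-/etc/modprobe.d}"
    out="$dir/dirtyfrag-workaround.conf"   # assumed file name
    {
        echo "# Dirtyfrag workaround: deny esp4/esp6/rxrpc (breaks IPsec tunnels)"
        for m in $DIRTYFRAG_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
    echo "$out"
}

# Print the subset of the three modules present in a /proc/modules-style file
# (first field of each line is the module name), one per line.
loaded_dirtyfrag_modules() {
    modfile="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        if grep -q "^$m " "$modfile"; then
            echo "$m"
        fi
    done
}

# Exit 0 when the kernel release string is in the 6.x series named in the text.
kernel_is_6x() {
    case "${1:-$(uname -r)}" in
        6.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage on a real host (as root): write_dirtyfrag_block_conf
# then: loaded_dirtyfrag_modules   (anything printed still needs modprobe -r)
```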


AN LLM BEAT 1969

DeepMind’s AlphaEvolve broke a 56-year matrix-multiply record, then cut Spanner write amplification 20%.

DeepMind’s AlphaEvolve broke a 56-year matrix-multiply record

The story: DeepMind posted an impact recap of one year of internal AlphaEvolve runs. AlphaEvolve is an evolutionary coding agent: define a fitness function that returns a score, ask Gemini 2.0 to mutate the current best codebase, accept anything that improves the score, repeat. The flagship math result: a rank-48 factorization for two 4×4 complex-valued matrices. First improvement on Strassen’s algorithm for 4×4 matrix multiplication since 1969.

Google production wins are more interesting than the math. Spanner write amplification dropped 20%. Compiler optimization cut storage 9%. A counterintuitive TPU silicon circuit baked into the next-gen chip. External wins: Klarna 2x training speedup, Schrödinger 4x molecular force-fields speedup, FM Logistic 10.4% routing gains.

The details:

  • 48 scalar multiplications for two 4×4 complex matrices. Recurses over any field of characteristic 0, unlike Winograd’s scheme, which doesn’t recurse to larger matrices (arXiv 2506.13131)
  • About 1000x sample efficiency vs FunSearch (2023): thousands of evals vs millions. Same idea, much stronger LLM
  • @demishassabis on X: “Knowledge begets more knowledge, algorithms optimising other algorithms, we are using AlphaEvolve to optimise our AI ecosystem, the flywheels are spinning fast”
  • AlphaEvolve itself is Google-internal. Only verification notebooks are open (alphaevolve_results). OpenEvolve is the independent open-source clone you can run today
  • HN community pushed back: 258 points, 110 comments. Hardware engineers called the TPU bit-truncation win “automatically performed by synthesis tools” (thread)

Why builders care: AlphaEvolve isn’t runnable, but the loop is 200 lines of Python and OpenEvolve ships it open-source. If you have a pricing algorithm, a route optimizer, or a hot SQL query you can’t profile-optimize further, swap in an evolutionary LLM loop against a measurable metric. No ML expertise needed, just a function that returns a number. The kicker: the same pattern that beat Strassen also beat Google’s database engineers on Spanner. Your handwritten code is not the floor.


271 BUGS, 15 FALSE POSITIVES

Mozilla used Claude Mythos to find 271 Firefox bugs, including a 20-year-old XSLT one.

Mozilla used Claude Mythos to find 271 Firefox bugs

The story: Mozilla posted the architecture writeup for using Anthropic’s unreleased Claude Mythos Preview to find 271 security bugs in Firefox 150. 180 sec-high, 80 sec-moderate, 11 sec-low. Total Firefox security fixes shipped in April: 423 vs Mozilla’s 2025 monthly average of 20-30. The headline catch was a 20-year-old XSLT bug from 2006 plus a 15-year-old <legend> bug. Fewer than 15 false positives across the entire run.

Mozilla started with Claude Opus 4.6: 22 vulnerabilities, 14 high-severity, in 2 weeks for $4,000 in API credits. Then upgraded to Mythos. Authors are Brian Grinstead, Christian Holler, Frederik Braun. Mythos access came through Project Glasswing, Anthropic’s industry consortium.

The details:

  • Harness architecture: agentic harness on top of existing fuzzing infra. Runs Claude in parallel across ephemeral VMs, dynamically creates and runs reproducible test cases, deduplicates findings before they reach engineers
  • Brian Grinstead, Mozilla Distinguished Engineer: “This pipeline is extremely reliable at filtering out false positives, so long as you have a clearly defined success condition to validate against”
  • Subsystems reviewed: JIT, WebAssembly GC, IndexedDB, IPC, WebTransport, DNS/HTTPS parsing, XSLT, image decoding, RLBox sandboxing
  • 100+ Mozilla engineers contributed patches. Bugs flowed through normal triage, not a separate AI-only flow (Help Net Security)
  • Project Glasswing covers 40+ critical-software orgs (AWS, Apple, Microsoft, Google, JPMorgan, Linux Foundation). Anthropic committed $1.5M to Apache Software Foundation, $2.5M to other open-source security orgs

Why builders care: Mozilla’s writeup is the most detailed public recipe for running Claude as an autonomous code-auditing agent. The load-bearing insight: false positives collapse when you force the agent to write a reproducible test case before it files a bug. If Claude can’t produce a passing test, it doesn’t file the report. Mythos access is gated through Glasswing, but Opus 4.6 is what Mozilla started with, and it found 22 real Firefox bugs in 2 weeks for $4,000. Solo founders can apply this pattern today: build a success-condition validator alongside your prompt. The kicker: Mozilla put 20 years of XSLT into a coding agent’s backlog and got most of it back in a single release.


Local control planes for AI agents go mainstream. Three Show HNs in 24 hours sandbox Claude Code/Codex locally instead of trusting cloud agents: Armorer (Docker isolation, UI+CLI), Agentctl (Go MIT, gates 5 high-risk actions, today’s Stack of the Day), and Kill-The-Backlog (TypeScript AGPL, runs opencode in E2B sandboxes with auto-PR). Three independent projects shipping the same control-plane abstraction in a day means the pattern just went mainstream.

Multi-Token Prediction lands in llama.cpp. Edition #35 covered Google’s MTP announcement. Today it shipped. llama.cpp merged beta MTP support, and r/LocalLLaMA users are extracting MTP tensor GGUFs from finished models as “donor” grafts onto other architectures. Reported gains: 40% Gemma 4 speedup, 2.5x Qwen 3.6 27B on dual 3090s NVLINK. Speculative decoding moved from research curiosity to consumer-GPU table stakes inside a week.

@levelsio reminded everyone SQLite is free. He posted that SQLite supports databases up to 281 TB and writes 500K rows/sec with batching. 216K views, 2,562 likes in 9 hours. The numbers check out: sqlite.org/limits.html confirms the 281 TB ceiling, and Anders Murphy’s Dec 2025 demo hit 100K TPS over a billion rows. Same week Claude Code “took his site down,” Levels is reminding builders the boring database is also the fastest one.


FIRST DOLLAR

MOODFLIX HIT $100 IN MONTH ONE

A solo dev’s AI movie rec app crossed 100 users and a $100 milestone via display ads + a $1.99/week subscription.

A solo dev (publisher: ProTimeWorld) posted on r/SideProject that his AI movie recommendation app Moodflix crossed 100+ users and a $100 earnings milestone. Live on Google Play and the App Store. Monetization: display ads + a $1.99/week subscription. He’s looking for a Tier-1 marketing co-founder. Same playbook as edition #35’s Anything.com pivot: vibe-coded app + Admob + IAP = first dollar inside three months.


DRAMA

AI SLOP IS KILLING ONLINE COMMUNITIES

A 505-point HN thread argues low-effort AI content is overwhelming the places builders find their first 100 users.

Robin Moffatt posted that AI-generated submissions without genuine contribution are degrading every community he uses. 505 HN points, 469 comments, 93% comment-to-vote ratio. Cited examples: Zig’s no-AI policy, the Vouch project, RedMonk’s generative-AI policy in OSS. Moffatt quoted Brandolini’s Law: “the amount of energy needed to refute bullshit is an order of magnitude bigger than that needed to produce it.”

Why builders care: Mirrors @levelsio’s “99% of replies are AI bots” comments. If you’re a solo founder counting on Reddit/HN/Twitter to find your first 100 users, the human-to-bot ratio is now your distribution problem, not your launch-day problem.


STACK OF THE DAY

🛠️ Agentctl

Agentctl is a single Go binary that gates five high-risk actions from coding agents like Claude Code: package installs, code execution, secret access, file writes, external API calls. Records structured traces for every decision. Unique feature is policy replay: re-run a prior session against a stricter policy to see “what would have happened.” MIT, 99.7% Go. Install: go install github.com/chocks/agentctl/cmd/agentctl@latest && agentctl attach claude-code. If you’ve ever watched Claude Code rm -rf the wrong directory or pip install a typosquat, this is the canonical answer.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

⏸️ Maybe you shouldn’t install new software for a bit (Xe Iaso). Companion piece to Dirtyfrag (story 3). Xe argues for a 1-week moratorium on new software installs because Copy Fail and Dirtyfrag drop in the same window. His line: “Right now would be one of the best times for a supply chain attack via NPM to hit hard.” 245 HN points, 108 comments.

🔒 Chrome removed its on-device AI privacy claim (r/chrome). 496 HN points, 191 comments. Edition #35 covered Chrome silently installing a 4GB model. Now the privacy claim that justified it is gone. If you ship a feature that depends on window.ai and called it “private/local,” audit your copy.

🔁 Agents need control flow, not more prompts (bsuh.bearblog.dev). 365 HN points, 196 comments. Top-scoring HN post of the day. Brian’s line: “If you’ve ever resorted to MANDATORY or DO NOT SKIP, you’ve hit the ceiling of prompting.” Pairs with today’s local-control-plane wave (Agentctl, Armorer, Kill-The-Backlog): same insight, different layer.


Curated by AI, built by a human.