#017

NIST shelved 29,000 CVEs, Virginia banned selling your location, and smolvm boots in 200ms

NIST stopped enriching 29,000 CVEs so scanners go partially blind. Virginia banned location data sales. smolvm boots a full Linux VM in under 200ms.

NIST moved ~29,000 CVEs to “Not Scheduled” this week. No severity scores. No product identifiers. Snyk, Dependabot, and Grype need that data to match a CVE to your specific package versions. Without it, your npm audit is silently incomplete.

CVE submissions surged 263% since 2020. NVD staff: unchanged at 21 people. AI is generating vulnerability reports faster than anyone can process them, and NIST threw in the towel.

In today’s indie hacker news:

  • NIST shelved 29K CVEs. Your scanner goes partially blind.
  • Virginia banned selling location data. 500M phones already mapped.
  • smolvm boots a full Linux VM from a single file in under 200ms
  • Hyperscalers burn $690B/yr on AI, more than the Interstate Highway
  • Healthchecks.io self-hosted S3 after two EU clouds failed

TOP STORIES

YOUR SCANNER JUST WENT BLIND

🔓 NIST shelved ~29,000 CVEs and stopped verifying severity scores

On April 15, NIST announced it will only enrich CVEs in three buckets: CISA’s Known Exploited Vulnerabilities catalog, federal government software, and “critical software” under Executive Order 14028 (OSes, browsers, firewalls, VPNs). Everything else: “Lowest Priority, not scheduled for immediate enrichment.”

Roughly 29,000 CVEs with NVD publish dates before March 2026 moved to “Not Scheduled.” They will never be enriched under current policy.

The details:

  • 263% increase in CVE submissions 2020-2025. Q1 2026 running 33% above Q1 2025.
  • NIST enriched ~42,000 CVEs in 2025. 45% more than any prior year. Still not enough.
  • NVD staff: ~21 people. Unchanged despite exponential volume growth.
  • NIST stops independently assigning CVSS scores. Displays what submitters provide, no verification layer.
  • Endor Labs tracked as many new vulnerabilities in the first 100 days of 2026 as all of 2025.

Why builders care: Dependency scanners pull CVSS scores and CPE product mappings from NVD. Without enrichment, they silently miss vulnerabilities in everything outside CISA KEV. Your npm audit is now incomplete by design. If you run SOC 2 or ISO 27001 audits, your vulnerability management program has a gap auditors will flag.
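As an added example (not from the newsletter, NIST or any scanner vendor), here is a Python check that reads an NVD API 2.0 response and reports which records a version-matching scanner can actually use: an NVD-assigned CVSS score (source nvd@nist.gov) and CPE match criteria. The JSON is constructed sample data with placeholder CVE ids; the "Not Scheduled" status string is assumed from the story's wording.

```python
import json

NVD_SOURCE = "nvd@nist.gov"  # NVD's own analyst source tag on CVSS metrics

# Constructed sample in the shape of an NVD API 2.0 /cves response (not real records).
# CVE ids are placeholders; the "Not Scheduled" status wording is taken from the story.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                                            "cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:lib:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Not Scheduled",  # CNA score, no CPEs
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Not Scheduled"}},  # nothing at all
]})

CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def classify_cve(cve: dict) -> dict:
    """What a version-matching scanner can actually use from one NVD CVE record."""
    metrics = cve.get("metrics", {})
    scores = [m for key in CVSS_KEYS for m in metrics.get(key, [])]
    nvd_scored = any(m.get("source") == NVD_SOURCE for m in scores)
    cpe_count = sum(len(node.get("cpeMatch", []))
                    for cfg in cve.get("configurations", [])
                    for node in cfg.get("nodes", []))
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus"),
        "nvd_verified_score": nvd_scored,            # analyst-assigned, not just displayed
        "submitter_score_only": bool(scores) and not nvd_scored,
        # No CPE match criteria means no product/version to match against a lockfile.
        "scanner_matchable": cpe_count > 0,
    }


def enrichment_report(raw_json: str) -> dict:
    """Summarise a response: how many records a scanner can match, and which cannot."""
    rows = [classify_cve(v["cve"]) for v in json.loads(raw_json)["vulnerabilities"]]
    return {
        "total": len(rows),
        "matchable": sum(r["scanner_matchable"] for r in rows),
        "unverified_scores": sum(r["submitter_score_only"] for r in rows),
        "blind_spots": [r["id"] for r in rows if not r["scanner_matchable"]],
    }
```

Point it at a saved NVD API response for the CVEs your scanner reports on, and the blind_spots list is the set your scanner cannot match to package versions on its own.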


500M PHONES, ZERO WARRANTS

📍 Virginia banned selling your location data. 500M phones are already mapped.

Virginia Governor Spanberger signed SB 338 on April 15, banning the sale of precise geolocation data, defined as data that locates a person within a 1,750-foot radius. Takes effect July 1. Unanimous bipartisan support.

A Citizen Lab report found Webloc (made by Cobwebs Technologies, now sold by Penlink) can access location records from up to 500 million mobile devices globally with 3 years of history. Customers include ICE, US Navy, Hungarian intelligence, and police in LA, Dallas, and Baltimore.

The details:

  • DHS signed a $2.3M contract with Penlink in September 2025 giving ICE access to Webloc.
  • 72 lawmakers demanded a federal investigation. ICE canceled the oversight briefing the day before.
  • FTC banned Gravy Analytics and Mobilewalla from selling location data (January 2025).
  • Maryland and Oregon have similar bans. Six more states considering them in 2026.
  • Webloc links “anonymous” device IDs to social media accounts without a warrant.

Why builders care: If your app uses an ad SDK or analytics layer, it may be reselling location data to brokers without your knowledge. Virginia’s law makes you liable if an SDK in your chain does this. The RTB exchange model that funds free apps is being dismantled state by state.


⚡ smolvm packs a full Linux VM into a portable file that boots in under 200ms

smolvm (YC Spring 2026) wraps a Linux VM into a portable .smolmachine binary. No Docker, no QEMU, no daemon. Cold start: under 200ms. Built on libkrun with macOS native hardware isolation via Hypervisor.framework. Firecracker can’t run on macOS. smolvm can.

Founders BinBin He and Fu Qiao built it for AI agent sandboxing: each session gets a clean VM with snapshotable state and elastic memory.

The details:

  • Written in Rust (82.4%), Apache-2.0 license. 1,000+ GitHub stars.
  • Network off by default. Egress via domain allowlist only.
  • Environments declared via Smolfile (TOML). Reproducible, no drift.
  • Elastic memory via virtio balloon. Host only commits what the guest uses.
  • 4 vCPUs, 8 GiB RAM default, fully overridable at launch.

Why builders care: AI agent sandboxing needs stateful, resettable environments. Containers are stateless. Firecracker needs Linux/KVM. smolvm ships like an Electron app and runs like a VM, on your MacBook.


MORE THAN THE INTERSTATE, EVERY YEAR

💰 Four hyperscalers are burning $690B/yr on AI. That’s the Interstate Highway, annually.

Amazon committed ~$200B in capex for 2026. More than the entire US energy sector combined. Alphabet guided $175-185B, up from ~$91B in 2025. Microsoft: ~$120B+. Meta: $115-135B. Combined: ~$690B for 2026, roughly matching the inflation-adjusted cost of the Interstate Highway System built over 35+ years.

Goldman Sachs projects $1.15 trillion in hyperscaler capex from 2025-2027.

The details:

  • Amazon’s negative free cash flow projected at $17-28B in 2026.
  • Alphabet free cash flow projected to fall 90%, from $73.3B to $8.2B.
  • Capex quadrupled since GPT-4’s release. Growing 72%/yr since Q2 2023.
  • AI services: ~$25B revenue in 2025 vs. $381B spend. The gap is the question.
  • Manhattan Project: ~$27.5B adjusted. Hyperscalers spend that every ~2 weeks.

Why builders care: This spending creates the deflationary flywheel that makes AI products viable. Inference costs drop because hyperscalers need to fill capacity. But 4 companies control most global AI compute. Any disruption reshapes the builder stack overnight.


SELF-HOSTED AND PAYS MORE

🔧 Healthchecks.io’s solo founder ditched managed S3 after two EU clouds failed

Pēteris Caune runs Healthchecks.io solo. $19,100 MRR, 856 paying accounts, live since 2015. He migrated from OVHcloud (2022-2024) to UpCloud (2024-2026). Both failed on reliability, especially DeleteObjects under his 30-writes/second workload.

He now runs Versity S3 Gateway on a dedicated server with two NVMe drives in RAID 1 on Btrfs. It costs more than managed S3. He doesn’t care. It works.

The details:

  • 14 million objects, 119GB total, 8KB average. Btrfs chosen to avoid inode exhaustion.
  • Rejected MinIO, SeaweedFS, and Garage. Too complex for one person.
  • Versity upgrade: “Replace a single binary and restart a systemd service.”
  • rsync backup every 2 hours. Acceptable data loss: 2 hours of ping request bodies.
  • 55.6 million daily pings processed across 209,000 monitored services.

Why builders care: The anti-DHH story. Caune isn’t saving money. He’s paying more. He switched because reliability mattered more than cost. The S3 API as abstraction let him migrate three times with zero app-layer code changes.


🧠 Cloudflare ships Agent Memory - Managed persistent memory for AI agents that survives context compaction. Multi-stage retrieval fusion combining 5 parallel search methods. Runs on Durable Objects + Vectorize + Workers AI. Waitlist only. The real problem it solves: context compaction normally loses information silently.

🗜️ Cloudflare Unweight: lossless 22% LLM compression - Bit-exact output preservation while shrinking LLM weights 22%. Exploits BF16 exponent byte redundancy with Huffman coding. Prior compression (quantization, pruning) always trades accuracy for size. This doesn’t. Shown on Llama 3.1 8B.

The anti-vibe-coding movement gets organized - The backlash has a name. An organized “Slopless” initiative launched at slopless.design. Miguel Conner enrolled in a 12-week Recurse Center retreat to train a transformer from scratch. Core complaint: AI tools democratized creation and drowned everything in sameness.


DRAMA

THE THINKER THAT WON’T STOP THINKING

🌀 Opus 4.7’s “adaptive thinking” triggers community backlash

A PhD student in theoretical math/physics posted that Opus 4.7’s adaptive thinking spirals mid-response without landing conclusions. The post was auto-removed from r/ClaudeAI, then resurfaced on r/artificial (218 upvotes, 114 comments). Top community theory (123 points): “Adaptively nerfing Opus is how Anthropic keeps servers running until they build more.” No official response visible.

Why builders care: If you use Opus 4.7 for complex reasoning, try explicit “think step-by-step then conclude” instructions. Usage limits reportedly hit faster with adaptive thinking active.


FIRST DOLLAR

14 MONTHS, THIRD TRY

💵 Arthur Yuzbashev, 21, hit $40K in 14 months with mediafa.st

@arthuryuzbashew, from Azerbaijan, studying in Spain. Month 1: $363. Month 14: $5,900. Total: ~$40K. He plateaued at month 10 and almost quit. Key moves: SEO from day 1 (manual + Claude for content), raised prices 5-6 times as traction grew. 55% of revenue came in the last 4 months. Third startup. Two prior failures.


STACK OF THE DAY

🧰 PodWarden - Fleet management for self-hosted apps without Kubernetes. Deploy, scale, and monitor containerized workloads across servers. 3,400+ curated apps. Uses K3s under the hood. Free tier: unlimited servers. Pro $19/mo. Show HN today.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

🔒 Even ‘cat readme.txt’ is not safe - iTerm2 SSH integration trusts terminal escape sequences from any file content. A malicious readme.txt can trigger code execution via iTerm2’s conductor protocol. Check if you use iTerm2 with SSH.

💳 Deleteduser.com: a $15 PII magnet - Security researcher bought deleteduser.com for ~$15. Within 24 hours, 30+ companies sent sensitive emails to it. They “delete” users by overwriting emails with something@deleteduser.com instead of purging data.

🔍 Is your site agent-ready? - Cloudflare’s free tool at isitagentready.com scores sites on 4 AI-agent compatibility dimensions. Only 4% of top sites declare AI preferences. MCP Server Cards: fewer than 15 in 200,000 domains.


Curated by AI, built by a human.