Notes on tech and daily lifehttps://lilting.ch/en-ushttps://lilting.ch/en/articles/fast-inverse-square-root-apple-m4-benchmark/https://lilting.ch/en/articles/fast-inverse-square-root-apple-m4-benchmark/Tested Q_rsqrt on Apple M4 (Mac mini) and Zen 3 (Ryzen 5800HS / WSL2). M4's -O2 already rewrites 1/sqrtf to frsqrte and ties Q_rsqrt; x86 clang needs -ffast-math or hits a 12x gap. Hand-written NEON/SSE wrappers turn out slower. Newton 0/1/2 error and the Lomont constant covered too.Wed, 13 May 2026 09:54:00 GMTCApple Siliconhttps://lilting.ch/en/articles/omlx-039-dev2-gemma4-copilot-cache/https://lilting.ch/en/articles/omlx-039-dev2-gemma4-copilot-cache/oMLX 0.3.9.dev2 release notes from the angle of Codex/Copilot on Mac local LLMs: Gemma 4 VLM MTP, DFlash, omlx launch copilot, SSD KV cache — what each changes for agent workflows.Wed, 13 May 2026 06:51:00 GMTAILLMLocal LLMApple SiliconMLXInference OptimizationCodexhttps://lilting.ch/en/articles/rubygems-new-signups-paused-malicious-packages/https://lilting.ch/en/articles/rubygems-new-signups-paused-malicious-packages/RubyGems.org halted new signups after DDoS and 500+ malicious gem uploads. Existing install/push unaffected — check lockfiles for gems added around May 12 2026.Wed, 13 May 2026 05:00:09 GMThttps://lilting.ch/en/articles/voxcpm2-tokenizer-free-local-tts/https://lilting.ch/en/articles/voxcpm2-tokenizer-free-local-tts/VoxCPM2 sits in the tokenizer-free corner. Mapped vs F5-TTS, CosyVoice2, Irodori-TTS, Style-Bert-VITS2; plus why Japanese TTS still leans on OpenJTalk.Wed, 13 May 2026 04:57:03 GMTAITTSSpeech SynthesisVoice CloningLocal AIOpen SourceFine-tuninghttps://lilting.ch/en/articles/nist-nvd-risk-based-cve-enrichment/https://lilting.ch/en/articles/nist-nvd-risk-based-cve-enrichment/NVD API queries: kernel CVEs return Analyzed but SuperAGI CVE-2026-6584 stays Deferred with no CPE. Maps Snyk, Trivy, Grype, Dependabot, OSV-Scanner reliance on NVD vs GHSA/OSV.Tue, 12 May 2026 09:01:56 GMTCVECISAhttps://lilting.ch/en/articles/react-native-ota-updates-codepush-stallion/https://lilting.ch/en/articles/react-native-ota-updates-codepush-stallion/CodePush shut down in March 2025. Compared EAS Update, self-hosted, and Stallion for React Native OTA — rollback, bundle signing, delta delivery — plus Unity AssetBundle parallels, TestFlight for personal apps, PWA Service Worker cache traps, and the lifecycle of deployed code.Tue, 12 May 2026 05:08:43 GMTJavaScriptReactiOSAndroidhttps://lilting.ch/en/articles/mini-shai-hulud-tanstack-mistral-npm-oidc/https://lilting.ch/en/articles/mini-shai-hulud-tanstack-mistral-npm-oidc/TanStack npm compromise (42 pkgs / 84 versions, CVE-2026-45321 CVSS 9.6) on May 11, 2026 UTC spread across UiPath (60+), Mistral, OpenSearch, guardrails-ai, Checkmarx Jenkins. Covers token-revoke wipe ordering, first valid SLSA provenance on malicious npm, and Vect ransomware secondary wave (wiper, not real ransomware). Live tracking.Tue, 12 May 2026 05:03:00 GMTnpmGitHub Actionshttps://lilting.ch/en/articles/ghostty-claude-code-tab-title-zsh-hook/https://lilting.ch/en/articles/ghostty-claude-code-tab-title-zsh-hook/Every Ghostty tab turns into 'Claude Code' when running multiple AI CLI sessions. Fix it with shell-integration-features = no-title, CLAUDE_CODE_DISABLE_TERMINAL_TITLE, and a 30-line zsh preexec/precmd/chpwd hook that tags tabs by repo name.Mon, 11 May 2026 18:02:29 GMTClaude CodeTerminalDevToolshttps://lilting.ch/en/articles/ghostlock-smb-deny-share-handles/https://lilting.ch/en/articles/ghostlock-smb-deny-share-handles/CreateFileW dwShareMode=0 locks 500K SMB files in 8 min with no encryption. Detection key: NAS session exclusive handle counts, not write-based indicators.Mon, 11 May 2026 17:53:00 GMTWindowshttps://lilting.ch/en/articles/wordpress-70-ai-client-rtc-removed/https://lilting.ch/en/articles/wordpress-70-ai-client-rtc-removed/WordPress 7.0 keeps AI Client, Connectors API, PHP-only blocks but drops real-time editing despite 52% storage gain. wp_ai_client_prompt() code and functions.php patterns.Mon, 11 May 2026 17:21:57 GMTWordPressAICMSPHPAPIhttps://lilting.ch/en/articles/sugar-printer-halftone-photo-density-command/https://lilting.ch/en/articles/sugar-printer-halftone-photo-density-command/Tested on M1 Max: Floyd-Steinberg halftone + BLE pacing + a vendor-specific density command `1D 49 F0 nn` to print sharp photos on the Sugar YMP-01 thermal mini printer from Python.Mon, 11 May 2026 16:45:00 GMTBluetoothBLEPythonMachttps://lilting.ch/en/articles/hp-sprocket-200-rfcomm-print-speedup/https://lilting.ch/en/articles/hp-sprocket-200-rfcomm-print-speedup/Tested on M1 Max: switching a Python BLE client to RFCOMM (SPP Ch.2) cuts transfer from ~60s to 5.38s for a 140KB JPEG. Covers PyObjC quirks, macOS Bluetooth entitlement, and an isolation experiment confirming olie.xdev's 'possibly not required' steps.Mon, 11 May 2026 15:25:00 GMTBluetoothRFCOMMPythonMachttps://lilting.ch/en/articles/lego-mosaic-oklab-color-quantization/https://lilting.ch/en/articles/lego-mosaic-oklab-color-quantization/Tested BMBrick's LEGO mosaic pipeline in Node + sharp with a 45-color palette: RGB nearest sprinkles 16% glitter and silver on photos, OKLab + material penalty wipes them out, and the original 0.15 is 7× overkill (0.02 is already enough).Mon, 11 May 2026 08:50:33 GMTJavaScriptCanvashttps://lilting.ch/en/articles/gemini-file-search-multimodal-game-npc-memory/https://lilting.ch/en/articles/gemini-file-search-multimodal-game-npc-memory/Gemini API File Search now indexes images alongside text in the same store. Metadata filters can isolate NPC memories by chapter and character, and a single-character prototype costs under $1/month on Flash-Lite. Notes on tier limits, pricing breakdown, and what to test first.Mon, 11 May 2026 07:30:00 GMTAIGeminiRAGAPIGamehttps://lilting.ch/en/articles/cross-modal-distillation-wildfire-evacuation-policy/https://lilting.ch/en/articles/cross-modal-distillation-wildfire-evacuation-policy/A DEV Community article proposes cross-modal distillation for wildfire evacuation routing that encodes road closures and AQI thresholds directly into the loss function. I look at the teacher-student gap when the student drops satellite imagery, why 23ms edge inference is irrelevant if sensor data is 5 minutes old, and what's missing for production.Sun, 10 May 2026 18:40:00 GMTAIMachine LearningMultimodalRealtimehttps://lilting.ch/en/articles/pnpm-npm-yarn-monorepo-hoisting/https://lilting.ch/en/articles/pnpm-npm-yarn-monorepo-hoisting/Cold install benchmarks from a Next.js 16 + Shadcn/ui + Railway monorepo show pnpm at half npm's time, but the real story is Radix UI's undeclared dependencies breaking under strict hoisting. A practical look at .npmrc tuning, Bun's flat structure trade-off, and where Next.js dependency weight dominates.Sun, 10 May 2026 18:30:00 GMTpnpmnpmNode.jsNext.jsTypeScriptBuild ToolsBunhttps://lilting.ch/en/articles/ollama-cve-2026-7482-memory-leak/https://lilting.ch/en/articles/ollama-cve-2026-7482-memory-leak/Out-of-bounds read in Ollama's GGUF loader before 0.17.1. If your Ollama API is network-accessible, a crafted model file can exfiltrate env vars, API keys, system prompts, and conversation fragments from process memory.Sun, 10 May 2026 18:26:32 GMTOllamaSecurityVulnerabilityCVELocal LLMLLMhttps://lilting.ch/en/articles/orbis-github-repo-3d-dependency-graph/https://lilting.ch/en/articles/orbis-github-repo-3d-dependency-graph/Tested Orbis in Docker: psf/requests (35 modules) makes a clean 3D graph, expressjs/express (98 modules) collapses into one giant sphere. Notes on what tree-sitter actually captures for code-review prep.Sat, 09 May 2026 15:42:00 GMTGitHubAI CodingPython3DClaudehttps://lilting.ch/en/articles/pcpjack-credential-stealer-cloud-cve/https://lilting.ch/en/articles/pcpjack-credential-stealer-cloud-cve/SentinelOne's PCPJack report broken down: initial access via Next.js and WordPress CVEs, lateral movement through Docker sockets, Kubernetes Secrets, Redis cron rewrite, and RayML job injection. IOCs and hardening steps included.Sat, 09 May 2026 14:36:29 GMTSecurityCloudMalwareCVETeamPCPhttps://lilting.ch/en/articles/android-google-apps-binary-transparency/https://lilting.ch/en/articles/android-google-apps-binary-transparency/Google extended Binary Transparency to its Android apps and Mainline modules starting May 2026. How the public log and verification tools differ from code signing, what's actually covered, and what the ADB-based verification workflow looks like for researchers.Sat, 09 May 2026 14:35:35 GMTAndroidGoogleSecuritySupply Chainhttps://lilting.ch/en/articles/pan-os-user-id-portal-root-rce/https://lilting.ch/en/articles/pan-os-user-id-portal-root-rce/PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.Sat, 09 May 2026 14:35:00 GMTCVERCEhttps://lilting.ch/en/articles/claude-code-html-output-markdown/https://lilting.ch/en/articles/claude-code-html-output-markdown/Went through Thariq's 20 HTML examples for practical Claude Code use. Throwaway editing UIs for ticket triage and annotated code diffs stood out. The deciding factor is whether the output's reader is human or AI.Sat, 09 May 2026 05:14:14 GMTClaude CodeMarkdownhttps://lilting.ch/en/articles/linux-dirty-frag-page-cache-root/https://lilting.ch/en/articles/linux-dirty-frag-page-cache-root/Dirty Frag is a local privilege escalation that writes to the Linux page cache via ESP-in-UDP and RxRPC receive paths. The algif_aead workaround from Copy Fail doesn't help, and the two attack paths complement each other to bypass Ubuntu's AppArmor restrictions on user namespaces.Sat, 09 May 2026 00:49:00 GMTLinuxCVEhttps://lilting.ch/en/articles/android-wireless-adb-cve-2026-0073-auth-bypass/https://lilting.ch/en/articles/android-wireless-adb-cve-2026-0073-auth-bypass/Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.Sat, 09 May 2026 00:45:36 GMTAndroidSecurityCVEVulnerabilityRCEhttps://lilting.ch/en/articles/fortress-token-optimizer-api/https://lilting.ch/en/articles/fortress-token-optimizer-api/Checked Fortress Token Optimizer's DEV article and npm/PyPI packages. Polite filler words shrink 11-22%, but running it blindly on system prompts or RAG context can strip constraints that control model output.Fri, 08 May 2026 17:07:00 GMTAILLMAPIhttps://lilting.ch/en/articles/civicsurvival-ai-vibecoding-constraints/https://lilting.ch/en/articles/civicsurvival-ai-vibecoding-constraints/158K lines of AI-generated C# for a Cities: Skylines II total conversion mod. CivicRAG for codebase indexing, 300+ custom Roslyn analyzers as compile-time design rules, and manual visual debugging for render bugs AI couldn't see.Fri, 08 May 2026 09:38:48 GMTAIAI AgentsClaude CodeMCPRAGGamehttps://lilting.ch/en/articles/flux2-klein-9b-nsfw-lora-m1-max-handson/https://lilting.ch/en/articles/flux2-klein-9b-nsfw-lora-m1-max-handson/Tested Klein 9B + 9B NSFW LoRA on M1 Max 64GB via mflux 0.17.5: 1m51s/512, 5m37s/1024 q4, 224/224 LoRA keys match, NSFW prompts uncensored, Japanese subjects work with helper tokens.Fri, 08 May 2026 05:02:00 GMTAIFLUXApple SiliconMacMLXLoRAhttps://lilting.ch/en/articles/nextjs-security-release-16-2-6-15-5-18/https://lilting.ch/en/articles/nextjs-security-release-16-2-6-15-5-18/Next.js 16.2.6 / 15.5.18 dropped 13 security advisories at once. The impact depends on whether you use App Router, Middleware, RSC, or self-hosted Node.js server — here's where to look before upgrading.Fri, 08 May 2026 03:30:54 GMTNext.jsReactSecurityVulnerabilityhttps://lilting.ch/en/articles/vektor-memory-supersession-chains/https://lilting.ch/en/articles/vektor-memory-supersession-chains/Vektor Memory v1.5.4 supersession chains positioned against YourMemory decay, Cloudflare key-overwrite, and CTX, with a BM25 vs cosine threshold trap and a 5-field minimum schema for agent memory.Fri, 08 May 2026 03:29:27 GMTAIRAGMCPNode.jshttps://lilting.ch/en/articles/uv-claude-sdk-agent-project-setup/https://lilting.ch/en/articles/uv-claude-sdk-agent-project-setup/uv 0.9.21 as the entry for small Claude SDK Python experiments: uv init, uv add, uv run, uv.lock keep agent projects reproducible across machines and Codex/Claude Code sessions. Operational notes, not a benchmark of the DEV article's uv 0.11.11.Thu, 07 May 2026 13:56:58 GMTClaudePythonuv