June 20, 2026
Report summary
6 stories cleared the bar, led by I found 10k GitHub repositories distributing Trojan malware, Zero-Touch OAuth for MCP, and Google Workspace threatening to block Firefox access.
Worth attention
A security researcher (Orchid Files) identified roughly 10,000 GitHub repositories quietly distributing Trojan malware for over a year, undetected by GitHub's automated systems. Corroborated by Cybernews, TechTimes, and HN discussion. The campaign clones legitimate-looking repos, periodically force-pushes a fake "Update README.md" commit to dodge detection, and delivers a LuaJIT-based loader that resolves its C2 via a Polygon smart contract. The researcher released an open-source detection tool and the full list of identified repos. Takeaway: be more careful vetting any repo you clone — check star/commit history authenticity, not just search ranking, especially when pulling code or MCP servers from GitHub.
The Model Context Protocol's Enterprise-Managed Authorization extension reached stable status on June 18, 2026: an Identity Assertion JWT Authorization Grant (ID-JAG) flow that lets an organization's identity provider (Okta, etc.) silently provision MCP server access on first login, replacing per-app OAuth consent screens. Already being adopted by Anthropic, Microsoft, and Okta. Directly relevant if you build or maintain MCP servers, especially for teams/enterprise deployment.
Multiple developers report that Firefox now triggers a block/warning when accessing Gmail, Drive, or Calendar on certain Google Workspace accounts, pushing users toward Chrome. Corroborating reports (HN, follow-up coverage) suggest this is tied to IT security/device-compliance features some organizations are enabling, not a blanket Google-wide policy against Firefox. If you administer or rely on a Workspace account, worth checking your org's device-compliance settings before assuming it's a bug.
Simon Willison describes Datasette Apps, a feature/plugin that lets you host custom HTML applications directly inside a Datasette instance — turning Datasette into a lightweight app-hosting layer on top of your data. Still early/alpha, but a concrete, usable feature if you use Datasette for internal tools or data exploration.
The official design document for littlefs, a small, fail-safe filesystem built for embedded/flash storage, covering how it achieves power-loss resilience and wear leveling within bounded RAM. A solid reference if you're building anything touching embedded flash storage.
A technical deep-dive into the architectural choices behind DuckDB's query performance — vectorized execution, columnar storage, and query optimization. Useful if you use DuckDB for local/embedded analytics and want to understand its performance characteristics.
Full digest
A meta-discussion thread on Lobsters asking users to share their favorite old comments from the site's history. Pure community nostalgia with no new information or technical content.
A personal essay riffing on William Gibson's quote to comment on tech conference culture. Speculative cultural commentary without a concrete claim or actionable takeaway.
A nostalgia post reflecting on UI design choices in Windows 2000. Interesting trivia, no actionable or current relevance.
A historical retrospective (originally from 2023) on Zimbu, a little-known programming language created by Vim's author. Interesting history, no current relevance.
MIT researchers built a custom operating system purely as a research tool to study low-level chip behavior. Academic research with no near-term practical action for a solo software builder.
Version 0.3.0 release of Gribouille, a ggplot2-style plotting library for the Typst typesetting system. Niche tool update for a narrow audience.
Quick framing, since the post is long: I did robotic manipulation research at OpenAI from 2017–2020, and the tabletop setup back then cost r…
At Cajal (YC W26) we’re excited to share Talos ( https://github.com/cajal-technologies/talos ), an open source framework…
https://web.archive.org/web/20260618212028/https://www.thatp... https://archive.ph/I4zjA
With more traffic moving off-web and into LLMs, I got curious about what traces we leave "in the weights". My design partner and I built a s…
Hey HN - we’re Oskar, Szymon, and Piotr, and we’re building TesterArmy ( https://tester.army ). TesterArmy is an agentic testing p…
Today we launched a new plugin for Datasette, datasette-apps , with this launch announcement post on the Datasette project blog. That post h…
Alpha release of datasette-acl, expanding the plugin from table-only permissions toward a general resource-sharing/access-control system for Datasette. Overlaps with the broader Datasette Apps story already covered separately.
Patch release of datasette-apps containing two permission bug fixes (create-app permission enforcement, edit/delete permission rules). No new user-facing functionality.
Original markdown
# Nightly Librarian — Newsletter draft

Run: d39e9812-7aef-4d3f-bbb3-58da86ff1c74
Started: 2026-06-20T06:11:03.019Z
Completed: 2026-06-20T06:15:37.118Z

## Worth attention

- **I found 10k GitHub repositories distributing Trojan malware**
  https://orchidfiles.com/github-repositories-distributing-malware/
  A security researcher (Orchid Files) identified roughly 10,000 GitHub repositories quietly distributing Trojan malware for over a year, undetected by GitHub's automated systems. Corroborated by Cybernews, TechTimes, and HN discussion. The campaign clones legitimate-looking repos, periodically force-pushes a fake "Update README.md" commit to dodge detection, and delivers a LuaJIT-based loader that resolves its C2 via a Polygon smart contract. The researcher released an open-source detection tool and the full list of identified repos. Takeaway: be more careful vetting any repo you clone — check star/commit history authenticity, not just search ranking, especially when pulling code or MCP servers from GitHub.
- **Zero-Touch OAuth for MCP**
  https://blog.modelcontextprotocol.io/posts/enterprise-managed-auth/
  The Model Context Protocol's Enterprise-Managed Authorization extension reached stable status on June 18, 2026: an Identity Assertion JWT Authorization Grant (ID-JAG) flow that lets an organization's identity provider (Okta, etc.) silently provision MCP server access on first login, replacing per-app OAuth consent screens. Already being adopted by Anthropic, Microsoft, and Okta. Directly relevant if you build or maintain MCP servers, especially for teams/enterprise deployment.
- **Google Workspace threatening to block Firefox access**
  https://tales.fromprod.com/2026/169/google-workspace-threatening-to-block-firefox.html
  Multiple developers report that Firefox now triggers a block/warning when accessing Gmail, Drive, or Calendar on certain Google Workspace accounts, pushing users toward Chrome. Corroborating reports (HN, follow-up coverage) suggest this is tied to IT security/device-compliance features some organizations are enabling, not a blanket Google-wide policy against Firefox. If you administer or rely on a Workspace account, worth checking your org's device-compliance settings before assuming it's a bug.
- **Datasette Apps: Host custom HTML applications inside Datasette**
  https://simonwillison.net/2026/Jun/18/datasette-apps/
  Simon Willison describes Datasette Apps, a feature/plugin that lets you host custom HTML applications directly inside a Datasette instance — turning Datasette into a lightweight app-hosting layer on top of your data. Still early/alpha, but a concrete, usable feature if you use Datasette for internal tools or data exploration.
- **The design of littlefs**
  https://github.com/littlefs-project/littlefs/blob/master/DESIGN.md
  The official design document for littlefs, a small, fail-safe filesystem built for embedded/flash storage, covering how it achieves power-loss resilience and wear leveling within bounded RAM. A solid reference if you're building anything touching embedded flash storage.
- **DuckDB Internals: Why Is DuckDB Fast? (Part 1)**
  https://www.greybeam.ai/blog/duckdb-internals-part-1
  A technical deep-dive into the architectural choices behind DuckDB's query performance — vectorized execution, columnar storage, and query optimization. Useful if you use DuckDB for local/embedded analytics and want to understand its performance characteristics.

## Full digest

- [R] [lobsters] What are your Favorite Lobste.rs Comments? — https://lobste.rs/s/crl4fj/what_are_your_favorite_lobste_rs_comments — A meta-discussion thread on Lobsters asking users to share their favorite old comments from the site's history. Pure community nostalgia with no new information or technical content.
- [R] [lobsters] The Future of the Con Is Already Here, It's Just Not Evenly Distributed — http://manishearth.github.io/blog/2026/06/17/the-future-of-the-con-is-already-here/ — A personal essay riffing on William Gibson's quote to comment on tech conference culture. Speculative cultural commentary without a concrete claim or actionable takeaway.
- [P] [lobsters] Google Workspace threatening to block Firefox access — https://tales.fromprod.com/2026/169/google-workspace-threatening-to-block-firefox.html — Multiple developers report that Firefox now triggers a block/warning when accessing Gmail, Drive, or Calendar on certain Google Workspace accounts, pushing users toward Chrome. Corroborating reports (HN, follow-up coverage) suggest this is tied to IT security/device-compliance features some organizations are enabling, not a blanket Google-wide policy against Firefox. If you administer or rely on a Workspace account, worth checking your org's device-compliance settings before assuming it's a bug.
- [R] [lobsters] What was nice about the UI of Windows 2000 — https://movq.de/blog/postings/2026-06-16/0/POSTING-en.html — A nostalgia post reflecting on UI design choices in Windows 2000. Interesting trivia, no actionable or current relevance.
- [P] [lobsters] The design of littlefs — https://github.com/littlefs-project/littlefs/blob/master/DESIGN.md — The official design document for littlefs, a small, fail-safe filesystem built for embedded/flash storage, covering how it achieves power-loss resilience and wear leveling within bounded RAM. A solid reference if you're building anything touching embedded flash storage.
- [R] [lobsters] Vim Creator Bram Moolenaar's Forgotten Programming Language, Zimbu (2023) — https://thenewstack.io/vim-creator-bram-moolenaars-forgotten-programming-language-zimbu/ — A historical retrospective (originally from 2023) on Zimbu, a little-known programming language created by Vim's author. Interesting history, no current relevance.
- [R] [lobsters] Updating Stacked Pull Requests with git rebase --onto — https://bd103.dev/blog/2026-06-18-git-rebase-onto/
- [R] [lobsters] offset_of! slices — https://bal-e.org/blog/2026/offset-of-slices/
- [R] [lobsters] Is It Time for a New Embedded Linux Build System? — https://yoebuild.org/blog/time-for-a-new-build-system/
- [R] [lobsters] The Hidden Elegance of Gradient Noise — https://yogthos.net/posts/2026-06-17-perlin-flow.html
- [R] [lobsters] Nix for Haskell: Static Builds — https://abhinavsarkar.net/posts/nix-for-haskell-static-builds/
- [R] [lobsters] RFC 10008: The HTTP QUERY Method — https://blainsmith.com/articles/rfc-10008-http-query-method/
- [R] [lobsters] Show your hands honor for the strange power they bring you — https://aresluna.org/show-your-hands-honor/
- [R] [lobsters] I discovered a large-scale malware distribution on GitHub — https://orchidfiles.com/github-repositories-distributing-malware/
- [R] [lobsters] usbliter8- Apple A12/A13 bootrom exploit — https://ps.tc/pages/blog-usbliter8.html
- [P] [hn-top] DuckDB Internals: Why Is DuckDB Fast? (Part 1) — https://www.greybeam.ai/blog/duckdb-internals-part-1 — A technical deep-dive into the architectural choices behind DuckDB's query performance — vectorized execution, columnar storage, and query optimization. Useful if you use DuckDB for local/embedded analytics and want to understand its performance characteristics.
- [R] [hn-top] To study how chips work, MIT researchers built their own operating system — https://news.mit.edu/2026/to-study-how-chips-really-work-mit-researchers-built-their-own-operating-system-0610 — MIT researchers built a custom operating system purely as a research tool to study low-level chip behavior. Academic research with no near-term practical action for a solo software builder.
- [R] [hn-top] Gribouille 0.3.0: A Grammar of Graphics for Typst — https://mickael.canouil.fr/posts/2026-06-15-gribouille-0-3/ — Version 0.3.0 release of Gribouille, a ggplot2-style plotting library for the Typst typesetting system. Niche tool update for a narrow audience.
- [P] [hn-top] I found 10k GitHub repositories distributing Trojan malware — https://orchidfiles.com/github-repositories-distributing-malware/ — A security researcher (Orchid Files) identified roughly 10,000 GitHub repositories quietly distributing Trojan malware for over a year, undetected by GitHub's automated systems. Corroborated by Cybernews, TechTimes, and HN discussion. The campaign clones legitimate-looking repos, periodically force-pushes a fake "Update README.md" commit to dodge detection, and delivers a LuaJIT-based loader that resolves its C2 via a Polygon smart contract. The researcher released an open-source detection tool and the full list of identified repos. Takeaway: be more careful vetting any repo you clone — check star/commit history authenticity, not just search ranking, especially when pulling code or MCP servers from GitHub.
- [P] [hn-top] Zero-Touch OAuth for MCP — https://blog.modelcontextprotocol.io/posts/enterprise-managed-auth/ — The Model Context Protocol's Enterprise-Managed Authorization extension reached stable status on June 18, 2026: an Identity Assertion JWT Authorization Grant (ID-JAG) flow that lets an organization's identity provider (Okta, etc.) silently provision MCP server access on first login, replacing per-app OAuth consent screens. Already being adopted by Anthropic, Microsoft, and Okta. Directly relevant if you build or maintain MCP servers, especially for teams/enterprise deployment.
- [P] [hn-top] Datasette Apps: Host custom HTML applications inside Datasette — https://simonwillison.net/2026/Jun/18/datasette-apps/ — Simon Willison describes Datasette Apps, a feature/plugin that lets you host custom HTML applications directly inside a Datasette instance — turning Datasette into a lightweight app-hosting layer on top of your data. Still early/alpha, but a concrete, usable feature if you use Datasette for internal tools or data exploration.
- [R] [hn-top] Building a robotics research setup that lives next to my desk — https://dfdxlabs.com/research/2026/robotics-setup/ — Quick framing, since the post is long: I did robotic manipulation research at OpenAI from 2017–2020, and the tabletop setup back then cost r…
- [R] [hn-top] Ice water drowning survival of young patient (2025) — https://www.jacc.org/doi/10.1016/j.jaccas.2025.104885
- [R] [hn-top] Ubiquiti: Enterprise NAS, Built on ZFS — https://blog.ui.com/article/introducing-enterprise-nas
- [R] [hn-top] Show HN: Talos – Open-source WASM interpreter for Lean — https://github.com/cajal-technologies/talos — At Cajal (YC W26) we’re excited to share Talos ( https://github.com/cajal-technologies/talos ), an open source framework…
- [R] [hn-top] CS 6120: Advanced Compilers: The Self-Guided Online Course (2020) — https://www.cs.cornell.edu/courses/cs6120/2025fa/self-guided/
- [R] [hn-top] Cell-based architecture for resilient payment systems — https://americanexpress.io/cell-based-architecture-for-resilient-payment-systems/
- [R] [hn-top] .gitignore Isn't the only way to ignore files in Git — https://nelson.cloud/.gitignore-isnt-the-only-way-to-ignore-files-in-git/
- [R] [hn-top] Many Let's Encrypt renewals had errors today — https://letsencrypt.status.io/#2026
- [R] [hn-top] Hospitals and universities repurposing drugs at lower cost — https://www.kcl.ac.uk/news/hospitals-and-universities-repurposing-drugs-at-90-lower-cost
- [R] [hn-top] How Japan's railways stayed one while splitting apart — https://arun.is/blog/jr-logo/
- [R] [hn-top] I told them forced consent was unlawful. 5 years later it cost Elkjop €1.8M — https://www.thatprivacyguy.com/blog/elkjop-forced-consent-fine/ — https://web.archive.org/web/20260618212028/https://www.thatp... https://archive.ph/I4zjA
- [R] [hn-top] Show HN: Are You in the Weights? — https://www.intheweights.com/ — With more traffic moving off-web and into LLMs, I got curious about what traces we leave "in the weights". My design partner and I built a s…
- [R] [hn-top] If your product is Great, it doesn't need to be Good (2010) — http://paulbuchheit.blogspot.com/2010/02/if-your-product-is-great-it-doesnt-need.html
- [R] [hn-top] W Social, public institutions and the theater of European digital sovereignty — https://blog.elenarossini.com/w-social-public-institutions-and-the-theater-of-european-digital-sovereignty/
- [R] [hn-top] Launch HN: TesterArmy (YC P26) – Agents that test web and mobile apps — https://tester.army — Hey HN - we’re Oskar, Szymon, and Piotr, and we’re building TesterArmy ( https://tester.army ). TesterArmy is an agentic testing p…
- [R] [hn-top] Modos Color Monitor Pushes E-Paper Displays Further — https://spectrum.ieee.org/modos-e-paper-monitor
- [R] [simon-willison] Datasette Apps: Host custom HTML applications inside Datasette — https://simonwillison.net/2026/Jun/18/datasette-apps/#atom-everything — Today we launched a new plugin for Datasette, datasette-apps , with this launch announcement post on the Datasette project blog. That post h…
- [R] [simon-willison] datasette-acl 0.6a0 — https://simonwillison.net/2026/Jun/18/datasette-acl/#atom-everything — Alpha release of datasette-acl, expanding the plugin from table-only permissions toward a general resource-sharing/access-control system for Datasette. Overlaps with the broader Datasette Apps story already covered separately.
- [R] [simon-willison] datasette-apps 0.1a3 — https://simonwillison.net/2026/Jun/15/datasette-apps-2/#atom-everything — Patch release of datasette-apps containing two permission bug fixes (create-app permission enforcement, edit/delete permission rules). No new user-facing functionality.