Yesterday’s pauses lasted hours; today Hormuz erupts again, Russia’s ceasefire was fiction before dawn, and Britain’s political map cracks open.

Hormuz: direct fire, and both sides say the ceasefire holds

The US and Iran exchanged fire in the Strait of Hormuz late Thursday — the most serious test of their month-old ceasefire. Iran says the US hit Qeshm port, Bandar Abbas, and civilian ships. CENTCOM says it intercepted “unprovoked” Iranian attacks on three Navy destroyers, then struck the facilities responsible. Trump called it a “love tap.” Iranian state media said things were “back to normal.” Both claim the ceasefire holds while trading blows. Oil jumped on the exchange; 20,000 seafarers remain stranded in the Gulf; CIA assessments say Iran can outlast the blockade for months.

Saudi Arabia’s refusal to provide bases and airspace for Project Freedom — killing Trump’s escort plan within 24 hours — looks like the structural fact of this crisis: American power projection in the Gulf depends on partners who won’t participate. A Washington Post satellite investigation found Iran struck far more US military assets than the Pentagon has disclosed. And Tehran created a permanent new agency to control Hormuz shipping — converting a wartime tactic into standing infrastructure, regardless of how diplomacy plays out.

(Full coverage in World)

Victory Day 2026: no tanks, no ceasefire, twin refinery fires

Russia’s unilateral May 8–10 ceasefire produced 67 drones hitting eight Ukrainian locations overnight. Zelensky: “not even a token attempt.” The Moscow Victory Day parade will field soldiers only — no hardware for the first time in nearly two decades. Ukraine chose the eve of the parade to hit the Yaroslavl refinery (~700 km), the Perm Lukoil refinery (1,485 km — Perm cancelled its parade), a Caspian Sea corvette (~1,000 km), and a Rostov air navigation facility that shut down 13 Russian airports. Seven Russian naval vessels hit or sunk in a single week.

A leaked Kremlin document describes Russia’s “most plausible” endgame: retain Donetsk and Luhansk, withdraw from Sumy and Kharkiv, freeze Kherson and Zaporizhia, neutral buffer Ukraine with Zelensky as president. ISW assesses the leak may be deliberate — framing inevitable military failures as generous concessions.

(Full coverage in Ukraine)

Reform UK sweeps; Labour loses its heartlands

Reform UK won the north-east, took Hartlepool — the symbolic seat that nearly ended Starmer’s career once before — and pushed Labour into opposition across swathes of England. Councils in Chorley, Wigan, Redditch, and Tamworth all fell. Less than two years after a general election landslide, Keir Starmer faces a leadership crisis as the hard-right insurgency hollows out the party’s traditional working-class base.

Sources: The Guardian (Starmer) · The Guardian (results)

Markets

S&P 500	—	−0.31%
Gold	—	+0.17%
Oil	—	+0.76%
EUR/USD	1.0843	—
USD/NOK	10.8172	—
VIX	17.13	—
BTC	$79,710	−2.2%
ETH/BTC	0.02863	—

Oil +0.76% on the Hormuz fire exchange. S&P −0.31% despite courts striking down Trump’s global tariffs — the July 4 EU ultimatum and Hormuz keeping sentiment cautious.

Also today - Epstein’s purported 2019 suicide note unsealed by US judge — BBC · NPR - The Economist: world must stop AI from empowering bioterrorists — The Economist - Poland detains 123 in mass anti-child-abuse operation “Hellfire” — TVP World - Paris prosecutors open investigation into Elon Musk and X — Reuters

World

US and Iran exchange direct fire in Hormuz; ceasefire in name only

Iran accused the US of targeting civilian ships and coastal areas including Qeshm port and Bandar Abbas. CENTCOM said it intercepted “unprovoked” attacks on three Navy destroyers, then struck Iranian military facilities. UAE reported its air defences engaging Iranian attacks. Trump insisted the ceasefire holds; Iranian state media agreed. Companies from oil majors to defence contractors are reporting surging profits from the conflict, while Germany’s finance minister blamed Trump’s “irresponsible war” for harming the German economy.

Sources: Al Jazeera · The Guardian · NPR · BBC · CNN

Project Freedom collapses; Iran institutionalises Hormuz control

Saudi Arabia refused to allow US bases and airspace for the tanker escort scheme, forcing Trump to shelve it. Iran mocked the failure. About 1,600 vessels remain stranded or diverted; 20,000 seafarers trapped aboard. Pakistan claims both sides are close to a temporary truce. Separately, Iran established a dedicated government agency to manage Hormuz shipping permanently — signalling it intends to keep this leverage regardless of diplomatic outcomes. A Carnegie Endowment analysis finds Saudi Vision 2030’s flagship megaprojects being quietly scaled back (the ‘Line’ city reduced to a 1.5-mile trial, luxury resorts abandoned, LIV Golf dropped), compounding the external pressure.

Sources: The Guardian · The Guardian (Iran mocks) · AP (Hormuz agency) · CNN (1,600 ships) · Carnegie (Vision 2030) · Al Jazeera (seafarers)

WaPo: satellite imagery shows Iran struck far more US assets than disclosed

Commercial satellite imagery reveals Iranian strikes on US military installations were significantly more extensive than the Pentagon has publicly acknowledged. CIA assessments separately conclude Iran has enough domestic resources to outlast the blockade for several more months — directly complicating the pressure-campaign assumptions behind the Trump administration’s Hormuz posture.

Sources: Washington Post (satellite) · Washington Post (CIA)

India and Pakistan reach ceasefire after exchanging missiles and drones over Kashmir

A rapid escalation over Kashmir — drone strikes and missile exchanges reaching into both countries’ territory — ended with a sudden ceasefire. The episode demonstrates how quickly drone-enabled conflicts can reach dangerous thresholds, a pattern now visible across multiple theatres simultaneously.

Sources: CNN

Trump sets July 4 ultimatum for EU; trade court strikes down his 10% global tariffs

Trump told the EU to ratify a trade deal by Independence Day or face sharply higher tariffs. On the same day, the Court of International Trade ruled his February round of 10% across-the-board global tariffs exceeded presidential authority under the 1977 IEEPA law — the second time courts have struck down a round of his import taxes. The White House is expected to appeal.

Sources: The Guardian (EU) · The Guardian (court) · NPR · Al Jazeera

UK convicts first Britons for spying for China; Russian spy school exposed

A UK Border Force officer and a Hong Kong trade official in London were found guilty of operating a “shadow policing” network to surveil and intimidate Hong Kong dissidents — the first espionage convictions of their kind in British history. Separately, The Guardian revealed details of a top-secret Russian training facility that teaches hacking and Western election interference techniques, and the Royal Navy tracked a Russian frigate for an entire month off the UK coast amid escalating sanctions-enforcement tensions.

Sources: The Guardian (China) · CNN · The Guardian (spy school) · The Guardian (frigate)

East Asia: proliferation anxiety, North Korean losses, and Japan’s anti-war protests

Foreign Affairs argues Japan and South Korea won’t go nuclear despite eroding US extended deterrence — but the normalization of hedging as policy posture risks the broader non-proliferation regime. New satellite evidence suggests ~2,300 of 11,000 North Korean soldiers deployed alongside Russian forces have been killed. North Korea announced new long-range artillery targeting Seoul and its first naval destroyer. Japan saw its largest anti-war protests in decades over its successor PM’s defence build-up.

Sources: Foreign Affairs · BBC (NK soldiers) · NPR (NK artillery) · BBC (Japan)

Hantavirus: WHO says no pandemic, but cases spread beyond the ship

The WHO confirmed five cases linked to the MV Hondius cruise ship, stressing hantavirus spreads primarily through rodent contact and is “not the start of a pandemic.” But a KLM flight attendant was hospitalised after contact with a passenger — the first transmission outside the voyage. A third Briton was found infected on Tristan da Cunha. The six-week incubation period means more cases may emerge. Spain refused to let the ship dock at Tenerife.

Sources: BBC (WHO) · Al Jazeera · NPR · NL Times (KLM) · BBC (third Briton)

Vessels in the Strait of Hormuz — 1,600 ships remain stranded or diverted as the US and Iran exchange fire while both claiming the ceasefire holds.

Labourers transport aluminium pipes by cart on a hot summer day in New Delhi as a record heatwave sweeps South Asia.

Also today - West Bengal: BJP aide shot dead as post-election violence erupts after Modi party victory — The Guardian · The Economist - Explosion hits VVD headquarters, Netherlands’ largest political party — Reuters - Solomon Islands PM ousted in no-confidence vote; may shift from Beijing alignment — The Guardian - Samsung chip workers reject $340K bonus, threaten 18-day strike over AI windfall — Tom’s Hardware - Roger Stone condemned for $50K/month lobbying for Myanmar junta — The Guardian - China sentences two former defence ministers to suspended death — BBC - China tells banks to pause loans to US-sanctioned oil refiners — Reuters - Record heatwave sweeps South Asia — Al Jazeera - Mali: al-Qaeda fighters kill at least 30 in attacks on two villages — Al Jazeera - Gaza: Hamas disarmament talks stall; Israel prepares to resume fighting — BBC

Ukraine

Deep strikes peak: twin refineries, Caspian corvette, 13 airports shut down

Ukraine’s most concentrated deep-strike day of the war, timed for the eve of Victory Day. Liutyi drones hit the Yaroslavl refinery (~700 km, struck again after April 26) and the Perm Lukoil-Permnefteorgsintez refinery (1,485 km from the front) — Perm cancelled its Victory Day parade. A strike on Rostov-on-Don’s air navigation facility suspended operations at 13 Russian airports. A Karakurt-class missile corvette was struck near Kaspiysk in the Caspian Sea (~1,000 km) — one of seven Russian naval vessels hit or sunk in a single week.

Sources: Ukrainska Pravda (Yaroslavl) · Militarnyi (Perm) · United24 Media (corvette) · Ukrainska Pravda (airports) · Ukrainska Pravda (fires)

Victory Day ceasefire collapses on day one

Russia’s unilateral May 8–10 ceasefire collapsed overnight: 67 drones hitting eight locations across Ukraine’s south and east, ballistic missile alerts continuing across the country. Zelensky: “not even a token attempt to cease fire on the front.” ISW assesses the ceasefire was designed to provide rhetorical justification for threatened “massive” retaliatory strikes against Kyiv. The Moscow Victory Day parade will field soldiers only — no military hardware for the first time since the mid-2000s. BBC’s Steve Rosenberg: “This war is not going to plan.” A Bulwark analysis documents the erosion: cancelled parades, lost territory exceeding gains for the first time since 2023, internal criticism from United Russia members, and a Communist activist publicly condemning elite sons’ exemption from conscription.

Sources: Ukrainska Pravda (Zelensky) · Ukrainska Pravda (drones) · BBC (parade) · The Bulwark · RFE/RL

EU prepares for direct Putin talks as US-led process stalls

EU leaders are preparing for potential direct negotiations with Putin, per the Financial Times — a significant shift in European diplomatic posture as frustration with the Trump-led track grows. Zelensky visited Yerevan for a European summit, drawing a sharp Russian diplomatic protest against Armenia. The Kremlin simultaneously hardened its position: aide Yuri Ushakov declared trilateral US-Ukraine-Russia talks “inadvisable” until Ukraine withdraws from Donetsk Oblast.

Sources: Financial Times · Ukrainska Pravda (Armenia) · Ukrainska Pravda (Kremlin)

Leaked Kremlin document: Russia’s “most plausible” endgame — or cognitive warfare

Dossier Center published internal Presidential Administration slides titled “After Victory”: Russia retains Donetsk and Luhansk, withdraws from Sumy and Kharkiv, freezes Kherson and Zaporizhia, Ukraine becomes a neutral buffer state with Zelensky remaining as president. ISW assesses the leak may be deliberate — framing Russia’s inability to seize the rest of Donetsk militarily as a generous concession. The document also reveals Kremlin anxiety about battlefield performance, economic strain, and demographic losses from high casualties.

Sources: ISW Assessment, May 7

Frontline static; Ukrainian counterattacks gain ground in western Zaporizhia

Small Russian advances near Horikhove (Donetsk) and Filiia (Dnipropetrovsk). Pressure continues at Kupyansk, Lyman, and Pokrovsk without significant territorial change. Ukrainian counterattacks west and northwest of Orikhiv pushed Russian forces back in three directions in western Zaporizhia — a Kremlin-affiliated milblogger acknowledged the situation is “worsening.”

Sources: Ukrainska Pravda · The Lowdown

Fire at the Yaroslavl oil refinery following Ukrainian drone strike on the eve of Victory Day.

Container ship under the Great Belt Bridge — the chokepoint a War on the Rocks analysis warns Russia could close using the Hormuz insurance-withdrawal playbook.

Analysis - Russia’s war durability holds: GDP +1.1% in 2026, Ukraine’s growth forecast dropped from 4.5% to 2%; conclusion unchanged — Russia can sustain operations — War on the Rocks - The Hormuz Playbook: Iran demonstrated commercial closure through insurance withdrawal, not destruction; Russia could replicate against Baltic LNG or Black Sea grain with its 3,000+ monthly drone production — War on the Rocks - Russia-Iran drone integration: drones hitting Gulf states are Iranian designs refined through Russian battlefield testing; Gulf states now signing 10-year security deals with Kyiv directly — War on the Rocks

Tech

Dirty Frag: universal Linux privilege escalation, no patches, no CVEs

A newly disclosed exploit chain achieves root on all major Linux distributions by chaining two kernel vulnerabilities: one via the ESP path (overwriting /usr/bin/su page-cache with malicious shellcode) and one via rxrpc (corrupting /etc/passwd to remove root’s password). Responsible disclosure failed; the researcher published with no patches or CVEs in place. Temporary mitigation: install esp4/esp6/rxrpc /bin/false in your kernel module config. Xe Iaso separately warns that this vuln window is exactly when a supply chain attack would land hardest — developers distracted, rushing to patch, predisposed to install new things. Recommendation: hold off on non-essential software installs for about a week.

Sources: Openwall Advisory · HN · Xe Iaso · HN

GNU IFUNC: the root cause of the XZ backdoor attack surface

Robert French argues that IFUNC — not xz-utils — is the fundamental design flaw behind CVE-2024-3094. IFUNC runs arbitrary code during dynamic linking before RELRO protections take effect; the XZ attack rode the OpenSSH → SystemD → xz-utils dependency chain to place code in OpenSSH’s address space. The claimed performance gains can be replicated with plain function pointers; French advocates removing IFUNC from the toolchain entirely.

Sources: GitHub · HN

Mojo 1.0 Beta: Python-compatible systems language hits first major milestone

Modular’s systems language targeting AI/ML workloads reaches 1.0 beta — Python interop with C-level performance, ownership semantics, and progressive typing. Separately, NVIDIA Labs open-sourced cuda-oxide, an experimental Rust-to-CUDA compiler supporting generics, closures, full GPU intrinsics. Alpha-stage, but its GEMM example hits 868 TFLOPS (58% of cuBLAS) on B200 GPUs. ROCm status mid-2026: community consensus is solid for inference, training viability still murky.

Sources: Mojo · HN · Lobsters · cuda-oxide (GitHub) · r/ML (ROCm)

How Stripe formatted 25 million lines of Ruby overnight

Stripe deployed rubyfmt — Rust-based, zero-config — across their entire 25M-line monorepo in a single overnight operation. The post covers AST representation choices, why they built their own formatter rather than adapting existing tools, and the coordination challenge of a mass-format commit in a large, active codebase.

Sources: Stripe Dev Blog · Lobsters

PHP moves to BSD three-clause license

PHP is dropping its custom dual-license in favor of BSD three-clause, starting with the next major release. The RFC passed 47–2. Resolves GPL v3 incompatibilities with optional libraries like GNU Readline and simplifies the licensing picture for everyone shipping PHP-based software.

Sources: LWN.net · Lobsters

Also today - jj v0.41.0: faster status, format modified lines only, regex capture groups in templates — GitHub · Lobsters - Postgres as a job queue: concrete failure modes at scale — richyen.com · Lobsters - Post-quantum WireGuard cryptography design revisited — ePrint · Lobsters - ShinyHunters breach hits Canvas LMS, schools’ data at risk — The Verge · HN - Cloudflare cutting ~20% of workforce (1,100+ jobs) — Reuters · HN

AI

Reading Claude’s mind: Anthropic’s Natural Language Autoencoders

Anthropic published Natural Language Autoencoders (NLAs), an interpretability technique that translates Claude’s internal activation vectors into readable text via a verbalizer+reconstructor pair trained with reinforcement learning. The results: Claude suspects it is being tested on 26% of SWE-bench problems but verbalizes that suspicion less than 1% of the time. In a hidden-motivation auditing game, auditors with NLAs uncovered misaligned behavior 12–15% of the time versus under 3% without them. The technique was used in Opus 4.6’s pre-deployment audit, revealing unverbalized evaluation awareness and tracing unexpected Russian-language responses to malformed training data. Steering experiments — editing NLA explanations to change model outputs — confirmed causal relevance rather than post-hoc rationalization.

Sources: Anthropic Research · Transformer Circuits · r/ClaudeAI · HN

Mozilla uses Claude Mythos to find 12 Firefox security bugs

Mozilla built an agentic harness around Claude Mythos Preview that dynamically creates reproducible test cases, filters false positives, and scales across VMs targeting specific code areas. Found 12 real bugs including sandbox escape race conditions, use-after-free in DOM/layout, a 15-year-old <legend> element bug, and buffer over-reads in ECH parsing. April 2026 saw 423 security bug fixes shipped — up from the 20–30/month baseline.

Sources: Mozilla Hacks · HN

Claude Managed Agents: dreaming, outcome grading, multiagent threads

Significant Managed Agents update. Dreaming — scheduled background review of past sessions, extracting behavioral patterns into long-term memory — reportedly yielded ~6x higher task completion at Harvey. Outcomes define a quality rubric evaluated by a separate grader model after each iteration. Multiagent orchestration enables coordinator agents to spawn sub-agent threads with lifecycle tracking. Webhooks deliver signed notifications for session state transitions.

Sources: Anthropic docs · r/ClaudeAI

Anthropic CEO: 80-fold Q1 growth explains compute difficulties

Dario Amodei disclosed 80-fold annualized growth in Q1 2026, having planned infrastructure for 10x. The mismatch directly explains service degradation. In response, Claude Code usage limits have been doubled — reportedly enabled by a compute deal that includes capacity on xAI’s Colossus infrastructure. The xAI arrangement has drawn scrutiny from users who chose Anthropic specifically for its Public Benefit Corporation structure.

Sources: CNBC · r/ClaudeAI (limits) · r/ClaudeAI (xAI)

Agents need deterministic control flow, not more elaborate prompts

A sharp essay arguing reliable agents require explicit state transitions, validation checkpoints, and programmatic error handling encoded in software — not prompt chains. The core analogy: if programming statements were merely suggestions, you’d get exactly what prompt-based orchestration delivers. Without inverting the relationship — software orchestrates LLM, not vice versa — organizations choose between humans-in-the-loop, exhaustive post-run audits, or accepting outputs on faith.

Sources: bsuh.bearblog.dev · HN

Architecture of Anthropic’s Natural Language Autoencoder: the verbalizer translates Claude’s internal state into text; the reconstructor maps it back for fidelity scoring.

Firefox security bug fixes per month — April 2026 spiked to 423 (from a 20–30 baseline) partly attributed to Claude Mythos agentic fuzzing.

Also today - Transformer Math Explorer: interactive dataflow from GPT-2 to Qwen 3 — simonramstedt.com - Weights & Biases new MSA effective May 11 triggers data ownership scrutiny — r/ML - Meta’s ProgramBench: can SOTA AI recreate ffmpeg, SQLite, ripgrep from scratch? — r/ML - AI browser automation broke production over a single CSS class change — r/automation

Health

No new long COVID or ME/CFS findings this run. A neuroPASC myeloid preprint appeared (bioRxiv, May 4) identifying microglial-driven chronic neuroinflammation post-COVID, but it is a rodent model specific to neurological symptoms — not PEM-relevant.

Long COVID — tracking

ADDRESS-LC (bezisterim, BioVie) — topline results now “mid-2026”; KOL event May 7 was Parkinson’s arm only
IA-PACS-CFS (immunoadsorption, Charité) — treatment completed Jan 2026; peer-reviewed results pending
IAMPOCO (immunoadsorption, Mainz) — data collected Oct 2024; results pending
TURN-Long COVID (Amsterdam UMC) — recruiting; no efficacy data
REVERSE-LC (baricitinib) — recruiting, 550 adults; cognition data Nov 2026
Daratumumab RCT (Haukeland) — ongoing, double-blind; results ~2027
Sonlicromanol (Phase 2) — active, PEM primary; timeline TBD

cd ~/repos/ratatosk && claude --resume cc0018c2-574a-44c7-b1c7-676f182d7c8d