🌱. Attempted leader of my own thoughts. Apparently addicted to coffee.

Joined September 2011
Vincent retweeted
Update: the AUR compromise appears to be ongoing. After the initial incident affecting 1,500 packages, another wave of malicious AUR packages has been discovered. This time the attackers reportedly used code obfuscation to better conceal the malicious behavior. Affected packages included Node.js packages, Firefox-related packages, LibreWolf extensions, NeoVim plugins and others. If you’re using #Arch Linux and install software from AUR, I’d review recently updated packages and keep an eye on this story. phoronix.com/news/Arch-Linux…
People using Arch Linux should probably pay attention to this. More than 1,500 AUR packages were reportedly modified in a supply-chain compromise. The malicious changes are said to have included:
- credential theft
- SSH key collection
- browser data theft
- persistence via systemd services
This did not affect Arch Linux itself or the official repositories, but users who installed or updated affected AUR packages should review the details and check their systems. discuss.cachyos.org/t/aur-co…
Vincent retweeted
🚨 BREAKING: More than 400 Arch Linux User Repository packages have been compromised with infostealer malware and a rootkit. Attacker posed as a trusted maintainer and "adopted" orphaned packages. Arch maintainers are purging infected packages now. Audit your AUR installs.
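A concrete way to act on the "audit your AUR installs" and "review recently updated packages" advice in the posts above. This is an added example, not code from the quoted posts and not part of Arch or pacman: it reads pacman's local package database directly (the %NAME%, %VERSION%, %INSTALLDATE%, %PACKAGER% and %VALIDATION% fields in each package's desc file) and lists packages that look locally built and were installed or updated after a cutoff. The filter is an assumed heuristic: packages built with makepkg normally record "Unknown Packager" and validation "none", while packages from the official repositories carry a real packager and "pgp". The three-package database it writes for the demo is constructed here.

```sh
#!/bin/sh
# Added example, not from the original posts and not part of pacman.
# Lists locally built (AUR-style) packages installed or updated since a cutoff
# by parsing /var/lib/pacman/local/<pkg>/desc. Heuristic (assumption): makepkg
# builds record "Unknown Packager" and %VALIDATION% "none"; repo packages
# carry a real packager and "pgp".
set -u

# desc_field FILE FIELD: print the value line that follows a %FIELD% header.
desc_field() {
  awk -v f="%$2%" '$0 == f { getline; print; exit }' "$1"
}

# recent_local_builds DBDIR SINCE_EPOCH: print "installdate name version" for
# every locally built package with INSTALLDATE >= SINCE_EPOCH, oldest first.
recent_local_builds() {
  db="$1"; since="$2"
  for d in "$db"/*/; do
    [ -f "$d/desc" ] || continue
    name=$(desc_field "$d/desc" NAME)
    ver=$(desc_field "$d/desc" VERSION)
    installed=$(desc_field "$d/desc" INSTALLDATE)
    packager=$(desc_field "$d/desc" PACKAGER)
    validation=$(desc_field "$d/desc" VALIDATION)
    case "${validation}:${packager}" in
      none:*|*:"Unknown Packager") ;;   # looks locally built, keep
      *) continue ;;                     # signed repo package, skip
    esac
    [ "${installed:-0}" -ge "$since" ] || continue
    printf '%s %s %s\n' "$installed" "$name" "$ver"
  done | sort -n
}

# make_sample_db DIR: write a constructed three-package database for the demo.
make_sample_db() {
  dir="$1"
  mk() {  # mk NAME VERSION INSTALLDATE PACKAGER VALIDATION
    mkdir -p "$dir/$1-$2"
    printf '%%NAME%%\n%s\n\n%%VERSION%%\n%s\n\n%%INSTALLDATE%%\n%s\n\n%%PACKAGER%%\n%s\n\n%%VALIDATION%%\n%s\n' \
      "$1" "$2" "$3" "$4" "$5" > "$dir/$1-$2/desc"
  }
  mk firefox 128.0-1 1760000000 "Example Packager <packager@example.org>" pgp   # repo package, skipped
  mk neovim-plugin-foo-git 1.0-1 1760100000 "Unknown Packager" none             # AUR-style, recent
  mk old-aur-tool 0.1-1 1600000000 "Unknown Packager" none                      # AUR-style, old
}

# Demo on the constructed database: only the recent AUR-style package is listed.
SAMPLE=$(mktemp -d)
make_sample_db "$SAMPLE"
echo "Locally built packages changed in the last 7 days of the sample window:"
recent_local_builds "$SAMPLE" $((1760100000 - 7 * 86400))
rm -rf "$SAMPLE"
```

Against a live system, call `recent_local_builds /var/lib/pacman/local $(( $(date +%s) - 14 * 86400 ))` and compare the list with what you actually rebuilt. The packager/validation heuristic is only a filter, so cross-check it with `pacman -Qm`, which lists packages not present in any sync repository. Because the reported payloads included persistence via systemd services, it is also worth listing `systemctl --user list-unit-files --state=enabled` and looking through /etc/systemd/system for units you did not create.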
Vincent retweeted
May 25
should we block such flags if we detect that pnpm is executed by an agent? x.com/encrypted/status/20586…

wait... you did what?!
Vincent retweeted
MrBeast plans to trap 1000 vibe coders in a room without Claude. First person to center a div manually wins $1 million.
Vincent retweeted
Do you know that using GitHub CLI (gh) may expose you to supply-chain attacks? It stores a long-lived GitHub token on your machine, which can be stolen by any malicious scripts. This is what happened in the recent Nx Console supply-chain compromise, which led to GitHub’s internal source code being leaked.
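An added check for the token-storage point in the post above. This is not gh's own code: it looks for a GitHub CLI token that sits on disk in the clear or in the environment, where any script you run as your user (including a postinstall hook from a compromised package) can read it. Assumed: gh's default config path under ~/.config/gh, the hosts.yml layout gh writes when a token is kept in the file rather than the OS keyring, and that gh honours GH_TOKEN and GITHUB_TOKEN. The two hosts.yml files it writes for the demo are constructed here.

```sh
#!/bin/sh
# Added example, not part of gh itself. Finds GitHub CLI tokens stored in the
# clear on disk or exported in the environment. Assumptions: gh's default
# config path and the hosts.yml layout gh writes when the keyring is not used.
set -u
GH_HOSTS_DEFAULT="${XDG_CONFIG_HOME:-$HOME/.config}/gh/hosts.yml"

# gh_plaintext_tokens [HOSTS_YML]: print "host token-prefix..." for each
# plaintext oauth_token; prints nothing if the file is absent or has none.
gh_plaintext_tokens() {
  f="${1:-$GH_HOSTS_DEFAULT}"
  [ -r "$f" ] || return 0
  awk '
    /^[^ \t]/ { host = $0; sub(/:.*/, "", host) }                 # top-level "github.com:" key
    /^[ \t]+oauth_token:[ \t]*[A-Za-z0-9_]+/ {                    # any nesting depth
      printf "%s %s...\n", host, substr($2, 1, 8)                 # show only a prefix
    }' "$f"
}

# gh_tokens_in_env: report GH_TOKEN / GITHUB_TOKEN if set, prefix only.
gh_tokens_in_env() {
  for v in GH_TOKEN GITHUB_TOKEN; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      printf '%s %s...\n' "$v" "$(printf '%s' "$val" | cut -c1-8)"
    fi
  done
  return 0
}

# Demo on two constructed hosts.yml files: one with a file-stored token, one
# whose token lives in the keyring (gh then writes no oauth_token line).
DEMO=$(mktemp -d)
cat > "$DEMO/risky.yml" <<'EOF'
github.com:
    users:
        alice:
            oauth_token: gho_abcdEFGH1234constructed
    git_protocol: ssh
    user: alice
EOF
cat > "$DEMO/safe.yml" <<'EOF'
github.com:
    users:
        alice:
    git_protocol: ssh
    user: alice
EOF
echo "risky.yml:";   gh_plaintext_tokens "$DEMO/risky.yml"
echo "safe.yml:";    gh_plaintext_tokens "$DEMO/safe.yml"
echo "environment:"; gh_tokens_in_env
rm -rf "$DEMO"
```

Run `gh_plaintext_tokens` with no argument to check your own config. If it prints anything, every process running as you can read that token; `gh auth logout` removes it locally, and the token itself should be revoked in GitHub's settings, since a copy may already have left the machine. A token kept only in the keyring, or passed in GH_TOKEN for a single command rather than exported in a login shell, narrows the window a malicious script has.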
A great take. Automatically updating your dependencies can get you compromised. Not updating your dependencies too.
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10 years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored). If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don’t see anything compelling, don’t update! I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I’d always ask “show me the commit we need.” Don’t update for the sake of it. Feeling pretty swell about this mentality with all the supply chain attacks happening.
Vincent retweeted
Replying to @kushaldas @_evict
Applied Physical Attacks #1 and #2 are available online, self-paced. Soon Applied Physical Defenses will be too: learn.securinghardware.com I ship a kit of hardware. Lectures, lab instructions, and howtos/walkthroughs are all on the course website.

Vincent retweeted
Having trouble learning hardware hacking from some clanker assistant? You probably need some hands-on time with real hardware. Applied Physical Attacks #1 is the perfect intro to understand what's going to happen to a hardware device the moment it gets into an attacker's hands.
Vincent retweeted
Literally everyone knows this from like age 6
Vincent retweeted
Every time you update NPM packages
Vincent retweeted
TanStack
Vincent retweeted
🚨 SECURITY ALERT: The popular PyPI package lightning has been compromised in a supply chain attack. ⚠️ Affected Versions: 2.6.2 and 2.6.3
Vincent retweeted
Today, we're announcing Sourcegraph 7.0, a release that marks the beginning of a new chapter for our company and product. Over the past several releases, we've shifted our focus. We're doubling down on being the intelligence layer that developers and AI agents rely on to navigate, understand, and operate on large codebases. sourcegraph.com/blog/a-new-e…
Vincent retweeted
Binary obfuscation in 2026: Just put ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FA... into your program 😎
Vincent retweeted
Stop patching vulnerabilities manually. @sgjarmak walks through the end-to-end workflow: detect, fix, and verify the React2Shell (CVE-2025-55182) vulnerability using Batch Changes, Deep Search, and our MCP server. sourcegraph.com/blog/fix-and…
Vincent retweeted
24 Nov 2025
Opus is worth it, and maybe cheaper all-in than Sonnet? Early rough non-representative numbers, for our own internal @AmpCode usage (avg cost $ per thread): - Sonnet 4.5: $1.83 - Opus 4.5: $1.30 (earlier checkpoint last week was $1.55) - Gemini 3 Pro: $1.21
You can now try Opus 4.5 with us in Amp. We've been very impressed with it. This is big.
Vincent retweeted
20 Nov 2025
Periodic reminder that Amp Free is free and we're able to use a more intelligent model because we offset the cost of inference by showing ads for other dev tools: ampcode.com/free