Ambidexter SRE from Philadelphia. Humanities enjoyer. Amateur musician. On a sugar cane plantation hacienda situated on a volcanic island in the Philippines.

Joined March 2009
Pinned Tweet
These #AUR attacks have an obvious footprint that should (ostensibly) make them easier to detect:
~ Adopted an orphaned package
~ Post-install hook added
~ Hook uses npm or bun
But just to be sure, I'm checking my AUR build cache directories and verifying that those system directories are still clear of any sudden changes. Then going about my day...

[GIF: Kermit The Frog Drink GIF by Muppet Wiki]

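Example added here (not part of the thread above, and not a tool from the AUR or Arch projects): a POSIX shell script that checks local AUR build checkouts for the footprint the thread lists, namely a post_install/post_upgrade hook that invokes npm or bun. It assumes one directory per package, each holding a PKGBUILD whose `install=` line names the hook file; the sample cache it builds under `--demo` is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Scans AUR build directories for
# install hooks that call npm/bun (the footprint described in the thread).
# Assumptions: $cache/<pkg>/PKGBUILD exists per package, and the hook file is
# the one named by the PKGBUILD's `install=` line.
set -eu

# Print "pkgname<TAB>hookfile" for every package whose post_install/post_upgrade
# hook invokes npm, npx, bun or bunx. Returns 0 if at least one hit, 1 otherwise.
scan_aur_cache() {
    cache="$1"
    found=1
    for dir in "$cache"/*/; do
        [ -f "$dir/PKGBUILD" ] || continue
        pkg=$(basename "$dir")
        # `install=foo.install` names the hook script; packages without one are skipped.
        hook=$(sed -n 's/^install=//p' "$dir/PKGBUILD" | tr -d "'\"" | head -n1)
        # Common PKGBUILD idiom: install=$pkgname.install (assumes dir name == pkgname).
        case $hook in
            '$pkgname.install'|'${pkgname}.install') hook="$pkg.install" ;;
        esac
        [ -n "$hook" ] && [ -f "$dir/$hook" ] || continue
        # Only look inside post_install()/post_upgrade() bodies, and only at
        # npm/bun used as a command word (not, say, inside a comment like "bundle").
        if awk '/^(post_install|post_upgrade)[[:space:]]*\(\)/ { inhook = 1 }
                inhook && /^}/ { inhook = 0 }
                inhook && /(^|[[:space:];&|(])(npm|npx|bun|bunx)([[:space:]]|$)/ { hit = 1 }
                END { exit !hit }' "$dir/$hook"; then
            printf '%s\t%s\n' "$pkg" "$hook"
            found=0
        fi
    done
    return $found
}

# Constructed sample cache (not real packages): one clean package and one whose
# hook runs bun. Prints the temporary directory it created.
make_sample_cache() {
    root=$(mktemp -d)
    mkdir -p "$root/clean-pkg" "$root/suspect-pkg"
    printf 'pkgname=clean-pkg\npkgver=1.0\n' > "$root/clean-pkg/PKGBUILD"
    printf 'pkgname=suspect-pkg\npkgver=1.0\ninstall=$pkgname.install\n' > "$root/suspect-pkg/PKGBUILD"
    cat > "$root/suspect-pkg/suspect-pkg.install" <<'EOF'
post_install() {
    # constructed hook: a package with no JS component has no reason to call bun here
    bun run --silent /usr/share/suspect-pkg/setup.js
}
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: ./scan_aur.sh --demo   (or point scan_aur_cache at your own cache)
if [ "${1-}" = "--demo" ]; then
    cache=$(make_sample_cache)
    scan_aur_cache "$cache" || echo "no suspicious hooks found"
    rm -rf "$cache"
fi
```

The check is deliberately narrow: it flags only hooks that run npm/bun as a command inside post_install/post_upgrade, so a flagged package is worth reading by hand rather than automatically rejected, and a package that pulls the same tooling from inside package() in the PKGBUILD would need a separate check.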
<s> "Final hiring decisions are ultimately made by humans" always sounds so reassuring. </s>
Reading CPython source is both humbling and illuminating at the same time.
A Pod stuck in CrashLoopBackOff with completely empty kubectl logs and no obvious clues in kubectl describe is the ultimate Kubernetes silent killer. It usually means the container is failing before the application layer starts, or stdout/stderr is being blocked or redirected.
Something @mischavdburg said today really hit me where I live: "As the technical layer of the job gets cheaper, the work of dealing with humans becomes more load-bearing, not less."
If I wasn't such a heavy Neovim user I would switch to Zed. It's absolutely the fastest IDE I've seen. VS Code and Cursor feel slow and bloated in comparison.
But probably the best thing about Zed is that it's not an Electron app, and it shows.
GitHub getting swamped by agentic coding shows how hard it is to adapt to a new paradigm, especially at massive, monopoly-level scale.
It would be interesting to see how many signups there were today over at @codeberg_org
GitHub has been floundering for a while now, but this time they could really be cooked. x.com/mitchellh/status/20492…

Ghostty is leaving GitHub. I'm GitHub user 1299, joined Feb 2008. I've visited GitHub almost every single day for over 18 years. It's never been a question for me where I'd put my projects: always GitHub. I'm super sad to say this, but it's time to go. mitchellh.com/writing/ghostt…
BTW, while I'm here. This is sick: x.com/dhh/status/20425659570…

Apr 10
In celebration of Omarchy 3.5 being the first distro to ship with complete Linux compatibility for the new XPS Panther Lake laptops, @Dell made me a special unit with super omarchy keys instead of Windows and Copilot. So damn cool!
Even in an age of AI agentic coding, there's no shortcut to building your debugging skillset.
If you're responsible for installing and updating packages, you'd better understand how dependencies work. This particular horror was vibe coded and crashed the victim's system. Otherwise he might have never known what was going on. x.com/karpathy/status/203648…

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
One of the classic CSS gotchas that bites everyone: When you nest <code> inside <pre>, both elements can have their own padding/margin that stacks up. The fix is always to zero out the inner <code> element's spacing so only the <pre> controls the padding.