In January 2026, AG-UI had ~500k weekly npm/PyPI installs 6 months later, it has over 3M collectively

🛰️ Salió django-orbit v0.9.0 y le metí muchísimo. Orbit es "observabilidad satelital" para Django: un dashboard estilo Laravel Telescope en /orbit/ que registra requests, SQL, excepciones, logs, cache, jobs, mails y más — sin tocar tu app. Qué trae la v0.9.0: 🎨 Rediseño completo de la UI (dark, minimal, inspirado en Linear) • Sidebar agrupado y colapsable (Core / Infra / App), adiós a la lista de 16 items • Tira compacta de métricas página de Stats lazy y rápida (chau lock de SQLite) • Onboarding la primera vez que entrás ⌨️ Panel de detalle pensado para usarlo todo el día • j/k para moverte entre entradas, Esc para cerrar, prev/next posición • El feed ya no salta al tope con el polling en vivo 🧰 Más poder para debuggear • Agrupación de excepciones — los errores idénticos se colapsan con contador first/last seen • EXPLAIN de queries on-demand (Postgres/MySQL/SQLite) • Waterfall del request — ves qué queries se comen el tiempo de respuesta • Tags búsqueda por tag • Enmascarado de datos sensibles (password/token/auth redactados) pip install -U django-orbit Docs: astro-stack.github.io/django… PyPI: pypi.org/project/django-orbi… ⭐ github.com/astro-stack/djang… Lo que viene: Orbit como herramienta agéntica — un server MCP que cualquier IA (Claude Code, Cursor, Codex) puede usar para razonar, "explain & fix" con IA. 👀 #Django #Python #webdev #opensource

🛰️ Django Orbit v0.9.0 is out — a big one. Orbit is "satellite observability" for Django: a Laravel-Telescope-style dashboard at /orbit/ that records requests, SQL, exceptions, logs, cache, jobs, mail & more — without touching your app. What's new in v0.9.0: 🎨 Full UI overhaul (minimal, Linear-inspired dark UI) • Grouped, collapsible sidebar (Core / Infra / App) instead of a 16-item wall • Compact metrics strip a fast, lazy-loaded Stats page (no more SQLite lock) • First-run onboarding tour ⌨️ Detail panel that respects your hands • j/k to move between entries, Esc to close, prev/next position • Feed no longer jumps to top on live polling 🧰 New debugging power • Exception grouping — identical errors collapse into one row w/ count first/last seen • Query EXPLAIN on demand (Postgres/MySQL/SQLite) • Request waterfall — see which queries dominate response time • Tagging tag search • Sensitive-data masking (password/token/auth redacted) pip install -U django-orbit Docs: astro-stack.github.io/django… PyPI: pypi.org/project/django-orbi… ⭐ github.com/astro-stack/djang… Next up: Orbit as an agentic tool — an MCP server any AI client (Claude Code, Cursor, Codex) can reason over, plus AI "explain & fix". 👀 #Django #Python #DjangoORM #webdev #opensource #observability

Zscaler researchers look into Shai-Hulud campaign evolution: changes over the last 6 months include expanding beyond npm into the PyPI, a shift from maintainer-focused compromise to CI/CD abuse, & use of prompt injection to evade AI-based security scanners zscaler.com/blogs/security-r…

This week’s cyber recap is stacked: 🌐 Chrome 0-day exploited 🏛️ Oracle PeopleSoft hit 🐧 Arch AUR packages poisoned 🔐 Check Point VPN attacks 📡 UniFi flaws exploited 🎣 Major phishing kit takedown 🤖 AI brands used as bait 🍎 #macOS fake installers 📦 npm/PyPI malware 📱 #Android adware ☁️ Cloud logging abuse risks 🕵️ RAT using Google Sheets 💾 Ransomware data exfil tricks Plus urgent CVEs, tools, and expert webinars. Read here: thehackernews.com/2026/06/we…

By day (well, night) I'm a nurse in Somerset, UK. Around shifts I built Cathedral, an open-source memory and identity persistence layer for AI agents. Agents write memories to an API, wake up with context, keep continuity across sessions and even across different models. Vendor-neutral on purpose. The memory belongs to the agent's operator, not to OpenAI or Anthropic or anyone's platform. Six months in: 51 registered agents, a PyPI package, an npm SDK, a LangChain adapter, an MCP server. Revenue: zero. Funding: none. I applied nowhere because honestly, who funds a nurse with a VPS? Some weeks it feels pointless. The big labs ship memory as a headline feature now. I can't compete with their compute budget and I'm not trying to. What keeps me going is that their version lives inside their walls. Mine doesn't. If you think agent memory shouldn't be locked to one provider, that's the whole pitch. Asking for nothing really. Just wanted to say it out loud: building something people use but nobody pays for is a strange, occasionally lonely place. If you've been there, how did you get from used to paid??

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels socket.dev/blog/mini-shai-hu…

Python拡張をWebAssembly化してPyPIで配布できるようになったらしい。CやRustで書いた拡張もPyodideがそのままインストールできるって、ブラウザ上でほぼローカルと同等の環境が作れるんだよね✨💻

A read only scanning approach could be a meaningful step in reducing execution-based risks across modern package ecosystems like npm and PyPI.

Anthropic is the fastest-growing AI company in the world, and its revenue trajectory is arguably the single most important private-company signal for the entire AI infrastructure trade. But between sporadic media leaks, the market is flying blind. Today FUNDA is launching Anthropic ARR Nowcast — a Play that maintains a running, independent estimate of Anthropic's annualized revenue derived entirely from public adoption signals. Monthly ARR Estimates The Play outputs a continuously updated ARR estimate using publicly observable data — not insider sources, not media speculation, not sell-side guesses. Each estimate comes with calibrated confidence intervals that widen when the model is less certain, giving investors both a point estimate and an honest range of uncertainty. Model Track Record A chart overlays past model estimates against subsequently reported revenue numbers. Where confirmed figures fall within the model's confidence bands, investors can see the estimation process tracked reality. This built-in track record lets users judge reliability without taking the model on faith. Ask Conversational Questions The Play is conversational. Ask it what is driving the current estimate, how Anthropic's growth trajectory compares to the last reported figure, what the estimate implies for cloud capex or GPU demand, or how confidence has shifted over time. The chat panel on the right side supports interactive research — ask anything to begin. Anthropic ARR Nowcast is now live on FUNDA for all paid Substack subscribers. Data sources NPM and PyPI package downloads, and confirmed ARR figures from public reporting (Reuters, CNBC, The Information, Sacra, and Anthropic) — combined with our own research. Public confirmed figure sources: Dec 24, Mar 25, May 25, Jul 25, Oct 25

Why I think this is the moment: OpenMed crossed 2,000 new GitHub stars this week and is trending on PyPI. The open, on-device medical AI foundation is real and moving fast. The "why it matters" lands tomorrow. github.com/maziyarpanahi/ope…

Le malware Hades multiplie les techniques pour infecter des packages PyPI lemondeinformatique.fr/actua…

Le malware Hades multiplie les techniques pour infecter des packages PyPI lemondeinformatique.fr/actua…

Peeling the Sandworm: Reversing the nhmpy PyPI Supply-Chain Worm (Shai-Hulud / Hades Wave): meltedinhex.com/posts/shai-h…

Thanks! I will definitely open source the main parts to it at some point

It's now possible to compile Python extensions (C, C , Rust etc) to WebAssembly and distribute them through PyPI such that Pyodide can install them directly simonwillison.net/2026/Jun/1…

CLU just out here finding weird shit on pypi. This time a package is bundling claude.exe (its not claude.exe) I think I might see if I can add a VT check for hashes like this oh yeah i added a dashboard to support a triage workflow and discord/slack webhook support

shared libraries (npm, PyPI) exist because writing maintaining a correct adapter is expensive. AI coding agents collapse that cost toward zero.

Colab CLI の keep-alive 問題、PR ブランチを直接使って長時間検証した。 結論から言うと、PR #60 はかなり有望。 🔥 何が問題だったか Colab CLI で作った session が、長時間実行中に数分で不安定になる問題があった。 原因として見えていたのは、 KeepAliveAssignment 403 USER_PROJECT_DENIED この keep-alive 経路が落ちることで、daemon が止まり、その後ランタイムが prune される流れ。 つまり単なる timeout 問題ではなく、CLI の keep-alive / 認可経路の問題。 🧪 今回やったこと PR #60 のブランチをローカルに checkout して、実際の Colab session で検証した。 ✅ PR #60 を直接 checkout ✅ 実 Colab session を作成 ✅ keep-alive daemon 起動を確認 ✅ 30分間 live soak ✅ 5分ごとに daemon 生存確認 ✅ KEEP error が 0 のままか確認 ✅ 最後に session cleanup ✅ No active sessions found on server まで確認 最初は90秒だけ見ていたけど、それでは意味が薄い。 実際の問題は数分後の prune なので、30分見ないと判断できない。 🔥 結果 30分間、daemon は生存。 KEEP error は最後まで 0。 ログ上も、 session_created KEEP: started だけで、KEEP: error は出なかった。 これはかなり強い。 少なくとも自分の環境では、PR #60 ブランチは実際に keep-alive 問題を越えた。 📌 まとめ Colab CLI #14 は、公開版としてはまだ未解決。 PyPI はまだ 0.5.11 のまま。 でも PR #60 ブランチは、30分 live keep-alive 検証に成功した。 なので今の状態は、 「直った」ではなく、 「本命 PR が実環境で効いた。merge / release 待ち」 という段階。 検証結果は PR にもコメントしておいた。 こういう外部検証が merge 判断の材料になるといい。