Flux
Toutes les catégories

Programmation

1549 articles

Package Managers Need to Cool Down
IA Programmation

Package Managers Need to Cool Down

Package Managers Need to Cool Down Today's LiteLLM supply chain attack inspired me to revisit the idea of dependency cooldowns, the practice of only installing updated dependencies once they've been out in the wild for a few days to give the community a chance to spot if they've been subverted in some way. This recent piece (March 4th) piece by Andrew Nesbitt reviews the current state of dependency cooldown mechanisms across different packaging tools. It's surprisingly well supported! There's…

Simon Willison's Weblog
5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys
Cybersécurité Programmation

5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys

Socket's Threat Research Team identified five malicious npm packages published under the account galedonovan, all targeting cryptocurrency developers. Each package typosquats a legitimate crypto library and exfiltrates private keys to a single hardcoded Telegram bot. The campaign covers both the Solana and Ethereum ecosystems, and the C2 infrastructure was confirmed active as of March 23, 2026. One of the packages, base_xd, was published by the same account but was unpublished within five…

Socket
TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem
Cybersécurité Programmation

TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem

TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems. In recent Telegram posts, the group has claimed responsibility for expanding beyond the initial Trivy compromise, pointing to attacks on GitHub Actions, OpenVSX extensions, and now PyPI. The latest development includes attacks on Checkmarx' KICS scanner and OpenVSX extensions and a trojanized release of…

Socket
Malicious litellm_init.pth in litellm 1.82.8 — credential stealer
IA Programmation

Malicious litellm_init.pth in litellm 1.82.8 — credential stealer

Malicious litellm_init.pth in litellm 1.82.8 — credential stealer The LiteLLM v1.82.8 package published to PyPI was compromised with a particularly nasty credential stealer hidden in base64 in a litellm_init.pth file, which means installing the package is enough to trigger it even without running import litellm. (1.82.7 had the exploit as well but it was in the proxy/proxy_server.py file so the package had to be imported for it to take effect.) This issue has a very detailed description of what…

Simon Willison's Weblog
Streaming experts
IA Programmation

Streaming experts

I wrote about Dan Woods' experiments with streaming experts the other day, the trick where you run larger Mixture-of-Experts models on hardware that doesn't have enough RAM to fit the entire model by instead streaming the necessary expert weights from SSD for each token that you process. Five days ago Dan was running Qwen3.5-397B-A17B in 48GB of RAM. Today @seikixtc reported running the colossal Kimi K2.5 - a 1 trillion parameter model with 32B active weights at any one time, in 96GB of RAM on…

Simon Willison's Weblog
TypeScript 6.0 Released: The Final JavaScript-Based Version
Cybersécurité Programmation

TypeScript 6.0 Released: The Final JavaScript-Based Version

TypeScript 6.0 landed today marking a milestone: this is the final release built on the existing JavaScript codebase. TypeScript 7.0, currently in preview, will run on a Go-native compiler, and the team says the release is imminent. "TypeScript 6.0 acts as the bridge between TypeScript 5.9 and 7.0," Microsoft's TypeScript Principal Product Manager Daniel Rosenwasser said. "As such, most changes in TypeScript 6.0 are meant to help align and prepare for adopting TypeScript 7.0. It may seem…

Socket
datasette-files 0.1a2
IA Programmation

datasette-files 0.1a2

Release: datasette-files 0.1a2 The most interesting alpha of datasette-files yet, a new plugin which adds the ability to upload files directly into a Datasette instance. Here are the release notes in full: Columns are now configured using the new column_types system from Datasette 1.0a26. #8 New file_actions plugin hook, plus ability to import an uploaded CSV/TSV file to a table. #10 UI for uploading multiple files at once via the new documented JSON upload API. #11 Thumbnails are now generated…

Simon Willison's Weblog
Quoting David Abram
IA Programmation

Quoting David Abram

I have been doing this for years, and the hardest parts of the job were never about typing out code. I have always struggled most with understanding systems, debugging things that made no sense, designing architectures that wouldn't collapse under heavy load, and making decisions that would save months of pain later. None of these problems can be solved LLMs. They can suggest code, help with boilerplate, sometimes can act as a sounding board. But they don't understand the system, they don't…

Simon Willison's Weblog
Beats now have notes
IA Programmation

Beats now have notes

Last month I added a feature I call beats to this blog, pulling in some of my other content from external sources and including it on the homepage, search and various archive pages on the site. On any given day these frequently outnumber my regular posts. They were looking a little bit thin and were lacking any form of explanation beyond a link, so I've added the ability to annotate them with a "note" which now shows up as part of their display. Here's what that looks like for the content I…

Simon Willison's Weblog