Flux
Quoting Greg Kroah-Hartman
IA Programmation

Quoting Greg Kroah-Hartman

Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn't really worry us. Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they're good, and they're real. — Greg Kroah-Hartman, Linux kernel maintainer (bio), in conversation with Steven J. Vaughan-Nichols Tags: security, linux,…

Simon Willison's Weblog
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
Cybersécurité Programmation

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target.…

Socket
Can JavaScript Escape a CSP Meta Tag Inside an Iframe?
IA Programmation

Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <meta http-equiv="Content-Security-Policy"...> tags at the top of the iframe content and they'll be obeyed even if subsequent untrusted JavaScript tries to manipulate them. Tags: iframes, security, javascript,…

Simon Willison's Weblog
The Axios supply chain attack used individually targeted social engineering
IA Programmation

The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly. Here's Jason Saayman'a description of how that worked: so the attack vector mimics what google has documented here: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering they tailored…

Simon Willison's Weblog
The Cathedral, the Bazaar, and the Winchester Mystery House
IA

The Cathedral, the Bazaar, and the Winchester Mystery House

The following article originally appeared on Drew Breunig’s blog and is being republished here with the author’s permission. In 1998, Eric S. Raymond published the founding text of open source software development, The Cathedral and the Bazaar. In it, he detailed two methods of building software: The bazaar model was enabled by the internet, which […]

O'Reilly Radar — AI/ML
The PHP Podcast 2026.04.02
Programmation Web

The PHP Podcast 2026.04.02

🎙️ The PHP Podcast – Special Episode April 2, 2026 | Guest Hosts: Joe Ferguson & Sara Golemon In this special episode, Joe Ferguson and Sara Golemon step in as guest hosts while Eric recovers from illness and John is busy in Discord. They cover AI tool challenges, PHP Foundation updates, Unicode adventures, infrastructure work, […] The post The PHP Podcast 2026.04.02 appeared first on PHP Architect.

PHP Architect
Highlights from my conversation about agentic engineering on Lenny's Podcast
IA Programmation

Highlights from my conversation about agentic engineering on Lenny's Podcast

I was a guest on Lenny Rachitsky's podcast, in a new episode titled An AI state of the union: We've passed the inflection point, dark factories are coming, and automation timelines. It's available on YouTube, Spotify, and Apple Podcasts. Here are my highlights from our conversation, with relevant links. The November inflection point Software engineers as bellwethers for other information workers Writing code on my phone Responsible vibe coding Dark Factories and StrongDM The bottleneck has…

Simon Willison's Weblog
Gemma 4: Byte for byte, the most capable open models
IA Programmation

Gemma 4: Byte for byte, the most capable open models

Gemma 4: Byte for byte, the most capable open models Four new vision-capable Apache 2.0 licensed reasoning LLMs from Google DeepMind, sized at 2B, 4B, 31B, plus a 26B-A4B Mixture-of-Experts. Google emphasize "unprecedented level of intelligence-per-parameter", providing yet more evidence that creating small useful models is one of the hottest areas of research right now. They actually label the two smaller models as E2B and E4B for "Effective" parameter size. The system card explains: The…

Simon Willison's Weblog