Flux
Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics

Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics

@injectivelabs/sdk-ts@1.20.21 records private keys and mnemonics, enabling wallet compromise via 17 scoped packages pinned to the malicious version. Socket detected a malicious @injectivelabs/sdk-ts@1.20.21 release published to npm with fake telemetry functionality that exfiltrates wallet private keys and mnemonic phrases. The affected package is part of the Injective Labs TypeScript SDK and receives roughly 50,000 weekly downloads, making the incident significant for developers and…

Socket
AI Enthusiasts Are in a Race Against Time, AI Skeptics Are in a Race Against Entropy

AI Enthusiasts Are in a Race Against Time, AI Skeptics Are in a Race Against Entropy

The following article originally appeared on Charity Majors’s Substack and is being republished here with the author’s permission. I recently attended a talk where one of the presenters made some pretty…astonishing claims about what they had achieved by the pure, uncut power of vibe coding. Difficult engineering problems solved, backlogs cleared. Rewrites that would have […]

O'Reilly Radar — AI/ML
Rewriting Bun in Rust

Rewriting Bun in Rust

Rewriting Bun in Rust Jarred Sumner has been promising this blog post (since May 9th) about his Zig to Rust rewrite of Bun for significantly longer than it took him to finish the rewrite. Honestly, it was worth the wait. This is a detailed description of an extremely sophisticated piece of agentic engineering, featuring dynamic workflows, trial runs, adversarial review and all sorts of other interesting tricks. Jarred spends the first half of the post praising Zig for getting Bun this far. Then…

Simon Willison's Weblog
Introducing GPT‑Live

Introducing GPT‑Live

Introducing GPT‑Live OpenAI finally upgraded the model used by ChatGPT voice mode! I've had preview access for a few weeks in the iPhone app, and the new model is very impressive. It also has the ability to spin off harder tasks to GPT-5.5: For questions that require web search, deeper reasoning, or more complex work, it delegates to our latest frontier model behind the scenes and brings the result back into the conversation when it’s ready. While it works, GPT‑Live can keep talking with you…

Simon Willison's Weblog
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens

npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens

npm v12 is now generally available and tagged latest. The release turns on the install-time security defaults GitHub announced in June and starts winding down the most sensitive uses of 2FA-bypass granular access tokens (GATs). Both changes landed in today's changelog. The direction will be familiar to anyone who followed the past year of npm supply chain attacks. Almost every worm and credential stealer that hit the registry since late 2025 ran at install time, before any application code…

Socket
Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

Our investigation began with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, that posed as a DNS/subdomain scanner. The module did more than impersonate a developer utility: it exposed a Windows malware-staging chain that used hidden PowerShell execution, public dead-drop resolution, protected archive delivery, and RAT/infostealer deployment. Pivoting from that module revealed the larger finding: a GitHub-based lure network of 222 confirmed repositories across 190 accounts,…

Socket
Quoting Kenton Varda

Quoting Kenton Varda

I just declared a moratorium against AI-written change descriptions (e.g. PR and commit messages, also issues/tickets) from my team. AI was writing change descriptions that were worse than useless to me as I tried to review PRs: outlining details of the code that could easily be seen by looking at the code, but omitting the higher-level framing needed to understand broadly what the code is doing. — Kenton Varda Tags: kenton-varda, ai-assisted-programming, generative-ai, ai, llms

Simon Willison's Weblog
Why AI Coding Agents Still Need Clear Specs

Why AI Coding Agents Still Need Clear Specs

The following article originally appeared on Markus Eisele’s newsletter, The Main Thread, and is being republished here with the author’s permission. There’s a mental model spreading through the developer community right now that goes something like this: Agents are smart enough to figure things out, so heavy upfront specification is bureaucratic overhead you don’t need […]

O'Reilly Radar — AI/ML
pnpm 11.10 Hardens Registry Authentication to Block Token Redirection

pnpm 11.10 Hardens Registry Authentication to Block Token Redirection

pnpm 11.10 was released over the weekend as a small update that includes several supply chain hardening changes. The main change is a new way to configure registry authentication that keeps a repository's own files from redirecting your registry token to a different host. The release also tightens a few build and packaging commands and adds an install path for pnpm v12, the Rust rewrite. The new _auth setting ties each token to its registry # pnpm 11.10 adds an _auth setting that stores…

Socket