AI subscriptions are becoming as essential as internet bills - and just as expensive. The vBrownBag gang takes a hard look at the real cost of LLMs and what happens when the free ride ends. Chris, Shala, and Damian dig into the Anthropic pricing plot twist, why AI data centers consume 10x the power of traditional racks, the DeepSeek distillation controversy, and what happens when the first hit's free phase ends. You'll learn practical strategies for reducing token burn, why local models are becoming a viable cost escape hatch, how to pick the right model for the right job, and why blindly using Opus for everything is lighting money on fire. This is the unfiltered conversation every AI practitioner needs to have - before the subsidies disappear and the real bills arrive. Timestamps 0:00 Cold Open: Get These Darn Kids Off My Lawn 1:27 Chris's Big News: Leaving IBM for Six Feet Up 8:09 How Many AI Subscriptions Do You Have? 16:41 Stack Overflow Is Dead, Long Live Claude 17:12 Don't Just Blindly Copy and Paste (AI Edition) 31:00 Anthropic Gross Margin 2025: Negative 53% 35:30 When Token Costs Exceed a Junior Dev's Salary 42:02 Find the Model That Fits the Job 46:11 AI Multitasking Is a Lie (Just Like Humans) 49:05 We Are Uniquely Bad at Making Money Off This Show 53:19 Supply Chain Attacks and GitHub Actions 54:45 Did We Solve Anything? Yes. No. Maybe. 55:58 Grateful for Friends & Wrapping Up Links from the show:
In episode 322, the co-hosts examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. They take a deep dive into the recent "Megalodon" breach, identifying it as a direct poisoned pipeline execution attack. Rather than exposing a flaw inside GitHub itself, researchers at Hudson Rock traced the root cause to credentials stolen from developer desktops via infostealer malware, which allowed attackers to push base64-encoded payloads into GitHub Actions workflow YAML files. To counter these types of automated supply chain threats, the hosts praise NPM's newly released "staged publishing" pipeline, which mandates two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Shifting to framework flaws, they highlight a catastrophic, vanilla SQL injection flaw discovered in GoCMS during active exploitation. Finally, the duo reviews the emergence of AI-powered honeypots highlighted by Talos Intelligence. They conclude that turning the tables on attackers by utilizing LLM-driven "hall of mirrors" environments to impersonate real systems represents an innovative, under-explored AppSec strategy designed to drain attacker resources and trigger high token costs.
This month's panel digs into the SpaceX Cursor acquisition rumor and what a $60 billion valuation means for AI coding tools. They debate Bun's million-line Rust rewrite generated entirely by AI, the tradeoffs of agentic coding at scale, and a sophisticated CI/CD cache poisoning attack targeting TanStack. Plus: practical takes on Claude token optimization, session forensics, local AI models, and why most Claude Code skills work best when tailored, not pulled off the shelf. Resources SpaceX/Cursor deal, CNBC: https://www.cnbc.com/2026/04/21/spacex-says-it-can-buy-cursor-later-this-year-for-60-billion-or-pay-10-billion-for-our-work-together.html Fortune, Cursor's uncertain future: https://fortune.com/2026/03/21/cursor-ceo-michael-truell-ai-coding-claude-anthropic-venture-capital/ GitHub Copilot usage-based billing announcement: https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/ Developer backlash, Visual Studio Magazine: https://visualstudiomagazine.com/articles/2026/04/27/devs-sound-off-on-usage-based-copilot-pricing-change-you-will-get-less-but-pay-the-same-price.aspx "The IDE Is Dead, Long Live the ADE", Indie Hackers: https://www.indiehackers.com/post/the-ide-is-dead-long-live-the-ade-0d81e9da3d Companies spending crazy money on AI coding tools, Medium: https://medium.com/@Reiki32/companies-are-spending-crazy-money-on-ai-coding-tools-while-developers-burn-out-efe5908f3dda The PR: https://github.com/oven-sh/bun/pull/30412 The Register writeup: https://www.theregister.com/devops/2026/05/14/anthropics-bun-rust-rewrite-merged-at-speed-of-ai/5240381 The 13,000 unsafe blocks piece: https://byteiota.com/bun-rust-rewrite-merged-the-13000-unsafe-block-problem/ TanStack postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem TanStack hardening follow-up: https://tanstack.com/blog/incident-followup StepSecurity writeup (the researcher who caught it): 
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem SOC Prime writeup: https://socprime.com/active-threats/active-supply-chain-attack-compromises-node-ipc-package We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey! https://t.co/oKVAEXipxu Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com, or tweet at us at PodRocketPod. Check out our newsletter! https://blog.logrocket.com/the-replay-newsletter/ Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form, and we'll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. Chapters 00:00 Introduction 01:00 The $60B SpaceX Cursor deal 08:00 Token costs rising — the rug pull is real 09:30 Local models and sub-agent routing 12:00 Session forensics — cutting Claude token waste 15:00 Bun's AI-generated Rust rewrite 18:00 Should AI rewrite core infrastructure? 23:00 Does runtime choice even matter anymore? 29:00 The TanStack supply chain attack explained 33:00 How the GitHub Actions cache poisoning worked 36:00 Is GitHub Actions too flexible? 39:30 Ad break 40:00 Hot take — you'll be okay (local models and hardware) 42:30 Hot take — "They Will Kill You" (Jack's movie rec) 43:30 Hot take — stop hoarding Claude Code skills 46:00 Wrap-up Special Guest: Jack Herrington.
Mock interview with Nikolai Lebedev, a DevOps/SRE engineer with 17 years of Linux and 4 years of AWS EKS. Stack: Terraform, Flux, Cassandra, Kafka, Vault, SOPS. Two hours, with lots of hands-on practice and lots of tricky questions. WHAT WAS ASKED ☁️ AWS: EKS and IRSA, VPC from scratch (CIDR, multi-AZ, multi-region), managed K8s vs self-hosted, Elasticache, Golden Signals and SRE metrics.
Scott and Wes break down the “Mini Shai-Hulud” supply chain attack that compromised TanStack and other popular npm packages through a clever GitHub Actions cache poisoning exploit; a self-propagating worm that stole credentials and persisted through Claude Code hooks and VS Code tasks. They also cover how developers can protect themselves using pnpm's security defaults, dev containers, and other practical defenses. Show Notes 00:00 Welcome to Syntax! 00:25 Understanding the Shai-Hulud Worm Post Mortem of Shai Hulud Attack 02:47 Mechanics of the Attack: GitHub Actions and Cache How the attack happened Who Was Involved in the Attack Several npm latest releases are compromised Socket.dev Step Security 05:44 Brought to you by Sentry.io 06:09 Propagation and Impact of the Worm 09:30 Preventative Measures for Developers Dead Man's Switch 12:33 The Role of Package Managers in Security Block Exotic Subdeps 18:39 Using Dev Containers Why You Should Use Dev Containers Scott Tolinski's Security Review 20:57 Conclusion and Final Thoughts Sentry has Skills!
On this week's show Patrick Gray, Adam Boileau and James Wilson discuss the week's cybersecurity news. They cover: Mini Shai-Hulud and the TanStack compromise using Github Actions Instructure pays Canvas elearning platform data extortionists More Linux privilege escalation 0days! CISA helping critical infrastructure operators rearchitect their networks so they work offline This week's episode is sponsored by email security platform Sublime Security. Bobby Filar chats with Patrick about how agentic AI is being evaluated by buyers in a marketplace that's experiencing “AI fatigue”. This episode is also available on Youtube. Show notes ‘Mini Shai-Hulud' malware compromises hundreds of open-source packages in sprawling supply-chain attack | CyberScoop Hardening TanStack After the npm Compromise | TanStack Blog Canvas Breach Disrupts Schools & Colleges Nationwide – Krebs on Security Instructure pays ransom after Canvas incident as Congress announces investigation | The Record from Recorded Future News When DNSSEC goes wrong: how we responded to the .de TLD outage Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog Mythos smythos! How to find 0day with lesser models - Risky Business Media GitHub - V4bel/dirtyfrag · GitHub retr0.zip NVD - CVE-2026-42511 Flaw in Claude's Chrome extension allowed ‘any' other plugin to hijack victims' AI | CyberScoop Ivanti customers confront yet another actively exploited zero-day | CyberScoop Palo Alto warns of critical software bug used in firewall attacks | The Record from Recorded Future News Where Have All the Complex Windows Malware and Their Analyses Gone? 
Meet Rassvet, Russia's Answer to Starlink | WIRED DOJ says ransomware gang tapped into Russian government databases | TechCrunch Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News Foxconn confirms cyberattack impacting North American factories | The Record from Recorded Future News New CISA initiative aims for critical infrastructure to operate offline during cyberattacks | The Record from Recorded Future News ‘HELLO BOSS': Inside the Chinese Realtime Deepfake Software Powering Scams Around the World How to Disable Google's Gemini in Chrome | WIRED FCC pushes ban on security updates for foreign-made routers, drones to 2029 | The Record from Recorded Future News
Are you shipping code faster with AI but quietly skipping the tests that matter most? Did you know that GitHub Actions went down 57 times in 12 months? Does your MCP server pass every test but your AI agent still fail in production? Find out the answer to these and other top news stories for the week of May 10th in this episode of the TestGuild news show. Don't miss TestGuild IRL in Nashville and Atlanta: https://testguild.com/irl 0:00 Intro 0:22 IRL https://testguild.com/irl 0:44 Webdriver BiDi https://testgld.link/a38v7egQ 2:14 TestOrbit https://testgld.link/YASfxQBN 3:27 Webinar of the Week https://testgld.link/Iiferct3 4:29 Microcks API https://testgld.link/Xhaleah3 5:26 MCP Checker https://testgld.link/liTG0qz8 6:45 The Tests we Skipped https://testgld.link/R48WnZLh 7:56 Confidence Engineering https://testgld.link/ffJN6hhs 8:55 GitHub Down https://testgld.link/x7FND9sN
In this episode of Search Off the Record, Martin Splitt and John Mueller from Google's Search Relations team dive deep into the world of AI-assisted development. They explore the reality of "Vibe Coding", the process of building apps and websites using natural language instead of manual syntax. Whether you're a developer looking to offload tedious setup tasks or an SEO expert trying to understand how AI-generated sites impact search, this conversation is for you. In this episode, you'll learn: * What is Vibe Coding? Understanding the shift from writing syntax to "talking" to your IDE. * The Developer's Trap: Why you still need technical knowledge (like linters, deployment scripts, and GitHub Actions) to prevent AI from breaking your project. * SEO & AI Architecture: Why you can't just "add SEO" at the end—and how to guide AI to build with canonicals and sitemaps from day one. * Tooling Breakdown: Martin and John share their experiences with AI Studio, Gemini CLI, Firebase, and GitHub. * Testing with AI Agents: How to use AI to remote control browsers (like Chromium) for automated testing. Chapters 00:00 – Intro: What exactly is "Vibe Coding"? 01:32 – Martin's experiment with AI Studio and client-side JS. 03:30 – The "English as a Programming Language" allure. 06:00 – Why the AI makes assumptions (and why that's dangerous). 08:51 – "Sprinkling SEO" vs. Building for SEO from the start. 12:40 – Can AI test itself? Using browser agents for QA. 20:27 – The technical debt of AI: Refactoring and maintainability. 25:42 – Moving to the terminal: Gemini CLI & Cloud Code. 31:34 – Using AI to skip the setup work. Resources Mentioned: * Google AI Studio * Firebase Hosting * Gemini CLI / Cloud Code * GitHub Actions for CI/CD What's your experience with Vibe Coding? Let us know in the comments! 
Episode transcript → https://goo.gle/sotr110-transcript Listen to more Search Off the Record → https://goo.gle/sotr-yt Subscribe to Google Search Channel → https://goo.gle/SearchCentral Search Off the Record is a podcast series that takes you behind the scenes of Google Search with the Search Relations team. #SOTRpodcast #SEO #GoogleSearch Speakers: Martin Splitt, John Mueller
In this episode, Ray Cochrane leads with GitHub’s worst reliability month on record and the AI infrastructure pressure behind it. He also covers Warp going open source, Apple’s Mac supply crunch, OpenAI’s goblin tic, the first 1X humanoid factory in the US, Tesla’s Semi finally hitting mass production, Chinese EVs with movie-projecting headlights, the final GPS III satellite, and a quantum researcher who won 1 Bitcoin. Full Summary Cochrane opens the show with one of the biggest infrastructure stories of the year. GitHub is buckling under unprecedented agentic load, and the world’s largest code host just had its worst reliability month on record. Furthermore, the broader episode threads a clear pattern: AI demand is reshaping infrastructure, hardware supply, and developer tooling in ways the industry did not see coming. GitHub’s Worst Reliability Month on Record GitHub CTO Vlad Fedorov posted an apology on the company blog this week. He acknowledged the platform’s recent failures and committed to a new priority order: availability first, then capacity, then features. Meanwhile, an April 23 merge queue regression silently produced wrong squash commits across 658 repositories and over 2,000 pull requests. Additionally, an Elasticsearch cluster crashed on April 27 after a botnet attack, and GitHub Actions went down on April 28. Outside reconstructions put April uptime under 85 percent. However, GitHub’s own status page stays in the 99 percent range because it does not count degraded performance as downtime. Cochrane notes that GitHub originally planned a 10x capacity increase and has now revised that to 30x in eight months. 
Mitchell Hashimoto, GitHub user 1299 since 2008, also announced he is pulling his Ghostty terminal off the platform entirely. Warp Terminal Goes Open Source Under AGPL Warp open-sourced its AI-first terminal client this week under the AGPL license. Their contribution model leans heavily on agents handling code, planning, and testing while humans focus on direction and verification. However, Cochrane pushes back on that framing. He argues the recent GitHub problems show that human approval alone is not enough oversight for agent-driven workflows. Additionally, he notes that the more hands-off developers get, the less they can mentally model their own systems. Apple Caught Flat-Footed by Local AI Demand Tim Cook told Wall Street on the Q2 FY2026 earnings call that Mac mini and Mac Studio supply will be constrained for several months. Both machines turned out to be popular local AI workstations, which Apple did not predict. Consequently, Apple discontinued the 512GB Mac Studio upgrade in early March and raised the 256GB upgrade by $400. Some upgraded configurations now show 4 to 5 month delivery estimates. Cochrane connects the demand spike to the OpenClaw wave and his own recent OpenClaw scare, where his install started making suspicious outbound requests. Furthermore, he is in no rush to lean into local agentic tooling given the constant prompt injection and security issues in the space. OpenAI Explains the Goblin Obsession After GPT-5.1 launched, ChatGPT users noticed the model could not stop saying “goblin.” OpenAI traced the bias to the optional Nerdy personality, which was 2.5 percent of all responses but produced 66.7 percent of all goblin mentions. The reward signal during personality training quietly favored creature metaphors. Then the bias leaked into the rest of the model through later supervised fine-tuning. 
OpenAI retired Nerdy in March, filtered creature words from training data, and added an explicit Codex system prompt rule: never talk about goblins, gremlins, raccoons, trolls, ogres, or pigeons. Cochrane frames this as the beauty and disaster of pattern matching. Additionally, he notes that LLM behavior is not editable like static code; it can only be patched, and the patches stack up over time. Sponsor: GoDaddy GoDaddy has been sponsoring this show for over twenty years. Economy hosting starts at $6.99/month, WordPress hosting at $12.99/month, and domains at $11.99. Use codes at geeknewscentral.com/godaddy for exclusive deals and to directly support the show. 1X Opens America’s First Vertically Integrated Humanoid Factory Bloomberg reports that 1X Technologies opened a 58,000 square foot humanoid robot factory in Hayward, California. The Norway-founded, OpenAI-backed company is calling it America’s first vertically integrated humanoid factory. Their goal: 10,000 NEO home humanoids in year one, with a 100,000 unit target by end of 2027. Furthermore, the first 10,000 unit allocation reportedly sold out in five days when pre-orders opened in October. NEO sells for $20,000 outright or $499 per month. Cochrane is skeptical that humanoids solve a real problem for the average household. However, he sees genuine potential for elderly and disabled users. Additionally, he flags privacy and data collection concerns about robots that have to perceive everything in your home. Tesla Semi Rolls Off the High-Volume Line Tesla rolled the first Semi off its 1.7 million square foot factory adjacent to Gigafactory Nevada on April 29. The Long Range version delivers 500 miles at $290,000, while the Standard Range hits 325 miles at $260,000. Additionally, the Long Range supports the 1.2 megawatt Megacharger that restores 60 percent of range in about 30 minutes. The factory targets 50,000 trucks per year, though analysts project 5,000 to 15,000 deliveries in 2026. 
Cochrane opens with a recent personal experience. He saw a semi truck on the freeway with the entire cabin removed from the engine, an unusual failure mode he had never seen before. Furthermore, he questions the actual environmental benefit of electric trucking given grid sourcing and battery mineral concerns. The reveal was 2017, and high-volume production is now nine years after that announcement. Chinese EVs With Headlights That Project Movies Huawei’s XPixel headlight system can now project full-color movies up to 100 inches in front of the car. The technology debuted in full color on the Aito M9 and is rolling out across Stelato S9, Qijing GT7, and Luxeed V9 MPV. Additionally, the same hardware powers real safety features: adaptive driving beam, lane-change path projection, and pedestrian crossing direction signaling. Meanwhile, US regulations only approved adaptive driving beam in February 2022. Pixel-addressable projection systems are not covered by current FMVSS rules at all. Consequently, even if these cars sold in the US, the headlights would have to be downgraded to be street legal. The Final GPS III Satellite Reaches Orbit SpaceX launched GPS III SV-10, the tenth and final GPS III satellite, on a Falcon 9 from Cape Canaveral on April 21. GPS III delivers signals 3 times more accurate and 8 times more resistant to jamming than the previous constellation. It also adds the L1C signal, which interoperates with Galileo, BeiDou, IRNSS, and QZSS, plus M-code military encryption. Up next, GPS IIIF launches start in 2027 with up to 22 satellites deploying through about 2037. IIIF adds laser inter-satellite links and optical reflectors for centimeter-level satellite tracking. Cochrane loves this kind of quiet infrastructure win that powers global economics without anyone noticing it. Researcher Wins 1 Bitcoin for a Quantum Attack on Crypto Independent Italian researcher Giancarlo Lelli won Project Eleven’s 1 Bitcoin Q-Day Prize on April 24. 
He derived a 15-bit elliptic curve private key from its public key using a variant of Shor’s algorithm on rented cloud quantum hardware. Furthermore, the previous record was 6 bits, set in September 2025 on an IBM 133-qubit machine, so this extends the record by a factor of 512. However, Bitcoin uses 256-bit elliptic curve cryptography, so real wallets are not at risk yet. Additionally, other researchers have pushed back on the result. Their criticism: a 15-bit search space is only 32,767 possibilities, which a laptop can brute-force in milliseconds. Project Eleven defends the milestone as a stepping stone for demonstrating Shor’s algorithm running end-to-end on real quantum hardware. Gemini Now Generates Real Files Google rolled out file generation for the Gemini app. Users can now generate PDFs, Word docs, Excel spreadsheets, Google Workspace files, CSV, LaTeX, plain text, RTF, and Markdown directly from a chat prompt. Additionally, files can be downloaded to device or exported straight to Google Drive. The feature is globally available to all Gemini app users. Google Illuminate Turns Papers Into Podcasts Google Illuminate is the experimental Labs tool that converts academic papers into roughly five-minute two-voice podcast-style audio. Generation takes about 30 seconds, with a 20-per-day cap and a 30-day library. Additionally, transcripts are interactive and clickable for jumping to specific moments. Cochrane likes it as an index for triaging papers but pushes back on using it to replace deep reading. He argues that real technical material like clustering logic needs a real read, not a summary by AI podcasters. Cochrane closes with show housekeeping and a callout to Pocket Casts and True Fans as solid modern podcast apps. Have a great night, and happy June. The post GitHub, Goblins, Ghostty, and GPS III #1863 appeared first on Geek News Central.
A recent attack shone a light on some of the problems with GitHub Actions, and CI/CD more generally. As tempting as it might be, going back to shell scripts probably isn’t the answer. 1K+ cloud environments infected following Trivy supply chain attack 2.5 Admins 292: Trivyally Infected Support us on patreon and get an ad-free RSS feed with early episodes sometimes Subscribe to the RSS feed.
What if your engineering calculations secretly sabotaged your nation's best efforts? This week, we reveal how a newly uncovered 21-year-old NSA rootkit quietly corrupted scientific research in hostile states and why it changes everything you think you know about cyberwarfare. Bitwarden's CLI hit with a supply-chain attack. Commercial routers in Iran fail shortly before the war. Meta logging all employee activity to train replacement AI. GRC's DNS Benchmark Release 5. Two miscellaneous AI thoughts. A bunch of terrific listener feedback. Unraveling the diabolical history of "fast16.sys" Show Notes - https://www.grc.com/sn/SN-1076-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit Sponsors: doppel.com threatlocker.com/twit material.security cyberhoot.com/securitynow guardsquare.com
Ken and Mike are back in the AI trenches, this time unpacking the hype, fear, and practical security implications surrounding Anthropic's Mythos preview. As the industry reacts to claims around AI-driven vulnerability discovery and exploit generation, the hosts ask a more important question: are we actually ready to fix what we already know is broken? The conversation cuts through the zero-day panic and focuses on the fundamentals that still matter: patching, hardening, reducing attack surface, validating AI-generated code, and keeping deterministic security checks in place. From supply chain attacks and GitHub Actions misconfigurations to agentic development workflows and the future of CI/CD, Ken and Mike explore where AI may genuinely change the threat landscape and where security teams are still fighting the same old battles. If your organization is rushing to build faster with AI, this episode is a reminder to also use it to build better.
After 26 years, we return to our roots and reflect on why LinuxFest Northwest is still a special event. Sponsored By: Jupiter Party Annual Membership: Put your support on automatic with our annual plan, and get one month of membership for free! Managed Nebula: Meet Managed Nebula from Defined Networking. A decentralized VPN built on the open-source Nebula platform that we love. Support LINUX Unplugged. Links:
“Senior engineers benefit from AI a lot more than juniors.” DHH has done a 180-degree about-face, and Szymon adds: “juniors have it rough right now. I wouldn't want to be in their shoes.” Evolution or revolution, given that the creator of Shape Up says the book needs to be rewritten?
Your database is slow, your Sentry is screaming, and the backlog is full of “we'll fix it later.” What if an AI agent handled the boring but high-impact work while you slept and just opened a clean pull request for review the next morning? We're joined by Mike Coutermarsh, a software engineer who helped build GitHub Actions and later left GitHub for PlanetScale. We talk candidly about the trade-offs: walking away from big-company comfort, choosing impact over feeling like a cog, and learning to thrive in a flatter org where the best “process” is ownership. Mike shares how he leads the team responsible for everything users see at PlanetScale, from dashboards to APIs to CLIs, and why speeding up CI, reducing bugs, and protecting reliability can matter more than chasing the flashiest feature. Then we get practical about AI coding tools. Mike breaks down how Cursor, Claude Code, and MCP servers can connect production query patterns and Sentry errors to scoped “bot army” automations that propose fixes, optimize performance, and even keep error queues from becoming a garbage fire. We also dig into AI code review, responsibility (“if your name is on the commit, you own it”), and the uncomfortable question of whether code quality still matters when models can generate code fast. Along the way we touch token costs, local models, and why conventions like Rails can actually help AI work better. On the database side, Mike explains why PlanetScale started with MySQL via Vitess, how sharding changes operations like backups and restores, why Postgres demand forced a new product push, and what it could mean to bring Vitess-style scaling to Postgres. We wrap with a small but surprisingly powerful workflow upgrade: fast dictation using Spokenly and local speech-to-text. Subscribe, share this with a teammate who lives in dashboards and PRs, and leave a review with the one workflow you'd want an AI agent to automate next. Judoscale: Autoscaling that actually works. Take control of your cloud hosting. Honeybadger: Honeybadger is an application health monitoring tool built by developers for developers. Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
In this episode, we break down a real-world AI security incident involving OpenAI and a compromised third-party tool, Axios—and what it reveals about the growing risks of software supply chain attacks. We walk through exactly what happened: how a malicious package made its way into a GitHub Actions workflow, what systems were exposed, and why code-signing certificates became the focal point of the response. More importantly, we unpack what didn't happen—no user data breach, no system compromise—and why that distinction matters. This is a grounded look at modern security in an AI-powered development ecosystem, where even trusted dependencies can become attack vectors. Key topics: What a software supply chain attack actually is (and why it's increasing); How a compromised dependency impacted the macOS app-signing process; The role of code-signing certificates and why they're critical for trust; Why OpenAI rotated certificates and forced app updates; Lessons from the GitHub Actions misconfiguration (floating tags, release controls); What developers and companies can learn from this incident. We also explore the broader takeaway: as AI accelerates development speed and complexity, security practices need to evolve just as quickly—especially at the infrastructure and dependency level. If you build software, manage systems, or rely on AI tools, this episode offers a practical breakdown of a modern security incident—and how to think about risk in an increasingly interconnected stack.
“Only the edge cases now land on the human.” Łukasz cites a BCG report on the phenomenon of “brain fry” - fatigue from working with AI agents. Plot twist? The problem has its roots in the factory automation of the 1950s - Ironies of Automation and vigilance decrement, that is, the drop in vigilance caused by supervising. Context switching kills productivity, but maybe you're doing it wrong?
Hey y'all, Alex here, writing this from sunny London, at the first ever AI Engineer conference in Europe! What a show we have for you today! First, let me catch you up on what's important: Anthropic, this week announced a whopping $30B ARR up from 19B in Feb, while also telling us about Claude Mythos Preview their next gen HUGE model that they won't release to the public (yet?) that finds crazy vulnerabilities in existing code bases. Apparently OpenAI will follow up with a similar non-public model soon. The Meta Superintelligence Lab led by Alex Wang finally showed what they were working on, Muse Spark, the smaller of their upcoming models on a complete new infrastructure (MSL announcement, Simon Willison's deep dive on the 16 hidden tools). In other news: Z.AI released GLM 5.1 in OSS finally (HF weights), Seedance 2.0 finally available in US on Replicate, OpenAI testing out GPT-image-2 on LM Arena under codenames, HappyHorse from Alibaba takes the video crown, and Milla Jovovich (5th Element, Resident Evil) releases agentic memory plugin called MemPalace (Ben Sigman's transparent correction thread is worth reading). We had 5 guests today on the show, we kick off with @swyx the founder of AI Engineer and host of Latent Space. We then chatted with @petergostev from Arena (formerly LMArena) about Mythos and the compute wars, then Vincent Koc, the second most prolific contributor to OpenClaw, then our friends VB from OpenAI and Omar from DeepMind, both previously at HuggingFace. This is a busy busy show, and given the time-zones, I unfortunately don't have time for a full weekly writeup, but as always, I will share the raw notes and post the video (lightly edited).

AI Engineer - London

ThursdAI came a long way since the first AI Engineer conference, but many who read this don't know, that was my big break. 
Swyx invited me to cover the first AIE in San Francisco in 2023, and I remember, I was in an Uber to the airport, the driver asked me what I do, and I, for the first time said “I host a podcast”. I (and ThursdAI) owe a lot to Swyx, and AIE team, and it's been incredible to see how big they've grown and how many great speakers this event hosts! The term AI Engineer has drifted in those 3 years, but so has the term Software Engineer. Swyx predicted this nearly 3 years ago, what I don't think he predicted, is that all engineers are now AI Engineers, and this includes domains like Agents (OpenClaw), Context and Harness Engineering, Evals and Observability, Voice & Vision all of which are tracks in this conference. I was really surprised to see how many of the talks/speakers here are native to London (after all, Deepmind is from here, OAI, Anthropic, Meta have offices here) and the latest boom in agents, OpenClaw, Pi were all Europe based as well, and they joined the AI Engineer stage. Oh, and there's also a Giant Inflatable Claw at the entrance, yup, for pictures and vibes, and to show off how quickly the OpenClaw took over the mind-share.

Anthropic announces $30B ARR and Mythos, their next model, will not be released to the public.

The thing that everyone will tell you, is that Anthropic is on a roll, this is obviously connected to their upcoming IPO this year. We've been covering many issues on their part, but this week we saw them posting about a HUGE increase in ARR, from 19B in February to 30B in April, passing OpenAI at $25B. That last fact though, is kind of disproven because they report on ARR differently, OpenAI apparently only counts their cloud revenue from Microsoft per The Information. The growth is undeniable though, and so is the most unprecedented release announcement, Claude Mythos Preview, which was rumored for a bit and now was announced proper. 
With Project GlassWing, Anthropic has announced that this model is SO good at cyber security and finding bugs in code, that they cannot share it with the public, and through GlassWing they will share it with companies like Microsoft, Linux, CrowdStrike and a bunch of others, to harden their security. This is it folks, this is the first time, where a model was “announced” but deemed too risky to release. Now, is it truly “too risky”? Previously, folks thought that DALL-E is too risky, or cloning voice tech is too risky, and now it's everywhere. The capabilities catch up even in OpenSource. But the facts are, Anthropic says they've found a 27-year-old bug in OpenBSD (famously very secure), and that this model is very very good at connecting the dots between several, seemingly innocuous bugs, to string them together into one coherent exploit. This is, indeed scary. Just last week, one of the top security researchers in the world, Nicholas Carlini, now at Anthropic, gave a talk at Black Hat, showing off these results, and saying that these models since December and definitely recently have passed him as a security engineer. If you haven't seen this talk, watch it, then try to estimate if Anthropic did the right thing by only releasing this model to enterprises first. But on the show, Peter Gostev from Arena gave me a take on this that I haven't been able to shake. Peter pulled up his Compute Wars chart live on the show — and the picture is that OpenAI is way ahead of Anthropic on compute, with Anthropic only recently getting a noticeable bump (which lines up suspiciously well with Mythos being trainable in the first place). His read: “it sounds cooler to say it's too risky to release than ‘we can't serve it.'” The official partner pricing is $25 / $125 per million tokens — 5x Opus 4.6 — but if you don't have the GPUs to serve it broadly, the price doesn't matter. 
In the year of the IPO, the company that cannot serve a model says the model is too dangerous to serve. Make of that what you will. This also reframes the whole rate-limit drama with OpenClaw. Anthropic didn't ban OpenClaw — I want to be very clear about this because the discourse went sideways. What they did is they made it significantly more expensive for Max-tier subscribers to use Opus through OpenClaw, which pushed a lot of people over to GPT-5.4 via Codex. Same root cause: they're out of compute. The freshly announced Anthropic + Google TPU deal (Google already owns ~10% of Anthropic) is them trying to fix this — though as Peter noted, it's pretty wild that Google is propping up a direct competitor to their own DeepMind team. Same pattern as their original $2B Anthropic investment ending up propping AWS Bedrock against Google Cloud. Big Google contains multitudes.

Meta Superintelligence Labs ships Muse Spark — Llama is dead, long live Muse

Llama is dead, long live Muse. This week Meta finally showed what the very expensive Meta Superintelligence Labs under Alexandr Wang has been cooking, and the answer is Muse Spark — the smaller of their new model family, built on a fully rebuilt AI stack from scratch in just 9 months. Nine months is wild for that kind of overhaul, and the headline number people are quoting is that they reach Llama 4 Maverick capability with over 10x less compute. Spark is intentionally small and latency-optimized — it's not trying to be the biggest, it's trying to be the first step on Meta's new scaling ladder. But the benchmarks in certain areas are nuts: 86.4 on CharXiv Reasoning (beats Opus, Gemini, GPT-5.4), and the one that really got me — 42.8 on HealthBench Hard vs Opus at 14.8 and Gemini at 20.6. They trained it with data curated by over 1,000 physicians and it shows. They also shipped a Contemplating mode which is parallel multi-agent reasoning, hitting 58.4% on Humanity's Last Exam with tools. 
Coding is the acknowledged weak point (77.4 on SWE-Bench Verified vs Opus 80.8) but for v1 from a brand new stack, this is extremely respectable.

Meta is Back!

The real story isn't any single benchmark though, it's distribution. Spark is rolling out across meta.ai, WhatsApp, Instagram, Threads, Messenger, and Ray-Ban Meta glasses — billions of users. Meta went from open Llama to a closed consumer model and they're clearly playing a different game now (though Wang says future Muse versions might be open-sourced). The deep-dive that's really worth your time is Simon Willison's post where he poked at the meta.ai chat UI and got the model to spit out descriptions of 16 hidden tools behind the scenes — full Code Interpreter with persistent Python 3.9, a visual grounding tool that does pixel-precise object detection (bounding boxes, point coordinates, counting — it located 8 objects including individual whiskers and claws on a generated raccoon), sub-agent spawning, file editing, and semantic search across Instagram/Threads/Facebook posts. It's basically an entire agentic harness baked into the chat UI. Jack Wu from MSL confirmed the tools are part of a new harness built specifically for Spark's launch. Meta stock went up 7% on this. They are very much back in the frontier game.

Guest highlights

We had an unprecedented packed show with 5 guests (also this is the shortest show we've ever) Swyx kicked us off with vibes from the AI Engineer floor — harness engineering as the dominant theme (gains are coming from the harness, not the weights), the rise of skills (English-as-programming-language) absorbing more of that harness work, and his thesis that supply-chain attacks like the recent light LLM and Axios incidents mean you should basically vendor everything — pip fork instead of pip install. 
We also chatted about how MCP has gone from “the most exciting protocol” to “settled and stable, therefore less interesting,” which is a great problem to have. Peter Gostev from Arena (you saw a lot of him in the Mythos section above) also dropped a bonus on us: Arena just released 3 years of historical leaderboard data and actual prompt datasets on Hugging Face. He used to literally scrape the arena website by hand into Google sheets to make those overtime leaderboards we all loved — now it's all public. Also: he confirmed that Seedance 2.0 jumped ~80 ELO points above the next video model on Arena, which is unprecedented — video models normally cluster within 10 points of each other. Vincent Koc — the #2 OpenClaw maintainer after Peter Steinberger — joined us fresh off the OpenClaw track stage. The OpenClaw codebase is now ~1.5 million lines of code including unreleased iOS and Android native apps. GitHub literally caps the issue/PR counter at “5K+” and they hit the ceiling. We talked about OpenClaw 2026.4.5 which ships /dreaming GA (Light/Deep/REM phases that defrag agent memory and write a human-readable Dream Diary to DREAMS.md), built-in video and music generation across 4 backends, GPT-5.4 as the new default, prompt-cache reuse improvements, and Control UI + docs in 12 new languages. Vincent's framing of dreaming was beautiful — “how do you explain agent memory to a mom? You call it dreaming.” He also gave my favorite line of the show on the GPT-5.4 personality problem: incredible at coding, but soulless. (For what it's worth, I came home after watching Project Hail Mary, cloned the Rocky voice, dropped it into my OpenClaw, and it was magical. That's the kind of thing you can only do when the harness and the model are decoupled.) VB from OpenAI told us Codex just hit 3 million weekly active users — up from 2 million last month. 
We talked plugins (the Stripe / Supabase / shadcn ones that ship as packages), sub-agents (yes, one is named Jason), and Guardian Approvals — an experimental mode that classifies each tool call by risk and only escalates the dangerous ones to you, so you don't have to YOLO-mode everything. The story that stuck with me though is his 9 AM Codex automation: every morning it reads his Slack mentions, cross-references Gmail and Calendar, and creates 5-minute pre-brief calendar events for upcoming meetings. None of that is “coding.” That's the super-app future hiding inside a “developer tool.” I'm stealing this workflow. Omar Sanseviero from Google DeepMind came on to celebrate Gemma 4 crossing 10M+ downloads with 1,000+ Gemma-4-based fine-tunes already on HF (and Gemma family total is now over 500M downloads). Gemma 4 is also the foundation for the next generation of Gemini Nano on Pixel/Samsung devices. llama.cpp vision capability fixes are landing. Gemma 4 is also live on W&B Inference if you want to play. Wolfram (whose entire household runs on Pixel + Google AI Studio, including his 70-year-old mother on voice unlock) was in heaven.

This Week's Buzz

A short but spicy week from Weights & Biases:
* W&B Automations are LIVE. You can now wire event triggers from your training runs (completion, eval thresholds, drift) into notifications, GitHub Actions, deployments, infra shutdowns — closing the loop from experiment to production. Pairs really well with the iOS app we recently shipped, so you can get a ping on your phone the moment something interesting happens on a run.
* GLM 5.1 is live on W&B Inference (alongside Gemma 4 from last week) — the team is moving fast to host the best open models the moment they drop.
* Wolfram published a deep dive on “more reasoning is not always better” on the W&B blog — the research behind his finding that giving models more thinking tokens can actually make them dumber on certain tasks. 
It's the in-depth version of what we discussed on the show last week, with all the data. Go read it on wandb.com. Also: shout out to everyone who came up to me at AI Engineer and said hi. The Wolf Bench mentions in particular made my day. If you're listening to this and you're at AIE — come find us, we'll be around tomorrow too. That's it for this week — newsletter is short because the show was long and London is calling. As always, thanks for reading and listening
What if the tools protecting your organization were the ones compromising it? In this episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellem — joined by IT Audit Labs team member Samuel Cala live in the St. Paul studio — unpack a wave of cybersecurity stories that all converge on one unsettling theme: trust is being exploited at every layer of the stack. From an Iranian-linked APT group targeting U.S. healthcare infrastructure, to a sophisticated GitHub Actions supply chain attack that backdoored an AI coding library used by thousands of developers — the crew breaks down exactly how threat actors are weaponizing the tools, platforms, and third-party services organizations depend on daily. They also dive into a disturbing revelation about AI-powered audit certifications: one company allegedly fabricated compliance evidence to hand out ISO 27001 and SOC 2 certifications at a fraction of the cost — raising serious questions about what those credentials are actually worth. In this episode:
At MVP Summit we dig into Agentic Workflows — write Markdown prompts that drive AI agents to run CI, open PRs, and automate cross‑repo tasks — and MAUI DevFlow, which lets agents interact with native UIs to click, screenshot and validate designs. Listen for practical takeaways on ditching brittle YAML/scripts and automating tedious maintenance and testing, plus the real caveats: security front‑matter, a compile/lock step and token costs. Music: Amethyst Seer - Citrine by Adventureface. Machine transcription available on http://mergeconflict.fm
On this episode, Andrew's buried in messy authentication work spread across legacy code, Chris recounts a frustrating GitHub Actions debugging session, and David explains the mental drain of working across both Vue 2 and Vue 3 in the same application. They talk about using workflow run triggers, scheduled builds, and GitHub's new Agentic Copilot workflows such as CI Doctor, Automatic Code Simplifier, and issue/PR management, while lamenting low-quality AI-generated PRs and paid AI code review tools. Andrew makes a special announcement about Blastoff Rails, they compare LazyVim, lazy.nvim, and Kickstart Neovim, we hear about Ruby 3.4.9 and its bug-fix release, and Marco Roth's Herb improvements for ERB tooling. Hit download now to hear more! Links: Judoscale - Remote Ruby listener gift; Upload-artifact v7.0.0 (GitHub); Download-artifact v8.0.0 (GitHub); GitHub Agentic Workflows; Bringing Code Review to Claude Code; Scott's Pizza Tours; Blastoff Rails - June 11-12, 2026, Albuquerque, New Mexico; Learn Enough Bridgetown to be Dangerous (Andrew's talk); lazy.nvim; LazyVim; kickstart.nvim; kickstart-modular.nvim; Tree-sitter; Herb; Marco Roth X (Herb). Honeybadger: Honeybadger is an application health monitoring tool built by developers for developers. Judoscale: Make your deployments bulletproof with autoscaling that just works. Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you. Chris Oliver X/Twitter, Andrew Mason X/Twitter, Jason Charnes X/Twitter
Bret is joined by the founders of Plakar - Julien Mangeard and Gilles Chehade - to nerd out over backup engineering. The kind where you're building your own file formats and cryptographic layers, not just wiring up cron jobs. We get into how Plakar deduplicates and encrypts at the source so your cloud provider never sees your keys. Also, their snapshot model has no chain dependencies, which means you can delete any backup without breaking the others. We had a fun hour of backup horror stories, ransomware pragmatism, where I'm lobbying hard for a Docker volume integration. Check out the video podcast version here: https://youtu.be/OPRK5osKQHI
In this episode, Jake and Michael dive into modern infrastructure security practices, sparked by an annual audit and the painful process of rotating AWS IAM tokens. That experience leads into a broader discussion on why long-lived credentials in GitHub Actions are risky, and how OIDC (OpenID Connect) enables a more secure, short-lived, role-based alternative. Show links: Scout Suite; OpenID Connect (OIDC); Laravel Forge; Laravel Horizon; Scramble; Claude; LoRA (Low-Rank Adaptation)
We test the knowledge of a candidate for a Senior DevOps engineer position live on air. In this episode: architectural patterns in AWS, the eternal Terraform versus CloudFormation debate, a deep dive into Kubernetes (Karpenter, scaling), and live troubleshooting of a broken Helm chart. WHAT THE EPISODE COVERS: • Architecture and clouds: How to choose between EKS and ECS/Fargate and set up secure backup storage in S3. • IaC wars: An honest comparison of Terraform and CloudFormation - where convenience ends and pain begins. • Kubernetes under the hood: We break down the Control Plane, how controllers work, and the nuances of upgrading on-prem clusters. • Live Debug: A real task of fixing a crashed pod (CrashLoopBackOff) - working with probes, ports, and Helm. • CI/CD strategies: Building the ideal pipeline with GitHub Actions and ArgoCD. GUEST: Maxim - DevOps engineer (5 years of DevOps experience, 10 years as a SysAdmin). Stack: AWS, Terraform, Kubernetes, Ansible, Monitoring. LINKS
Strategic Technology Consultation Services This episode of The Modern .NET Show is supported, in part, by RJJ Software's Strategic Technology Consultation Services. If you're an SME (Small to Medium Enterprise) leader wondering why your technology investments aren't delivering, or you're facing critical decisions about AI, modernization, or team productivity, let's talk. Show Notes "So it essentially is a build orchestration framework. So it doesn't replace the .NET CLI or MSBuild or whatever you're using today. It doesn't replace GitHub Actions or Azure pipelines. What it does is that it reduces the complexity of those things"— Mattias Karlsson Hey everyone, and welcome back to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. I'm your host Jamie Taylor, bringing you conversations with the brightest minds in the .NET ecosystem. Today, we're joined by Mattias Karlsson to talk about Cake (aka C# Make), the build orchestrator built entirely in .NET. "Like, you need to evaluate and see what works for you. Because, like, if you have an open source project and all you do is dotnet pack, then it might be too complicated."— Mattias Karlsson Along the way, we talked about what a build orchestrator is, why you might consider one (and when it might be too complex to have one), the recent single file application changes to .NET (i.e. `dotnet run file.cs`), and talk about why it's important to have multiple tools in your development toolbox. Before we jump in, a quick reminder: if The Modern .NET Show has become part of your learning journey, please consider supporting us through Patreon or Buy Me A Coffee. Every contribution helps us continue bringing you these in-depth conversations with industry experts. You'll find all the links in the show notes. 
Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-8/from-yaml-chaos-to-csharp-clarity-mattias-karlsson-on-cake-build/ Useful Links: Cake Build Mattias' links: Website LinkedIn Bluesky Mastodon Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in Touch: Via the contact page Joining the Discord Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast. Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show. Editing and post-production services for this episode were provided by MB Podcast Services.
AI is reshaping both sides of the cybersecurity battlefield — and fast. In this episode, we break down five stories that prove it: the first Chrome zero-day of 2026 (CVE-2026-2441), a near-perfect CVSS 9.9 in Microsoft's Semantic Kernel SDK (CVE-2026-26030), a supply chain attack on AI coding assistant Cline that silently installed autonomous agents on thousands of developer machines, the first-ever Android malware using Google's Gemini AI at runtime (PromptSpy), and a Russian-speaking threat actor who used commercial AI tools to breach over 600 FortiGate firewalls across 55 countries in just five weeks. Whether you're a developer, security professional, or just someone who uses a browser — this one's worth your time.
Container base images (like Official Docker Hub images) are often updated without new tag versions. I call this Silent Rebuilds. There's no way to know this happens without image digest-checking automation like Dependabot and Renovate with specific settings. Failure to keep up-to-date is a prime source of vulnerabilities that can lead to serious security breaches. Automate the updates! Check out the video podcast version here: https://youtu.be/z_ahbsSc4Fo
Topics covered in this episode:
* Better Python tests with inline-snapshot
* jolt Battery intelligence for your laptop
* Markdown code formatting with ruff
* act - run your GitHub actions locally
* Extras
* Joke

Watch on YouTube

About the show: Sponsored by us! Support our work through: Our courses at Talk Python Training, The Complete pytest Course, Patreon Supporters. Connect with the hosts: Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky); Brian: @brianokken@fosstodon.org / @brianokken.bsky.social; Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky). Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: Better Python tests with inline-snapshot
* Alex Hall, on Pydantic blog
* Great for testing complex data structures
* Allows you to write a test like this:

```python
from inline_snapshot import snapshot

def test_user_creation():
    user = create_user(id=123, name="test_user")
    assert user.dict() == snapshot({})
```

* Then run pytest --inline-snapshot=fix
* And the library updates the test source code to look like this:

```python
def test_user_creation():
    user = create_user(id=123, name="test_user")
    assert user.dict() == snapshot({
        "id": 123,
        "name": "test_user",
        "status": "active"
    })
```

* Now, when you run the code without “fix” the collected data is used for comparison
* Awesome to be able to visually inspect the test data right there in the test code. 
* Projects mentioned: inline-snapshot, pytest-examples, syrupy, dirty-equals, executing
Michael #2: jolt Battery intelligence for your laptop
* Support for both macOS and Linux
* Battery Status — Charge percentage, time remaining, health, and cycle count
* Power Monitoring — System power draw with CPU/GPU breakdown
* Process Tracking — Processes sorted by energy impact with color-coded severity
* Historical Graphs — Track battery and power trends over time
* Themes — 10+ built-in themes with dark/light auto-detection
* Background Daemon — Collect historical data even when the TUI isn't running
* Process Management — Kill energy-hungry processes directly
Brian #3: Markdown code formatting with ruff
* Suggested by Matthias Schoettle
* ruff can now format code within markdown files
* Will format valid Python code in code blocks marked with python, py, python3 or py3.
* Also recognizes pyi as Python type stub files.
* Includes the ability to turn off formatting with comment blocks.
* Requires preview mode:

    [tool.ruff.lint]
    preview = true

Michael #4: act - run your GitHub actions locally
* Run your GitHub Actions locally! Why would you want to do this? Two reasons:
* Fast Feedback - Rather than having to commit/push every time you want to test out the changes you are making to your .github/workflows/ files (or for any changes to embedded GitHub actions), you can use act to run the actions locally. The environment variables and filesystem are all configured to match what GitHub provides.
* Local Task Runner - I love make. However, I also hate repeating myself. With act, you can use the GitHub Actions defined in your .github/workflows/ to replace your Makefile!
* When you run act it reads in your GitHub Actions from .github/workflows/ and determines the set of actions that need to be run.
* Uses the Docker API to either pull or build the necessary images, as defined in your workflow files and finally determines the execution path based on the dependencies that were defined.
* Once it has the execution path, it then uses the Docker API to run containers for each action based on the images prepared earlier. The environment variables and filesystem are all configured to match what GitHub provides.
Extras
Michael:
* Winter is coming: Frozendict accepted
* Django ORM stand-alone
* Command Book app announcement post
Joke: Plug ‘n Paste
"It's prime time for runtime!" In this episode of the mnemonic security podcast, we're joined by Sergej Epp, Global CISO & Member of the Executive Team of Sysdig, to discuss threats at machine speed and runtime security. Sergej explains how runtime security enables organisations to understand what is really happening inside containers and serverless workloads, and why, without it, they are effectively blind to critical activity within their cloud-native environments. He shares recent examples of supply chain incidents that highlight these risks, including the GitHub Actions compromise, NPM attacks, and the two waves of Shai-Hulud. Robby and Sergej also discuss the most common ways that attackers get access to clusters and containers, and how organisations can stay ahead of attacks using real-time telemetry.
I'm joined by Nirmal Mehta of AWS and Viktor Farcic from Upbound, to go through our 2025 year in review. We look into the AI tools that consumed us this year, from CLI agents to terminal emulators, IDEs, AI browsers - what worked, what flopped, what's worth your time and money, and what we think isn't! Check out the video podcast version here: https://youtu.be/mnagfUsh5bc
This is a recap of the top 10 posts on Hacker News on February 06, 2026. This podcast was generated by wondercraft.ai
(00:30): I now assume that all ads on Apple news are scams
Original post: https://news.ycombinator.com/item?id=46911901&utm_source=wondercraft_ai
(01:59): The Waymo World Model
Original post: https://news.ycombinator.com/item?id=46914785&utm_source=wondercraft_ai
(03:28): TikTok's 'addictive design' found to be illegal in Europe
Original post: https://news.ycombinator.com/item?id=46911869&utm_source=wondercraft_ai
(04:57): A new bill in New York would require disclaimers on AI-generated news content
Original post: https://news.ycombinator.com/item?id=46910963&utm_source=wondercraft_ai
(06:27): OpenCiv3: Open-source, cross-platform reimagining of Civilization III
Original post: https://news.ycombinator.com/item?id=46918612&utm_source=wondercraft_ai
(07:56): Hackers (1995) Animated Experience
Original post: https://news.ycombinator.com/item?id=46912800&utm_source=wondercraft_ai
(09:25): GitHub Actions is slowly killing engineering teams
Original post: https://news.ycombinator.com/item?id=46908491&utm_source=wondercraft_ai
(10:55): An Update on Heroku
Original post: https://news.ycombinator.com/item?id=46913903&utm_source=wondercraft_ai
(12:24): Microsoft open-sources LiteBox, a security-focused library OS
Original post: https://news.ycombinator.com/item?id=46913793&utm_source=wondercraft_ai
(13:53): Sheldon Brown's Bicycle Technical Info
Original post: https://news.ycombinator.com/item?id=46914159&utm_source=wondercraft_ai
This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai
I talk with David Flanagan, aka Rawkode, about his new opinionated Tech Matrix that helps you navigate the overwhelming CNCF landscape. https://rawkode.academy/technology/matrix
This episode opens with mic and Nintendo banter before plunging into macOS release pain points: sandboxing, hardened runtime, notarization, Sparkle auto‑updates, and automating releases with GitHub Actions and tags. James and Frank offer practical tips—drag builds into /Applications to test signing—and unpack .NET 10 trimming/reflection pitfalls and CI/CD quirks for anyone shipping native apps outside the App Store.
Follow Us
* Frank: Twitter, Blog, GitHub
* James: Twitter, Blog, GitHub
* Merge Conflict: Twitter, Facebook, Website, Chat on Discord
Music: Amethyst Seer - Citrine by Adventureface
⭐⭐ Review Us (https://itunes.apple.com/us/podcast/merge-conflict/id1133064277?mt=2&ls=1) ⭐⭐
Machine transcription available on http://mergeconflict.fm
This is a recap of the top 10 posts on Hacker News on January 14, 2026. This podcast was generated by wondercraft.ai
(00:30): FBI raids Washington Post reporter's home
Original post: https://news.ycombinator.com/item?id=46616745&utm_source=wondercraft_ai
(01:58): Claude Cowork exfiltrates files
Original post: https://news.ycombinator.com/item?id=46622328&utm_source=wondercraft_ai
(03:26): Ford F-150 Lightning outsold the Cybertruck and was then canceled for poor sales
Original post: https://news.ycombinator.com/item?id=46618901&utm_source=wondercraft_ai
(04:55): Ask HN: Share your personal website
Original post: https://news.ycombinator.com/item?id=46618714&utm_source=wondercraft_ai
(06:23): I hate GitHub Actions with passion
Original post: https://news.ycombinator.com/item?id=46614558&utm_source=wondercraft_ai
(07:52): SparkFun Officially Dropping AdaFruit due to CoC Violation
Original post: https://news.ycombinator.com/item?id=46616488&utm_source=wondercraft_ai
(09:20): 1000 Blank White Cards
Original post: https://news.ycombinator.com/item?id=46611823&utm_source=wondercraft_ai
(10:48): ASCII Clouds
Original post: https://news.ycombinator.com/item?id=46611507&utm_source=wondercraft_ai
(12:17): So, you've hit an age gate. What now?
Original post: https://news.ycombinator.com/item?id=46619030&utm_source=wondercraft_ai
(13:45): I'm leaving Redis for SolidQueue
Original post: https://news.ycombinator.com/item?id=46614037&utm_source=wondercraft_ai
This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai.
This is continual learning, right? Everyone has been talking about continual learning as the next challenge in AI. Actually, it's solved. Just tell it to keep some notes somewhere. Sure, it's not, it's not machine learning, but in some ways it is because when it will load this text file again, it will influence what it does … And it works so well: it's easy to understand. It's easy to inspect, it's easy to evolve and modify!
Eleanor Berger and Isaac Flaath, the minds behind Elite AI Assisted Coding, join Hugo to talk about how to redefine software development through effective AI-assisted coding, leveraging “specification-first” approaches and advanced agentic workflows.
We Discuss:
* Markdown learning loops: Use simple agents.md files for agents to self-update rules and persist context, creating inspectable, low-cost learning;
* Intent-first development: As AI commoditizes syntax, defining clear specs and what makes a result “good” becomes the core, durable developer skill;
* Effortless documentation: Leverage LLMs to distill messy “brain dumps” or walks-and-talks into structured project specifications, offloading context faster;
* Modular agent skills: Transition from MCP servers to simple markdown-based “skills” with YAML and scripts, allowing progressive disclosure of tool details;
* Scheduled async agents: Break the chat-based productivity ceiling by using GitHub Actions or Cron jobs for agents to work on issues, shifting humans to reviewers;
* Automated tech debt audits: Deploy background agents to identify duplicate code, architectural drift, or missing test coverage, leveraging AI to police AI-induced messiness;
* Explicit knowledge culture: AI agents eliminate “cafeteria chat” by forcing explicit, machine-readable documentation, solving the perennial problem of lost institutional knowledge;
* Tiered model strategy: Optimize token spend by using high-tier “reasoning” models (e.g., Opus) for planning and low-cost, high-speed models (e.g., Flash) for execution;
* Ephemeral software specs: With near-zero generation costs, software shifts from static products to dynamic, regenerated code based on a permanent, underlying specification.
You can also find the full episode on Spotify, Apple Podcasts, and YouTube.
You can also interact directly with the transcript here in NotebookLM: If you do so, let us know anything you find in the comments!
Speed isn't just a nice-to-have - it affects user experience, cloud costs, and how fast teams can move. In this episode, we chat with Saurabh Misra about making Python performance a continuous habit rather than a last-minute clean-up. He introduces Codeflash, a tool that profiles real code paths, explores optimisation options with LLMs, and only suggests changes that preserve behaviour and deliver measurable speedups. We delve into how this works, from tracing and line-level profiling to coverage-guided inputs and concolic testing. Saurabh shares real examples, including smarter NumPy usage, avoiding unnecessary global sorts, and using Numba to speed up numeric hotspots. We also talk about fitting performance checks into everyday workflows via the CLI, VS Code, and GitHub Actions. The big takeaway: performance doesn't have to slow teams down — with the right tooling, it can be part of shipping well from day one. Connect with Saurabh at https://www.linkedin.com/in/saurabh-misra/ and find out more about Codeflash via the website https://www.codeflash.ai/.
In the latest DOU News digest we talk about the state of the IT market in 2025, the rapid growth of the Ukrainian language in AI, and tax changes for FOPs (individual entrepreneurs). Also: new releases from Google and OpenAI, big investments in AI startups, the word of the year, and other topics from Ukrainian IT and the global tech sector.
Timecodes
00:00 Intro
00:23 Who feels better on the IT market in 2025
06:29 Ukrainian is the fastest-growing language in open-source AI
07:49 VAT for FOPs: what the Ministry of Finance proposes
11:15 How many users the new Nova Poshta app has
13:05 Direct to Cell from Kyivstar has become available for iPhone
13:56 GitHub Actions pricing changes
19:43 Google introduced Gemini 3 Flash
22:52 OpenAI launched ChatGPT Images
24:50 OpenAI is seeking up to $100 billion in funding
26:53 Vibe-coding startup Lovable raised $330 million
29:10 Word of the year 2025: slop
31:10 Google discontinues dark web alerts
32:58 Another strange decision by Russia
35:56 Starlink lost a satellite due to an anomaly
38:06 What Zhenya recommends this week:
Article: Cloudflare Radar Year Review
Book: "The Stormlight Archive", book 5, "Wind and Truth"
Series: "Andor"
Film: «Ти — космос»
Music album: Arcane S2 OST (honorable mention: «Поле каніфолі»)
Musical discovery: Клер (on vinyl)
This is a recap of the top 10 posts on Hacker News on December 08, 2025. This podcast was generated by wondercraft.ai
(00:30): The fuck off contact page
Original post: https://news.ycombinator.com/item?id=46189994&utm_source=wondercraft_ai
(01:52): GitHub Actions has a package manager, and it might be the worst
Original post: https://news.ycombinator.com/item?id=46189692&utm_source=wondercraft_ai
(03:14): Microsoft has a problem: lack of demand for its AI products
Original post: https://news.ycombinator.com/item?id=46194615&utm_source=wondercraft_ai
(04:37): IBM to acquire Confluent
Original post: https://news.ycombinator.com/item?id=46192130&utm_source=wondercraft_ai
(05:59): Icons in Menus Everywhere – Send Help
Original post: https://news.ycombinator.com/item?id=46196688&utm_source=wondercraft_ai
(07:21): Jepsen: NATS 2.12.1
Original post: https://news.ycombinator.com/item?id=46196105&utm_source=wondercraft_ai
(08:44): Microsoft increases Office 365 and Microsoft 365 license prices
Original post: https://news.ycombinator.com/item?id=46192186&utm_source=wondercraft_ai
(10:06): NVIDIA frenemy relation with OpenAI and Oracle
Original post: https://news.ycombinator.com/item?id=46196076&utm_source=wondercraft_ai
(11:28): Strong earthquake hits northern Japan, tsunami warning issued
Original post: https://news.ycombinator.com/item?id=46192846&utm_source=wondercraft_ai
(12:51): Paramount launches hostile bid for Warner Bros
Original post: https://news.ycombinator.com/item?id=46192459&utm_source=wondercraft_ai
This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai.
Andrew returns from SF Ruby with a lot more than conference swag! He brings a clear snapshot of where Ruby, Rails, and AI are headed right now. In this episode, he and Chris walk through the most impactful talks from SF Ruby, share highlights of engaging discussions with other developers and friends, reminisce about nostalgic tech items, and explore insightful conversations on the future of Rails, startup culture, AI's impact on programming, developer anxiety, and they share product ideas from Chris's new SaaS series on GoRails to Andrew's concept for a serious GitHub Actions monitoring tool. Hit download now to hear more!
Links
* GoRails Black Friday Sale
* Judoscale- Remote Ruby listener gift
* Action Cable Next
* SF Ruby 2025 Ruby Conference
* GitButler
* Waymo
* Simple File Upload
* Callback Hell
* Action Cable Next Ruby Was Ready From The Start by Obie Fernandez (Medium) Flux
* GoRails: Markdown MIME Type & Renderer
* SF Ruby Sponsors Chris Oliver X/Twitter Andrew Mason X/Twitter Jason Charnes X/Twitter
In this potluck episode, Wes and Scott answer your questions about paid vs. free SSL, the state of frontend jobs, headless WordPress trade-offs, organizing TypeScript types, and more!
Show Notes
* 00:00 Welcome to Syntax!
* 00:51 Recapping the GitHub Meetup
* 05:14 Is there any real benefit to picking a paid SSL over Let's Encrypt?
* 08:03 Is the pure frontend role disappearing?
* 11:17 Is the gravy train over for software devs?
* 20:48 How Scott automates versioning with GitHub Actions changesets Intro to using changesets zero-svelte graffiti
* 25:16 Brought to you by Sentry.io
* 25:41 Thoughts on VS Code alternatives and the rise of Zed
* 33:01 Should I switch to headless WordPress or continue rolling my own PHP templates?
* 37:33 How do you organize TypeScript types in a frontend project?
* 40:55 How do I continue to level up as a developer?
* 45:36 Stay in a comfortable job or embrace new challenges?
Hit us up on Socials!
* Syntax: X Instagram Tiktok LinkedIn Threads
* Wes: X Instagram Tiktok LinkedIn Threads
* Scott: X Instagram Tiktok LinkedIn Threads
* Randy: X Instagram YouTube Threads
Pull requests are a core part of collaboration, whether in open or closed source. GitHub has documented some of the security consequences of misconfiguring how PRs can trigger actions. But what happens when repo owners don't read the docs? Bar Kaduri and Roi Nisimi walk through their experience in reading docs, finding vulns, demonstrating exploits, and working with repo owners to improve their security. Their work highlights the challenges in maintaining good security guidance, figuring out secure defaults, and how so many orgs still struggle with triaging external security reports -- something that's becoming even more challenging when orgs are being flooded with low-quality reports from LLMs. Segment Resources: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/ https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-355
Hey everyone—it's Steve Edwards here, and in this episode of JavaScript Jabber, I'm joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top NPM maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them. Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for “phishing-resistant 2FA.” Whether you're an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe.
Fortra flags a critical flaw in its GoAnywhere Managed File Transfer (MFT) solution. Cisco patches a critical vulnerability in its IOS and IOS XE software. Cloudflare thwarts yet another record DDoS attack. Rhysida ransomware gang claims the Maryland Transit cyberattack. The new “Obscura” ransomware strain spreads via domain controllers. Retailers' use of generative AI expands attack surfaces. Researchers expose GitHub Actions misconfigurations with supply chain risk. Mandiant links the new BRICKSTORM backdoor to a China-based espionage campaign. Kansas students push back against an AI monitoring tool. Ben Yelin speaks with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, discussing women's health apps and the legal grey zone that they create with HIPAA. Senators push the FTC to regulate your brainwaves. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Ben Yelin, co-host of Caveat, is speaking with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, about women's health apps and the legal grey zone that they create with HIPAA. If you want to hear the full conversation, check it out on Caveat, here.
Selected Reading
* Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems (HackRead)
* Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability (Cisco)
* Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack (Bleeping Computer)
* Ransomware gang known for government attacks claims Maryland transit incident (The Record)
* Obscura, an obscure new ransomware variant (Bleeping Computer)
* Threat Labs Report: Retail 2025 (Netskope)
* pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks (Orca)
* China-linked hackers use ‘BRICKSTORM' backdoor to steal IP (The Record)
* AI safety tool sparks student backlash after flagging art as porn, deleting emails (The Washington Post)
* Senators introduce bill directing FTC to establish standards for protecting consumers' neural data (The Record)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices