Podcasts about NPM


Latest podcast episodes about NPM

Overtired
442: AI Agents and Political Chaos

Jan 27, 2026, 75:43


Join Christina Warren and Brett Terpstra as they navigate the freezing Minnesotan cold without running water, delve into the intersection of tech and political turmoil, and explore the latest in AI agents and multi-agent workflows. Dive into a whirlwind of emotions, tech tips, and political ranting, all while contemplating the ethics of open source funding and AI coding. From brutal weather updates to philosophical debates on modern fascism, this episode pulls no punches.

Sponsor

Copilot Money can help you take control of your finances. Get a fresh start with your money for 2026 with 2 months free when you visit try.copilot.money/overtired.

Show Links

  • Crimethinc: Being “Peaceful” and “Law-Abiding” Will Not Stop Authoritarianism
  • Gas Town
  • Apex
  • OpenCode
  • Backdrop
  • Cindori Sensei
  • Moltbot

Chapters

  • 00:00 Introduction and Host Updates
  • 00:21 Brett’s Water Crisis
  • 02:27 Political Climate and Media Suppression
  • 06:32 Police Violence and Public Response
  • 18:31 Social Media and Surveillance
  • 22:15 Sponsor Break: Copilot Money
  • 26:20 Tech Talk: Gas Town and AI Agents
  • 31:58 Crypto Controversies
  • 37:09 Ethics in Journalism and Personal Dilemmas
  • 39:45 The Future of Open Source and Cryptocurrency
  • 45:03 Apex 1.0?
  • 48:25 Challenges and Innovations in Markdown Processing
  • 01:02:16 AI in Coding and Personal Assistants
  • 01:06:36 GrAPPtitude
  • 01:14:40 Conclusion and Upcoming Plans

Join the Conversation

  • Merch
  • Come chat on Discord!
  • Twitter/ovrtrd
  • Instagram/ovrtrd
  • Youtube
  • Get the Newsletter

Thanks! You’re downloading today’s show from CacheFly’s network. BackBeat Media Podcast Network. Check out more episodes at overtiredpod.com and subscribe on Apple Podcasts, Spotify, or your favorite podcast app. Find Brett as @ttscoff, Christina as @film_girl, Jeff as @jsguntzel, and follow Overtired at @ovrtrd on Twitter.

Transcript

AI Agents and Political Chaos

Introduction and Host Updates

Christina: [00:00:00] Welcome back. You’re listening to Overtired. I’m Christina Warren. Joined as always by Brett Terpstra.
Jeff Severns Guntzel could not be with us this week, um, but uh, but Brett and I are here. So Brett, how are you? How’s the cold?

Brett: The cold.

Brett’s Water Crisis

Brett: So I’m going on day four without running water. Um, I drove to my parents’ last night to shower and we’re, we’re driving loads of dishes to friends’ house to wash them. We have big buckets of melted snow in our bathtub that we use to flush the toilet. Um, and we have like big jugs with a spout on them for drinking water. So we’re surviving, but it is highly inconvenient. Um, and we don’t know yet if it’s a frozen pipe. Or if we have [00:01:00] a bad pump on our well, uh, hopefully we’ll find that out today. But no guarantees because all the plumbers are very busy right now with negative 30 degree weather. They tend to get a lot of calls, lots of stuff happens. Um, so yeah, but I’m, I’m staying warm. I got a fireplace, I got my heat’s working.

Christina: I mean, that’s the important thing.

Brett: And that went out, that went out twice, in, twice already. This winter, our heat has gone out, um, which I’m thankful. We, we finally, we added glycol to our, so our heat pumps water through, like, it’s not radiators, it’s like baseboard heat, but it, it uses water and. Um, and though we were getting like frozen spots, not burst pipes, just enough that the water wouldn’t go through fast enough to heat anything. So we added glycol to that [00:02:00] system to bring the freeze point down to like zero degrees. So it’s not perfect, but we also hardwired the pump so that it always circulates water, um, even when the heat’s not running. So hopefully it’ll never freeze again. That’s the goal. Um, and if we replace the well pump, that should be good for another 20 years. So hopefully after this things will be smoother.

Political Climate and Media Suppression

Brett: Um, yeah, but that, that’s all in addition to, you know, my state being occupied by federal agents and even in my small town, we’ve got people being like, abducted. Things are escalating quickly at this point, and a lot of it doesn’t get talked about on mainstream media. Um, but yeah, things, I don’t know, man. I think we’re making progress because, um, apparently Binos [00:03:00] getting retired.

Christina: I was going to say, I, I, I, I heard, I heard that, and I don’t know if that’s good or if that’s bad. Um, I can’t, I can’t tell.

Brett: It’s, it’s like, it’s like if Trump died, we wouldn’t know if that was good or bad because JD Vance as president, like maybe things get way worse. Who knows? Uh, none of these, none of these actual figureheads are the solution. Removing them isn’t the solution to removing the kinda MAGA philosophy behind it. But yeah, and that’s also Jeff is, you know, highly involved and I, I won’t, I won’t talk about that for him. I hope we can get him on soon to talk about that.

Christina: No, me, me, me too. Because I’ve, I’ve been thinking about, about him and about you and about your whole area, your communities, you know, from several thousand miles away. Like all, all we, all we see is either what people post online, which of course now is being suppressed. [00:04:00] Uh, thanks a lot. You know, like, like the, oh, TikTok was gonna be so terrible. Chi the, the Chinese are gonna take over our, uh, our algorithms. Right? No, Larry Ellison is, is actually going to completely, you know, fuck up the algorithms, um, and, and suppress anything. I, yeah. Yeah. They’re, they’re

Brett: Is TikTok? Well, ’cause Victor was telling me that, they were seeing videos. Uh, you would see one frame of the video and then it would black out. And it all seemed to be videos that were negative towards the administration and we weren’t sure. Is this a glitch? Is this coincidence?

Christina: Well, they claim it’s a glitch, but I don’t believe it.

Brett: Yeah, it seems, it seems

Christina: I, I mean, I mean, I mean, the thing is like, maybe it is, maybe it is a glitch and we’re overreacting. I don’t know. Um, all I know is that they’ve given us absolutely zero reason to trust them, and so I don’t, and so, um, uh, apparently the, the state of California, this is, [00:05:00] so we are recording this on Tuesday morning. Apparently the state of California has said that they are going to look into whether things are being, you know, suppressed or not, and if that’s violating California law, um, because now that, that, that TikTok is, is controlled by an American entity, um, even if it is, you know, owned by like a, you know, uh, evil, uh, billionaire, you know, uh, crony sto fuck you, Larry Ellison. Um, uh, I guess that means we won’t be getting an Oracle sponsorship. Sorry. Um, uh,

Brett: Take it anyway.

Christina: I, I know you wouldn’t, I know you wouldn’t. That’s why I felt safe saying that. Um, but, uh, but even if, if, if that were the case, like I, you know, but apparently like now that it is like a, you know, kind of, you know, state based like US thing, like California could step in and potentially make things difficult for them. I mean, I think that’s probably a lot of bluster on Newsom’s part. I don’t think that he could really, honestly achieve any sort of change if they are doing things to the algorithm.

Brett: Yeah. Uh, [00:06:00] if, if laws even matter anymore, it would be something that got tied up in court for a long time.

Christina: Right. Which effectively wouldn’t matter. Right. And, and then that opens up a lot of other interesting, um, things about like, okay, well, you know, should we, like what, what is the role? Like even for algorithmically determined things of the government to even step in or whatever, right now, obviously does, I think, become like more of a speech issue if it’s government speech that’s being suppressed, but regardless, it, it is just, it’s bad. So I’ve been, I’ve been thinking about you, I’ve been thinking about Jeff.

Police Violence and Public Response

Christina: Um, you know, we all saw what happened over the weekend and, and, you know, people be, people are being murdered in the streets and I mean that, that, that’s what’s happening. And,

Brett: White people no less.

Christina: Right. Well, I mean, that’s the thing, right? Like, is that like, but, but, but they keep moving the bar. They, they keep moving the goalpost, right? So first it’s a white woman and, oh, she, she was, she was running over. The, the officer [00:07:00] or the ICE guy, and it’s like, no, she wasn’t, but, but, but that, that’s immediately where they go and, and she’s, you know, radical whatever and, and, and a terrorist and this and that. Okay. Then you have a literal Veterans Affairs nurse, right? Like somebody who literally, like, you know, has, has worked with, with, with combat veterans and has done those things. Who, um, is stepping in to help someone who’s being pepper sprayed, you know, is, is just observing. And because he happens to have, um, a, a, a, a gun on him legally, which he’s allowed to do, um, they immediately used that as cover to execute him. But if he hadn’t had the gun, they would’ve, they would’ve come up with something else. Oh, we thought he had a gun, and they, you know what I mean? So like, they, they got lucky with that one because they removed the method, the, the, the weapon and then shot him 10 times. You know, they literally executed him in the street. But if he hadn’t had a gun, they still would’ve executed.

Brett: Yeah, no, for sure. Um, it’s really frustrating that [00:08:00] they took the gun away.
So he was disarmed and, and immobilized and then they shot him. Um, like so that’s just a straight up execution. And then to bring, like, to say that it, he, because he had a gun, he was dangerous, is such a, an affront to America has spent so long fighting against gun control and saying that we had the right to carry fucking assault rifles in the

Christina: Kyle Rittenhouse. Kyle Rittenhouse was literally acquitted. Right?

Brett: Yeah. And he killed people.

Christina: And, and he killed people. He was literally walking around little fucking stogey, you know, little blubbering little bitch, like, you know, crying, you know, he’s like carrying around like Rambo a gun and literally snipe shooting people. That’s okay.

Brett: They defended

Christina: If you have a. They defended him. Of course they did. Right? Of course they did. Oh, well he has the right to carry and this and that, and Oh, you should be able to be armed in [00:09:00] these places. Oh, no, but, but if you’re, um, somebody that we don’t like

Brett: Yeah,

Christina: and you have a concealed carry permit, and I don’t even know if he was really concealed. Right. Because I think that if you have it on your holster, I don’t even think that counts as concealed to

Brett: was supposedly in

Christina: I, I, I don’t, I don’t, I don’t.

Brett: like it

Christina: Which I don’t think counts as concealed. I think.

Brett: No.

Christina: Right, right. So, so, so, so, so that, that, that wouldn’t be concealed. Be because you have someone in, in that situation, then all of a sudden, oh, no. Now, now the, the key, the goalpost, okay, well, it’s fine if it’s, you know, uh, police we don’t like, or, or other people. And, and, and if you’re going after protesters, then you can shoot and kill whoever you want, um, because you’ve perceived a threat and you can take actions into your, to your own hands. Um, but now if you are even a white person, um, even, you know, someone who’s, who’s worked in Veterans Affairs, whatever, if, if you have, uh, even if you’re like a, a, a, you know, a, a gun owner and, and have permits, um, now [00:10:00] if we don’t like you and you are anywhere in the vicinity of anybody associated with law enforcement, now they have the right to shoot you dead. Like that’s, that’s, that’s the argument, which is insanity.

Brett: So I’m, I’m just gonna point out that as the Third Reich came to power, they disarmed the Jews and they disarmed the anarchists and the socialists and they armed the rest of the population and it became, um, gun control for people they didn’t like. Um, and this is, it’s just straight up the same playbook. There’s no, there’s no differentiation anymore.

Christina: No, it, it, it actively makes me angry that, um, I, I could be, because, ’cause what can we do? And, and what they’re counting on is the fact that we’re all tired and we’re all kind of, you know, like just, [00:11:00] you know, from, from what happened, you know, six years ago and, and, and what happened, you know, five years ago. Um, and, and, and various things. I think a lot of people are, are just. It kind of like

Brett: Sure.

Christina: done with, with, with being able to, to, to, right. But now the actual fascism is here, right? Like, like we, we, we saw a, a, you know, a whiff of this on, on, on January 6th, but now it’s actual fascism and they control every branch of government.

Brett: Yeah.

Christina: And, um, and, and, and I, and I don’t know what we’re supposed to do, right? Like, I mean it, because I mean, you know, uh, Philadelphia is, is, is begging for, for, for them to come. And I think that would be an interesting kind of standoff. Seattle is this, this is what a friend of mine said was like, you know, you know Philadelphia, Filch Philadelphia is begging them to come. Seattle is like scared. Um, that, that they’re going to come, um, because honestly, like we’re a bunch of little bitch babies and, um, [00:12:00] people think they’re like, oh, you know the WTO. I’m like, yeah, that was, that was 27 years ago. Um, uh, I, I don’t think that Seattle has the juice to hold that sort of line again. Um, but I also don’t wanna find out, right? Like, but, but, but this is, this is the attack thing. It’s like, okay, why are they in Minnesota? Right? They’re what, like 130,000, um,

Brett: exactly

Christina: um, immigrants in, in Minnesota. There are, there are however many million in Texas, however many million in Florida. We know exactly why, right? This isn’t about. Anything more than

Brett: in any way.

Christina: and opt. Right, right. It has nothing, it has nothing to do with, with, with immigration anyway. I mean, even, even the Wall Street Journal. The Wall Street Journal who a, you know, ran an op-ed basically saying get out of Minnesota. They also, they also had like a, you know, a news story, which was not from the opinion board, which like broke down the, the, the footage showing, you know, that like the, the video footage doesn’t match the administration’s claims, but they also ran a story. Um, that [00:13:00] basically did the math, I guess, on like the number of, of criminals, um, or people with criminal records who have been deported. And at this point, like in, you know, and, and when things started out, like, I guess when the raid started out, the, the majority of the people that they were kind of going after were people who had criminal records. Now, whether they were really violent, the worst, the worst, I mean that’s, I’m, I’m not gonna get into that, but you could at least say like, they, they could at least say, oh, well these were people who had criminal records, whatever. Now some, some huge percentage, I think it’s close to 80% don’t have anything. And many of the people that do the, the criminal like thing that they would hold would be, you know, some sort of visa violation. Right. So it’s, it’s, it’s

Brett: They deported a five-year-old kid after using him as bait to try to get the rest of his family.

Christina: As bait.

Brett: Yeah. And like it’s, it’s pretty deplorable. But I will say I am proud of Minnesota. Um, they have not backed [00:14:00] down. They have stood up in the face of increasing increasingly escalated attacks, and they have shown up in force thousands of people out in the streets. Like Conti, like last night they had a, um, well, yeah, I mean, it’s been ongoing, but, uh, what’s his name? Pretti, Alex. Um, at the place where he was shot, they had a, like continuing kind of memorial protest, I guess, and there’s footage of like a thousand, a thousand Minnesotans surrounding about 50, um, ICE agents and. Like basically corralling them to the point where they were all backed into a corner and weren’t moving. And I don’t know what happened after that. Um, but thus far it hasn’t been violent on the part of protesters. It’s been very violent on the part of ICE. I [00:15:00] personally, I don’t know where I stand on, like, I feel like the Democrats are urging pacifism because it affects their hold on power. And I don’t necessarily think that peace when they’re murdering us in the street. I don’t know if peace is the right response, but I don’t know. I’m not openly declaring that I support violence at this point, but. At the same time, do I not? I’m not sure. Like I keep going back and forth on is it time for a war or do we try to vote our way out of this?

Christina: I mean, well, and the scary thing about voting our way out of this is will we even be able to have free elections, right? Be because they’re using any sort of anything, even the most benign sort of legal [00:16:00] protest, even if violence isn’t involved in all of a sudden, talks of the Insurrection Act come

Brett: Yeah.
And Trump, Trump offered to pull out of Minnesota if Minnesota will turn over its voter database to the federal government. Like that’s just blatant, like that’s obviously the end goal is suppression.

Christina: Right, right. And, and so to your point, I don’t know. Right. And I’m, I’m never somebody who would wanna advocate outwardly for violence, but I, I, I, I, I don’t know. I mean, they’re killing citizens in the streets. They’re assassinating people in cold blood. They’re executing people, right. That’s what they’re doing. They’re literally executing people in the streets and then covering it up in real time.

Brett: If the argument is, if we are violent, it will cause them to kill us. They’re already killing

Christina: already doing it. Right. So at, at this point, I mean, like, you know, I mean, like, w to your point, wars have been started for, for, for less, or for the exact same things.

Brett: [00:17:00] Yeah.

Christina: So, I don’t know. I don’t know. Um, I know that that’s a depressing way to probably do mental health corner and whatnot, but this is what’s happening in our world right now and in and in your community, and it’s, it’s terrifying.

Brett: I’m going to link in the show notes an article from CrimethInc that was written by, uh, people in Germany who have studied, um, both historical fascism and the current rise of the AfD, which will soon be the most powerful party in Germany, um, which is straight up a Nazi party. Um, and it, they offered, like their hope right now lies in America stopping fascism.

Christina: Yeah.

Brett: Like if we can, if we can stop fascism, then they believe the rest of Europe can stop fascism. Um, but like they, it, it’s a good article. It kind of, it kind of broaches the same questions I do about like, is it [00:18:00] time for violence? And they offer, like, we don’t, we’re not advocating for a civil war, but like civil wars might. If you, if you, if you broach them as revolutions, it’s kind of, they’re kind of the same thing in cases like this. So anyway, I’ll, I’ll link that for anyone who wants to read kinda what’s going on in my head. I’m making a note to dig that up. I, uh, I love CrimethInc. Oh and Bluesky.

Social Media and Surveillance

Brett: Um, so I have not, up until very recently been an avid Bluesky user. Um, I think I have like, I think I have maybe like 200 followers there and I follow like 50 people. But I’ve been expanding that and I am getting a ton of my news from Bluesky and like to get stories from people on the ground, like news as it happens, unfiltered and Bluesky has been [00:19:00] really good for that. Um, I, it’s. There’s not like an algorithm. I just get my stuff and like Mastodon, I have a much larger following and I follow a lot more people, but it’s very tech,

Christina: It’s very tech and,

Brett: there for.

Christina: Well, and, and Mastodon, um, understandably too is also European, um, in a lot of regards. And so it’s just, it’s not. Gonna have the same amount of, of people who are gonna be able to, at least for instances like this, like be on the ground and doing real-time stuff. It’s not, it doesn’t have like the more normy stuff. So, no, that makes sense. Um, no, that’s great. I think, yeah, Bluesky’s been been really good for, for these sorts of real-time events because again, they don’t have an algorithm. Like you can have one, like for a personalized kind of like for you feed or whatever, but in terms of what you see, you know, you see it naturally. You’re not seeing it being adjusted by anything, which can be good and bad. I, I think is good because nothing’s suppressing things and you see things in real time. It can be bad because sometimes you miss things, but I think on the whole, it’s better. [00:20:00] The only thing I will say, just to anyone listening and, and just to spread onto, you know, people in your communities too, from what I’ve observed from others, like, it does seem like the, the government and other sorts of, you know, uh, uh, the, you know, bodies like that are finally starting to pay more attention to Bluesky in terms of monitoring things. And so that’s not to say don’t. You know, use it at all. But the same way, you don’t make threats on Twitter if you don’t want the Feds to show up at your house. Don’t make threats on Bluesky, because it’s not just a little microcosm where, you know, no one will see it. People are, it, it’s still small, but it’s, it’s getting bigger to the point that like when people look at like where some of the, the, the fire hose, you know, things observable things are there, there seem to be more and more of them located in the Washington DC area, which could just be because data centers are there, who knows? But I’ve also just seen anecdotally, like people who have had, like other instances, it’s like, don’t, don’t think [00:21:00] that like, oh, okay, well, you know, no one’s monitoring this. Um, of course people are so just don’t be dumb, don’t, don’t say things that could potentially get you in trouble. Um.

Brett: A political candidate in Florida. Um, had the cops show up at her house and read her one of her Facebook posts. I mean, this was local. This was local cops, but still, yeah, you

Christina: Right. Well, yeah, that’s the thing, right? No, totally. And, and my, my only point with that is we’ve known that they do that for Facebook and for, for, you know, Twitter and, and, uh, you know, Instagram and things like that, but they, but Bluesky, like, I don’t know if it’s on background checks yet, but it, uh, like for, uh, for jobs and things like that, I, I, I don’t know if that’s happening, but it definitely is at that point where, um, I know that people are starting to monitor those things. So just, you know, uh, not even saying for you per se, but just for anybody out there, like, it’s awesome and I’m so glad that like, that’s where people can get information out, but don’t be like [00:22:00] lulled into this false sense of security. Like, oh, well they’re not gonna monitor this. They’re not

Brett: Nobody’s watching me here.

Christina: It is like, no, they are, they are. Um, so especially as it becomes, you know, more prominent. So I’m, I’m glad that that’s. That’s an option there too. Um, okay.

Sponsor Break: Copilot Money

Christina: This is like the worst possible segue ever, but should we go ahead and segue to our, our, our sponsor break?

Brett: Let’s do it. Let’s, let’s talk about capitalism.

Christina: All right. This episode is brought to you by Copilot Money. Copilot Money is not just another finance app. It’s your personal finance partner designed to help you feel clear, calm, and in control of your money. Whether it’s tracking your spending, saving for specific goals, or simply getting the handle on your investments. Copilot Money has you covered as we enter the new year. Clarity and control over our finances has never been more important with the recent shutdown of Mint and rising financial stress, for many consumers are looking for a modern, trustworthy tool to help navigate their financial journeys. That’s where Copilot Money comes in. [00:23:00] With this beautifully designed app, you can see all your bank accounts, spending, savings and goals and investments all in one place. Imagine easily tracking everything without the clutter of chaotic spreadsheets or outdated tools. It’s a practical way to start 2026 with a fresh financial outlook. And here’s the exciting part. As of December 15th, Copilot Money is now available on the web so you can manage your finances on any device that you choose.
Plus, it offers a seamless experience that keeps your data secure with a privacy first approach, when you sign up using our link, you’ll get two months for free. So visit try.copilot.money/overtired to get started with features like automatic subscription tracking so you never miss a renewal date and customizable savings goals to help you stay on track. Copilot Money empowers you to take charge of your financial life with confidence. So why wait? Start 2026 with clarity and purpose. Download Copilot Money on your devices or visit try.copilot.money/overtired [00:24:00] today to claim your two months free and embrace a more organized, stress-free approach to your finances. Try copilot.money/overtired.

Brett: Awesome that I appreciate this segue. ’cause we, we, we could, we could be talking about other things. Um, like it’s, it feels so weird, like when I go on social media and I just want to post that like my water’s out. It feels out of place right now because there’s everything that’s going on feels so much more important than,

Christina: Right.

Brett: than anything else. Um, but there’s still a place for living our lives, um,

Christina: There are a absolutely. I mean, and, and, and in a certain extent, like not to, I mean, maybe this is a little bit of a cope, but it’s like, if all we do is focus on the things that we can’t control at the expense of everything else, it’s like then they win. You know? Like, which, which isn’t, which, which isn’t even to [00:25:00] say, like, don’t talk about what’s happening. Don’t try to help, don’t try to speak out and, and, um, and do what we can do, but also. Like as individuals, there’s very little we can control about things. And being completely, you know, subsumed by that is, is not necessarily good either. Um, so yeah, there’s, there, there are other things going on and it’s important for us to get out of our heads. It’s important, especially for you, you know, being in the region, I think to be able to, to focus on other things and, and hopefully your water will be back soon. ’cause that sucks like that. I’ve been, I’ve been worried about you. I’m glad that you have heat. I’m glad you have internet. I’m glad you have power, but you know, the pipes being frozen and all that stuff is like, not

Brett: It, the, the internet has also been down for up to six hours at a time. I don’t know why. There’s like an amplifier down on our street. Um, and that has sucked because I, out here, I live in a, I’m not gonna call it rural. Uh, we’re like five minutes from town, [00:26:00] but, um, we, we don’t. We have shitty internet. Like I pay for a gigabit and I get 500 megabits and it’s, and it’s up and down all the time and I hate it. But anyway.

Tech Talk: Gas Town and AI Agents

Brett: Let’s talk about, uh, let’s talk about Gas Town. What can you tell me about Gastown?

Christina: Okay. So we’ve talked a lot about like AI agents and, um, kind of like, uh, coding, um, loops and, and things like that. And so Gastown, uh, which is available, um, at, I, it is not Gas Town. Let me find the URL, um, one second. It’s, it’s at a gas town. No, it’s not. Lemme find it. Um. Right. So this is a thing that, that Steve Yegge, uh, has created, and [00:27:00] it is a multi-agent workspace manager. And so the idea is basically that you can be running like a lot of instances of, um, of, of Claude Code or, um, I guess you could use Codex. You could use, uh, uh, uh, Copilot, um, SDK or CLI agent and whatnot. Um, and basically what it’s designed to do is to basically let you coordinate like multiple coding agents at one time so they can all be working on different tasks, but then instead of having, um, like the context get lost when agents restart, it creates like a, a persistent, um, like. Work state, which it uses with, with git on the backend, which is supposed to basically enable more multi-agent workflows. So, um, basically the idea would be like, you get, have multiple agents working at once, kind of talking to one another, handing things off, you know, each doing their own task and then coordinating the work with what the other ones are doing. But then you have like a persistent, um, uh, I guess kind of like, you know, layer in the backend so that if an agent has to restart or whatever, it’s not gonna lose the, [00:28:00] the context, um, that that’s happening. And you don’t have to manually, um, worry about things like, okay, you know, I’ve lost certain things in memory and, and I’ve, you know, don’t know how I’m, I’m managing all these things together. Um, there, there’s another project, uh, called Ralph, which is kind of based on this, this concept of like, what of Ralph Wiggum was, you know, coding or, or was doing kind of a loop. And, and it’s, it’s, it’s a, it’s kind of a similar idea. Um, there’s also.

Brett: My nose wouldn’t bleed so much if I just kept my finger out of there.

Christina: Exactly, exactly. My cat’s breath smells like cat food. Um, and um, and so. Like there are ideas of like Ralph Loops and Gastown. And so these are a couple of like projects, um, that have really started to, uh, take over. So like, uh, Ralph is more of an autonomous AI agent loop that basically like it runs like over and over and over again until, uh, a task is done. Um, and, and a lot of people use, use Gastown and, [00:29:00] and, and Ralph together. Um, but yeah, no Ga Gastown is is pretty cool. Um, we’ll we’re gonna talk about it more ’cause it’s my pick of the week. We’ll talk about Moltbot previously known as Clawdbot, which is, uses some, some similar ideas. But it’s really been interesting to see like how, like the, the multi-agent workflow, and by multi-agent, I mean like, people are running like 20 or 30 of them, you know, at a time. So it’s more than that, um, is really starting to become a thing that people can, uh, can do. Um,

Brett: Gets expensive though.
Christina: I was, I was just about to say that’s the one thing, right? Most people who are using things like Gastown. Are using them with the Claude, um, code Max plans, which is $200 a month. And those plans do give you more value than like, what the, what it would be if you spent $200 in API credits, uh, but $200 a month. Like that’s not an expensive, that’s, you know, that, that’s, that, that, like, you know what I mean? Like, like that, that, that, that, that, that’s a lot of money to spend on these sorts of things. Um, but people [00:30:00] are getting good results out of it. It’s pretty cool. Um. There have been some open models, which of course, most people don’t have equipment that would be fast enough for them to, to run, uh, to be able to kind of do what they would want, um, reliably. But the, the AgTech stuff coming to some of the open models is better. And so if these things can continue, of course now we’re in a ram crisis and storage crisis and everything else, so who knows when the hardware will get good enough again, and we can, when we as consumers can even reasonably get things ourselves. But, but in, in theory, you know, if, if these sorts of things continue, I could see like a, a world where like, you know, some of the WAN models and some of the other things, uh, potentially, um, or Quinn models rather, um, could, uh. Be things that you could conceivably, like be running on your own equipment to run these sorts of nonstop ag agentic loops. But yeah, right now, like it’s really freaking cool and I’ve played around with it because I’m fortunate enough to have access to a lot of tokens. [00:31:00] Um, but yeah, I can get expensive real, real fast. Uh, but, but it’s still, it’s still pretty awesome. Brett: I do appreciate that. 
So, Gas Town, the name is a reference to Mad Max and in the kind of, uh, vernacular that they built for things like background agents and I, uh, there’s a whole bunch, there are different levels of, of the interface that they kind of extrapolated on the Gas Town kind of metaphor for. Uh, I, it was, it, it, there were some interesting naming conventions and then they totally went in other directions with some of the names. It, they didn’t keep the theme very well, but, but still, uh, I appreciate Ralph Wiggum and Mad Max. That’s. It’s at the very least, it’s interesting.

Christina: No, it definitely is. It definitely is.

Crypto Controversies

Christina: I will say that there’s been like a little bit [00:32:00] of a kerfuffle, uh, involved in both of those, uh, developers because, um, they’re both now promoting shit coins and, uh, and so that’s sort of an interesting thing. Um, basically there’s like this, this, this crypto company called Bags that I guess apparently like if people want to, they will create crypto coins for popular open source projects, and then they will designate someone to, I guess get the, the gas fees, um, in, um, uh, a Solana parlance, uh, no pun intended, with the Gas Town, um, where basically like that’s, you know, like the, the, the fees that you spend to have the transaction work off of the blockchain, right? Like, especially if there’s. A lot of times that it would take, like, you pay a certain percentage of something and like those fees could be designated to an individual. And, um, in this case, like both of these guys were reached out to when basically they were like, Hey, this coin exists. You’ve got all this money just kind of sitting in a crypto wallet waiting for you. [00:33:00] Take the money, get, get the, the transaction fees, so to speak. And, uh, I mean, I think that, that, that’s, if you wanna take that money right, it’s, it’s there for you. I’m not gonna certainly judge anyone for that.
What I will judge you for is if you then promote your shit coin to your community and basically kind of encourage everyone to kind of buy into it. Maybe you put in the caveat, oh, this isn’t financial advice. Oh, this is all just for whatever. But, but you’re trying to do that and then you go one step beyond, which I think is actually pretty dumb, which is to be like, okay, well, ’cause like, here’s the thing, I’m not gonna judge anyone. If someone who’s like, Hey, here’s a wallet that we’re gonna give you, and it has real cash in it, and you can do whatever you want with it, and these are the transaction fees, so to speak, like, you know, the gas fees, whatever, you know what you do. You, even if you wanna let your audience know that you’ve done that, and maybe you’re promoting that, maybe some people will buy into it, like, people are adults. Fine. Where, where I do like side eye a little bit is if you are, then for whatever reason [00:34:00] going to be like, oh, I’m gonna take my fees and I’m gonna reinvest it in the coin. Like, okay, you are literally sitting on top of the pyramid, like you could not be in a better position and now you’re, but right. And now you’re literally like paying into the pyramid scheme. It’s like, this is not going to work well for you. These are rug pulls. Um, and so like the, the, the, the Gas Town coin like dropped like massively. The Ralph coin like dropped massively, like after the, the, the Ralph creator, I think he took out like 300 K or something and people, or, you know, sold like 300 K worth of coins. And people were like, oh, he’s pulling a rug pull. And I’m like, well, A, what did you expect? But B it’s like, this is why don’t, like, if someone’s gonna give you free money from something that’s, you know, kind of scammy, like, I’m not saying don’t take the money. I am saying maybe be smart enough to not to reinvest it into the scam.

Brett: Yeah.

Christina: Like, I don’t know.
Anyway, that’s the only thing I will mention on that. ’cause I don’t think that that takes [00:35:00] anything away from either of those projects or it says that you shouldn’t use or play around with either of those ideas at all. But that is just a thing that’s happened in the last couple of weeks too, where it’s like, oh, and now there’s like crypto, you know, the crypto people are trying to get kind of involved with these projects and, um, I, I think that that’s, uh, okay. You know, um, like I said, I’m, I’m not gonna judge anybody for taking free money that, that somebody is gonna offer them. I will judge you if you’re gonna try to then, you know, try to like, promote that to your audience and try to be like, oh, this is a great way where we, where you can help me and we can all get rich. It’s like, no, there are, if you really wanna support creators, like there are things like GitHub Sponsors and there are like other methods that you can, you can do that, that don’t involve making financial risks on shit coins.

Brett: I wish anything I made could be popular enough that I could do something that’s stupid. Yeah. Like [00:36:00] I, I, I, I’m not gonna pull a rug pull on anyone, but the chances that I’ll ever make $300,000 on anything I’m working on, it’s pretty slim.

Christina: Yeah, but at the same time, like if you, if you did, if you were in that position, like, I don’t know, I mean, I guess that’d be a thing that you would have to kind of figure out, um, yourself would be like, okay, I have access to this amount of money. Am I going to try to, you know, go all in and, and maybe go full grift to get even more? Some, something tells me that like your own personal ethics would probably preclude you from that.

Brett: I, um, I have spent, what, um, how old am I? 47. I, I’ve been, since I started blogging in like 1999, 2000, um, I have always adhered to a very strict code and like turning down sponsors.
I didn’t agree with [00:37:00] not doing anything that would be shady. Not taking, not, not taking money from anyone I was writing about.

Ethics in Journalism and Personal Dilemmas

Brett: Like, it’s been, it’s a pain in the ass to try to be truly ethical, but I feel like I’ve done it for 30 some years and, and I don’t know, I wouldn’t change it. I’m not rich. I’ll never be rich. But yeah, I think ethics are important, especially if you’re in any kind of journalism.

Christina: Yeah, if you’re in any sort of journalism. I think so, and I think like how people wanna define those things, I think it’s up to them. And, and like I said, like I’m not gonna even necessarily like, like judge people like for, because I, I don’t know personally like what my situation would be like. Like if somebody was like, Christina, here’s a wallet that has the equivalent of $300,000 in it and it’s just sitting here and we’re not even asking you to do anything with this. I would probably take the money. I’m not gonna lie, I don’t, I don’t, I don’t [00:38:00] know if I would promote it or anything and I maybe I would feel compelled to disclose, Hey,

Brett: That is

Christina: wallet belongs to me.

Brett: money though.

Christina: I, I, right. I, I, I might, I might be, I might feel compelled to com to, to disclose, Hey, someone created this coin in this thing. They created the foam grow coin and they are giving me, you know, the, the, the gas fees and I have accepted

Brett: could be, I’d feel like you could do it if you were transparent enough about it.

Christina: Yeah, I mean, I, I, I think where I draw the line is when you then go from like, because again, it’s fine if you wanna take it. It’s then when you are a. Reinvesting the free money into the coin, which I think is just idiotic. Like, I think that’s just actually dumb.
Um, like I just, I just do like, that just seems like you are literally, like I said, you’re at the top of the pyramid and you’re literally like volunteering to get into the bottom again. Um, and, or, or b like if you do that and then you try to rationalize in some way, oh, well, you know, I think [00:39:00] that this could be a great thing for everybody to, you know, I get rich, you know, you could get rich, we could all get money out of this because this is the future of, you know, creator economy or whatever. It’s like, no, it’s not. This is gambling. Um, and, and, and, and you could make the argument to me, and I’d probably be persuaded to be like, this isn’t that different from Polymarket or any of the other sorts of things. But you know what? I don’t do those things either. And I wouldn’t promote those things to any audience that I had either. Um, but if somebody wanted to give me free money. I probably wouldn’t turn it down. I’m not gonna pretend that my ethics are, are that strong. Uh, I just don’t know if I would, if I would, uh, go on the other end and be like, okay, to the moon, everyone let, let’s all go in on the crypto stuff. It’s like, okay,

The Future of Open Source and Cryptocurrency

Brett: So is this the future of open source is, ’cause I mean like open source has survived for decades as like a concept and it’s never been terribly profitable. But a [00:40:00] lot of large companies have invested in open source, and I guess at this point, like most of the big open source projects are either run by a corporation or by a foundation. Um, that are independently financed, but for a project like Gas Town, like is it the future? Is this, is this something people are gonna start doing to like, kind of make open source profitable?

Christina: I mean, maybe, I don’t know. I think the problem though is that it’s not necessarily predictable, right?
And, and not to say that like normal donations or, or support methods are predictable, but at least that could be a thing where you’re like, they’re not, but, but, but it’s not volatile to the extent where you’re like, okay, I’m basing, you know, like my income based on how well this shit coin that someone else controls the supply of someone else, you know, uh, uh, created someone else, you know, burned, so to speak, somebody else’s is going to be, uh, [00:41:00] controlling and, and has other things and could be responsible for, you know, big seismic like market movements like that I think is very different, um, than anything else. And so, I don’t know. I mean, I, I think that they, what I do expect that we’ll see more of is more and more popular projects, things that go viral, especially around AI. Probably being approached or people like proactively creating coins around those things. And there have been some, um, developers who’ve already, you know, stood up oddly and been like, if you see anybody trying to create a coin around this, it is not associated with me. I won’t be associated with any of it. I won’t do it. Right. Uh, and I think that becomes a problem where you’re like, okay, if these things do become popular, then that becomes like another risk if you don’t wanna be involved in it. If you’re involved with a, with a popular project, right? Like the, like the, like the creator of npm, Isaac, like, I think there’s like an npm coin now, and that, that he’s, you know, like involved in and it’s like, you know, again, he didn’t create it, but he is happy to promote it. He’s happy to take the money. I’m like, look, I’m happy for [00:42:00] Isaac to get money from npm. I am at the same time, you know, Bun, which is basically like, you know, the, you know, replacement for, for Node and npm in a lot of ways, they sold to Anthropic for, I guarantee you, a fuck load more money than whatever Isaac is gonna make off of some npm shitcoin.
So, so like, it, it’s all a lottery and it’s not sustainable. But I also feel like for a lot of open source projects, and this isn’t like me saying that the people shouldn’t get paid for the work, quite the contrary. But I think if you go into it with the expectation of I’m going to be able to make a sustainable living off of something, like when you start a project, I think that that is not necessarily going to set you up for, I think that those expectations are misaligned with what reality might be, which again, isn’t to say that you shouldn’t get paid for your work, it’s just that the reason that we give back and the reason we contribute open source is to try to be part of like the, the greater good and to make things more available to everyone. Not to be [00:43:00] like, oh, I can, you know, quit my job. Like, that would be wonderful. I, I wish that more and more people could do that. And I give to a lot of, um, open source projects on, on a monthly basis or on an annual basis. Um,

Brett: I, I give basically all the money that’s given to me for my open source projects I distribute among other open source projects. So it’s a, it’s a, it’s a wash for me, but yeah, I am, I, I pay, you know, five, 10 bucks a month to 20 different projects and yeah.

Christina: Yeah. I mean, I think it’s important, but, but I, I don’t know. I, I, I hope that it’s not the future. I’m not mad, I think like if that’s a way where people can make, you know, a, a, an income. But I do, I guess worry the sense that like, if, if, if, I don’t want that to be, the reason why somebody would start an open source project is because they’re like, oh, I, I can get rich on a crypto thing. Right? Like, ’cause that that’s the exact wrong

Brett: that’s not open source. That’s not the open source philosophy.

Christina: no, [00:44:00] it’s not. And, and so, I mean, but I think, I think if it already exists, I mean, I don’t know. I, I also feel like no one should feel obligated.
This should go without saying that. If you see a project that you like that is involved in one of those coins, you have zero obligation to be, uh, supportive of that in any way. And in fact, it is probably in your financial best interest to not be involved. Um, it, it is your life, your money, your, you do whatever you want, gamble, however you want. But, uh, I, I, I, I do, I guess I, I bristle a little bit. Like if people try to portray it like, oh, well this is how you can support me by like buying into this thing. I’m like, okay, that’s alright. Like, I, I, if you wanna, again, like I said, if you wanna play Polymarket with this, fine, but don’t, don’t try to wrap that around like, oh, well this is how you can give back. It’s like, no, you can give back in other ways. Like you can do direct donations, you can do other stuff. Like I would, I would much rather encourage people to be like, rather than putting a hundred dollars in Ralph Coin, [00:45:00] give a hundred dollars to the Ralph Guy directly.

Apex 1.0?

Brett: So, speaking of unprofitable open source, I have Apex almost to 1.0. Um, it officially handles, I think, all of the syntax that I had hoped it would handle. Um, it does like crazy things, uh, that it’s all built on CommonMark, GFM, uh, like cmark-gfm, GitHub’s project. Um, so it, it does all of that. Plus it handles stuff from like M mark with like indices. Indices, and it incorporates, uh. Uh, oh, I forget the name of it. Like two different ways of creating indices. It handles all kinds of bibliography syntax, like every known bibliography syntax. Um, I just added, you can, you can create insert tags with plus, plus, uh, the same way you would create a deletion with, uh, tilde tilde. Um, and [00:46:00] I’ve added a full plugin structure, and the plugins now can be project local. So you can have global plugins.
And then if you have specific settings, so like I have a, I, my blogs are all based on kramdown and like the Bunch documentation is based on kramdown, but then like the Marked documentation. And most of my writing is based on MultiMarkdown and they have different. Like the, for example, the IDs that go on headers in MultiMarkdown. If it’s, if it has a space in MultiMarkdown, it gets compressed to no space in CommonMark or GFM, it gets a dash instead of a space, which means if I have cross links, cross references in my document, if I don’t have the right header syntax, the cross reference will break. So now I can put a, a config into like my Bunch documentation that tells Apex to use, [00:47:00] um, the dash syntax. And in my Marked documentation, I can tell it to use the MultiMarkdown syntax. And then I can just run Apex with no command line arguments and everything works. And I don’t know, I, I haven’t gotten adoption for it. Like the one place I thought it could be really useful was DEVONthink,

Christina: Mm-hmm.

Brett: which has always been based on MultiMarkdown, which. Um, is I love MultiMarkdown and I love Fletcher and, um, it’s just, it’s missing a lot of what I would consider modern syntax.

Christina: Right.

Brett: so I, I offered it to DEVONthink, and it turned out they were working on their own project along the same lines at the same time. Um, but I’m hoping to find some, some apps that will incorporate it and maybe get it some traction. It’s solid, it’s fast, it’s not as fast as CommonMark, but it does twice as much. Um, like the [00:48:00] benchmarks, it a complex document renders in CommonMark in about. Uh, 27 milliseconds, and in Apex it’s more like 46 milliseconds. But in the grand scheme of things, I could render my whole blog 10 times faster than I can with kramdown or Pandoc and yeah, and, and I can use all the syntax I want.
Challenges and Innovations in Markdown Processing

Brett: Did I tell you about, did I tell you about, uh, Pandoc divs? The div extension, um, like you can in with the Pandoc div extension, you can put colon, colon, colon instead of like backtick, backtick, backtick. So normally, like backticks would create a code block with colons, it creates a div, and you can apply, you can apply inline attribute lists after the colons to make, to give it a class and an ID and any other attributes you wanna apply to it. I extended that so that you can do colon, [00:49:00] colon, colon, and then type a tag name. So if you type colon, colon, colon aside and then applied an attribute list to it, it would create an aside tag with those attributes. Um, the, the only Pandoc extension that I wish I could support that I don’t yet is grid tables. Have you ever seen grid tables?

Christina: I have not.

Brett: There, it’s, it’s kind of like MultiMarkdown table syntax, except you use like plus signs for joints and uh, pipes and dashes, and you actually draw out the table like old ASCII diagrams

Christina: Okay.

Brett: and that would render that into a valid HTML table. But that supporting that has just been, uh, tables. Tables are the thing. I’ve pulled the most hair out over.

Christina: Yeah, I was gonna say, I think I, they feel like tables are hard. I also feel like in a lot of circumstances, I mean obviously people use tables and whatnot, but like, [00:50:00] only thing I would say to you, like, you know, Apex is, is so cool and I hope that other projects adopt it. Um, and, uh, potentially with the Pandoc support as far as you’ve gotten with it, maybe, you know, projects that support some of Pandoc stuff could, could, you know, uh, jump into it. But I will say it does feel like. Once you go into like the Pandoc universe, like that almost feels like a separate thing from the Markdown flavors like that almost feels like its own like ecosystem. You know what I mean?
Brett: Well, yeah, and I haven’t tried to adopt everything Pandoc does because you can als, you can also use Pandoc. You can pipe from Apex into Pandoc or vice versa. So I’m not gonna try to like one for one replicate Pandoc,

Christina: No, no. Totally

Brett: do all of Pandoc export options because Pandoc can take HTML in and then output PDFs and DOCX and everything. So you can just pipe output from Apex into Pandoc to create your PDF or whatever

Christina: And like, and, and like to, [00:51:00] and like to me, like that seems ideal, right? But I feel like maybe like adopting some of the other things, especially like, like their grid, you know, table, things like that. Like that would be cool. But like, that feels like that’s a, potentially has the, has the potential, maybe slow down rendering and do other stuff which you don’t want. And then b it’s like, okay, now are we complicated to the point that like, this is, this is now not becoming like one Markdown processor to rule them all, but you

Brett: Yeah, the whole point, the whole point is to be able to just run Apex and not worry about what syntax you’re using. Um, but grid tables are the kind of thing that are so intentional that you’re not gonna accidentally use them. Like the, the, the, the impetus for Apex was all these support requests I get from people that are like the tilde syntax for underline or delete doesn’t work in Marked. And it, it does if you choose the right processor. But then you have to know, yeah, you have to [00:52:00] know what processor supports what syntax and that takes research and time and bringing stuff in from, say, Obsidian into Marked. You would just kind of expect things to work. And that’s, that’s why I built Apex and

Christina: right?

Brett: you are correct that grid tables are the kind of thing, no one’s going to use grid tables if they haven’t specifically researched what

Christina: I right.

Brett: they’re gonna work with.
Christina: And they’re going to have a way that has their file marked so that it is designated as Pandoc and then whatever, you know, flags for whatever Pandoc features it supports, um, does. Now I know that the whole point of Apex is you don’t have to worry about this, but, but I am assuming, based on kind of what you said, like if I pass like arguments like in like a, you know, in a config file or something like where I was like, these documents or, or, or this URL or these things are, you know, in this process or in this in another, then it can, it can just automatically apply those rules without having to infer based on the, on the syntax, right.

Brett: right. It has [00:53:00] modes for kramdown and CommonMark and GFM and Discount, and you can like tell it what mode you’re writing in and it will limit the feature set to just what that processor would handle. Um, and then all of the flags, all of the features have neg negotiable flags on them. So if you wanted to say. Skip, uh, relax table rendering. You could turn that off on the command line or in a config file. Um, so yeah, everything, everything, you can make it behave like any particular processor. Uh, but I focus mostly on the unified mode, which again, like you don’t have to think about which processor you are using.

Christina: Are you seeing, I guess like in, in circumstances like, ’cause I, in, in my, like, my experience, like, I would never think to, like, I would probably like, like to, I would probably do like what you do, which is like, I’m [00:54:00] going to use one syntax or, or one, you know, processor for one type of files and maybe another and another. Um, but I, I don’t think that like, I would ever have a, and maybe I’m misunderstanding this, but I don’t think I would ever have an instance where I would be like mixing the two together in the same file.
Brett: See, that’s my, so that’s, that’s what’s changing for me is I’m switching my blog over to use Apex instead of kramdown, which means I can now incorporate syntax that wasn’t available before. So moving forward, I am mixing, um, things from CommonMark, things from kramdown, things from MultiMarkdown. Um, and, and like, so once you know you have the option

Christina: right. Then you might do that

Brett: you have all the syntax available, you start doing it. And historically you won’t have, but like once you get used to it, then you can.

Christina: Okay. So here’s the next existential question for you. At what point then does it go from being, you know, like [00:55:00] a, a, a rendering engine, kind of like an omni rendering engine to being a syntax and a flavor in and of itself?

Brett: That is that, yeah, no, that’s a, that’s a very valid question and one that I have to keep asking myself, um, because I never, okay, so what to, to encapsulate what you’re saying, if you got used to writing for Apex and you were mixing your syntax, all of a sudden you have a document that can’t render in anything except Apex, which does eventually make it its own. Yeah, no, it is, it’s always, it’s a concern the whole time.

Christina: well, and I, I wouldn’t even necessarily, I mean, like, and I think it could be two things, right? I mean, like, you could have it live in two worlds where, like on the one hand it could be like the rendering engine to end all rendering engines and it can render, you know, files and any of them, and you can specify like whatever, like in, in, in like a tunnel or something. Like, you know, these files are, [00:56:00] are this format, these are these, and you know, maybe have some sort of, you know, um, something, even like a header files or whatever to be like, this is what this rendering engine is. Um, you know, with, with your projects to have it, uh, do that. Um.
Or have it infer, you know, based on, on, on, um, the, the logic that you’re importing. But it could also be one of those things where you’re like, okay, I just have created like, you know, the omni syntax. And that’s a thing that maybe, maybe you get people to try to encourage or try, try to adopt, right? Like, it’s like, okay, you can always just use CommonMark. You can always just use GFM, you can always just use MultiMarkdown, but we support these other things too, from these other, um, systems and you can intermix and match them. Um, because, because I, I do feel like at a certain point, like at least the way you’re running it yourself, you have your own syntax. Like, like, you know.

Brett: yeah. No, you have perfectly encapsulated the, the major [00:57:00] design concern. And I think you’re correct. It can exist, it can be both things at once. Um, but I have like, nobody needs another Markdown syntax. Like there are so many flavors right now. Okay. There may be a dozen. It’s not like an infinite number, but, but there’s enough that the confusion is real. Um, and we don’t need yet another Markdown flavor, but we do need a universal processor that. Makes the differentiations less, but yeah, no, it’s, I need, I need to nail down that philosophy, uh, and really like, put it into writing and say, this is the design goal of this project, uh, which I have like hinted at, but I’m a scattered thinker and like, part of, part of the design philosophy is if someone says, Hey, [00:58:00] could you make this work? I just wanted a project where I could say, yeah, I’m gonna make that work. I, I, I’m gonna add this somewhat esoteric syntax and it’s just gonna work and it’s not gonna affect anything else. And you don’t have to use it, but if you do, there it is. So it’s kind of, it was designed to bloat to a circuit certain extent.
Um, but yeah, I need to, I need to actually write a page That’s just the philosophy and really, really, uh, put, put all my thoughts together on that.

Christina: Yeah, no, ’cause I was just kind of thinking, I was like, ’cause it’s so cool. Um, but the way that I would’ve envisioned using it, like I, I still like, it’s cool that you can mix all those things in together. I still feel like I probably wouldn’t because I’m not you. And so then I would just have like this additional dependency that it’s like, okay, if something happens to Apex one day and that’s the only thing that can render my documents, then like, you know what I mean? And, and, and if it’s not getting updated [00:59:00] anymore or whatever, then I’m kind of like SOL, um,

Brett: Maku. Do you remember Maku?

Christina: vaguely.

Brett: It’s, the project is kind of dead and a lot of its syntax has been incorporated into various other processors. But if you built your whole blog on Maku, you have to, you have to be able to run like a 7-year-old binary, um, and, and it’ll never be updated, and eventually you’re gonna run into trouble. The nice thing about Unix based stuff is it’s. Has a, you can stop developing it and it’ll work for a decade, um, until, like, there’s a major shift in processors, but like, just the shift to ARM. Like if, if Maku was only ever compiled for, uh, for, uh, Intel and it wasn’t open source, you would, it would be gone. You wouldn’t be able to run it anymore. So yeah, these things can happen.

Christina: [01:00:00] Well, and I just even think about like, you know, the fact that like, you know, like some of the early processors, like I remember like back, I mean this is a million years ago, but having to use like certain, like Perl, you know, based things, you know, but depending on like whatever your backend system was, then you moved to PHP, they maybe you move, moved to, you know, Ruby, if you’re using like Jekyll and maybe you move to something else.
And I was like, okay, you know, what will the thing be in the future? Yeah. If, if I, if it’s open source and there’s a way that, you know, you can write a new, a new processor for that, but it does create like, dependencies on top of dependencies, which is why I, I kind of feel like I like having like the omni processor. I don’t know if, like, for me, I’m like, okay, I, I would probably be personally leery about intermingling all my different syntaxes together.

Brett: to that end though, that is why I wanted it in C um, because C will probably never die. C can be compiled on just about any platform. And it can be used with, like, if you have, if you have a Jekyll blog and you wanna [01:01:00] incorporate a C program into a gem, it’s no problem. Uh, you can incorporate it into just about any. Langu

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, January 13th, 2026: n8n got npm'ed; Gogs exploit; telegram proxy links

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Jan 13, 2026 5:45


n8n supply chain attack: Malicious npm packages were used to attempt to obtain user OAuth credentials for npm. https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem

Gogs 0-Day Exploited in the Wild: An at-the-time unpatched flaw in Gogs was exploited to compromise git repos. https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

Telegram Proxy Link Abuse: Telegram proxy links have been abused to deanonymize users. https://x.com/GangExposed_RU/status/2009961417781457129

Hallway Chats
Episode 181 – A Chat With Rob Ruiz

Hallway Chats

Play Episode Listen Later Jan 5, 2026 53:36


Introducing Rob Ruiz

Meet Rob Ruiz, a seasoned Senior Full Stack Developer with nearly two decades of expertise in WordPress innovation and open-source magic. As the Lead Maintainer of WP Rig since 2020, Rob has been the driving force behind this groundbreaking open-source framework that empowers developers to craft high-performance, accessible, and progressively enhanced WordPress themes with ease. WP Rig isn’t just a starter theme—it’s a turbocharged toolkit that bundles modern build processes, linting, optimization, and testing to deliver lightning-fast, standards-compliant sites that shine on any device.

Show Notes

For more on Rob and WP Rig, check out these links:
LinkedIn Profile: https://www.linkedin.com/in/robcruiz
WP Rig Official Site: https://wprig.io
GitHub Repository: https://github.com/wprig/wprig
Latest Releases: https://github.com/wprig/wprig/releases
WP Rig 3.1 Announcement: https://wprig.io/wp-rig-3-1/

Transcript:

Topher DeRosia: Hey everybody. Welcome to Hallway Chats. I’m your host Topher DeRosia, and with me today I have-

Rob Ruiz: Rob Ruiz.

Topher: Rob. You and I have talked a couple of times, once recently, and I learned about a project you’re working on, but not a whole lot about you. Where do you live? What do you do for a living?

Rob: Yeah, for sure. Good question. Although I’m originally from Orlando, Florida, I’ve been living in Omaha, Nebraska for a couple of decades now. So I’m pretty much a native. I know a lot of people around here and I’ve been fairly involved in various local communities over the years. I’m a web developer. Started off as a graphic designer kind of out of college, and then got interested in web stuff. And so as a graphic designer turned future web developer, I guess, I was very interested in content management systems because it made the creating and managing of websites very, very easy. My first couple of sites were Flash websites, sites with Macromedia Flash.
Then once I found content management systems, I was like, “Wow, this is way easier than coding the whole thing from scratch with Flash.” And then all the other obvious benefits that come from that. So I originally started with Joomla, interestingly enough, and used Joomla for about two or three years, then found WordPress and never looked back. And so I’ve been using WordPress ever since. As the years have gone on, WordPress has enabled me to slowly transition from a more kind of web designer, I guess, to a very full-blown web developer and software engineer, and even software architect to some degree. So here we are many years later.

Topher: There’s a big step from designer to developer. How did that go for you? I’m assuming you went to PHP. Although if you were doing Flash sites, you probably learned ActionScript.

Rob: Yeah. Yeah. That was very convenient when I started learning JavaScript. It made it very easy to learn JavaScript faster because I already had a familiarity with ActionScript. So there’s a lot of similarities there. But yeah. Even before I started doing PHP, I started learning more HTML and CSS. I did do a couple of static websites between there that were just like no content management system at all. So I was able to kind of sharpen my sword there with the CSS and HTML, which wasn’t particularly hard. But yeah, definitely, PHP… that was a big step, because it’s a proper logical programming language. There was a lot there I needed to unpack, and so it took me a while. I had to stick to it and really rinse and repeat before I finally got my feet under me.

Topher: I can imagine. All right. So then you work for yourself or you freelance or do you have a real job, as it were?

Rob: Currently, I do have a real job. Currently, I’m working at a company called Bold Orange out of Minneapolis. They’re a web agency. But I kind of bounce around from a lot of different jobs.
And then, yes, I do freelance on the side, and I also develop my own products as well for myself and my company.

Topher: Cool. Bold Orange sounds familiar. Who owns that?

Rob: To be honest, I don’t know who the owners are. It’s just a pretty big web agency out of Minneapolis. They are a big company. You could just look them up at boldorange.com. They work for some pretty big companies.

Topher: Cool. All right. You and I talked last about WP Rig. Give me a little background on where that came from and how you got it.

Rob: Yeah, for sure. Well, there was a period of time where I was working at a company called Proxibid that is in the auction industry, and they had a product or a service — I don’t know how you want to look at that — called Auction Services. That product is basically just building WordPress sites for auction companies. They tasked us with a way to kind of standardize those websites essentially. And what we realized is that picking a different theme for every single site made things difficult to manage and increased tech debt by a lot. So what we were tasked with was, okay, if we’re going to build our own theme that we’re just going to make highly dynamic so we can make it look different from site to site. So we want to build it, but we want to build it smart and we want to make it reusable and maintainable. So let’s find a good framework to build this on so that we can maintain coding standards and end up with as little tech debt as possible, essentially. That’s when I first discovered WP Rig. In my research, I came across it and others. We came across Roots Sage and some of the other big names, I guess. It was actually a team exercise. We all went out and looked for different ones and studied different ones and mine that I found was WP Rig. And I was extremely interested in that one over the other ones. Interestingly enough-

Topher: Can you tell me why over the other ones?

Rob: That’s a great question. Yeah. I really liked the design patterns.
I really liked the focus on WordPress coding standards. So having a system built in that checked all the code against WordPress coding standards was cool. I loved the compiling, transpiling, whatever, for CSS and JavaScript kind of built in. That sounded really, really interesting. The fact that there was PHP unit testing built into it. So there’s like a starter testing framework built in that’s easy to extend so that you can add additional unit tests as your theme grows. We really wanted to make sure… because we were very into CI/CD pipelines. So we wanted to make sure that as developers were adding or contributing to any themes that we built with this, that we could have automated tests run and automated builds run, and just automate as much as possible. So WP Rig just seemed like something that gave us those capabilities right out of the box. So that was a big thing. And I loved the way that they did it. Roots Sage does something similar, but they use the Blade templating engine built in there. We really wanted to stick to something that was a bit more standard WordPress so that there wasn’t like a large knowledge overhead, so that we didn’t have to say like, okay, if we’re bringing on other developers, like junior developers to work on it, oh, it would be nice if you use Laravel too because we use this templating engine in all of our themes. We didn’t want to have to worry about that essentially. It was all object-oriented and all that stuff too. That’s what looked interesting to me. We ended up building a theme with WP Rig. I don’t know what they ended up doing with it after that, because I ended up getting let go shortly thereafter because the company had recently been acquired. Also, this was right after COVID too. So there was just a lot of moving parts and changing things at the time. So I ended up getting let go. But literally a week after I got let go, I came across a post on WP Tavern about how this framework was looking for new maintainers.
Basically, this was a call put out by Morten, the original author of WP Rig. He reached out to WP Tavern and said, “Look, we’re not interested in maintaining this thing anymore, but it’s pretty cool. We like what we’ve built. And so we’re looking for other people to come in and adopt it essentially.” So I joined a Zoom meeting with a handful of other individuals that were also interested in this whole endeavor, and Morten reached out to me after the call and basically just said, “I looked you up. I liked some of the input that you had during the meeting. Let’s talk a little bit more.” And then that eventually led to conversations about me essentially taking the whole project over entirely. So, the branding, the hosting of the website, being lead maintainer on the project. Basically, gave me the keys to the kingdom in terms of GitHub and everything. So that’s how it ended up going in terms of the handoff between Morten and me. And I’m very grateful to him. They really created something super cool and I was honored to take it over and kind of, I don’t know, keep it going, I guess.

Topher: I would be really curious. I don’t think either of us have the answer. I’d be curious to know how similar that path is to other project handoffs. It’s different from like an acquisition. You didn’t buy a plugin from somebody. It was kind of like vibes, I guess.

Rob: It was like vibes. It was very vibey. I guess that’s probably the case in an open source situation. It’s very much an open source project. It’s a community-driven thing. It’s for everybody by everybody. I don’t know if all open source community projects roll like that, but that’s how this one worked out. There was some amount of ownership on Morten’s behalf. He did hire somebody to do the branding for WP Rig and the logo. And then obviously he was paying for stuff like the WPrig.io domain and the hosting through SiteGround and so on and so forth.
So, we did have to transfer some of that and I’ve taken over those, I guess, financial burdens, if you want to think of it like that. But I’m totally okay with it.

Topher: All right. You sort of mentioned some of the things Rig does, compiling and all that kind of stuff. Can you tell me… we didn’t discuss this before. I’m sitting at my desk and I think I want a website. How long does it take to go from that to looking at WordPress and logging into the admin with Rig?

Rob: Okay. Rig is not an environment management system like Local-

Topher: I’m realizing my mistake. Somebody sends me a design in Figma. How long does it take me to go from that to, I’m not going to say complete because I mean, that’s CSS, but you know, how long does it take me to get to the point where I’m looking at a theme that is mine for the client that I’m going to start converting?

Rob: Well, if you’re just looking for a starting point, if you’re just like, okay, how long does it take to get to like, okay, here’s my blank slate and I’m ready to start adopting all of these rules that are set up in Figma or whatever, I mean, you’re looking at maybe 5 minutes, 10 minutes, something like that. It’s pretty automated. You just need some simple knowledge of Git. And then there are some prerequisites to using WP Rig. You do have to have Composer installed because we do leverage some Composer packages for some of it, although to be honest, you could probably get away with not using Composer. You just have to be okay with sacrificing some of the tools that WP Rig assumes you’re going to have. And then obviously Node. You have to have Node installed. A lot of our documentation assumes that you have NPM, that you’re using NPM for all your Node or your package management. But we did recently introduce support for Bun. And so you can use Bun instead of NPM, which is actually a lot faster and better in many ways.

Topher: Okay.
A lot of my audience are not developers, users, or light developers, like they’ll download a theme, hack a template, whatever. Is this for them? Am I boring those people right now?

Rob: That’s a great question. I mean, and I think this is an interesting dichotomy and paradigm in the WordPress ecosystem, because you’ve got kind of this great divide. At least this is something I’ve noticed in my years in the WordPress community is you have many people that are not coders or developers that are very interested in expanding their knowledge of WordPress, but it’s strictly from more of a marketing perspective where it’s like, I just want to know how to build websites with WordPress and how to use it to achieve my goals online from a marketing standpoint. You have that group of people, and then you have this other group of people that are very developer centric that want to know how to extend WordPress and how to empower those other people that we just discussed. Right?

Topher: Right.

Rob: So, yeah, that’s a very good question. I would say that WP Rig is very much designed for the developers, not for the marketers. The assumption there is that you’re going to be doing some amount of coding. Now, can you get away with doing a very light amount of coding? Yes. Yes, you can. I mean, if you compare what you’re going to get out of that assumed workflow to something that you would get off like ThemeForest or whatever, it’s going to be a night and day difference because those ThemeForest themes have hours, hundreds, sometimes hundreds of hours of development put into them. So, you’re not going to just out of the box immediately get something that is comparable to that.

Topher: You need to put in those hundreds of hours of development to make a theme.

Rob: As of today, yes. That may change soon though.

Topher: Watch this space.

Rob: That’s all I’ll say.

Topher: Okay. So now we know who it’s for. I’m assuming there’s a website for it. What is it?

Rob: Yeah.
If you go to WPrig.io, we have a homepage that shows you all the features that are there in WP Rig. And then there’s a whole documentation area that helps people get up and running with WP Rig because there is a small learning curve there that’s pretty palatable for anybody who’s familiar with modern development workflows. So that is a thing. So the type of person that this is designed for is anybody that wants to make a theme for anything. Let’s say you’re a big agency and you pull in a big client and that client wants something extremely custom and they come to you with Figma designs. Sure, you could go out there and find some premium theme and try to like child theme and overhaul that if you want. But in many situations, I would say in most situations, if you’re working from a Figma design that’s not based off of another theme already that’s just kind of somebody else’s brainchild, then you’re probably going to want to start from scratch. And so the idea here is that this is something to replace an approach like Underscores. Actually, WP Rig was based off of Underscores. The whole concept of it, as Morten explained it to me, was that he wanted to build an Underscores that was more modern and full-featured from a development standpoint.

Topher: Does it have any opinions about Gutenberg?

Rob: It does now, but it did not when I took it over because Gutenberg did not exist yet when I took over WP Rig.

Topher: Okay. What are its opinions?

Rob: Yeah, sure. The opinion right out of the gate is that you can use Gutenberg as an editor and it has support like CSS rules in it for the standard blocks. So you should be able to use regular Gutenberg blocks in your theme and they should look just fine. There’s no resets in there. It doesn’t start from scratch. There’s not a bunch of styling you have to do for the blocks necessarily.
Now, if you go to the full site editing or block-based mentality here, there are some things you need to do in WP Rig to convert the out-of-the-box WP Rig into another paradigm essentially. Right when you pull WP Rig, the assumption is you’re building what most people would refer to as a hybrid theme. The theme supports API or whatever, and the assumption is that you’re not going to be using the site editor. You’re just going to kind of do traditional WordPress, but you might be using Gutenberg for your content. So you’re just using Gutenberg kind of to author your pages and your posts and stuff like that, but not necessarily the whole site. WP Rig has the ability to kind of transform itself into other paradigms. So the first paradigm we built out was the universal theme approach. And the idea there is that you get a combination of the full site editing capabilities. But then you also have the traditional menu manager and the settings customizer framework or whatever is still there, right? These are things that don’t exist in a standard block-based theme. So I guess an easy example would be like the 2025 WordPress theme that comes right out of the box. It comes installed in WordPress. That is a true block-based theme, not a universal theme. So it doesn’t have those features because the assumption there is that it doesn’t need those features. You can kind of transform WP Rig into a universal theme that’s kind of a hybrid between a block-based and a classic theme. And then it can also transform into a strictly block-based theme as well. So following the same architecture as like the WordPress 2025 theme or Ollie or something like that is also a true block-based theme as well. So you can easily convert or transform the starting point of WP Rig into either of those paradigms if that’s the type of theme you’re setting out to build.

Topher: Okay. That sounds super flexible. How much work is it to do that?

Rob: It’s like one command line.
Previously we had some tutorials on the website that showed you step-by-step, like what you needed to change about the theme to do that. You would have to add some files, delete some files, edit some code, add some theme supports into the base support class and some other stuff. I have recently, as of like a year and a half ago or a year ago, created a command line or a command that you can type into the command line that basically does that entire conversion process for you in like the blink of an eye. It takes probably a second to a second and a half to perform those changes to the code and then you’re good to go. It is best to do that conversion before you start building out your whole theme. It’s not impossible to do it after. But you’re more likely to run into problems or conflicts if you’ve already set out building your whole theme under one paradigm, and then you decide that you want to switch the project over to block-based or whatever. You’re likely to run into the need to refactor a bunch of stuff in that situation. So it is ideal to make that choice extremely early on in the process of developing your theme. But either way it’ll still work. That’s just one of the many tools that exist in WP Rig to transform it or convert it in several ways. That’s just one example. There are other examples of ways that Rig kind of converts itself to other paradigms as well.

Topher: Yeah. All right. In my development life, I’ve had two parts to it. And one is the weekend hobbyist, or I download Kadence and I whip something up in 20 minutes because I just want to experiment and the other is agency life where everything’s in Git, things are compiled, there are versions, blah, blah, blah. This sounds very friendly to that more professional pathway.

Rob: Absolutely. Yes. Or, I mean, there’s another situation here too.
If you’re a company who develops themes and publishes them to a platform like ThemeForest or any other platform, perhaps you’re selling themes on your own website, whatever, if you’re making things for sale, there’s no reason you couldn’t use WP Rig to build your themes. We have a bundle process that bundles your theme for publication or publishing. Whether you’re an agency or whether you’re putting your theme out for sale, it doesn’t matter, during that bundle process, it does actually white label the entire code base to where there’s no mention of WP Rig in the code whatsoever. Let’s say you were to build a theme that you wanted to put up for sale because you have some cool ideas. Say, page transitions now are completely supported in all modern or in most modern browsers. And when I say page transitions, for those that are in the know, I am talking about not single page app page transitions, but through-website page transitions. You can now do that. Let’s say you were like, “Hey, I’m feeling ambitious and I want to put out some new theme that comes with these page transitions built in,” and that’s going to be fancy on ThemeForest when people look at my demo, people might want to buy that. You could totally use WP Rig to build that out into a theme and the bundle process will white label all of the code. And then when people buy your theme and download that code, if they’re starting to go through and look through your code, they’re not going to have any way of knowing that it was built with WP Rig unless they’re familiar with the base WP Rig architecture, like how it does its object-oriented programming. They might be familiar with the patterns that it’s using and be able to kind of discern like, okay, well, this is the same pattern WP Rig uses, so high likelihood it was built with WP Rig. But they’re not going to be able to know by reading through the code. It’s not going to say WP Rig everywhere. It’s going to have the theme name all over the place in the code.
Topher: Okay. So then is that still WP Rig code? It just changed its labels?

Rob: Yeah.

Topher: So, it’s not like you’re exporting HTML, CSS and JavaScript? The underlying Rig framework is still there.

Rob: Yeah. During the bundle process, it is bundling CSS and HTML. Well, HTML in the case of a block-based theme. But, yeah, it is bundling your PHP, your CSS, your JavaScript into the theme that you’re going to let people download when they buy it, or that you’re going to ship to your whatever client’s website. But all that code is going to be transpiled. In the case of CSS and JavaScript, there’s only going to be minified versions of that code in that theme. The source code is not actually going to be in there.

Topher: This sounds pretty cool. You mentioned some stuff might be coming. You don’t have to tell me what it is, but do you have a timeline? When should we be watching for the next cool thing from Rig?

Rob: Okay, cool. Well, I’m going to keep iterating on Rig forever. Regardless of any future products that might be built on WP Rig, WP Rig will always and forever remain an open source product for anybody to use for free and we, I, and possibly others in the future will continue to update it and support it over time. We just recently put out 3.1. You could expect 3.2 anytime in the next six months to a year, probably closer to six months. One feature I’m looking at particularly closely right now is the new stuff coming out in version 6.9 of WordPress around the various APIs that are there. I think one of them is called the form… There’s a field API and a form API or view API or something like that. So WP Rig comes with a React-based settings framework in it.
So if you want your theme to have a bunch of settings in it to make it flexible for whoever buys your theme, you can use this settings framework to easily create a bunch of fields, and then that framework will automatically manage all your fields and store all the data from those fields and make it easy to retrieve the values of the input on those fields, without knowing any React at all. Now, if you know React, you can go in there and, you know, embellish what’s already there, but it takes a JSON approach. So if you just understand JSON, you can go in and change the JSON for the framework, and that will automatically add fields into the settings framework. So you don’t even have to know React to extend the settings page if you want. That will likely get an overhaul using these new APIs being introduced into Rig.

Topher: All right. How often have you run into something where, “Oh, look, WordPress has a new feature, I need to rebuild my system”?

Rob: Over the last four or five years, it’s happened a lot because, yeah, I mean, like I said, when I first took this thing over, Gutenberg had not even been introduced yet. So, you had the introduction of Gutenberg and blocks. That was one thing. Then this whole full site editing became a thing, which later became the site editor. So that became a whole thing. Then all these various APIs. I mean, it happens quite frequently. So I’ve been working to keep it modern and up to date over the past four years and it’s been an incredible learning experience. It not only keeps my WordPress knowledge extremely sharp, but I’ve also learned how various other toolkits are built. That’s been the interesting thing. From a development standpoint, there’s two challenges here. One of the challenges is staying modern on the WordPress side of things. For instance, WordPress coding standards came out with a version 3 and then a version 3.1 about two years ago. I had to update WP Rig to leverage those modern coding standards.
So that’s one example: as WordPress changes, the code in WP Rig also needs to change. Or for instance, if new CSS standards change, right, new CSS properties come out, it is ideal for the base CSS in WP Rig, meaning the CSS that you get right out of the box with it, to come with some of these, for instance, CSS grid, Flexbox, stuff like that. If I was adopting a theme framework to build a theme on, I would expect some of that stuff to be in there. And those things were extremely new when I first took over WP Rig and were not all baked in there essentially. So I’ve had to add a lot of that over time. Now there’s another side to this, which is not just keeping up with WordPress and CSS and PHP 8.whatever, yada yada yada. You’ve also got the toolkit. There are various Node packages and Composer packages that power WP Rig, and the process in which it does the transpiling, the bundling, the automated manipulation of your code during various aspects of the usage of WP Rig is a whole nother set of challenges because now you have to learn concepts like, well, how do I write custom Node scripts? Right? Like there were no WP CLI commands built into WP Rig when I first took it over. Now there’s a whole list. There’s a whole library of WP CLI commands that come in Rig right out of the gate. And so I’ve had to learn about that. So just various things that come with knowing how do you automate the process of converting code, that’s something that was completely foreign to me when I first took over WP Rig. That’s been another incredible learning experience, understanding like what’s the difference between Webpack and Gulp. I didn’t know, right? I would tell people I’m using Gulp in WP Rig and they would be like, “Well, why don’t you just use Webpack?” and I would say, “I don’t know. I don’t know what the difference is.” So over time I could figure out what are the differences? Why aren’t we using Webpack?
And I’m glad I spent some time on that because it turns out Webpack is not the hottest thing anymore, so I just skipped right over all that. When I overhauled for version 3, we’re now not using Gulp anymore as of 3.1. We’re now using more of a Vite-like process, far more modern than Webpack and far better and faster and sleeker and lighter. I had to learn a bunch about what powers Vite. What is Vite doing under the hood that we might be able to also do in WP Rig, but do it in a WordPress way. Because Vite is a SaaS tool. If you’re building a SaaS, like React with a… we’re not a SaaS. I guess a SPA is a better term to use here. If you’re building a single page application with React or Vue or Svelte or whatever, right, then knowing what Vite is and just using Vite right out of the box is perfect. But it doesn’t translate perfectly to WordPress land because WordPress has its own opinions. And so I did have to do some dissecting there and figure out what to keep and what to not keep, what to kind of set aside so that WordPress can keep doing what WordPress does the way WordPress likes to do it, but also improve on how we’re doing some of the compiling and transpiling and the manipulation of the code during these various.

Topher: All right. I want to pivot a little bit to some personal-ish questions.

Rob: Okay.

Topher: This is a big project. I’m sure it takes up plenty of your time. How scalable is that in your life? Do you want to do this for the rest of your life?

Rob: That’s a fantastic question. I don’t know about the rest of my life. I mean, I definitely want to do web development for the rest of my life because the web has, let’s be honest, it’s transformed everyone’s way of life, whether you’re a web developer or not. You know, the fact that we have the internet in our pocket now, you know, it has changed everything. Apps, everything. It’s all built on the web. So I certainly want to be involved in the web the rest of my life.
Do I want to keep doing WordPress the rest of my life? I don’t know. Do I want to keep doing WP Rig the rest of my life? I don’t know. But I will say that you bring up a very interesting point, which is it does take up a lot of time and also trust in open source over the past four or five years I would argue has diminished a little bit as a result of various events that have occurred over the past two or three years. I mean, we could cite the whole WP Engine Matt Mullenweg thing. We can also cite what’s going on with Oracle and JavaScript. Well, I mean, there’s many examples of this. I mean, we can cite the whole thing that happened… I mean, there’s various packages out there that are used and developed and open source to anybody, and some of them are going unmaintained and it’s causing security vulnerabilities and degradation and all this stuff. So it’s a very important point. One thing I started thinking about after considering that in relation to WP Rig was I noticed that there’s usually a for-profit arm of any of these frameworks that seems to extend the lifespan of it. Let’s just talk about React, for example. React is an open source JavaScript framework, but it’s used by Facebook and Facebook is extremely for-profit. So companies that are making infrastructural or architectural decisions, they will base their choice on whether or not to use a framework largely on how long they think this framework is going to remain relevant or valid or maintained, right? A large part of that is, well, is there a company making money off of this thing? Because if there is, the chances-

Topher: They’re going to keep doing that.

Rob: They’re going to keep doing it. It’s going to stay around. That’s good. I think that’s healthy. A lot of people that like open source and want everything to be free, they might look at something like that and say like, well, I don’t want you to make a paid version of it or there shouldn’t be a pro version.
I think that’s a very short-sighted way of looking at that software and these innovations. I think a more experienced way of looking at it is if you want something to remain relevant and maintained for a long period of time, having a for-profit way in which it’s leveraged is a very good thing. I mean, let’s be real. Would WordPress still be what it is today if there wasn’t a wordpress.com or if WooCommerce wasn’t owned by Automattic or whatever, right? They’ll be on top. I mean, it’s obviously impossible to say, but my argument would be, probably not. I mean, look at what’s happened to the other content management systems out there. You know, Joomla, Drupal. They don’t really have a flourishing, you know, paid pro service that goes with their thing that’s very popular, at least definitely not as popular as WordPress.com or WordPress VIP or some of these other things that exist out there. And so having something that’s making and generating money that can then contribute back into it the way Automattic has been doing with WordPress over these years has, in my opinion, been instrumental. I mean, people can talk smack about Gutenberg all they want, but let’s be real, it’s 2025, would you still feel that WordPress is an elegant solution if we were still working from the WYSIWYG and using the classic editor? And I know a lot of people are still using the classic editor and there’s ClassicPress, the fork and all that stuff. But I mean, that only makes sense in a very specific implementation of WordPress, a very specific paradigm. If you want to explore any of these other paradigms out there, that way of thinking about WordPress kind of falls apart pretty quickly. I, for one, am happy that Gutenberg exists. I’m very happy that Automattic continues. And I’m grateful, actually, that Automattic continues to contribute back into WordPress. And not just them, obviously there’s other companies, XWP, 10up, all these other companies are also contributing as well.
But I’m very grateful that this ecosystem exists and that there’s contribution going back in and it’s happening from companies that are making money with this. And I think that’s vital. All that to say that WP Rig may and likely will have paid products in the future that leverage WP Rig. So that’s not to say that WP Rig will eventually cost money. That’s just to say that eventually people can expect other products to come out in the future that will be built on WP Rig and incentivize the continued contributions back into WP Rig. The open source version of WP Rig.

Topher: That’s cool. I think that’s wise. If you want anything to stay alive, you have to feed it.

Rob: That’s right.

Topher: I had some more questions but I had forgotten them because I got caught up in your answer.

Rob: Oh, thank you. I’ll take that as a compliment. I mean, my answer was eloquent. But I’m happy to expand on anything, you know, WordPress related, me related, you know, whether it comes to the ecosystem in WordPress, the whole WordCamp meetup thing is very interesting. I led the WP Omaha meetup for many years here in Omaha, Nebraska and I also led the WordCamp, the organizing of WordCamp here in Omaha for several years as well. That whole community, the whole ecosystem, at least in America seems to have largely fallen apart. I don’t know if you want to talk about that at all. But yeah, I’m ready to dive into any topics.

Topher: I’m going to have one more question and then we’re going to wrap up. And it was that you were talking about all the things you had to learn. I’m sure there were nights where you were looking at your computer thinking, “Oh man, I had it working, now I gotta go learn a new thing.” I would love for you to go back in time and blog all of that if you would. But given that you can’t, I would be interested in a blog moving forward, documenting what you’re learning, how you’re learning it and starting maybe with a post that summarizes all of that.
Obviously, that’s up to you and how you want to spend your time, but I think it’d be really valuable to other people starting a project, picking up somebody else’s project to see what the roadmap might look like. You know what I mean? Rob: For sure. Well, I can briefly summarize what I’ve learned over the years and where I’m at today with how I do this kind of stuff. I will say that a lot of the improvements to WP Rig that have happened over the last year or two would not be possible without the advent of AI. Topher: Interesting. Rob: That’s a fancy way of saying that I have been by coding a lot of WP Rig lately. If you know how to use AI, it is extremely powerful and it can help you do many things very quickly that previously would have taken much longer or more manpower. So, yeah, perhaps if there was like five, six, seven people actively, excuse me, actively contributing to WP Rig, then this type of stuff would have been possible previously, but that’s not the case. There is one person, well, one main contributor to WP Rig today and you’re talking to them. There are a handful of other people that have been likely contributing to WP Rig over the versions and you can find their contributions in the change log file in WP Rig. But those contributions have been extremely light compared to what I’ve been doing. I wouldn’t be able to do any of it without AI. I have learned my ability to learn things extremely rapidly has ramped up tenfold since I started learning how to properly leverage LLMs and AI. So that’s not to say that like, you know, WP Rig, all the code is just being completely written by AI and I’m just like. make it better, enter, and then like WP Rig is better. I wish it was that easy. It’s certainly not that. But when I needed to start asking some of these vital questions that I really didn’t have anyone to turn to to help answer them, I was able to turn to AI. For instance, let’s go back to the Webpack versus Gulp situation. 
Although Gulp is no longer used in WP Rig, you know, it was used in WP Rig until very recently. So I had to understand like, what is this system, how does it work, how do I extend it and how do I update it and all these things, right? And why aren’t we using WebPack and you know, is there validity to this criticism behind you should use webpack instead of Gulp or whatever, right? I was able to use AI to ask these questions and be able to get extremely good answers out of it and give me the direction I needed to make some of these kind of higher level decisions on like architecturally where should WP Rig go? It was through these virtual conversations with LLMs that I was able to refine the direction of WP Rig in a direction that is both modern and forward-thinking and architecturally sound. I learned a tremendous amount from AI about the architecture, about the code, about all of it. My advice to anybody that wants to extend their skill set a little bit in the development side of things is to leverage this new thing that we have in a way that is as productive as possible for you. So that’s going to vary from person to person. But for me, if I’m on a flight or if I’m stuck somewhere for a while, like, let’s say I got to take my kid to practice or something and I’m stuck there for an hour and I got to find some way to kill my time 9 times out of 10, I’m on my laptop or on my phone having conversations with Grok or ChatGPT or Gemini or whatever. I am literally refining… I’m just sitting there asking it questions that are on my mind that I wish I could ask somebody who’s like 10 times more capable than me. It has been instrumental. WP Rig wouldn’t be where it is today if it wasn’t for that. I would just say to anybody, especially now that it’s all on apps and you don’t have to be on a browser anymore, adopt that way of thinking. 
You know, if you’re on your lunch break or whatever and you have an hour lunch break and you only take 15 minutes to eat, what could you be doing with those other 45 minutes? You could just jump on this magical thing that we have now and start probing it for questions. Like, Hey, here’s what I know. Here’s what I don’t know. Fill these knowledge gaps for me.” And it is extremely good at doing that. Topher: So my question was, can you blog this and your answer told me that there’s more there that I want to hear. That’s the stuff that should be in your book when you write your book. Rob: I’m flattered that you would be interested in reading anything that I write. So thank you. I’ve written stuff in the past and it hasn’t gotten a lot of attention. But I also don’t have any platforms to market it either. But yeah, no, I made some… I’m sorry. Topher: I think your experience is valuable far beyond Rig or WordPress. If you abstract it out of a particular project to say, you know, I did this with a project, I learned this this way, I think that would be super valuable. Rob: Well, I will say that recently at my current job, I was challenged to create an end to end testing framework with Playwright that would speed up how long it takes to test things and also prevent, you know, to make things fail earlier, essentially, to prevent broken things from ending up in the wild, right, and having to catch them the hard way. I didn’t know a lot about Playwright, but I do know how toolkits work now because of WP Rig. And I was able to successfully in a matter of, I don’t know, three days, put together a starter kit for a test framework that we’re already using at work to test any website that we create for any client. It can be extended and it can be hooked into any CI CD pipeline and it generates reports for you and it does a whole bunch of stuff. I was able to do this relatively quickly. This knowledge, yes, does come in handy in other situations. 
Will I end up developing other toolkits like WP Rig in the future for other things? I guess if I can give any advice to anybody listening out there, another piece of advice I would give people is, you know, especially if you’re a junior developer and you’re still learning or whatever, or you’re just a marketing person and just want to have more control over the functionality side of what you’re creating or more insight into that so you could better, you know, manage projects or whatever. My advice would be to take on a small little project that is scoped relatively small that’s not too much for you to chew and go build something and do it with… Just doing that will be good. But if you can do it with the intent to then present it in some fashion, whether it be a blog article or creating a YouTube video or going to a meetup and giving a talk on it or even a lunch and learn at work or whatever, right, that will, in my experience, it will dramatically amplify how much you learn from that little pet project that’s kind of like a mini learning experience. And I highly encourage anybody out there to do that on the regular. Actually, no matter what your experience level is in development, I think you should do these things on a regular basis. Topher: All right. I’m going to wrap this up. I got to get back to work. You probably have to get back to work. Rob: Yeah. Topher: Thanks for talking. Rob: Thanks for having me, Topher. Really appreciate it. Topher: Where could people find you? WPrig.io?  Rob: Yeah, WPrig.io. WP rig has accounts on all of the major platforms and, even on Bluesky and Mastodon. You can look me up, Rob Ruiz. You can find me on LinkedIn. You can find me on all of those same platforms as well. You can add me on Facebook if you want, whatever. And I’m also in the WordPress Slack as well as Rob Ruiz. You can find me in the WordPress Slack. And then I’m on the WordPress Reddit and all that stuff. So yeah, reach out. 
If anybody wants to have any questions about Rig or anything else, I’m happy to engage.  Topher: Sounds good. All right, I’ll see you. Rob: All right, thanks, Topher. Have a good day. Topher: This has been an episode of the Hallway Chats podcast. I’m your host Topher DeRosia. Many thanks to our sponsor Nexcess. If you’d like to hear more Hallway Chats, please let us know on hallwaychats.com.

airhacks.fm podcast with adam bien
How PowerMock Happened

Dec 20, 2025 (66:54)

An airhacks.fm conversation with Johan Haleby (@johanhaleby) about: first computer experience with Commodore C64 and typing Basic programs from instruction manuals, early gaming experiences and interest in understanding load commands, transition to Amiga 500 Plus for demo scene scripting and composition, moving to PC era with 486 SX25 and four megabytes of RAM, learning Turbo Pascal and creating 2D Super Mario-inspired games, experimenting with inline assembler in Pascal and reading "The Art of Assembly Programming", reverse engineering games using Win32 disassembler to bypass license checks, studying computer science at Blekinge and Lund University in Sweden, first job at JayWay consultancy firm working on IKEA project in 2005, early adoption of Spring framework and automated testing practices, comparison of old-style EJB with heavy XML configuration versus Spring's lightweight approach, the evolution from XML-based configuration to annotation-based Java EE 5 and 6, creating PowerMock with colleague Jan Kronqvist to mock static methods and final classes, using asm and JavaAssist for bytecode manipulation instead of AspectJ, implementing custom class loaders where each JUnit method executed in different class loader, deep clone module for cloning object graphs between class loaders, tight coupling challenges between PowerMock and Mockito/EasyMock/JUnit versions, transition from EasyMock's record-replay pattern to Mockito's when-then approach, modern preference for avoiding mocks and testing against real cloud environments, optimizing for fast CI/CD pipelines rather than local simulation, structuring code to separate infrastructure concerns from pure business logic, using Java Records as pure data carriers versus adding behavior to records, Clojure-inspired philosophy of decoupling state from behavior and identity, Rich Hickey's "Simple Made Easy" talk and definitions of simple versus easy, multi-methods in functional languages as alternative to polymorphism, domain modeling example with network devices and fiber channel connections, benefits of object-oriented polymorphism for transparent persistence and simple code, avoiding religious adherence to patterns in favor of pragmatic solutions, Maven's stability and opinionated approach versus Gradle's flexibility, reducing external dependencies and Maven plugins in favor of CI/CD automation, the NPM ecosystem's over-modularization compared to Java's more reasonable approach, decline of OSGi hype and return to simpler monolithic architectures, Johan's current work on Occurrent Event Sourcing library and cloud events.

Johan Haleby on twitter: @johanhaleby

ITSPmagazine | Technology. Cybersecurity. Society
The Hidden Risk Inside Your Build Pipeline: When Open Source Becomes an Attack Vector | A Conversation with Paul McCarty | Redefining CyberSecurity with Sean Martin

Dec 16, 2025 (40:14)

⬥EPISODE NOTES⬥
Modern application development depends on open source packages moving at extraordinary speed. Paul McCarty, Offensive Security Specialist focused on software supply chain threats, explains why that speed has quietly reshaped risk across development pipelines, developer laptops, and CI environments.

JavaScript dominates modern software delivery, and the npm registry has become the largest package ecosystem in the world. Millions of packages, thousands of daily updates, and deeply nested dependency chains, often exceeding a thousand indirect dependencies per application. That scale creates opportunity, not only for innovation, but for adversaries who understand how developers actually build software.

This conversation focuses on a shift that security leaders can no longer ignore. Malicious packages are not exploiting accidental coding errors. They are intentionally engineered to steal credentials, exfiltrate secrets, and compromise environments long before traditional security tools see anything wrong. Attacks increasingly begin on developer machines through social engineering and poisoned repositories, then propagate into CI pipelines where access density and sensitive credentials converge.

Paul outlines why many existing security approaches fall short. Vulnerability databases were built for mistakes, not hostile code. AppSec teams are overloaded burning down backlogs. Security operations teams rarely receive meaningful telemetry from build systems. The result is a visibility gap where malicious code can run, disappear, and leave organizations unsure what was touched or stolen.

The episode also explores why simple advice like “only use vetted packages” fails in practice. Open source ecosystems move too fast for manual approval models, and internal package repositories often collapse under friction. Meanwhile, attackers exploit maintainer accounts, typosquatting domains, and ecosystem trust to reach billions of downstream installations in a single event.

This discussion challenges security leaders to rethink how software supply chain risk is defined, detected, and owned. The problem is no longer theoretical, and it no longer lives only in development teams. It sits at the intersection of intellectual property, identity, and delivery velocity, demanding attention from anyone responsible for protecting modern software-driven organizations.

⬥GUEST⬥
Paul McCarty, NPM Hacker and Software Supply Chain Researcher | On LinkedIn: https://www.linkedin.com/in/mccartypaul/

⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

⬥RESOURCES⬥
LinkedIn Post: https://www.linkedin.com/posts/mccartypaul_i-want-to-introduce-you-to-my-latest-project-activity-7396297753196363776-1N-T
Open Source Malware Database: https://opensourcemalware.com
OpenSSF Scorecard Project: https://securityscorecards.dev

⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast: 

Microsoft Business Applications Podcast
How to Protect Your Power Platform Solutions

Dec 14, 2025 (30:24)


The Cybersecurity Defenders Podcast
#273 - Intel Chat: Tomiris cyber-espionage group, OpenPLC ScadaBR flaw, NPM manipulating AI-driven scanners & MuddyWater

Dec 9, 2025 (30:51)

In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community.

For more information about Cybersecurity Cares, visit cybersecurity-cares.com

The Tomiris cyber-espionage group, which has been under Kaspersky's watch since 2021, has evolved its tactics in a new wave of attacks observed in early 2025. Article #2.

CISA has recently added CVE-2021-26829 to its known exploited vulnerabilities, or KEV catalog, marking it as a confirmed threat based on real world exploitation.

Researchers at KOI Security have identified a malicious NPM package, which not only performs typical credential stealing behavior, but also includes a new, subtle tactic attempting to manipulate AI-driven security scanners via embedded prompt engineering. Article #2.

Iranian state sponsored threat group MuddyWater has launched a new wave of cyber espionage attacks targeting Israeli organizations across sectors including academia, civil infrastructure, engineering, technology and utilities.

Support our show by sharing your favorite episodes with a friend, subscribe, give us a rating or leave a comment on your podcast platform.

This podcast is brought to you by LimaCharlie, maker of the SecOps Cloud Platform, infrastructure for SecOps where everything is built API first. Scale with confidence as your business grows. Start today for free at limacharlie.io.

New Project Media
NPM Interconnections (US) – Episode 175: Randy Mann | esVolta

Dec 9, 2025 (35:25)

On this week's episode, esVolta CEO Randy Mann joins Andrew Burnes to discuss some of the issues facing a well-established storage IPP in the 2025 market landscape.

The conversation includes a look into the realities of FEOC and the status of domestic and alternative supply, including alternate chemistries, as well as a look at how storage values are holding in ERCOT as new storage capacity enters the market.

Randy also discusses the logistics and risk of entering newer markets and gets specific on which ones the firm will be targeting in the next couple of years.

NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community.

Download our mobile app.

All TWiT.tv Shows (MP3)
Untitled Linux Show 232: Mobius Strip

Dec 7, 2025 (84:47)

Linux 6.18 is officially out, and officially an LTS release. 6.19 has plenty to be excited about, including the color pipeline API. NVIDIA is making progress with Wayland and other regions, Fedora is moving away from FBCON, and Flowblade sees a Wayland-only future. NPM has a worm problem, and we're still gaining ground on Steam! For tips, we have scx for rolling your own userspace scheduler, and a fix for Yakuake for your old-school terminal needs. You can find the show notes at https://bit.ly/44ISvVi and have a great week!

Host: Jonathan Bennett
Co-Host: Jeff Massie

Download or subscribe to Untitled Linux Show at https://twit.tv/shows/untitled-linux-show

Want access to the ad-free video and exclusive features? Become a member of Club TWiT today! https://twit.tv/clubtwit

Club TWiT members can discuss this episode and leave feedback in the Club TWiT Discord.

Paul's Security Weekly
Holiday Hack Challenge, AI, Internet of Trash - Ed Skoudis - PSW #903

Dec 4, 2025 (130:41)

This week we welcome Ed Skoudis to talk about the Holiday Hack Challenge (https://sans.org/HolidayHack). In the security news: Oh Asus Dashcam botnets; Weird CVEs being issued; CodeRED, but not the worm; Free IP checking; Internet space junk and IoT; Decade old Linux kernel vulnerabilities; Breaking out of Claude Code; Malicious LLMs; Hacker on a plane gets 7 years; Putting passwords into random websites; NPM supply chains strike again; LLMs will never be intelligent.

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-903

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Wednesday, December 3rd, 2025: SmartTube Compromise; NPM Malware Prompt Injection Attempt; Angular XSS Vulnerability

Dec 3, 2025 (6:06)

SmartTube Android App Compromise: The key a developer used to sign the Android YouTube player SmartTube was compromised and used to publish a malicious version.
https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826
https://github.com/yuliskov/SmartTube/releases/tag/notification

Two Years, 17K Downloads: The NPM Malware That Tried to Gaslight Security Scanners: Over the course of two years, a malicious NPM package was updated to evade detection and has now been identified, in part, due to its attempt to bypass AI scanners through prompt injection.
https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners

Stored XSS Vulnerability via SVG Animation, SVG URL, and MathML Attributes: Angular fixed a stored XSS vulnerability.
https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49

Passwort - der Podcast von heise security
Of Worms, Viruses, Hiccups and Coughs

Dec 3, 2025 (98:16)

The podcast is under the weather: Cloudflare had a three-hour hiccup, the co-host has coughing fits, and worms have once again infested NPM. Christopher and Sylvester take a thorough look at what the second edition of the JavaScript malware "Sha1-Hulud" does differently from the first, and also revisit "Glassworm", a topic from the last few episodes. In hindsight it is unclear whether it really is a worm or perhaps rather a botnet, as Christopher suspects. The three-hour Cloudflare outage is also on the agenda (with unusually generous praise from the hosts!), and the two heise editors also look into whether WhatsApp really had the biggest data leak in history.

- Cloudflare on the outage of November 18: https://blog.cloudflare.com/18-november-2025-outage/
- Threema on the WhatsApp scraping: https://threema.com/de/blog/whatsapp-datenleck-2025
- Trend Micro's technical analysis of Shai Hulud 2.0: https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
- Expel on cache smuggling: https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- Follow us on the Fediverse:
- @christopherkunz@chaos.social
- @syt@social.heise.de

New Project Media
NPM Interconnections (US) – Episode 174: Laura Pagliarulo | SolaREIT

Dec 2, 2025 (27:23)

Laura Pagliarulo, CEO and co-founder of SolaREIT, joins the podcast this week to discuss the rise of powered land banks to support data centers and other forms of load demand. Later in the program, she also discusses the forecast for US battery energy storage and what growth might look like with FEOC restrictions being implemented in January 2026.

*This podcast is sponsored by Meter. Meter provides full-stack, integrated networking. They design, deploy, and manage wired, wireless, and cellular infrastructure for large data center campuses, warehouses, and branch offices. With Meter, businesses get fast, secure, and scalable connectivity for a predictable monthly rate, without the complexity of managing multiple providers or tools. Go to meter.com/npm to book a demo today!

NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community.

Download our mobile app.

Security Conversations
Shai-Hulud 2.0, Russia GRU Intrusions, and Microsoft's Regulatory Capture

Nov 29, 2025 (117:12)


(Presented by Material Security (https://material.security): We protect your company's most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.) Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft's CISO at CYBERWARCON and what it reveals about the company's shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA's mobile spyware guidance, NSO's legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf. We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Ryan Naraine (https://twitter.com/ryanaraine) and Costin Raiu (https://twitter.com/craiu).

Cyber Security Today
Cybersecurity Update: Incorrect Company Naming, Major Breaches, and New Malware Campaigns

Nov 27, 2025 (12:58)

In this episode, the host addresses a previous mistake in naming a company involved in a breach, correcting SitusAMC for Ascensus, and extends apologies. Key topics include US banks assessing the breach fallout from financial tech vendor SitusAMC, the Clop ransomware group targeting Broadcom through Oracle's vulnerabilities, a new malware campaign hiding StealC in Blender 3D models, supply chain attacks in the JavaScript ecosystem through NPM packages carrying the Shai-Hulud malware, and a phishing scam using lookalike domains to deceive Microsoft account holders. Listeners are reminded to manually type URLs to avoid phishing scams, and are informed about the Thanksgiving weekend schedule change.

00:00 Introduction and Apology
01:26 Cybersecurity Headlines
02:13 US Banks Data Theft Incident
03:44 Broadcom and Oracle ERP Breach
05:29 Blender Malware Campaign
07:45 Shai-Hulud NPM Package Attack
09:41 Phishing Campaign Targeting Microsoft Accounts
11:39 Final Thoughts and Thanksgiving Wishes

Cyber Security Today
Major US Bank Data Linked Through Breach At SitusAMC

Nov 26, 2025 (11:32)

In today's episode of Cybersecurity Today, hosted by Jim Love, several major cybersecurity incidents are discussed. US banks are assessing the impact of a security breach at SitusAMC, where the ALFV ransomware group claimed to have stolen three terabytes of data. Clop has targeted Broadcom through Oracle's E-Business Suite vulnerabilities. A new malware campaign hides inside Blender 3D models, exploiting the auto-run feature to deploy StealC malware. The JavaScript ecosystem faces a supply chain attack from the Shai-Hulud malware compromising 500 NPM packages. Additionally, a phishing campaign leveraging visual deception with look-alike domains is targeting Microsoft account holders. The show is brought to you by Meter, which provides integrated networking solutions.

00:00 Introduction and Sponsor Message
00:21 US Banks Data Theft Incident
02:24 Broadcom and Oracle ERP Breach
04:09 Blender Files Supply Chain Attack
06:24 NPM Packages Compromised
08:21 Phishing Campaign Targeting Microsoft Accounts
10:19 Conclusion and Sponsor Message

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, November 25th, 2025: URL Mapping and Authentication; SHA1-Hulud; Hacklore
Nov 25, 2025 (6:11)

Conflicts between URL mapping and URL based access control
Mapping different URLs to the same script while relying on URL-based authentication at the same time may lead to dangerous authentication and access control gaps.
https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518

Sha1-Hulud, The Second Coming
A new, destructive variant of the Shai-Hulud worm is currently spreading through NPM/GitHub repos.
https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised

Hacklore: Cleaning up Outdated Security Advice
A new website, hacklore.org, has published an open letter from former CISOs and other security leaders aimed at addressing some outdated security advice that is often repeated.
https://www.hacklore.org

Absolute AppSec
Episode 305 - Career Impact of GenAI, SEO/GEO, More Supply Chain Attacks
Nov 25, 2025


The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly turns to a compelling debate: How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. The hosts then dive into a fascinating discussion on the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), where marketers exploit AI search results through tricks like keyword-stuffed files to game rankings. They tie this to historical examples of exploitation, harkening back to Google hacking days. Finally, they cover the recent Shai Hulud 2 supply chain attack, which infected hundreds of NPM packages and utilized even more sophisticated obfuscation and delayed execution tactics than its predecessor.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, November 18th, 2025: Binary Expression Decoding. Tea NPM Pollution; IBM AIX NIMSH Vulnerability
Nov 18, 2025 (4:58)

Decoding Binary Numeric Expressions
Didier updated his number-to-hex script to support simple arithmetic operations in the text.
https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490

Tea Token NPM Pollution
The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions to earn a new tea coin.
https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/

IBM AIX NIMSH Vulnerabilities
IBM patched several critical vulnerabilities in the NIMSH daemon.
https://www.ibm.com/support/pages/node/7251173

Packet Pushers - Full Podcast Feed
PP087: Why SBOMs Are Cooler and More Useful Than You Think
Nov 18, 2025 (46:08)

Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here...


New Project Media
NPM Interconnections (EUR) – Episode 173: Harald Överholm | Alight
Nov 18, 2025 (34:42)

Alight chairman and co-founder Harald Överholm joins NPM Europe on this week's episode to give us his take on building a Nordic solar developer into an increasingly pan-European operator of both behind-the-meter and utility-scale, grid-connected PV assets. Harald also provides insight on how data centres could power the corporate PPA market across the Nordics for years to come, how Alight is targeting microgrids for future opportunities, as well as tips for solving the grid connection impasse present in several European markets right now. NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community. Download our mobile app.

Open Source Security Podcast
NPM supply chain attacks with Charlie Eriksen
Nov 9, 2025 (34:31)

Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. We also discuss how the rapid pace of change is affecting our security practices and what steps can be taken to foster resilience in the face of evolving threats. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-npm-charlie/

Security Now (MP3)
SN 1050: Here Come the AI Browsers - Scareware Blockers
Nov 5, 2025 (201:25)

AI-powered web browsers are hitting the scene fast, but Steve and Leo unpack why these smart assistants could usher in an era of security chaos most users aren't ready for. Brace yourself for the wild risks, real-world scams, and the privacy questions no one else is asking.

Secret radios discovered in Chinese-made buses. Edge & Chrome introduce LLM-based "scareware" blocking. A perfect example of what scareware blocking hopes to prevent. Aardvark: OpenAI's new vulnerability scanner for code. Italy to require age verification from 48 specific sites. Russia to require the use of only Russian software within Russia. Russia further clamping down on non-MAX Telegram and WhatsApp messaging. 187 new malicious NPM packages. Could AI help with that? BadCandy malware has infiltrated Australian Cisco routers. GitHub's 2025 report with the dominance of TypeScript. Windows 11 gets new extra-secure Admin Protection feature. A bunch of interesting feedback and listener thoughts. And why the new AI-driven web browsers may be bringing a whole new world of hurt.

Show Notes: https://www.grc.com/sn/SN-1050-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
Sponsors: bitwarden.com/twit; joindeleteme.com/twit promo code TWIT; canary.tools/twit - use code: TWIT; bigid.com/securitynow; threatlocker.com for Security Now


Absolute AppSec
Episode 302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security
Nov 4, 2025

Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glass scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential such as unauthorized money transfers. The hosts discussed the lack of talk submissions on Model Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to prevent the risk of AI hallucinating non-existent, potentially malicious packages (which occurs 5-21% of the time) and attempting to install them from registries like NPM.

All JavaScript Podcasts by Devchat.tv
Guarding the JavaScript Supply Chain: Preventing NPM Attacks with Feross Aboukhadijeh - JSJ 695
Nov 1, 2025 (60:01)

Hey everyone—it's Steve Edwards here, and in this episode of JavaScript Jabber, I'm joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top NPM maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them. Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for “phishing-resistant 2FA.” Whether you're an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe.

Hacker News Recap
October 30th, 2025 | Affinity Studio now free
Oct 31, 2025 (14:43)

This is a recap of the top 10 posts on Hacker News on October 30, 2025. This podcast was generated by wondercraft.ai

(00:30): Affinity Studio now free
Original post: https://news.ycombinator.com/item?id=45761445&utm_source=wondercraft_ai
(01:53): Free software scares normal people
Original post: https://news.ycombinator.com/item?id=45760878&utm_source=wondercraft_ai
(03:17): The ear does not do a Fourier transform (2024)
Original post: https://news.ycombinator.com/item?id=45762259&utm_source=wondercraft_ai
(04:41): US declines to join more than 70 countries in signing UN cybercrime treaty
Original post: https://news.ycombinator.com/item?id=45760328&utm_source=wondercraft_ai
(06:05): Ventoy: Create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI Files
Original post: https://news.ycombinator.com/item?id=45760340&utm_source=wondercraft_ai
(07:29): A change of address led to our Wise accounts being shut down
Original post: https://news.ycombinator.com/item?id=45766253&utm_source=wondercraft_ai
(08:52): Denmark reportedly withdraws Chat Control proposal following controversy
Original post: https://news.ycombinator.com/item?id=45765664&utm_source=wondercraft_ai
(10:16): Falling panel prices lead to global solar boom, except for the US
Original post: https://news.ycombinator.com/item?id=45761902&utm_source=wondercraft_ai
(11:40): Language models are injective and hence invertible
Original post: https://news.ycombinator.com/item?id=45758093&utm_source=wondercraft_ai
(13:04): NPM flooded with malicious packages downloaded more than 86k times
Original post: https://news.ycombinator.com/item?id=45755027&utm_source=wondercraft_ai

This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

Security Now (MP3)
SN 1044: The EU's Online Age Verification - Consumer Reports vs. Microsoft
Sep 24, 2025 (181:56)

Consumer Reports on Windows 10 updates. Waste (not fraud or abuse) within DoD cyber operations. China's DeepSeek produces deliberately flawed code. WebAssembly v3.0 officially released. Firefox v143 updates and new features. Firefox for Android now offers DoH. A nearly terminal flaw in Microsoft's Entra ID. Chrome hits its 6th 0-day this year: emergency update. DRAM (now DDR5) still vulnerable to RowHammer. Samsung kitchen refrigerators begin showing ads. China says no to NVIDIA. 300 more (new) malicious NPM packages found and removed. The EU is already testing proper online age verification.

Show Notes: https://www.grc.com/sn/SN-1044-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
Sponsors: bigid.com/securitynow; go.acronis.com/twit; zscaler.com/security; 1password.com/securitynow; hoxhunt.com/securitynow

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Wednesday, September 24th, 2025: DoS against the Analyst; GitHub Improvements; Solarwinds and Supermicro BMC vulnerabilities
Sep 24, 2025 (7:22)

Distracting the Analyst for Fun and Profit
Our undergraduate intern, Tyler House, analyzed what may have been a small DoS attack that was likely meant more to distract than to actually cause a denial of service.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Distracting%20the%20Analyst%20for%20Fun%20and%20Profit/32308

GitHub's plan for a more secure npm supply chain
GitHub outlined its plan to harden the supply chain, in particular in light of the recent attack against npm packages.
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/

SolarWinds Web Help Desk AjaxProxy Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2025-26399)
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399

Vulnerabilities in Supermicro BMC Firmware (CVE-2025-7937, CVE-2025-6198)
Supermicro fixed two vulnerabilities that could allow an attacker to compromise the BMC with rogue firmware.
https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025


Daily Tech News Show
Google Play Gets a Gemini Sidekick for Gaming - DTNS 5110

Daily Tech News Show

Play Episode Listen Later Sep 23, 2025 29:55


Nvidia is set to invest $100 billion in OpenAI as it works toward a gigawatt of new infrastructure per week, and GitHub is rolling out new security controls for NPM. Starring Jason Howell and Tom Merritt. Show notes found here. Hosted on Acast. See acast.com/privacy for more information.

The CyberWire
Code beneath the sand.

The CyberWire

Play Episode Listen Later Sep 17, 2025 31:44


A new self-replicating malware infects the NPM repository. Microsoft and Cloudflare disrupt a Phishing-as-a-Service platform. Researchers uncover a new Fancy Bear backdoor campaign. The VoidProxy phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Google accounts. A British telecom says its ransomware recovery may stretch into November. A new Rowhammer attack variant targets DDR5 memory. Democrats warn proposed budget cuts could slash the FBI's cyber division staff by half at a heated Senate Judiciary Committee hearing. On our Industry Voices segment, we are joined by Abhishek Agrawal from Material Security discussing the challenges of securing Google Workspace. Pompompurin heads to prison. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, we are joined by Abhishek Agrawal, CEO and Co-Founder of Material Security, discussing the challenges of securing Google Workspace. You can hear Abhishek's full conversation here. Selected Reading Self-Replicating Worm Hits 180+ Software Packages (Krebs on Security) Microsoft disrupts the RaccoonO365 Phishing-as-a-Service operation, names alleged leader (Help Net Security) Fancy Bear attacks abuse Office macros, legitimate cloud services (SC Media) VoidProxy phishing operation targets Microsoft 365, Google accounts (SC Media) UK telco Colt's cyberattack recovery seeps into November (The Register) Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack (The Register) Senators, FBI Director Patel clash over cyber division personnel, arrests (CyberScoop) House lawmakers move to extend two key cyber programs, for now (The Record) BreachForums founder caged after soft sentence overturned (The Register) Share your feedback. What do you think about CyberWire Daily?
Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Wednesday, September 17th, 2025: Phishing Resistants; More npm Attacks; ChatGPT MCP abuse

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Sep 17, 2025 8:47


Why You Need Phishing-Resistant Authentication NOW. The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a simple phishing email can be. https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290 S1ngularity/nx Attackers Strike Again A second wave of attacks has hit over a hundred npm-related GitHub repositories. The updated payload implements a worm that propagates itself to other repositories. https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again ChatGPT's Calendar Integration Can Be Exploited to Steal Emails ChatGPT's new MCP integration can be used, via prompt injection, to affect software connected to ChatGPT via MCP. https://www.linkedin.com/posts/eito-miyamura-157305121_we-got-chatgpt-to-leak-your-private-email-activity-7372306174253256704-xoX1/

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, September 16th, 2025: Apple Updates; Rust Phishing; Samsung 0-day

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Sep 16, 2025 6:42


Apple Updates Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities. https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286 Microsoft End of Life On October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will end. https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=As%20a%20reminder%2C%20Windows%2010,one%20that%20supports%20Windows%2011. https://techcommunity.microsoft.com/blog/exchange/t-9-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4366605 Phishing Targeting Rust Developers Rust developers are reporting phishing emails similar to the ones that caused the major NPM compromise last week. https://github.com/rust-lang/crates.io/discussions/11889#discussion-8886064 Samsung Patches 0-Day Samsung released its monthly updates for its flagship phones, fixing, among other vulnerabilities, an already exploited 0-day. https://security.samsungmobile.com/securityUpdate.smsb

ShopTalk » Podcast Feed
682: Whiskey, Security, Antitrust, and Fun with CSS Functions

ShopTalk » Podcast Feed

Play Episode Listen Later Sep 15, 2025 57:05


Show Description: Dave's got a whiskey-related content warning. The hosts discuss recent security vulnerabilities in NPM, challenges with password management, and the complexities of digital security. They delve into Google's antitrust issues and the dynamics of the browser market, before transitioning to innovations in CSS, including custom properties and functions. The conversation wraps up with thoughts on the future of CSS and web development. Listen on Website Links: Whiskey Web and Whatnot: Web Development, Neat Storybook: Frontend workshop for UI development Largest NPM Compromise in History - Supply Chain Attack : r/programming We all dodged a bullet - Xe Iaso Post by @cabel.panic.com — Bluesky Special: One on One with a Hacker – ShopTalk 1Password Watchtower This 25-minute video is the most riveting sudoku puzzle you will ever watch | The Verge Many years on the job and I still don't get it. - daverupert.com if() - CSS | MDN CSS at-rule functions - CSS | MDN CSS color-scheme-dependent colors with light-dark() – Bram.us Matthias Ott

The Bad Crypto Podcast
Supply Chain Shenanigans: Hackers, HODLers, and Hot Messes

The Bad Crypto Podcast

Play Episode Listen Later Sep 11, 2025 31:02


The crypto community once again is dodging digital landmines as Ledger’s CTO screams “stop those onchain transactions!” thanks to a sneaky NPM supply chain attack hitting over a billion downloads. That’s right, hackers are out here snatching crypto like it’s candy. Meanwhile, Bitcoin Hyper’s presale is going full supernova, Oracle’s AI cloud dreams are spiking their stock, and Trump Media is hoarding $6 billion in CRO tokens for Truth Social’s big flex. From Nasdaq’s $50M Gemini IPO bet to Worldcoin’s AI identity takeover, we’re unpacking it all with our signature badness. Grab your hardware wallet, strap in, or strap on if you are into that kind of thing, and jump on board for our bad news episode #789 of The Bad Crypto Podcast. Full Show Notes at: http://badco.in/789 SUBSCRIBE, RATE, & REVIEW: Apple Podcast: http://badco.in/itunes Google Podcasts: http://badco.in/google Spotify: http://badco.in/spotify Amazon Music: http://badco.in/amazon FREE NFTs when you JOIN THE BAD CRYPTO NIFTY CLUB at https://badcrypto.uncut.network FOLLOW US ON SOCIAL MEDIA: Twitter: @badcryptopod - @joelcomm - @teedubya Facebook: /BadCrypto - /JoelComm - /teedubyaw Facebook Mastermind Group: /BadCrypto LinkedIn: /in/joelcomm - /in/teedubya Instagram: @BadCryptoPodcast Email: badcryptopodcast[at]gmail[dot]com Phone: SEVEN-OH-8-88FIVE- 90THIRTY DISCLAIMER: Do your own due diligence and research. Joel Comm and Travis Wright are NOT FINANCIAL ADVISORS. We are sharing our journey with you as we learn more about this crazy little thing called cryptocurrency. We make NO RECOMMENDATIONS. Don't take anything we say as gospel. Do not come to our homes with pitchforks because you lost money by listening to us. We only share with you what we are learning and what we are investing in. We will never "pump or dump" any cryptocurrencies. Take what we say with a grain of salt. You must research this stuff on your own!
Just know that we will always strive for RADICAL TRANSPARENCY with any show associations. Support the show: https://badcryptopodcast.com See omnystudio.com/listener for privacy information.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Tuesday, September 9th, 2025: Major npm compromise; HTTP Request Signature

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Sep 9, 2025 8:44


Major npm compromise A number of high-profile npm libraries were compromised after developers fell for a phishing email. This compromise affected libraries with a total of hundreds of millions of downloads a week. https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y https://github.com/orgs/community/discussions/172738 https://github.com/chalk/chalk/issues/656#issuecomment-3266894253 https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised HTTP Request Signatures It looks like some search engines and AI bots are starting to use the HTTP request signature. This should make it easier to identify bot traffic. https://isc.sans.edu/diary/HTTP%20Request%20Signatures/32266