Philip Jennings

do this to protect yourself against supply chain attacks $ cat ~/.npmrc min-release-age=7 $ cat ~/.config/uv/uv.toml exclude-newer = "7 days"

For my friends who are still using UV and might be a little weary about recent compromises to PyPi packages, stick this in your pyproject.toml. You can let all of those pip users find and report the compromises...

@N3mes1s The thing is that: what do you want them to scan for? It's like virus scanners, easy to circumvent, especially if the attackers can also see those results.

I'm extracting some data to understand the sheer volume of the release hitting the package managers, at least starting with ONLY: python, rust, javascript. ~8100 hours. Will update more later with more observations.

@yifanlu @Hacker0x01 What the hell... This is just unacceptable, they are willingly exposing their users to complete compromise of the trust ecosystem.... Good for exposing them

Lmao @Hacker0x01 told me the backdoor was known "through internal security assessments" and they're "closing this report as out of scope". But now are pissed I disclosed it. Nobody should use this joke of a platform who put the interests of companies over that of users.

Why literally no one of the “scanning your dependencies” company found this in ~realtime and we had someone manually finding this because crashed the machine ? Something is wrong. Everyone is good writing after the fact.

🚨 Security Alert 🚨 The PyPI package litellm has been found to contain a malicious payload in versions 1.82.7 and 1.82.8. If you're using these versions, take immediate action to review and mitigate potential impact. More details will be shared soon.

Kubernetes starter pack: - CrashLoopBackOff - ImagePullBackOff - OOMKilled - Pod Pending - 502/503 via Ingress - RBAC Forbidden - ConfigMap Not Updating - DNS Lookup Failed Congratulations. You are now a DevOps engineer.

We've published a new blog post by RyotaK @ryotkak ! He exploited a directory deletion race condition in Google Cloud's Looker, leading to full RCE and K8s privilege escalation. Read the technical details here: flatt.tech/research/posts…

a hacker uses claude to find a bug -> reports it. the triager uses claude to validate it -> confirmed. the developer uses claude to verify, agrees -> patch shipped. and all of them did thier job except it wasn't a vulnerability, there was no job, all of them consulted one oracle to validate the information and had shared psychosis together because their source of information is one in different layers. now apply this everywhere, programming, governemnts, medicine, etc. different people asking the same oracle independently, and all grounding their reality to an LLM. there is a good chance whole new startups are in this shared delusion spinning out of these llms, even their customers using llm to make their buying decision. we once built religions out of information scarcity. now it seems we have information abundance but lacking comprehension, and we’re building new kind of religions?

Let’s be clear: @Hacker0x01 is using researchers’ work to train their AI and profit from it without consent. That’s not “innovation” — that’s exploitation. Our reports, our research, our time — turned into their product, while we get nothing. This violates client agreements. Vulnerabilities belong to the companies and the researchers — not HackerOne. Yet they’re monetizing it anyway. Layoffs, shrinking bounties, and now this? The platform is collapsing, and instead of fixing it, they’re squeezing the community that built it. Researchers made HackerOne. Programs trusted HackerOne. And now both are being treated like disposable data sources. If you’re a company, review your contracts immediately. If you’re a researcher, stop feeding them your work. HackerOne isn’t supporting the community anymore it’s exploiting it. And people are finally waking up. Many programs have already shifted to self-hosted , such as Salesforce. #BugBounty

Awesome CTO A great github repo full of resources for software engineers and aspiring CTOs: - Software Development Processes - Hiring for technical roles - Software Architecture - Product and Project Management - Career growth Check it here: github.com/kuchin/awesome…

Our Kubernetes cluster was eating $12k/month. Teams requested resources like this: - "I need 4 CPU and 8GB RAM" - Actual usage: 0.3 CPU and 600MB RAM We implemented: - Goldilocks for right-sizing recommendations - Vertical Pod Autoscaler in recommend mode - Monthly resource review meetings - Showback reports per team Result: - Cluster cost dropped to $4.8k/month - Same workloads, same performance - Teams now think about resources before requesting The fix wasn't Kubernetes. It was visibility.

Golang libraries I refuse to build backend systems without in 2026: 🔶 chi (or gin) = HTTP routing that stays out of your way 🔶 zap (or slog) = structured logging that won’t slow prod 🔶 validator/v10 = request validation that isn’t “if err != nil” spaghetti 🔶 sqlc = type-safe SQL without ORM magic 🔶 pgx = Postgres driver that actually performs 🔶 redis/go-redis = caching + rate limits + locks 🔶 grpc-go = service-to-service calls done right 🔶 protobuf = contracts that don’t break silently 🔶 go-playground/middleware patterns = timeouts, recover, request IDs 🔶 prometheus/client_golang = metrics you can alert on 🔶 OpenTelemetry (otel) = tracing when “it’s slow sometimes” happens 🔶 testify = tests that don’t make you cry 🔶 mockery = sane mocking for interfaces 🔶 uber-go/fx (optional) = DI when the codebase gets big 🔶 golangci-lint = one command to keep code quality honest Which 3 Go libs are non-negotiable for you?

Let me tell you a story. A mid-sized company. 500 employees. They had all the security boxes checked. Two-factor authentication on everything. Regular security training. Passed all their audits. Their security chief was confident they were protected. Then one Tuesday morning, their entire customer database showed up on the dark web. The investigation took weeks. Nobody clicked a phishing link. No passwords were stolen. No employee did anything wrong. So what happened? They found a digital account created back in 2019 by a developer named Sarah. She left the company in 2020. Nobody disabled her account. Nobody changed its password. For four years, it just sat there with full access to their production systems. The hacker didn't need to trick anyone. They found an access key Sarah accidentally left in public code online back in 2019. That key still worked. Game over. Here's what's wild: When they did a full audit, they found 847 of these digital accounts. Over 400 hadn't been used in over a year. 67 belonged to people who no longer worked there. Nobody even knew what most of them were for. We spend all our energy protecting people. Training employees not to click suspicious links. Adding security checks at every login. But what about all the automated systems running in the background? The digital accounts that connect your apps, run your services, sync your data? There are roughly 46 of these for every single employee in most companies. Most have way more access than they need. Most never expire. And most companies have no idea where they all are. From what I see in security assessments, this is where breaches actually happen now. Not from someone falling for a scam. From a forgotten digital account that's been sitting there for years with keys to the kingdom. We're trying to manage thousands of digital identities with tools built for managing people. And hackers know it. They're not trying to fool your employees anymore. They're just looking for the back doors nobody's watching. That company's breach cost them over $4 million. Fines. Legal fees. Customer notifications. Reputation damage. All because of an account nobody remembered and a key left in public code. If there's one thing to take away: those automated accounts and access keys running your systems in the background? They're probably your biggest security risk. And most organizations aren't even tracking them. Time to start paying attention to the machines, not just the people.

Fun fact: OpenAI handles 800 million users on ChatGPT with just one PostgreSQL primary and 50 read replicas 🤯 Today, OpenAI published an engineering blog explaining how they scaled their Postgres setup to support a massive 800 million users using a single primary and 50 multi-region replicas. They dive into details around their scaling approach, the PgBouncer proxy, cache locking, and cascading read replicas. It is genuinely neat and impressive. I just published a video on my YouTube channel where I dissect the blog and break down the nuances. Give it a watch - it is short and fun.

If you have 2+ years exp in Go. Don’t skip these 6 concurrency problems 1. Producer–Consumer : Use chan (buffered/unbuffered) + context for cancellation. 2. Print 1–100 (2 Goroutines) : Alternate with two channels (ping/pong) or a sync.Cond. 3. Print “ABCABC...” : Sync 3 goroutines using 3 channels in a ring (A -> B -> C -> A). 4. Custom Worker Pool : Build with jobs chan, N workers, WaitGroup, and a results chan. 5. Deadlock Scenario : Simulate with two goroutines + two locks, prevent via lock ordering / “single owner goroutine” pattern. 6. Rate Limiter : Token bucket with time.Ticker + buffered channel, or golang.org/x/time/rate.

Hacking a GraphQL API but introspection is disabled? Clairvoyance, a tool by @_nikitastupin, can reconstruct GraphQL API schema even if the introspection is disabled.  For installation and usage 👇 github.com/nikitastupin/c…

golang is killing it for cloud-native services. try building a rate limiter or worker queue to grasp concurrency; it's practical and companies love it.