Alexander Wagner 🇺🇦🦋

@dataenggdude I don't understand these kind of posts. The user interface is just different and it's not a replacement, it's a developer interface change. Just a different thing imo.

Why I'm replacing Polars with DuckDB open.substack.com/pub/dataengine…

Tendon pain is the most common reason people come to see me. Most of it is self-inflicted — from doing too much, too soon, or from doing too little for too long. Let's review what most people (including many doctors) don't understand about why tendons hurt and how to fix them. 🧵

Excellent course!

@AzureDevOps Much appreciated! Already using it.

Azure DevOps shipped a cleaner Markdown editing flow: • Large text fields now open in preview • Editing is explicit via the edit icon • No more surprise double‑click edits • Smoother read → edit → preview loop Blog: buff.ly/YuxFQGd

NEW paper from Google on multi-agent research agents. It's one of the first systems that handles end-to-end LaTeX generation, targeted literature reviews, and conceptual diagrams as a decoupled, standalone writer. Automated research frameworks can run experiments, but their writing modules remain the weakest link. Literature reviews are shallow, citations are sparse, and no system generates conceptual diagrams. This new research introduces a standalone writing framework that addresses all of this. PaperOrchestra is a multi-agent system that transforms unconstrained pre-writing materials, raw ideas, experimental logs, notes, into submission-ready LaTeX manuscripts. It uses specialized agents for deep literature synthesis, plot generation, conceptual diagram creation, and iterative refinement. The team also releases PaperWritingBench, the first standardized benchmark with reverse-engineered materials from 200 top-tier AI conference papers. Why does it matter? In side-by-side human evaluations, PaperOrchestra achieved absolute win rate margins of 50 to 68% in literature review quality and 14 to 38% in overall manuscript quality over autonomous baselines. Paper: arxiv.org/abs/2604.05018 Learn to build effective AI agents in our academy: academy.dair.ai

On April 8, 2022, nearly 4,000 people were at Kramatorsk railway station waiting for evacuation trains when Russia fired a Tochka-U missile loaded with cluster munitions into the crowd, killing 61 people, including 9 children, and injuring 121 others.

if you want to learn agent-first development from scratch, we just published the foundational series on how to do so with @code and GitHub Copilot. we cover: model picker thinking effort levels, tool call approvals, bypass/autopilot modes, inline diffs with per-edit keep/undo, checkpoint restore, session forking, context window management, agent debug logs, cloud agents and more! all here: aka.ms/vsc-learn youtu.be/uu4sf8z9n8c?si…

Trying to manage a budget when your team is jumping between OpenAI, Anthropic, and other providers is a massive headache. Since every provider has its own billing silo, you’re usually flying blind on total costs. 💰 With MLflow 3.11, we’ve added budget controls directly into the AI Gateway. You can now set clear spending limits and track exactly what’s being used across your entire organization from one spot. ✅ 🎥 Watch the full webinar to see how you can get your AI costs under control: youtube.com/live/8zBu8F6_f… #MLflow #AIGateway #CloudCosts #FinOps #LLM

We're releasing the PBIR CLI shortly in the next days (some late issues with the distribution). We already published the pbir-cli skill a few days ago to help testers and get it integrated with the plugins. github.com/data-goblin/po… But someone already capitalized on this - it strongly seems they pointed their agent at the skill and told it "make this" to slap together a CLI that works as the skill describes. They didn't even change the commands, flags, and even took the skills. They just shuffled skill content around in the markdowns, then published it on their own repo. Of course they didn't have the source code so what's behind it isn't comparable... we have a full schema-driven object model, for instance. We knew this would likely happen when I started sharing the plugins. We anticipated it; it's obvious - it's why we never bothered trying to commercialize this. It seemed almost inevitable. We didn't anticipate it would happen so quickly, though! The commit trail is literally 1-2 days apart. Better than hours I guess. This is just the way it is now. Anyone can just point their slopcannon at something shared and then copy it, make some noise, and benefit... in a matter of days or less. The work speaks for itself, but still - it's clear that whatever new era we're entering plays by some different rules.

I'm not sure what's going on with GitHub, but randomly cosing accounts (cant log in, all repos are not visible), after support told me today everything has been resolved and no reason what was wrong. This is now the second time in a couple of days. Is that the thank for sharing all my work on GitHub? Not sure what to think anyore..

[GitHub Repo] #PowerBI Agentic Development github.com/data-goblin/po… #MachineLearning #ChatGPT

EVoC is a library designed specifically for fast clustering of high dimensional embedding vectors. It can produce high quality clusters extremely efficiently, and requires little to no hyperparameter tuning. Better clustering than UMAP + HDBSCAN; faster clustering than KMeans.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

🚨 Microsoft just open sourced a voice AI that was too dangerous to keep live. They took it down. Added watermarks and safety controls. Then re-released it. For free. It's called VibeVoice. Microsoft's frontier open source voice AI. Clone any voice from 10 seconds of audio. Generate 90 minutes of multi-speaker conversation. Real-time streaming. All running locally on your machine. No ElevenLabs. No $99/month subscription. No per-minute pricing. Here's what this thing does: → Text-to-speech that sounds indistinguishable from a real human → Generate up to 90 minutes of audio in a single pass → 4 distinct speakers in one conversation with natural turn-taking → Clone any voice from just 10 seconds of audio → Real-time streaming TTS. First audio in ~200 milliseconds. → Speech-to-text that processes 60 minutes of audio in one pass → Identifies who said what and when. Speaker labels + timestamps. → Supports 50+ languages for transcription → Custom hotwords for names, technical terms, domain-specific accuracy Here's the wildest part: Give it a podcast script. It generates a full multi-speaker conversation that sounds like two real humans talking. Natural pauses. Emotional nuance. Turn-taking. 90 minutes. One command. Microsoft had to take this repo down once because people were misusing it for deepfakes and disinformation. They brought it back with embedded watermarks, audio disclaimers, and safety controls. That's how powerful this is. A $3 trillion company built it. Released it. Pulled it. Fixed it. And gave it back to the world. ElevenLabs: $99/month. Play.ht: $39/month. Amazon Polly: pay per character. This: Free. Local. MIT License. 23.5K GitHub stars. 2.6K forks. Backed by Microsoft Research. 100% Open Source.

- Drafted a blog post - Used an LLM to meticulously improve the argument over 4 hours. - Wow, feeling great, it’s so convincing! - Fun idea let’s ask it to argue the opposite. - LLM demolishes the entire argument and convinces me that the opposite is in fact true. - lol The LLMs may elicit an opinion when asked but are extremely competent in arguing almost any direction. This is actually super useful as a tool for forming your own opinions, just make sure to ask different directions and be careful with the sycophancy.

@alexott_en Exciting. Thanks for your service :-)

It was a very busy week, but it was rewarding to see customers interest to it during the RSA...

For my friends who are still using UV and might be a little weary about recent compromises to PyPi packages, stick this in your pyproject.toml. You can let all of those pip users find and report the compromises...

Databases are arguably the most commonly used enterprise tool, and enterprises typically have many of them. Yet no popular AI agent benchmark actually tests how well agents can query, join, and make sense of data across different databases! So, we built DAB (Data Agent Benchmark): 54 queries, 12 datasets, 9 domains, and 4 database management systems, grounded in a formative study of real enterprise data agent workloads. The best frontier model only gets 38% pass@1 (across 50 trials). Lots of room for improvement!

Introducing TurboQuant: Our new compression algorithm that reduces LLM key-value cache memory by at least 6x and delivers up to 8x speedup, all with zero accuracy loss, redefining AI efficiency. Read the blog to learn how it achieves these results: goo.gle/4bsq2qI

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.