Brian Clark

FYI:🟦☁️ 👉 @clarkio.com

@LawrenceDCodes @tdesseyn I’m with you. If we’re talking strictly offline I might tinker but still wouldn’t give it full autonomy

@tdesseyn hard pass for me, no way. no thanks absolutely not under no conditions never. But have fun!

am i the only one that feels this at this point i would gladly give ai all my personal info so i can let it run tasks for my personal life ai is amazing at work but its only getting me 76% of the way there for what i need personally

Versions of - laravel-lang/lang - laravel-lang/http-statuses - laravel-lang/attributes - laravel-lang/actions have been published with malicious versions Packagist has unlisted the packages, but if you installed any of them between May 22–23, treat the environment as compromised

Your first instinct after getting hit by the TanStack npm attack is to revoke your GitHub token. Don't. The malware polls GitHub every 60 seconds. Gets a 401? It runs rm -rf ~/ Here's the right remediation order before you touch a single credential. youtu.be/YrwM2EFYrUY

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

A government contractor just leaked a ton of sensitive info including admin passwords for CISA's AWS GovCloud accounts - all to a public GitHub repo. CISA says they "hold our team members to the highest standards of integrity and operational awareness" Followed by evidence of them turning off basic GitHub defaults that would protect from publishing secrets. And dictionary passwords that were the name of the service + the year.

💥 Game changer for Web Development announced at GoogleIO- Modern Web Guidance! It’s expert-vetted skills for web development based on best practices of latest specs and APIs. It ensures your agent/coding harness doesn’t default to older and out of date patterns to build sites.

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

@onlylarp @mattjay @tuckner @SocketSecurity Beat me to it! Good call

@mattjay @tuckner @SocketSecurity No, use a PreToolUse hook, intercept all npm* commands and redirect to sfw npm. Most agent harnesses support hooks these days. Just ask claude to add the hook for you. #what-hooks-can-enforce" target="_blank" rel="nofollow noopener">agentpatterns.ai/verification/h…

Everyone using Claude code and/or Codex - how are you enforcing them to not pull in new/potentially malicious packages from npm or PyPi?

@mattjay @tuckner @SocketSecurity Hooks are deterministic and make sure what you want to happen, happens

@tuckner @SocketSecurity that the agents respect?

AI wanted to copy node_modules between two stages in a Dockerfile. One where devDeps are needed and one they're not (production). I called this out and it of course replied with "You're right — I should walk that back."

The timing of this is perfect. I just had a scenario where having learned something on my own helped me catch a bad suggestion by AI...

@wesbos I was thinking maybe if it got to a solution faster it might be less expensive

@_clarkio it would have been way more expensive with opus

Just realized I ran all of this with sonnet 4.6

More and more companies are deploying AI-generated code into production. Much of that code contains vulnerabilities. Making traditional AppSec struggle to keep up. @snyksec + @AnthropicAI's Claude = security at AI speed 👇 snyk.io/news/snyk-embe…

@nickytonline Same here!

Looking forward to chatting with @_clarkio today! Happening in 5 hours. Come hang with us! youtube.com/live/nt8KvxQiG…

@liran_tal I'm thinking about the monthly/annual subscriptions changing for them all. Do you think they'll move everything to usage based billing vs. subs?

@_clarkio Uhmmm, isn't the API per 1M token already the usage based pricing? I think GitHub is likely going to have to figure out pricing or some sort of limits around the GitHub core product (PRs, GitHub Actions etc)

Any guesses on when the same happens at Anthropic, OpenAI, Cursor? I think it's gonna be in the next 2-3 months. github.blog/news-insights/…

Here we go... x.com/github/status/…