Diego Sapriza

When you are cheering on your daughters soccer theme and you don't know the exact terms in English... So you vibe-code an app on your phone. #googleaistudio #gemini

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

@nicobistolfi yeah yeah.. upsi

🚨 Someone just made our internal tooling public… Runs our entire SDLC from GitHub / Linear issues using headless Claude Code + OpenAI Codex. …so I guess you can use it too now. ⭐️ appreciated github.com/aliengiraffe/v…

Ayer estuve conversando con estudiantes avanzados de ingeniería y licenciatura en sistemas de UDELAR y ORT. Fue una de esas charlas que, más que responder preguntas, te obliga a repensar qué es lo importante decir. No porque falte información sino porque estamos en un momento donde es fácil confundirse sobre qué significa realmente “estar preparado”. Vi talento, curiosidad, ganas de salir a hacer. Y al mismo tiempo, una sensación muy presente: ¿ya debería estar trabajando?, ¿qué debería estar aprendiendo?, ¿en qué enfocarme en medio de tanto cambio? Ahí fue donde me salió una reflexión casi inevitable. No desde la teoría, sino desde contraste. Porque cuando yo estudié, el mundo era radicalmente distinto. No había internet, no había web, no había celulares, no había SaaS. Ni siquiera había una GUI usable como la de hoy. Hasta cuarto de facultad no tuve computadora propia. Programaba en papel. Literal. Llené cuadernos enteros antes de poder ejecutar una línea. Y sin embargo, o quizás por eso, aprendimos algo más importante que cualquier tecnología: aprendimos a aprender. La universidad, en su esencia, no está para enseñarte herramientas. Está para darte estructuras mentales. Matemática. Probabilidad. Arquitectura. Sistemas operativos. Cómo escribir código, sí —pero como forma de pensar, no como fin. Ahora, para los que sienten que ya están listos para trabajar: Tienen razón… pero ojo con interpretar mal qué significa eso. La industria cada vez va a necesitar menos “coders” (entendidos como personas que traducen requerimientos a código). Pero ingeniería nunca fue eso. Entonces, ¿qué hacer? Primero: entiendan que el mundo está lleno de problemas. Y en lo digital, está lleno de problemas mal resueltos. Segundo: acérquense a esos problemas. Hablen con la gente. Escuchen. Entiendan el contexto real. Con gente que quizás tienen más cerca de lo que piensan. Tercero: incorporen lo nuevo, pero con criterio: •entiendan lo básico de Generative AI •construyan su primer agente •comprendan sistemas distribuidos •lean algo de robótica •aprendan UX (arquitectura, interacción, visual) Cuarto: salgan de su burbuja. Hablen con gente de otras facultades. Los problemas reales no vienen separados por carreras. Y quizás lo más importante: No se enamoren de herramientas. El ecosistema cambia. Siempre. Enamórense de problemas. Después de uno. Después de otro. Tienen algo que muchos perdemos con el tiempo: tiempo para explorar. Úsenlo. Porque si realmente aprenden a aprender, esta no va a ser “la revolución de su carrera”. Va a ser la primera de muchas. Si llegaste hasta acá , gracias , realmente lo escribí yo y lo formateo y acomodo ChatGPT , espero les sirva. By the way en la Charla si usamos varias cosas de moda Claude, Gemini, OpenAi , SeeDance, Sumo y Eleven, Clawds y otras, pero nada de eso fue la esencia .

I'm back nominal.dev

@BryanMigliorisi you can ask it to record a gif

Not sure why I've never seen this before but having Claude Code desktop app run an embedded chrome browser, control it, take screen shots is an incredible feature that helps it debug things even more quickly.

Well this is going to be fun.

Software engineering changed more in the last 3 months than the preceeding 30 years. Everything about running a software company needs to be rethought from first principles.

@BryanMigliorisi Yeah, it's very useful for testing/validation. It can record GIFs, too, if you ask for it.

@Minucha01 @frascafrasca Lo que yo recomiendo a los gurises es arrancar urgente a usar IA para armar cualquier proyecto. Es una herramienta como cualquier otra y este es el momento de aprender (está verde). El ecosistema de AI es muy complejo: hablar con chatgpt para hacer algo es la punta del iceberg.

@frascafrasca Y ahora que hace mi hijo programador junior que busca trabajo ? Terminó hace poco y realmente le gusta 🥺

Desde hace un año que tengo varios proyectos de software que intento realizar usando IA. Invariablemente, la IA encontraba un problema que no podía solucionar. Entonces, esperaba unos meses a que saliera un mejor modelo y avanzaba un poco más. Esta semana, luego de un año de

POV: February 2026

Learning: Do your agent stuff in a tmux session to prevent your terminal from closing and losing your work. #auch

@rauchg using git worktrees for each subagent.

The new engineering is building the agents that "take your job", but now do it at 100x the scale. Agents give developers horizontal scalability. The simple version of this is Ghostty splits and tabs, 𝚝𝚖𝚞𝚡 sessions and the like, running CLI agents in parallel. Skills and MCPs help you direct the behavior of these agents. Sandboxes give the ultimate leverage: ~infinite parallelism, run while you sleep, on PRs, when an incident is filed, a customer reports an issue… Automating the full product development loop is now your job, and your edge.

Having ADD while running multiple agents feels like hosting 7 meetings in your own brain. Everyone needs something. Nobody waits for their turn. I opened Slack and forgot why. #vibecoding #agents #fun #add

every tech guy you know working on their @openclaw "productivity" system right now

@thiagoghisi @openclaw I did the same.. this is going to be nuts.

After 3 months of intense Claude Code usage on Obsidian putting all my second brains across all my areas of life together into a single MD repo, I just officially pulled the trigger on @openclaw.

What are the Recurring Expectations for Achieving Staff-Plus Level Across Tech Companies, and Where do Senior Engineers Most Often Fall Short? These are the 3 things I found that, if you do consistency, will make you golden as a Staff-Plus Engineer at pretty much any company. These are also the 3 most common expectations I have seen across the board for Staff Engineers. And by coincidence or not, these are also the 3 things I've seeing struggling Senior Engineers completely neglecting or being completely unaware of. Here is my answer based on my last 8 years of experience on the Management track both as an EM and as a Director. 1️⃣ Blast radius: There is this idea that you need to have a wide impact. As a staff, the impact should go beyond a single group or beyond a single project. There is, on the other side, this idea that you should be technically excellent. You should go deep, and you're the person that knows the most about the topic. (Side-note: @alexewerlof wrote a fantastic article on this called "Beyond Staff Engineer") I actually believe the mistake a lot of people make is that they go so deep on the technical expertise that they forget the organizational surface expectation, or what I call the blast radius of impact of what they are doing. In my view, yes, technical depth is important. We're going to see on part two of my talk, on the behaviors on why that's important. But, where I see a lot of people dropping the ball is on the blast radius, in terms of impacting the broad organization. The reason why I chose blast radius, and not only like high impact, is because there are different shapes of blast radius. You can have an impact on something that's deep, something that almost changes how a product line works. Or, you can create a new platform, a new library or something that is going to make everybody else more productive, all the engineers are going to know who you are or the tool, the innovation you made. Blast radius is the thing that you have to keep in mind in this expectation for staff-plus. If you are working on a project that's only affecting a single repo, and not everybody is or will be knowing about that thing soon, is usually a red flag. On High-Blast Radius, I honestly don't care how technical you are; I care about the blast radius impact of what you work on. It can be a blast radius that is super wide and affects the whole company, or it can be super deep in one area that almost revolutionizes how the product or the product line operates and has profound implications on that particular business area. On both angles, that impacted the company as a whole if you were able to fundamentally change how things were done in a product or product line; although your impact can be considered contained in that area, it impacted the revenue or the cost structure or the customer experience of the whole company. So keep that in mind; even small but deep blast radii are high-blast radii if you look from business eyes into that. ...continue... 🧵

What's your purpose: to solve problems or to code?

> The question is no longer ‘Can I ship this?’. It’s ‘Should I?’, and ‘What else could I build?’ Agree with @thiagoghisi on this. This is what I'm been thinking after developing 3 personal software with cursor / antigravity x.com/thiagoghisi/st…