Arman
813 posts
@codingwitharman
Principal Engineer @SomethingsLabs
Clouds · Joined April 2020
160 Following · 44 Followers

Pinned Tweet
Arman
Arman@codingwitharman·
We had this one query on prod that just refused to behave. It processed survey responses and user engagement data. Worked fine in staging. On prod? Took 20+ mins. Sometimes just got cancelled. Also raising the CPU to 99% (and we are talking about RDS xlarge here)
English
1
1
4
574
Arman
Arman@codingwitharman·
Working with @posthog's node sdk is a torture that I would not want even my enemies to endure
English
1
0
0
27
Arman retweeted
dax
dax@thdxr·
wait does gooning not mean coding?
English
82
21
647
54.6K
Arman retweeted
Theo - t3.gg
Theo - t3.gg@theo·
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
English
352
1K
6.9K
769.2K
Arman retweeted
Seb ⚛️ ThisWeekInReact.com
Seb ⚛️ ThisWeekInReact.com@sebastienlorber·
TL;DR for open-source maintainers
🚫 NEVER use "pull_request_target" workflows
🚫 NEVER use shared caches in your publish pipeline
Combining these 2 in particular is extremely dangerous
I've repeated this countless times over the years, but another reminder is always useful
Seb ⚛️ ThisWeekInReact.com tweet media
TANSTACK@tan_stack

SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.

Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.

English
25
221
1.7K
204.5K
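The advisory quoted above gives one concrete indicator (a git-resolved optionalDependency named "@tanstack/setup" pointing at "github:tanstack/router#<commit>") and names the delivery path: a git-resolved package runs its own prepare script at install time. The following is an added example, not tooling from TanStack, npm or anyone quoted on this page, that checks a package.json for that exact indicator and, more generally, reports every dependency resolved from a git source rather than the registry, in both the manifest and a v2/v3 package-lock.json. The advisory truncates the commit hash ("79ac49ee..."), so the match is on package name and repository prefix, not on a full hash; the sample manifests, the version numbers in them and the PLACEHOLDER_COMMIT value are constructed.

```python
"""Scan npm manifests and lockfiles for git-resolved dependencies and for the
TanStack compromise indicator from the advisory.

Added example; not TanStack's or npm's code. Sample inputs are constructed.
"""
import json
import re

# Indicator taken from the advisory: package name plus git source prefix.
# The commit hash is only shown truncated there, so it is not matched on.
INDICATOR_DEP = "@tanstack/setup"
INDICATOR_PREFIX = "github:tanstack/router#"

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# npm also accepts the bare shorthand "owner/repo[#ref]", which resolves to GitHub.
_GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")
_GIT_PREFIXES = ("github:", "gitlab:", "bitbucket:", "gist:", "git:", "git+")


def is_git_spec(spec: str) -> bool:
    """True if a version spec resolves to a git source instead of the registry.
    Registry ranges ("^1.2.3"), aliases ("npm:..."), local paths ("file:...")
    and tarball URLs are not git sources."""
    if spec.startswith(_GIT_PREFIXES):
        return True
    return bool(_GITHUB_SHORTHAND.match(spec))


def find_git_resolved(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (section, name, spec) for every git-resolved dependency in a
    package.json-style dict. Any such entry can run a prepare script on install."""
    hits = []
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if isinstance(spec, str) and is_git_spec(spec):
                hits.append((section, name, spec))
    return hits


def has_tanstack_indicator(manifest: dict) -> bool:
    """The exact indicator from the advisory: optionalDependencies carries
    "@tanstack/setup" pointing at github:tanstack/router#<commit>."""
    spec = manifest.get("optionalDependencies", {}).get(INDICATOR_DEP, "")
    return isinstance(spec, str) and spec.startswith(INDICATOR_PREFIX)


def scan_manifest(manifest_json: str) -> dict:
    """Parse a package.json and report the indicator match plus all git sources."""
    manifest = json.loads(manifest_json)
    return {
        "compromised": has_tanstack_indicator(manifest),
        "git_resolved": find_git_resolved(manifest),
    }


def scan_lockfile(lock_json: str) -> list[tuple[str, str]]:
    """Lockfile v2/v3 'packages' entries record the fetch location in 'resolved';
    git sources appear there as git+... URLs (assumption about npm's lockfile
    format, not taken from the advisory). Returns (path, resolved) pairs."""
    lock = json.loads(lock_json)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved", "")
        if isinstance(resolved, str) and resolved.startswith("git+"):
            hits.append((path, resolved))
    return hits


# Constructed samples: a clean manifest, one carrying the advisory's indicator,
# and a lockfile with one registry entry and one git-resolved entry.
CLEAN_MANIFEST = json.dumps({
    "name": "example-app",
    "dependencies": {"@tanstack/react-router": "^1.0.0"},
})

COMPROMISED_MANIFEST = json.dumps({
    "name": "@tanstack/example-package",
    "version": "0.0.0",
    "optionalDependencies": {
        "@tanstack/setup": "github:tanstack/router#PLACEHOLDER_COMMIT"
    },
})

CONSTRUCTED_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/@tanstack/setup": {
            "resolved": "git+ssh://git@github.com/tanstack/router.git#PLACEHOLDER_COMMIT",
        },
    },
})

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("compromised", COMPROMISED_MANIFEST)):
        print(label, scan_manifest(text))
    print("lockfile git sources:", scan_lockfile(CONSTRUCTED_LOCKFILE))
```

Run it against a real checkout by reading package.json and package-lock.json into scan_manifest and scan_lockfile; a non-empty git_resolved list is worth a look even when the TanStack indicator itself is absent, since that is the class of dependency the advisory's delivery path relies on.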
Arman retweeted
Sergey Nazarov
Sergey Nazarov@sergeynazarovx·
We used to go to a special website, ask strangers for help with programming, and get humiliated in return
Sergey Nazarov tweet media
English
303
3.5K
39.4K
860.8K
Arman retweeted
Arpit Bhayani
Arpit Bhayani@arpit_bhayani·
Working with people is hard, but making them prioritize your work is even harder. Hence, one of the key skills you have to build is getting things done by others. Ensuring things get done without nagging, micromanaging, or offending the people is an art.

I have led many cross-functional teams at Practo, Unacademy, and Google. Here are a few actionable insights

1. be empathetic to others' priorities, as they might have competing tasks

2. phrase your follow-up messages in a way that shows you value their time

A well-written message signals that you are not just asking for a status, but also offering support to make progress, something like

"""
Hi [name], just checking if there is an update on [task]. I know you are busy, so let me know if there is anything I can do to help.
"""

3. space out follow-ups, and give people enough breathing room to act

4. build strong relationships with your peers

Remember, people naturally prioritize tasks for those they respect and enjoy working with. Invest in building these relationships by acknowledging their contributions in public forums like meetings.

When I was a Platform Engineer at Practo, on day 1, I was told to be friends with everyone, and a few months later, I realized why. I learned that people will help you, not because they have to, but because they value your partnership. This stays true in any role.

5. escalations should feel like collaboration, not confrontation.

Sometimes, despite your best efforts, a task gets stuck. In such cases, start with direct communication and clarify expectations and blockers with the individual. If things still do not move, loop in a senior, but frame the escalation not as a complaint but as a team effort to unblock the work. For example,

"""
Hi [senior], I wanted to bring this to your attention since [task] is crucial for [goal]. [Name] and I have discussed this, but we are still facing [specific issue]. Could you help us figure out the next steps?
"""

6. people do what gets tracked, so make sure that regular status checks are brought up during common meetings, or periodically over async platforms like Slack and Teams.

But irrespective of all the above points, there is one thing that matters the most. After someone helps, do not just move on; thank them meaningfully. Public appreciation in a team call, a quick Slack shoutout, or even a private note goes a long way. When people feel valued, they are more likely to go out of their way to help you or prioritize your work.

Hope this helps.
English
18
28
463
21.8K
Arman retweeted
International Cyber Digest
International Cyber Digest@IntCyberDigest·
‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads. The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate. Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.
International Cyber Digest tweet media
English
138
956
6.4K
1.5M
Arman
Arman@codingwitharman·
@RhysSullivan @EffectTS_ Still learning it, our codebase is huge and can't introduce something like effect without getting alignment with the team. Loving it so far in all the small apps I made using it though
English
0
0
0
36
Rhys
Rhys@RhysSullivan·
With agents writing code I’ve become more bullish than ever on Effect and the problems it solves If you’re not using it, I’m curious on why and what you’re using instead to solve the same challenges - interested to see what the ecosystem looks like
English
61
12
425
56.1K
Arman retweeted
Arpit Bhayani
Arpit Bhayani@arpit_bhayani·
If someone is waiting on you for a code review, that has to be your P0 task. Look, waiting on a code review is one of the most frustrating things because the person is literally blocked on you. It gets even worse when there is a time zone difference to deal with. I get it. You do not have malicious intent and are genuinely busy with something important. But still, I would say it is a prioritization problem. Most people treat code review as something they get to when they have a quiet moment, and that quiet moment rarely comes. Coming from my personal pain point, I would say treat code review as a high-priority task, not a background one. If your teammate has raised a PR and you are the reviewer, that is important work in progress sitting idle. Every hour it waits is an hour of 'blocked momentum' (yeah, fancy term). Also, it is okay to preempt your non-urgent work for it. This matters even more across time zones because a delayed review does not cost an hour; it costs an entire working day for the other person (ohhh, this used to be such a pain). So the next time you see a PR sitting there, wrap up the review, because it is not "someone else's work"; it is yours. Hope this helps.
English
41
34
708
43K
Arman retweeted
Corey Quinn
Corey Quinn@QuinnyPig·
"AI code is crap." The shit your human engineers get up to:
Corey Quinn tweet media
English
187
724
16.1K
715K
Arman retweeted
Arpit Bhayani
Arpit Bhayani@arpit_bhayani·
Most of us review code in the wrong order. We spot a missing test or a style inconsistency before even asking whether the code is correct. We should think about it differently. The first question should always be: Does this code do what it is supposed to do? If the answer is no, nothing else matters. Style, structure, tests - all secondary to correctness. Once you are confident it is correct, ask if it is clear. Can someone else (or you, six months from now) understand what is happening and why? Clarity in code helps ensure it does not become a liability. Then check whether it matches the style and conventions, because inconsistencies add cognitive load for everyone who reads the codebase afterward. After that, look for duplication. Is this solving a problem that is already solved somewhere else? Could this be a shared utility? Finally, ask whether it is well tested. Not just "are there tests" (nonsensical ones), but do the tests actually cover the meaningful cases? Correctness. Clarity. Style. Deduplication. Tests. In that order, every time. Hope this helps.
English
31
48
752
36.5K
Arman retweeted
The Smart Ape 🔥
The Smart Ape 🔥@the_smart_ape·
> be two researchers at wiz
> download github enterprise server (same code as github but runs locally)
> reverse-engineer the binaries with ai
> find that git push -o strings go straight into an internal header
> type a semicolon
> inject a fake git hook
> rce as the git service user
> find an enterprise-mode flag gating hooks on github. it's also injectable
> type another semicolon
> rce on github itself
> land on a shared node holding millions of private repos
> read someone else's repo
> get access to millions of private repos belonging to other users and orgs
> github patches the same day, en urgence
English
5
66
970
107K