David Winer (@davidjwiner)
948 posts
GTM agents @GetCiro (YC S22)
San Francisco, CA · Joined June 2009
1.1K Following · 1K Followers
David Winer reposted
Theo - t3.gg (@theo):
Fun fact - if you have a recent commit that mentions OpenClaw in a json blob, Claude Code will either refuse your request or bill you extra money. This is an empty repo, I'm just calling Claude Code directly. Insanity.
David Winer reposted
Andrew Kaczynski (@KFILE):
Oh my God
David Winer (@davidjwiner):
Not good
Quoting Feross (@feross):
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
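A lockfile audit in the spirit of the advice above ("pin your version and audit your lockfiles"), as an added example that is not code from the original post, from Socket, or from the axios project. It parses the `packages` map that a lockfileVersion 2 or 3 `package-lock.json` carries, reports any package from a blocklist found anywhere in the tree (including nested `node_modules` copies), and checks that named packages sit at exactly the version you pinned. The sample lockfile is constructed for this example; only the package names and versions come from the post, and the function names are my own.

```python
"""Audit an npm package-lock.json for unexpected packages and unpinned versions.

Added example (not code from the original post or from the axios project).
Lockfile versions 2 and 3 store every installed package under "packages",
keyed by its path, e.g. "node_modules/axios" or
"node_modules/foo/node_modules/bar" for a nested duplicate.
"""
import json
from collections import defaultdict

# Constructed sample: axios bumped to the version the post calls out, which
# in turn pulls in the newly published dependency. Not a real lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
            "dependencies": {"plain-crypto-js": "4.2.1"},
        },
        "node_modules/plain-crypto-js": {
            "version": "4.2.1",
            "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
        },
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})


def installed_versions(lock_text):
    """Map package name -> set of versions present anywhere in the tree."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    found = defaultdict(set)
    for path, entry in lock["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # The name is everything after the last "node_modules/" segment,
        # which keeps scoped names such as "@scope/pkg" intact.
        name = path.rsplit("node_modules/", 1)[-1]
        found[name].add(entry.get("version", "?"))
    return dict(found)


def audit(lock_text, blocklist=(), expected=None):
    """Return findings: blocked packages present, and pins that do not match.

    blocklist: package names that must not appear anywhere in the tree
    expected:  {name: exact_version} pins that the installed tree must match
    """
    versions = installed_versions(lock_text)
    findings = []
    for name in blocklist:
        if name in versions:
            findings.append(f"blocked package present: {name}@{','.join(sorted(versions[name]))}")
    for name, pin in (expected or {}).items():
        got = versions.get(name)
        if got is None:
            findings.append(f"pinned package missing: {name}")
        elif got != {pin}:
            findings.append(f"{name} is {','.join(sorted(got))}, expected {pin}")
    return findings


if __name__ == "__main__":
    # "0.0.0-placeholder" stands in for whatever version you have vetted.
    for line in audit(SAMPLE_LOCK, blocklist=["plain-crypto-js"],
                      expected={"axios": "0.0.0-placeholder"}):
        print(line)
```

For a real project, pass `open("package-lock.json").read()` instead of `SAMPLE_LOCK`; a non-empty result is a reason to stop the install, not a reason to run `npm update`. The blocklist check is deliberately tree-wide because a dropper pulled in three levels deep is as live as a direct dependency.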
David Winer reposted
Daniel Hnyk (@hnykda):
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.
David Winer reposted
Andrej Karpathy (@karpathy):
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Quoting Daniel Hnyk (@hnykda):
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.
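The hook both posts above describe is a `.pth` file: Python's `site` module reads every `*.pth` file in site-packages when the interpreter starts, and any line that begins with `import ` (or `import` followed by a tab) is executed as code rather than treated as a path entry, so a file dropped there runs on every `python` launch, not just on `import litellm`. The scanner below is an added example, not code from the posts or from the litellm project: it lists the executable lines of each `.pth` file, flags tokens such as `exec(` and `b64decode`, and decodes any base64 literal for inspection without ever executing it. The sample `.pth` contents are constructed (the encoded payload is a harmless `print`), and the function names are my own.

```python
"""Find .pth files that would execute code at interpreter startup.

Added example, not code from the posts above or from the litellm project.
site.addpackage() exec()s every line of a .pth file that starts with
"import " or "import\\t"; everything else is treated as a directory to add
to sys.path. This scanner only reads and decodes; it never runs a line.
"""
import base64
import binascii
import os
import re
import site
import tempfile

# Tokens that rarely belong in a legitimate path-hook .pth line.
SUSPICIOUS = ("exec(", "eval(", "b64decode", "compile(", "subprocess", "socket", "urlopen")
# A quoted run of base64 alphabet characters long enough to carry code.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{16,})['\"]")

# Constructed samples. A normal .pth just lists directories; the second file
# mimics the pattern described in the posts, but its payload is harmless.
BENIGN_PTH = "/usr/lib/python3/dist-packages\n"
HARMLESS_CODE = base64.b64encode(b'print("constructed sample")').decode()
SAMPLE_PTH = f"import base64; exec(base64.b64decode('{HARMLESS_CODE}'))\n"


def executable_lines(pth_text):
    """Lines that site.addpackage() would exec() rather than add to sys.path."""
    return [line for line in pth_text.splitlines()
            if line.startswith(("import ", "import\t"))]


def decoded_literals(line):
    """Base64 literals found in the line, decoded for inspection only."""
    results = []
    for lit in B64_LITERAL.findall(line):
        try:
            results.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not valid base64; leave it out rather than guess
    return results


def scan_pth_text(name, pth_text):
    """Findings for one .pth file: one record per executable line."""
    findings = []
    for line in executable_lines(pth_text):
        findings.append({
            "file": name,
            "line": line,
            "suspicious_tokens": [tok for tok in SUSPICIOUS if tok in line],
            "decoded": decoded_literals(line),
        })
    return findings


def scan_directory(directory):
    """Scan every *.pth in one directory, e.g. an entry of site.getsitepackages()."""
    findings = []
    for fname in sorted(os.listdir(directory)):
        if fname.endswith(".pth"):
            path = os.path.join(directory, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_pth_text(fname, fh.read()))
    return findings


def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "easy-install.pth"), "w") as fh:
            fh.write(BENIGN_PTH)
        with open(os.path.join(d, "sample_init.pth"), "w") as fh:
            fh.write(SAMPLE_PTH)
        return scan_directory(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # Then the real thing: every site-packages directory of this interpreter.
    for sp in site.getsitepackages():
        if os.path.isdir(sp):
            for finding in scan_directory(sp):
                print(finding)
```

Some legitimate packages (editable installs, a few import hooks) do ship a `.pth` with an `import` line, so treat the output as a review list rather than a verdict; what matters is whether the decoded text is something you recognise. Running this inside CI against a freshly built virtualenv catches the startup-hook variant of the attack before any credential-bearing job runs.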
Chris Ford (@chrisgford):
@davidjwiner and @GetCiro have officially made Cursor for Prospecting. I'm just sitting here watching my agent find QUALIFIED prospects, and it's WORKING HARD. THIS IS INSANE!!
David Winer reposted
Michael Seibel (@mwseibel):
Matt Mahan. Finally someone who is straightforward, honest, and smart, working hard for all Californians. Support him for Governor of California and help him get our state back on the right track.
Quoting Mayor Matt Mahan (@MattMahanSJ):
.@ZohranKMamdani and I have something huge in common — we’re both entirely focused on making life better for working people. We have very different ideas on how to do that, but I think that’s the sign of a healthy democracy: the ability to disagree civilly, debate thoughtfully, and grapple with the fact that what we’ve been doing isn’t working — even, and perhaps most importantly, when you come from the same political party. I love New York, but I’m happy to be on a flight home right now — because California, we have a whole lot of work to do.
David Winer (@davidjwiner):
everyone hating on MCP just hasn't implemented tool search correctly in their agent harness
Garry Tan (@garrytan):
MCP sucks honestly. It eats too much context window, you have to toggle it on and off, and the auth sucks. I got sick of Claude in Chrome via MCP and vibe coded a CLI wrapper for Playwright tonight in 30 minutes, only for my team to tell me Vercel already did it lmao. But it worked 100x better and was like 100 LOC as a CLI.
Quoting Morgan (@morganlinton):
The cofounder and CTO of Perplexity, @denisyarats just said internally at Perplexity they’re moving away from MCPs and instead using APIs and CLIs 👀
David Winer (@davidjwiner):
whoever put together this NYT graphic and didn't include Matt Mahan 😭
David Winer (@davidjwiner):
Has anyone ever successfully gotten a response from @inngest? Started using it to power our agents a month ago but are having huge reliability issues and can't get through to their support team.
David Winer (@davidjwiner):
.@thdxr @opencode do you plan to offer an SDK for building OpenCode-based agents? (Similar to the Claude Agent SDK) All the existing options are either bad (LangChain) or lock you into one model (Claude Agent SDK)
David Winer (@davidjwiner):
there is so much alpha in having fast CI right now
David Winer reposted
Bun (@bunjavascript):
am i a supply chain risk now???