Oliver Montes

8K posts

@devopensource

CTO - https://t.co/Y5tzLh08nF

Alicante, Spain. Joined January 2010
5.4K Following, 2K Followers
Oliver Montes retweeted
Andrej Karpathy @karpathy
New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads. Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned. It's possible to personally defend against these to some extent with local settings e.g. release-age constraints, or containers or etc, but I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies. More comprehensive article: stepsecurity.io/blog/axios-com…
Feross @feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware.

plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

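A defender-side check for the two problems raised in this thread, floating version ranges and a freshly published package being pulled in by a lockfile refresh. This is an added example, not code from either post; the package.json, lockfile and registry publish times are constructed, and the "release age" idea follows the local mitigation mentioned above.

```python
"""Audit an npm project for unpinned direct dependencies and for resolved
packages younger than a minimum release age. Added example; all data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# An exact version (optionally "=1.2.3"); anything else can float on install.
EXACT = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Constructed package.json: axios is declared with a caret range, so a fresh
# install resolves to whatever the newest 1.x is at install time.
PACKAGE_JSON = {"dependencies": {"axios": "^1.13.0", "left-pad": "1.3.0"}}

# Constructed package-lock.json (lockfileVersion 3 layout): axios resolved
# to 1.14.1, which pulled in the brand-new plain-crypto-js@4.2.1.
PACKAGE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": PACKAGE_JSON["dependencies"]},
    "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/left-pad": {"version": "1.3.0"}}}

# Constructed stand-in for the registry's per-version publish times (the "time"
# field of https://registry.npmjs.org/<name>); the dates are made up.
NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)
PUBLISH_TIMES = {
    "axios": {"1.13.5": NOW - timedelta(days=40), "1.14.1": NOW - timedelta(hours=3)},
    "plain-crypto-js": {"4.2.1": NOW - timedelta(hours=4)},
    "left-pad": {"1.3.0": NOW - timedelta(days=900)}}

def is_pinned(spec: str) -> bool:
    """True only for an exact version; ranges, tags and '*' float to latest."""
    return bool(EXACT.match(spec.strip()))

def audit(pkg, lock, times, now=NOW, min_age=timedelta(days=7)):
    """Return (kind, package, detail) findings for unpinned direct deps and
    for any resolved package, direct or transitive, younger than min_age."""
    findings = []
    for name, spec in pkg.get("dependencies", {}).items():
        if not is_pinned(spec):
            findings.append(("unpinned", name, spec))
    for path, meta in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project entry, not an installed package
        name, version = path.rsplit("node_modules/", 1)[1], meta["version"]
        published = times.get(name, {}).get(version)
        if published is None:
            findings.append(("unknown-publish-time", name, version))
        elif now - published < min_age:
            findings.append(("too-new", name, f"{version}, {now - published} old"))
    return findings
```

With the constructed data, `audit(PACKAGE_JSON, PACKAGE_LOCK, PUBLISH_TIMES)` flags axios as unpinned and both axios 1.14.1 and plain-crypto-js 4.2.1 as too new, while the pinned, long-published left-pad passes.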
Oliver Montes retweeted
Andrej Karpathy @karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk @hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to a remote server + self-replicate. Link below.

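The litellm_init.pth mechanism described above works because Python's site module exec()s any .pth line that begins with "import". A quick inventory of which .pth files in the active interpreter do that is a cheap post-install check; this is an added example, not code from either post, and the sample .pth contents are constructed stand-ins rather than the real litellm_init.pth.

```python
"""Inventory the .pth files in the active interpreter's site-packages and flag
those that execute code on every interpreter start. Added example; the sample
.pth contents are constructed stand-ins, not the real litellm_init.pth."""
import re
import site
from pathlib import Path

# site.py runs a .pth line through exec() when it starts with "import";
# every other line is just appended to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")
# Tokens that rarely belong in a legitimate path hook but are typical of a
# loader: decoding, dynamic code, process spawning, network access.
SUSPICIOUS = re.compile(r"\b(base64|exec|compile|subprocess|socket|urllib|"
                        r"requests|os\.system|popen|marshal|zlib)\b")

# Constructed samples: a normal editable-install entry and a loader-style hook
# (PAYLOAD_PLACEHOLDER stands in for an encoded blob; nothing here is run).
SAMPLE_BENIGN = "/home/dev/src/mypkg\n"
SAMPLE_LOADER = "import base64,os;exec(base64.b64decode(PAYLOAD_PLACEHOLDER))\n"

def scan_pth_text(name: str, text: str):
    """Return (file, line_no, severity, line) for each executable line;
    severity is 'suspicious' when loader-style tokens appear, else 'exec'."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not EXEC_LINE.match(line):
            continue
        sev = "suspicious" if SUSPICIOUS.search(line) else "exec"
        findings.append((name, no, sev, line.strip()))
    return findings

def scan_site_packages(dirs=None):
    """Scan every *.pth under the given site dirs (default: the interpreter's)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in filter(Path.is_dir, map(Path, dirs)):
        for pth in sorted(d.glob("*.pth")):
            findings += scan_pth_text(str(pth), pth.read_text(errors="replace"))
    return findings

if __name__ == "__main__":
    hits = scan_site_packages()
    for hit in hits:
        print(*hit)
    print(f"{len(hits)} executable .pth line(s); review every 'suspicious' one")
```

Legitimate tools (editable installs, some coverage and import hooks) also ship "import" lines, so an 'exec' hit is a review item, not a verdict; a 'suspicious' hit in a freshly installed package deserves a look before the next interpreter start.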
Oliver Montes @devopensource
Spain 🇪🇸 vs Serbia 🇷🇸
Oliver Montes @devopensource
@juanmacias The use of AI is already normalized, Juan; anyone still in the criticism phase is late 😅. That said, some things don't change, like an app being enterprise ready, which takes much more than 24h, but that's a matter of time and configuration. Very good, though 👏
juanmacias 🏳️‍🌈 @juanmacias
One more example. Project built in 24 hours with Claude Code. A "standard" team of PM, UX, Dev, etc. would take 5-6 months. Show me the code => here you have it: desksupportmonkey.com Now criticize me. I'm sure it fails and you'll find more than one error.
Oliver Montes retweeted
Arpit Bhayani @arpit_bhayani
Fun fact: OpenAI handles 800 million users on ChatGPT with just one PostgreSQL primary and 50 read replicas 🤯 Today, OpenAI published an engineering blog explaining how they scaled their Postgres setup to support a massive 800 million users using a single primary and 50 multi-region replicas. They dive into details around their scaling approach, the PgBouncer proxy, cache locking, and cascading read replicas. It is genuinely neat and impressive. I just published a video on my YouTube channel where I dissect the blog and break down the nuances. Give it a watch - it is short and fun.
Oliver Montes retweeted
Saul @Saulgmz_
🟠 You can now connect Supabase to Levante in just a couple of clicks. Thanks to OAuth integration, setting up your backend is now: -> Fast -> Secure -> Zero manual configuration Less friction. More building. 💙 Levante is open source — contributions, feedback, and stars are welcome. --> Github repo: github.com/levante-hub/le… --> web: levanteapp.com
Oliver Montes retweeted
Saul @Saulgmz_
Launching this Thursday, Nov 6, 2025 → Levante v1.3 open beta A local MCP client that makes MCPs practical for developers. Local-first. Multi-provider (OpenRouter, Vercel Gateway, Ollama, Claude, ChatGPT, Groq, xAI, Google AI). Want to collaborate? Get early access → levanteapp.com Repo → github.com/levante-hub/le…
Oliver Montes retweeted
Alejandro Gomez @alejandrogomc
Meet Levante: the open-source MCP desktop client built for privacy. Run AI locally. Connect any model. Your data stays on your machine.
Oliver Montes @devopensource
@SEUR_responde @SEUR "Delivery was attempted today at 8:06 p.m." but it's 07:23 PM; they use AI to predict the future! 🤣
Oliver Montes retweeted
Guillermo Rauch @rauchg
LALIGA is trending again, so it's worth giving an update. We previously wrote about how this soccer league in Spain was granted broad internet censorship powers[1].

1️⃣ Vercel's customers have been unaffected

We've taken drastic measures to ensure the uptime of our customers. While we rejected LALIGA's broad approach, our goal at Vercel is to protect and maximize our customers' and developers' freedoms within the limits of the law. We gave them a dedicated email inbox and an incident response automation. We have instructed our on-call SRE to expedite the review of these reports, because they can result in the loss of availability of entire sections of other, law-abiding customers. This is what their email reports look like:

2️⃣ LALIGA's reports have been accurate

For every report we've received, we were able to verify that the URLs were hosting illegal streams of their copyrighted material. I have condemned LALIGA's unprecedented and indiscriminate blocks[2], and have warned of the potential for this power to be misused. So far, their reports have been valid. We expediently acted on them, in order to minimize the collateral damage.

3️⃣ Blocking hostnames vs blocking networks

If you look at their email report above, you'll notice they single out an IP address. The crux of the issue is that in modern CDN networks, that IP address can represent hundreds or thousands of legitimate customers. The appropriate response would be to block *only the infringing hostname* by using the SNI fragment of the TLS handshake (e.g.: imagine blocking "𝚏𝚛𝚎𝚎𝚕𝚊𝚕𝚒𝚐𝚊𝚜𝚝𝚛𝚎𝚊𝚖.𝚝𝚟").

Since some CDNs don't offer this "granular blocking" possibility (given they encrypt SNI via a TLS protocol extension called "Encrypted Client Hello"), and ostensibly due to them not acting on the copyright reports, they're seeing significant collateral damage[3].

With over 150,000 paying teams and thousands of Enterprise accounts hosting critical services in areas like health care, emergency response, banking, government, and more, we're always working to protect our uptime, security, and availability.

[1] vercel.com/blog/update-on…
[2] x.com/rauchg/status/…
[3] x.com/dhh/status/199…
Carol Monroe @CarolMonroe
Today we hosted our @Supabase meetup in San Salvador. Well… a breakfast meetup! 💚 Builders showing what they’re shipping, and students demoing an AI-powered public transit app (!!). AI builders from Guatemala 🇬🇹 even made the trip to share what they’ve been building. This community is honestly something special 💚
Google Antigravity @antigravity
Meet Google Antigravity, your new agentic development platform. An evolution of the IDE, it's built to help you: - Orchestrate agents operating at a higher, task-oriented level - Run parallel tasks with agents across workspaces - Build anything with Gemini 3 Pro.
Oliver Montes @devopensource
"Context switching" is the good old "Do you have a minute?" 🤣
Juan @JuanRezzio
Argentine friends 🇦🇷 We're relaunching the @cursor_ai Argentina community on WhatsApp together with @uTombou. We'll be sharing news about Cafe Cursor Buenos Aires, an event with @Tiendanube, and a MeetUp in Cordoba in the coming days. You can join with this link: chat.whatsapp.com/E4XKkhT7x4C3W6…
Oliver Montes retweeted
Karan Goel @krandiash
We're giving away an 11-page guide titled: “How to clone your voice and make an agent in <10 minutes” (Like we did for Elon and Karan). It can call support to complain on your behalf, make reservations, prank your friends, etc. You also get $100 in free credits so you can play with your voice AI. Retweet and comment "SONIC" below and we'll send you the step-by-step guide and $100 in credits.