gu_ng 🇪🇺

2.6K posts


@gu_ng

... it is a journey into the unknown which shall lead us ever closer to home ...

North Sentinel Island · Joined December 2010
222 Following · 21 Followers
gu_ng 🇪🇺 reposted
Alex Xu @alexxubyte
Polling vs Long Polling vs Webhooks vs SSE

Four ways to get updates from a server. Each one makes a different tradeoff between simplicity, efficiency, and real-time delivery. Here's how they compare:

- Polling: The client sends a request every few seconds asking "anything new?" The server responds immediately, whether or not there's new data. Most of those requests come back empty, wasting client and server resources. For use cases like an order status page where a small delay is acceptable, polling is the simplest option to implement.

- Long Polling: The client sends a request, and the server keeps the HTTP connection open until new data is available or a timeout occurs. This means fewer empty responses compared to regular polling. Some chat applications used this pattern to deliver messages closer to real-time communication.

- Server-Sent Events (SSE): The client opens a persistent HTTP connection, and the server streams events through it as they're generated. It is one-way, lightweight, and built on plain HTTP. Many AI responses that appear token by token are delivered through SSE, streaming each chunk over a single open connection.

- Webhooks: Instead of the client asking for updates, the service sends an HTTP POST to a pre-registered callback URL whenever a specific event occurs. Stripe uses this for payment confirmations. GitHub uses it for push events. The client never polls or holds a connection open, it just waits for the server to call.

Many systems don't rely on a single pattern. You may use polling for order status, SSE for streaming AI responses, and webhooks for payment confirmations.
13
79
394
50.3K
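Webhooks, as the post notes, mean the service calls a URL you registered; that URL is reachable by anyone on the internet, so a receiver should authenticate each delivery before acting on it. Below is an added example in Python (not part of the post above, and not any provider's code) of a receiver that checks an HMAC-SHA256 signature over the raw request body plus a timestamp that limits replay. The header names X-Webhook-Timestamp and X-Webhook-Signature, the signed string format `<timestamp>.<body>` and the secret are assumptions chosen for illustration; Stripe and GitHub each define their own header names and formats.

```python
# Added example (not from the original post): a minimal webhook receiver that
# verifies an HMAC-SHA256 signature and a timestamp before trusting the event.
# The signing scheme (header names, "<ts>.<body>" format) is an assumption made
# for illustration; real providers each define their own.
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example. In practice it comes from the
# provider's dashboard and lives in a secret manager, never in source.
WEBHOOK_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is more than 5 minutes off


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches: hex(HMAC-SHA256(secret, "<ts>.<body>"))."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, now: Optional[int] = None) -> dict:
    """Return the parsed event if signature and timestamp check out, else raise
    ValueError. The check runs on the raw bytes, before any JSON parsing, so it
    covers exactly what was sent."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        raise ValueError("missing or malformed timestamp header")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside tolerance window (possible replay)")
    expected = sign_payload(WEBHOOK_SECRET, ts, body)
    provided = headers.get("X-Webhook-Signature", "")
    # compare_digest does not leak the position of the first mismatch via timing
    if not hmac.compare_digest(expected, provided):
        raise ValueError("signature mismatch")
    return json.loads(body)


def is_valid_webhook(headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_webhook for callers that only need accept/reject."""
    try:
        verify_webhook(headers, body, now=now)
        return True
    except ValueError:
        return False


def build_sample_delivery(event: dict, timestamp: int, secret: bytes = WEBHOOK_SECRET):
    """Constructed delivery, built the way a provider-side sender would build it."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign_payload(secret, timestamp, body),
    }
    return headers, body


if __name__ == "__main__":
    now = 1_700_000_000
    headers, body = build_sample_delivery({"type": "payment.succeeded", "id": "evt_demo"}, now)
    print("valid delivery:", verify_webhook(headers, body, now=now))
    # A tampered body no longer matches the signature and is rejected.
    print("tampered accepted?", is_valid_webhook(headers, body.replace(b"succeeded", b"failed"), now=now))
    # The same delivery replayed an hour later is rejected on the timestamp.
    print("replayed accepted?", is_valid_webhook(headers, body, now=now + 3600))
```

Two design points worth keeping whatever the provider's exact format is: verify on the raw bytes rather than on re-serialised JSON (re-serialising can change whitespace or key order and break the check), and treat the webhook endpoint as untrusted input even after the signature passes, since a valid signature only proves origin, not that the event's contents are safe to act on.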
gu_ng 🇪🇺 reposted
Guillermo Rauch @rauchg
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. 
In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
440
1K
7.2K
2.5M
gu_ng 🇪🇺 reposted
Ihtesham Ali @ihtesham2005
I deleted my ChatGPT subscription the moment I found this. Thunderbolt is an open-source AI client built by the team behind Thunderbird that lets you run Claude, GPT, Gemini, local models, and on-prem models from one interface you actually own. No vendor lock-in. No platform fee. No one reading your conversations.
→ Works on web, iOS, Android, Mac, Linux, and Windows
→ Connects to frontier models, local models, and self-hosted deployments
→ Enterprise-grade with zero data leaving your infrastructure
→ Built by Mozilla's Thunderbird team, not a random startup
The model companies still get paid. But you pay them directly at cost, not through a middleman charging you a $20/month wrapper fee. Mozilla Public License 2.0. 100% open source. Check it here: thunderbolt.io
5
28
223
18.2K
gu_ng 🇪🇺 reposted
Fazt @FaztTech
Did you know there's a library that lets you create interactive diagrams with draggable nodes and connections super easily in React? It's called React Flow, and it's the same one used by tools like N8N and Stripe. reactflow.dev It's also open source.
4
109
1.1K
48.4K
gu_ng 🇪🇺 reposted
Geek Lite @QingQ77
A cross-platform network traffic monitoring app that lets users intuitively view and analyze their computer's network connections. github.com/GyulyVGC/sniff… Sniffnet is an open-source desktop application written in Rust for monitoring network traffic. It uses iced for the GUI and pcap for low-level packet capture, and supports Windows, macOS and Linux. You pick a network adapter to start capturing, set filter rules, and see real-time traffic charts, the geographic location of connections, domain names and ASN information; it can also identify more than 6,000 upper-layer service protocols.
6
106
635
36.7K
gu_ng 🇪🇺 reposted
Miguel Ángel Durán
Need to send bulk email from your website or app? This server is free and open source!
✓ Unlimited sending at no cost
✓ Open, click and bounce metrics
✓ Compatible with AWS SES, Mailgun and any SMTP
→ github.com/aaPanel/Billio…
9
198
1.6K
59.2K
gu_ng 🇪🇺 reposted
Adnan @adnansahinovich
RNSEC v1.3.0 is out! 🔐 30+ new security rules for React Native / Expo apps.

New coverage includes:
• Cross-origin attacks
• Dangerous post-install scripts
• More real-world mobile attack paths

Also, fixed multiple reported false positives to reduce noise.

Try it instantly in your project: npx rnsec scan
#reactnative #cybersecurity
4
16
92
4.4K
gu_ng 🇪🇺 reposted
Interesting AF @interesting_aIl
Programmers were asked to create the worst user experience possible:
33
674
13.1K
1M
gu_ng 🇪🇺 reposted
Praphakan 🗼 @Plaphakan
🚨 RETICULUM PHANTOM: 🔥 Imagine BitTorrent… but with no trackers, no servers, no DNS, nothing at all. Just you, your friends, and the Reticulum mesh network linking everything directly, even over LoRa, radio or packet radio. This is Reticulum Phantom: the first true native P2P client on Reticulum! 📡🔥

What it does:
• Full E2E encryption (X25519/Ed25519), even the mesh sees nothing. Zero cleartext. 🔒
• You share a file, it creates a .ghost (like a .torrent but cryptographic and 100x smarter).
• Seeders announce themselves on the mesh, downloaders grab chunks in parallel via multi-peer swarming.
• Built-in PEX: seeders exchange peer lists directly over encrypted Links, getting around all announce limits. 💨
• Downloading? You automatically become a seeder. The swarm grows on its own. 🧬
• Pause/resume, auto-failover if a seeder goes down, an ultra-clean TUI to follow everything in real time. 📊

Zero config, zero infrastructure. You send the .ghost to whoever you want (even by USB or carrier pigeon), and everyone connects directly on the global mesh via Sideband Hub. It works even deep in a forest or in a censored zone. 🌲🛰️ It's not just a tool: it's the revolution of decentralized file sharing. No more platforms that watch you or go down. Here, every downloader becomes a node of the network. The mesh comes alive. If you're a fan of privacy, of mesh, of LoRa or simply of saying FUCK to Big Tech, clone it right now. The future of sharing no longer goes through the cloud… it goes through the mesh.
9
71
347
14.7K
gu_ng 🇪🇺 reposted
Cyber Security News @The_Cyber_News
⚠️ Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks Source: cybersecuritynews.com/anthropics-mcp… A critical flaw in Anthropic’s Model Context Protocol (MCP) exposes over 150 million downloads to potential compromise. The vulnerability could enable full system takeover across up to 200,000 servers. Unlike a traditional coding bug, this vulnerability is architectural, meaning any developer building on Anthropic's MCP foundation unknowingly inherits the exposure from the ground up. The flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation. Successful exploitation grants attackers direct access to sensitive user data, internal databases, API keys, and chat histories, effectively handing over complete control of the affected environment. #cybersecuritynews
67
236
1.1K
201.4K
gu_ng 🇪🇺 reposted
Yiğit @yigitech
Did you know that Windows 11 throttles your internet speed by 30% in the background, and that this is why you get ping problems in games? Microsoft does this in the name of easier updates, but it's actually eating your bandwidth. With this small setting you can get back to full speed:
1️⃣ Win+R -> gpedit.msc
2️⃣ Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization
3️⃣ Find Maximum Download Bandwidth and set the value to 0 (Unlimited).
A small tweak, but it makes a real difference, especially in ping-sensitive games like Valorant and CS2.
69
870
6.8K
846K
gu_ng 🇪🇺 reposted
Hacking Articles @hackinarticles
🔴 File Upload Bypass Cheat Sheet (Extension Splitting)
Credit @therceman

If you're testing file upload functionality, this is pure gold 🔥 Attackers don't just upload shell.php… they play with encoding, null bytes, separators, and edge-case parsing tricks to bypass filters.

💡 Common tricks:
• Double extensions (.php.png)
• Encoded characters (%0a, %00, %23)
• Unicode bypasses
• Special chars & separators
• Tabs / Newlines injection

🎯 Lesson: If your validation relies ONLY on extension checks → it's already broken.
🧠 Think like an attacker. Validate like a defender.
#bugbounty #cybersecurity #pentesting #infosec #websecurity #ethicalhacking #redteam
2
49
281
11.6K
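The lesson of the post above is that an extension check by itself is not validation. The following is an added example in Python (my own code, not from the post or its author) of a defender-side upload check that turns the listed tricks into rejection tests: it refuses control characters and percent-encoding instead of decoding them, requires exactly one dot in the name, folds Unicode before insisting on ASCII, checks the file's leading bytes against the allowlisted type, and stores the file under a server-chosen name. The allowlist, the magic numbers and the sample filenames are constructed for the example.

```python
# Added example (not from the original post): server-side validation of an
# upload that does not trust the client's filename, extension or Content-Type.
# The allowlist and sample inputs below are constructed for illustration.
import re
import unicodedata
import uuid

# Allowlist: extension -> leading bytes ("magic numbers") the content must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}

# Exactly one base name, one dot, one extension; ASCII letters, digits, '-' and '_' only.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, head: bytes) -> str:
    """Validate the client-supplied name and the first bytes of the content.
    Returns the storage name the server chooses (random UUID + allowlisted
    extension), never the client's name. Raises UploadRejected otherwise."""
    name = client_filename
    # 1. Control characters (NUL, tab, newline, ...) and percent-encoding are
    #    rejected outright. We never decode %00 / %0a: a name containing them is
    #    simply invalid, so there is no decode step for an attacker to split across.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name) or "%" in name:
        raise UploadRejected("control character or percent-encoding in filename")
    # 2. Path separators are rejected before anything else looks at the name.
    if "/" in name or "\\" in name:
        raise UploadRejected("path separator in filename")
    # 3. Fold Unicode look-alike and full-width forms, then refuse anything that
    #    is still not plain ASCII (a Cyrillic 'a' in "image.png" fails here).
    name = unicodedata.normalize("NFKC", name)
    if not name.isascii():
        raise UploadRejected("non-ASCII filename")
    # 4. Strict shape: "shell.php.png", "shell.php;.png" and "shell.php .png"
    #    all fail because the base name may not contain '.', ';' or spaces.
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected("filename does not match allowed pattern")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    # 5. The content must actually be of the declared type: a PHP file renamed
    #    to .png passes every name check above and is still rejected here.
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # 6. Never reuse the client's name on disk.
    return f"{uuid.uuid4().hex}.{ext}"


def is_accepted(client_filename: str, head: bytes) -> bool:
    """Accept/reject view of validate_upload for quick checks."""
    try:
        validate_upload(client_filename, head)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8      # constructed PNG header
    PHP = b"<?php echo 'hello'; ?>"                # constructed non-image content
    cases = [
        ("photo.png", PNG), ("shell.php", PHP), ("shell.php.png", PNG),
        ("shell.php%00.png", PNG), ("shell.php\n.png", PNG), ("shell.php;.png", PNG),
        ("image.png", PHP), ("im\u0430ge.png", PNG), ("../../evil.png", PNG),
    ]
    for fn, head in cases:
        print(f"{fn!r:24} -> {'accepted' if is_accepted(fn, head) else 'rejected'}")
```

The order of the checks matters: characters that could confuse a later parser (control bytes, separators, percent signs) are refused before normalization, so no decoding or folding step ever produces a name that was not already acceptable in its raw form. The magic-number check is deliberately independent of the Content-Type header, which the client also controls.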
gu_ng 🇪🇺 reposted
Manu Arora @mannupaaji
You can create draggable animations with @motiondotdev with the `drag` flag, here's a minimal reproduction

<motion.div
  drag="x"
  dragConstraints={{ left: 0, right: 0 }}
  dragElastic={0.4}
  whileDrag={{ scale: 1.05 }}
  onDragEnd={(_, info) => {
    if (Math.abs(info.velocity.x) > 500) {
      console.log("flicked", info.offset.x);
    }
  }}
/>

- `drag="x"` so that you can only drag in the x direction
- `dragConstraints` pins the card to the origin
- `velocity` to add a bit of drag-speed-related animation

simple and super intuitive to use
8
15
260
10.4K
gu_ng 🇪🇺 reposted
Peer Richelsen @peer_rich
OAuth scams are becoming more and more popular. This time a malicious @nylas OAuth client is being used to attack one of our employees (who immediately understood it's a scam and has reported it).

The playbook is simple:
1. obtain a Google OAuth client
2. pretend to send a .docx
3. immediately open the Google OAuth splash screen
4. Attacker gains full access to Email, Calendar and more

Officially it falls under phishing; however, attackers no longer make fake login forms but instead show official Google login screens. Most people fall for it because they check the website, see google.com AND nylas.com (which is also legit) and think it's safe. Signing into Google to view a document is also very common.
32
87
543
113.5K
gu_ng 🇪🇺 reposted
MapLibre @maplibre
MapLibre #ReactNative just made a major release (v11)! It brings long-awaited support for the new architecture of React Native as well as APIs that align more closely with MapLibre GL JS. github.com/maplibre/mapli…
3
11
138
6.8K
gu_ng 🇪🇺 reposted
KapishDima @kapish_dima
Introducing dialectcn, a living library of @shadcn presets. Paste the code, run init, ship. One feed for every dialect of the same components. dialectcn[.]xyz
shadcn @shadcn

@kapish_dima @orcdev Do it. There are infinite presets. You can showcase your favorites on your site.

24
17
452
65.7K
gu_ng 🇪🇺 reposted
Josh Kale @JoshKale
What do Vercel, Rockstar Games, Anthropic, and Adobe have in common? They've all been breached in the last 19 days... Vercel was this morning. Someone is currently selling their source code on BreachForums for $2 million. The attackers got in through an AI tool Vercel had wired into its own internal systems. Let that sit for a second. An AI tool was the door. Two weeks before that, Mercor lost four terabytes of data. Mercor is the $10 billion company that trains the AI models at OpenAI, Anthropic, and Meta. So now someone, somewhere, has four terabytes of whatever that looks like. Anthropic's own source code leaked the week before. Drift Protocol lost $285 million to what was essentially an AI impersonating someone on their team well enough to trick a real employee into handing over access. And that's just the AI column. The full 19-day list also includes Rockstar Games (78 million records), the LAPD (unredacted police files, witness names, medical records), McGraw-Hill, Booking.com, Kraken, Basic-Fit's one million gym members, Kelp DAO for another $293 million, and a dozen smaller ones. Anthropic caught a group of state-backed hackers earlier this year using a jailbroken version of Claude to run an entire cyberattack campaign by itself. The AI did the recon, wrote the exploit code, broke into the systems, and pulled the data. A human checked in occasionally. Thirty targets. Thousands of requests per second. No human team can move at that speed. That was Claude, with every safety guardrail Anthropic could build into it. Mythos is out there now, seeded quietly to a handful of entities, and OpenAI has the same. What does cybersecurity look like with that level of power open to the world?
Vercel @vercel

We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…

22
70
396
42.9K
gu_ng 🇪🇺 reposted
impulsive @weezerOSINT
Lovable has a mass data breach affecting every project created before November 2025. I made a Lovable account today and was able to access another user's source code; database credentials, AI chat histories, and customer data are all readable by any free account. Nvidia, Microsoft, Uber, and Spotify employees all have accounts. The bug was reported 48 days ago. It's not fixed. They marked it as duplicate and left it open.
255
687
5.4K
1.3M
gu_ng 🇪🇺 reposted
Brendan Falk @BrendanFalk
To check if your Google Workspace has been compromised by the same tool that compromised Vercel:
1. Go to admin.google.com/ac/owl/list?ta… - This is Google Admin Console > Security > Access and Data Control > API Controls > Manage app access > Accessed Apps
2. Filter by ID = …v79i7bbvqj.apps.googleusercontent.com - This is the ID of the compromised OAuth app
If you see an app after filtering, you have potentially been compromised
61
747
4.4K
1M
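Both the OAuth-consent scam that Peer Richelsen describes above and Brendan Falk's check of the Accessed Apps list come down to the same defender question: which third-party clients have your users authorised, and with what scopes? This added Python example (not from either post, and not Google's code) triages a JSON-lines export of Workspace token audit events for a known-bad client ID and for high-impact scopes. The four log records are constructed; their shape follows the Reports API token activity format as I understand it (events[].name == "authorize" with client_id, app_name and scope parameters), so compare it with a real export before relying on it. The client ID is a placeholder, since the real one in the post above is truncated; substitute the value from the bulletin you are acting on.

```python
# Added example (not from either post): triage of OAuth "authorize" events from a
# Google Workspace token audit log export (one JSON record per line). Record shape
# is assumed from the Reports API token activity format; sample data is constructed.
import json
from typing import Dict, List

# Placeholder: the real client ID is truncated in the post, take it from the bulletin.
KNOWN_BAD_CLIENT_IDS = {"PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"}

# Scopes that let an app read or act as the user. A grant that includes any of
# these deserves a human look regardless of how harmless the app name sounds.
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}

# Constructed sample export: two grants worth flagging, one benign read-only
# calendar grant, and a revoke event that the triage must ignore.
SAMPLE_LOG = """
{"id":{"time":"2026-04-20T09:14:03Z"},"actor":{"email":"alice@example.com"},"events":[{"type":"auth","name":"authorize","parameters":[{"name":"client_id","value":"PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"},{"name":"app_name","value":"Document Viewer"},{"name":"scope","multiValue":["https://mail.google.com/","https://www.googleapis.com/auth/calendar"]}]}]}
{"id":{"time":"2026-04-20T10:02:11Z"},"actor":{"email":"bob@example.com"},"events":[{"type":"auth","name":"authorize","parameters":[{"name":"client_id","value":"123.apps.googleusercontent.com"},{"name":"app_name","value":"Team Calendar Sync"},{"name":"scope","multiValue":["https://www.googleapis.com/auth/calendar.readonly"]}]}]}
{"id":{"time":"2026-04-20T11:30:45Z"},"actor":{"email":"carol@example.com"},"events":[{"type":"auth","name":"authorize","parameters":[{"name":"client_id","value":"456.apps.googleusercontent.com"},{"name":"app_name","value":"Inbox Helper"},{"name":"scope","multiValue":["https://www.googleapis.com/auth/gmail.modify"]}]}]}
{"id":{"time":"2026-04-20T12:00:00Z"},"actor":{"email":"alice@example.com"},"events":[{"type":"auth","name":"revoke","parameters":[{"name":"client_id","value":"PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"}]}]}
"""


def _params(event: dict) -> Dict[str, object]:
    """Flatten an event's parameters list into a name -> value (or multiValue) dict."""
    out: Dict[str, object] = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def triage(log_text: str) -> List[dict]:
    """Return one finding per authorize event that matches a known-bad client ID
    or grants a high-impact scope. Findings keep the time, user and app so an
    analyst can go straight to the grant in the admin console."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":
                continue  # revoke/request events are not grants
            p = _params(ev)
            scopes = set(p.get("scope") or [])
            reasons = []
            if p.get("client_id") in KNOWN_BAD_CLIENT_IDS:
                reasons.append("client_id matches known-bad list")
            hi = sorted(scopes & HIGH_IMPACT_SCOPES)
            if hi:
                reasons.append("high-impact scopes: " + ", ".join(hi))
            if reasons:
                findings.append({
                    "time": rec["id"]["time"],
                    "user": rec["actor"]["email"],
                    "app_name": p.get("app_name"),
                    "client_id": p.get("client_id"),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['user']:20} {f['app_name']!r:20} {f['client_id']}")
        for r in f["reasons"]:
            print("    -", r)
```

The known-bad list catches the specific client from a bulletin; the scope rule is what catches the next one, since a consent-phishing app can be registered under any name and any client ID but still has to ask for the scopes it wants. Findings are returned as data rather than printed so the same function can feed a ticketing or SIEM integration.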