Hackerspace Mumbai

5.4K posts

@hackmum

Aamchi Mumbai's largest OSS community. Also host its longest running community tech Meetup #mumtechup

Mumbai, India · Joined October 2012
1.6K Following · 2.1K Followers

Hackerspace Mumbai reposted
Microsoft Threat Intelligence
Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages. Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments.

All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including:
- GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens
- npm / Amazon Web Services (AWS) credentials and Security Token Service (STS) sessions
- Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files
- Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault)

Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories.

Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer, "Suspicious Node.js process behavior", or "Credential access attempt", preventing credential theft and malicious post-install execution.

Mitigation:
- Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18).
- Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys).
- Validate integrity of CI pipelines and recent build artifacts.
- Network IOC: Stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.
Hackerspace Mumbai reposted
Grafana
@grafana
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)

Hackerspace Mumbai reposted
Peter Steinberger 🦞
@steipete
People freaking out over my AI spend. What nobody sees: Part of what excites me so much about working on OpenClaw is that I'm trying to answer the question: How would we build software in the future if tokens don't matter?

We constantly run ~100 codex in the cloud, reviewing every PR, every issue. If a fix on main lands, @clawsweeper will eventually find that 6 month old issue and close it with an exact reference. We run codex on every commit to review for security issues (as it's far too easy to miss). We run codex to de-duplicate issues and find clusters and send reports for the most pressing issues. We have agents that can recreate complex setups, spin up ephemeral crabbox.sh machines, log into e.g. Telegram, make a video and post before/after fix on the PR. There's codex that watches new issues and, if it fits our documented vision well, automatically creates a PR of it (that then another codex reviews). We have codex running that scans comments for spam and blocks people. We have codex instances running that verify performance benchmarks and report regressions into Discord. We have agents that listen on our meetings and proactively start work, e.g. create PRs when we discuss new features while we discuss them. We build clawpatch.ai to split all our projects into functional units to review and find bugs and regressions. We do the same split for security with Vercel's deepsec and Codex Security to find regressions and vulnerabilities.

All that automation allows us to run this project extremely lean.

Hackerspace Mumbai reposted
Aunindyo Chakravarty
@Aunindyo2023
If you live in any of India's metros, are married with two kids, or have dependent parent(s), and your family income is less than ₹1 lakh post-tax, then don't let them fool you into believing that you are middle class.

In Gurgaon, for instance, you can't rent a decent home for four for less than ₹35,000 a month. That too if you are lucky. Two kids will cost you at least ₹15,000 a month on education: school and bus fees, textbooks, uniform, tuition, and online courses. Any comprehensive family medical insurance and your annual medical bills will set you back by an average of at least ₹2,000-3,000 a month. And if your employer provides it, they will deduct it from your CTC. Electricity, gas, mobile phone, video streaming will take away another ₹3,000-4,000. Now, add your car EMI, petrol bill, vehicle maintenance, and other expenses on public transport: Not less than another ₹15,000 a month. And, yes, if you can't afford a car, 43 years after the 'people's car' was introduced, then please don't call yourself middle-class.

So, ₹70,000 goes away, right off the bat, to have a basic middle-class existence in a metro. You are left with ₹30,000 for everything else (food, clothes, soap, shampoo, gadgets, decorations, eating out, holidays, etc.) and some savings in fixed deposits and SIPs.

And, by the way, only 3% of Indian households would qualify to be part of this middle class. Another 1%, above them, are rich and superrich. The rest are actually in the lower income category, or are poor. Of course, there are unmarried people or couples with no kids, who might be earning more. But they would, at best, be another 0.5% of Indians.

It is fashionable to deride this class, and say that they are privileged, in a country where so many people are poor. But, shouldn't it be the other way round? Shouldn't many more people have joined the middle class, 35 years after liberalisation was supposed to make us a prosperous nation? Instead, why are we okay with the middle-class seeing their incomes stagnate?

Hackerspace Mumbai reposted
ReBIT
@ReserveBankIT
We are pleased to announce that Fintech Department, RBI has released the “Standards to Enhance Customer Protection and User Experience within the Account Aggregator Framework”. lnkd.in/dPHZC8Fd The document is hosted by ReBIT on its website (api.rebit.org.in).

Hackerspace Mumbai
@hackmum
@augvcor ⚙️ From Developer to AI Architect: Beyond Autocomplete 🗣️ @AILabs_mubarra Agent Mode, CLI, and orchestrating AI - moving from writing code to delegating and designing with AI.

Hackerspace Mumbai reposted
shadcn
@shadcn
Rooting for @github. They’ve given me years of free infra. happy to give them some time to figure this out. You got this.

Hackerspace Mumbai
@hackmum
Doors open 👀 A little glimpse of what’s in store ✨ swag