farzaan

138 posts


@justfarzaan

Building and Shipping | https://t.co/39XFRwWhYg

Joined February 2025
136 Following, 13 Followers
Pinned Tweet
farzaan
farzaan@justfarzaan·
What started as a small feature back in April turned into a full-fledged app today. I've truly enjoyed building this product and sharing it with this amazing community. There's definitely more to come 🥂
farzaan@justfarzaan

Finally launched KnowMyDocs🚀 I was tired of AI that loses context, hallucinates, and hides what it's doing. So I built a tool to chat with documents - now with transparency and control. Create projects, have advanced controls and get answers instantly. knowmydocs.com

farzaan retweeted
Aakash Gupta
Aakash Gupta@aakashgupta·
Someone just hijacked the npm account of axios's lead maintainer, swapped his email to a burner ProtonMail, and published poisoned versions of a package that 100 million developers install every week.

The attacker didn't touch the axios source code. They added one line to the dependency list: plain-crypto-js@4.2.1, a package that didn't exist 24 hours ago. That single line triggers a postinstall script the second npm processes the package. You don't import it. You don't call it. It fires on install.

The staging was surgical. 18 hours before the attack, they published a clean version of plain-crypto-js to build publishing history on npm so automated scanners wouldn't flag a brand new account. Then at 23:59 UTC on March 30 they pushed the real payload. Both axios@1.14.1 and axios@0.30.4 went live within 39 minutes of each other.

The payload is a three-platform RAT. macOS gets a binary disguised under Apple's cache naming conventions. Windows gets a hidden PowerShell script with execution policy bypassed. Linux gets a Python RAT dropped into /tmp. After deployment, the dropper deletes itself, strips the postinstall hook from package.json, and replaces it with a clean stub. A developer inspecting node_modules after infection finds nothing.

Here's how they got in. Every legitimate axios release is published through GitHub Actions using npm's OIDC Trusted Publisher mechanism, cryptographically tied to a verified workflow. This release broke that pattern completely. Published manually via a stolen npm access token. No OIDC binding. No GitHub commit. No tag. The entire CI/CD security pipeline was irrelevant because the attacker never used it.

Socket's automated detection flagged the malicious package in six minutes. Six minutes is fast. But npm install runs in seconds. Every CI/CD pipeline, every developer machine, every production deploy that pulled the latest axios in that window is potentially running a remote access trojan right now.

The companies shipping code the fastest have the least visibility into what's underneath it.
Feross@feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware.

axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

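A defender-side check for the advice in the quoted post (pin your version, audit your lockfiles), written here as an added example; it is not code from either poster, from axios or from Socket. It assumes the npm lockfile v2/v3 layout (top-level "packages" keyed by "node_modules/<name>") and uses only the package names and versions named in the thread; the sample lockfile is constructed.

```javascript
// Added example: scan a package-lock.json for the indicators the thread names.
// Assumes lockfile v2/v3 layout; the sample lockfile below is constructed.

const COMPROMISED = {
  // package name -> versions quoted in the thread
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

function packageNameFromPath(path, meta) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"; workspace paths fall back to meta.name
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? (meta.name || path) : path.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(path, meta);
    const bad = COMPROMISED[name];
    if (bad && bad.has(meta.version)) {
      findings.push({ path, reason: `known-compromised ${name}@${meta.version}` });
    }
    // npm records this flag for packages that declare preinstall/install/postinstall;
    // such code runs during `npm install` whether or not the package is ever imported
    if (meta.hasInstallScript === true) {
      findings.push({ path, reason: 'declares an install-time script' });
    }
  }
  return findings;
}

// Constructed sample resembling a lockfile that resolved the poisoned release.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

function auditFile(filePath) {
  // Convenience wrapper for a real lockfile on disk.
  return auditLockfile(JSON.parse(require('fs').readFileSync(filePath, 'utf8')));
}
```

Run `auditFile('package-lock.json')` in a CI step and fail the build on any finding; a fresh `hasInstallScript` entry on a package you did not add is the signal worth stopping for even when no version matches.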
farzaan
farzaan@justfarzaan·
vx-underground@vxunderground

There is a project on GitHub called Axios. Axios is extremely popular. It is used by millions upon millions of applications. Axios is a programming library that helps your JavaScript code make HTTP/S requests (communicate with websites). In simple terms, if you're a programmer doing something with JavaScript, and want to do stuff that communicates with a website in literally any capacity, people heavily recommend using Axios due to its simplicity. Using Axios you don't have to reinvent the wheel and do a bunch of work. All you need to do is import Axios into your code and you're off to the races.

Someone (currently unknown) compromised Axios (currently unknown how) to deliver malware to people. When someone updates or installs Axios, Axios itself contains malware. What the malware does is (currently) unknown, but it is being reverse engineered by probably every malware analyst on the planet at this moment. In a few hours more details will emerge. Information is being exchanged in real time on social media and private communication platforms as I write this.

Due to the size and popularity of Axios, it is unknown how many are impacted; it could be millions, it could be thousands, or if we're lucky, only hundreds of people or organizations will be impacted. If this is the absolute worst case scenario, millions of organizations across the planet have been infected with malware which (currently) we do not understand. However, the likelihood of this is low. It appears Axios being compromised was detected quickly, potentially within minutes (or hours) of it being compromised to deliver malware. Additionally, the likelihood of every single Axios user updating Axios as soon as it was compromised to deliver malware is astronomically low. It is basically zero.

The impact from Axios being compromised is devastating; the fallout from this will be a massive headache. This is unironically a malware nuclear missile and will likely be studied in the future.

farzaan
farzaan@justfarzaan·
@RealAnkush Another guess is a modern skills-based alternative to college. Project-based learning + guaranteed pathways to jobs. Sustainable model so it funds itself long term.
farzaan
farzaan@justfarzaan·
@RealAnkush Feels like you are building a serious job-first tech ecosystem. Not just teaching coding but making people work on real projects and directly hiring from there. That would actually create real employment at scale.
Tanay Kothari
Tanay Kothari@tankots·
We will give you a Porsche GT 3 RS if you can type faster than @WisprFlow can dictate. Last week, we challenged 5 users to get Wispr to make a mistake. 3.5 Million people watched the challenge and wanted in. Now we're opening the challenge to everyone. Comment "Porsche" and you'll get a link to participate.

Prizes apart from the Porsche:
1. Lifetime Wispr Flow Pro membership
2. 6 months of Flow Pro if you QRT with your score
3. Flow Desktop Mic
4. Exclusive Flow Merch
Tanay Kothari@tankots

We offered 5 people a Porsche 911 GT3 RS if they could get @WisprFlow to make a mistake. It's the fastest and most accurate AI voice dictation app that's 3x more accurate than ChatGPT, Claude, or Siri. Today, we're finally launching on Android. Download now: play.google.com/store/apps/det… As a part of the launch, we're giving away 6 months of Wispr Flow Pro for free. Like, retweet and comment 'Wispr Flow' to get it. Enjoy. — Written with Wispr Flow

farzaan
farzaan@justfarzaan·
@primusibi It was too short. Barely 6hrs of playtime.
IBI
IBI@primusibi·
Remind me: why do people hate this game? Personally, it's a solid 8/10 from me.
farzaan
farzaan@justfarzaan·
@FarzaTV 🔥 sounds interesting!
Farza 🇵🇰🇺🇸
Farza 🇵🇰🇺🇸@FarzaTV·
I'm going to teach a group of people how to build their first app with AI this week using Codex. I'll do a live tutorial, then we'll all cowork + build. if you don't have an idea to work on, dw I'll help with that too. If you wanna join the call, reply with your fav emoji :-)
Alessandro
Alessandro@alessssndro16·
@juliandceu @iREUS_SA "I guess" It's not any official source. I said Superman / Green Arrow because 1. In DcKo it's shown Green Arrow with the others 2. Hawkman will fight Superman, and he killed Oliver Queen. GL / MM are just the ones who left, because Wally is not part of the team shown in DcKo
REUS | رويس
REUS | رويس@iREUS_SA·
The Absolute Universe will have its first event in Q4 of this year!
Asish Kumar
Asish Kumar@asishcodes·
Cursor is now a money-making scam. Their $20 plan is pure shit.
farzaan
farzaan@justfarzaan·
@viditchess Have you deployed any vibe-coded application that you've built?
Vidit Gujrathi
Vidit Gujrathi@viditchess·
Have some time on my hands. Let’s do an AMA. Shoot your questions. :)
farzaan
farzaan@justfarzaan·
@Aswin_polymath @mehulmpt They say it can. I have tried multiple times but it always fails to make even the simplest ones. It hallucinates and thinks it has created a job. I later had to manually add the job in the file and then it started working.
Mehul Mohan
Mehul Mohan@mehulmpt·
yeah clawdbot is great
farzaan
farzaan@justfarzaan·
@gregisenberg Guilty. Is there any SaaS that organizes them for you?
GREG ISENBERG
GREG ISENBERG@gregisenberg·
people just bookmark stuff on X with zero real intention of ever checking those said bookmarks
Epic Jimmy
Epic Jimmy@Epic_Jimmy·
Using Blender for the first time
Umar Mirza
Umar Mirza@iumarmirza·
I’ve been working as a freelancer for more than two years now, and over time the only tool or platform I’ve seen that can genuinely change your life is @framer. Recently I gave advice to a designer who was struggling to get accepted as a Framer expert. After listening to my advice she applied and got approved the next day. You might think becoming an official Framer expert is nothing more than an achievement, but no. It is the door to unlocking opportunities that can make you thousands of dollars. I made my first money with Framer after 52 days of starting, and guess what? I started getting enquiries only after I got my Framer expert badge and profile. It has been three months since I became a Framer expert, and I have worked with more than 10 clients and made a good amount of money. If you are into Framer and not applying for their expert program, you are missing out on a lot of opportunities. Comment "Advice" and I will send you that advice in your DMs. PS: Make sure you follow me so I can DM you :)
Jordi Hays
Jordi Hays@jordihays·
Rage Baiting is for Losers

Yesterday, YC announced Chad IDE aka "the brainrot code editor." Chad is an AI code editor that allows you to gamble, watch TikTok, and use dating apps while working on coding tasks. Their launch rightfully got a lot of attention. On one hand it's funny. On the other hand, what are we doing here and why does this belong on the official YC account?

To understand Chad IDE, Cluely, Icon, Friend, and the new class of Gen Z startups, you have to understand the online environment these founders grew up in. If you grew up on the internet and studied how and why certain people would regularly go viral, you know that making people mad has and always will be a highly effective way to get attention. The feedback loop is simple:
1) make something (product or ad) that makes people angry;
2) people comment/share/dunk;
3) because feeds are optimized to show posts with high engagement the most, you get more reach.

Rage baiting for commercial purposes was pioneered by course bros. People like Tai Lopez realized that making the masses mad was an effective way to drive course sales. They could flaunt Lamborghinis, make a bunch of people angry, and as long as a handful of people found their way into their course, it was a viable, repeatable strategy.

Historically on X, rage baiting was a marketing strategy, not a product strategy. Accounts like @sweatystartup frequently post things to get an angry reaction and subsequent reach, but behind the scenes he's always been running a normal commercial real estate fund.

In 2025, rage baiting has become a product strategy. Cluely started as an app for cheating on coding interviews. Chad IDE's only known differentiation from the other hundred AI native IDEs is that you can gamble and swipe on dating apps in it. The rage bait is sitting at the product level now. It's becoming clear that while rage bait might occasionally work as a marketing strategy, it really should not be employed as a product strategy.

Running a successful VC-backed company requires you to build a coalition of people that want to see you win. Getting media, investors, talent, and customers on your side is not an easy task. Rage baiting (whether at the marketing level or product level) is the most effective way to get people (who could be potential investors, customers, or team members) to actively pray for your downfall.

YC has long provided some of the most durable, high quality, generalizable advice for startups and I believe it has had a tremendously positive impact on the companies that go through YC and even those that don't. Launch now, make something people want, do things that don't scale, ignore your competitors, etc. As someone who believes that YC is one of the most important and influential institutions in tech, I believe it might be time to include this in their list of essential startup advice: "Rage baiting is for losers."
VEED | AI Video Creation
VEED | AI Video Creation@veedstudio·
Minimax Hailuo 2.3 is LIVE on VEED first 💥 Best VFX + motion physics in AI video is here!
• realistic micro-expressions
• cinematic details
• insane animation
🚨Free 500 Credits in DM for first 200 users, who:
- Retweet
- Comment
(only for next 24 hours)
LTX Studio
LTX Studio@LTXStudio·
🚨 800 FREE CREDITS — 24 HOURS ONLY We just launched LTX-2, our most powerful video model yet. High-res. Fast. Cinematic. Native lip-sync. Follow + RT this post to get 800 credits sent to your DMs. Plus: All LTX-2 generations are 50% off.
farzaan
farzaan@justfarzaan·
@p1njc70r Do you get the same result if the prompt is injected at the end or in the middle of the doc?
farzaan retweeted
Irfan Ali
Irfan Ali@irfannnnali·
As part of @theresidency's Delta II, @FarhanSeliya and I are thrilled to introduce CurioPod! We're building the next-gen learning ecosystem to reimagine screen time for your child’s early development. Parents, this one's for you, stay tuned!