lightcap.eth 🏴

Credentials continue to be the target of just about every attack in 2026.

Everyone working on more memory and more context. What we need is more *relevant* memory and context. Context pruning is going to be far more important than accumulation.

Timestamps every so often in the TUI/desktop app would be soooooo helpful. @ClaudeDevs please?

@theonejvo Everyone in the industry should read this. Fantastic write up.

And worse, git revert ≠ delete. It's a new commit on top. The secret is still in git's object store unless they took the care and time (most don't) to purge the store with a tool like BFG. I'd bet 98% of devs don't bother or don't know.

"The moment GitHub rotates them, the attacker's copy of the old keys becomes worthless." Not if you're Google. Then it's 23 minutes later.

@yenkel Education, multimodal journalism, comment filtering, etc.

@lightcap have a use case in mind?

everyone wants their product to work with AI agents. but no one wants their product to be abused. and let's be honest: AI means more + better "bad bots" we are building a product that can help you, by letting you verify there's a real human behind AI agents. we think it'll be really useful for: - dev products - e-ticketing - agent credit cards - social networks we are starting a private Beta of Human Principal with a few companies that want to integrate and give us feedback. interested? humanprincipal.ai

@yenkel Can't wait to try it.

@lightcap we keep coming up with people and use cases that are beyond what we originally thought of but to be fair, we've also designed it knowing it'd happen and it is pretty good to cover those without changes :)

@gakonst @paradigm @tempo Nice to see the level of care here around credential security. Well played.

Open Sourcing Centaur: Multiplayer, self-hosted, secure agents for Slack. Centaur has been transforming how @paradigm and @tempo invest, build and research. Now you can run it yourself on infrastructure you control. Instructions below.

@elinesterov @safedepio Or move to self-hosted gitlab at this point.

@safedepio Pin your gh actions to hash instead of versions

🚨 The "𝙼𝚎𝚐𝚊𝚕𝚘𝚍𝚘𝚗" Campaign is live... 𝟻,𝟽𝟷𝟾 malicious commits to 𝟻,𝟻𝟼𝟷 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected 𝙶𝚒𝚝𝙷𝚞𝚋 𝙰𝚌𝚝𝚒𝚘𝚗𝚜 workflows containing 𝚋𝚊𝚜𝚎𝟼𝟺-𝚎𝚗𝚌𝚘𝚍𝚎𝚍 bash payloads that exfiltrate: - CI secrets, - cloud credentials - SSH keys - OIDC tokens - source code secrets Check your repo / Technical details: safedep.io/megalodon-mass…

The security industry has always sold a lot of snake oil. But it's staggering how much more there is today with the rise of AI.

Good morning. Whose turn is it today to announce a massive breach?

@yenkel Fair enough.

@lightcap could be worse. could be in code

2026 will be remembered as the year when we realized that the convenience of long lived API keys was not worth the security risk

@RoundtableSpace New internal infra to host gitlab.

What are you building today?

@vercel @rauchg any chance self-hosted gitlab could be bumped up the roadmap now?

Honestly github probably isn't the right model for agentic source code control anyhow. Machines and humans don't need the same ergonomics. Probably not a bad thing we're being forced to think about alternatives now. I've used it since 2008 so it feels like the end of an era.

@bentossell No matter what, for the foreseeable future, risk is significantly elevated using github. Everyone is gonna have to decide for themselves what their tolerance is for sure though.

re github should we all just be deploying to our own servers instead? keep code local? only publish open source code?