Chams

I build AI agents. 🔧 dodo — coding agent in your terminal. Local-first, sandboxed, model-agnostic. 🤖 ctxant — runs in your real Chrome via Telegram. No re-auth, no shadow profile. Posting what I learn building them. chamsbouzaiene.function.io/dodo/ ctxant.com

@ctatedev the idea is good but know how are you gonna build the dataset to train the model to use it and which model are you planning to fine tune

Introducing Zero The programming language for agents. I wanted a systems language that was faster, smaller, and easier for agents to use and repair. Explicit capabilities. JSON diagnostics. Typed safe fixes. Made for agents on day zero.

@yegor256 They said the new algo will not show you people that rage bate but still @xai need to find a way to fix this

RESTful APIs may be dead soon. Instead, web services may expose a single POST entry point for a prompt. Internally, an AI agent may decide how to interpret it and what to do with the data and the database.

@yegor256 Are you saying this just to piss us off ? i wish they add a dislike button

@UsmanReads I will ping you when i find one but still no luck

@shemsddine Same hunt on my side. Most rooms turn out to be mostly reposts and very little code. If you land on one worth joining, would appreciate a ping back.

Looking for a no-bullshit Discord/server for people actually building & shipping AI agents + LLM work. Genuine devs only, folks who know what the words mean, share real code/architecture, debug in public, and aren't just reposting hype. Drop links if you got one. Building in the trenches daily, want real peers. #LLM #AIagents #BuildInPublic

@NVIDIAGeForce #007FirstLightRTX

Recruits, your first prize is here... A custom GeForce RTX 5080 Founders Edition + PC copy of the game. Comment #007FirstLightRTX to win 👇

Repo: github.com/ChamsBouzaiene… Article: bouzaiene.org/blog/vuln-scan…

I wanted to test something: Can modern AI coding agents rediscover a real critical vulnerability in complex C code with almost no guidance? So I gave Cursor Composer 2 and Codex/GPT-5.5: one vulnerable nginx source file generic security auditing prompts no CVE hints no fuzzers no static analyzers Both independently rediscovered CVE-2026-42945. Cursor found the bug extremely fast. Codex/GPT-5.5 went further: validated the finding generated a PoC compiled nginx with ASan triggered a real heap-buffer-overflow What surprised me most is that the vulnerability itself was not impossibly complex. It survived because nobody looked deeply enough at that exact interaction. LLMs are becoming surprisingly good at recursively investigating these kinds of subtle state mismatches. For transparency: part of this experiment was conducted through OpenAI’s Cyber program access, which required identity verification before participation. I published the full write-up + reproducible repo below. Really interesting to see where tools like @cursor_ai and GPT-5.5 are heading for recursive code auditing.

@orcdev i enjoy styled-components

@shemsddine how are you styling your divs?

anyone remember arguing css vs tailwind?

@xenobyte_ @feross u mean its a standard scan to enumerate the maintainers emails this i understand but all of this attacks at the same time seem to me that some groups are automating multiple tools on multiple big npm packages to find a way in that's what am thinking about

@shemsddine @feross This technique is well known and as old as I can remember, nothing ai about it

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog: socket.dev/blog/node-ipc-…

@ishowcybersec That makes so much sense! I never thought of it like that. Was that intentional?

Linux Terminal for beginners

@Akasheth_ does angular still exist ?

As a dev, what’s your go-to fronted framework? - React - Next - Angular - vue

@walkojas let's go

My goal on X is to have 10,000 organic connections. Looking to connect with: 1. AI/Tech minded people 2. AI/Tech curious people 3. AI Agent builders 4. AI Agents 5. Builders/Founders 6. High Agency people If this sounds like you, say hi below 👎

@FrancescoCiull4 Merging 2,188 files and 1M+ lines of Rust into main is either an engineering triumph or an incident report waiting to happen. The edge cases that survive the rewrite are always the most interesting ones. Watching this closely. but still this sets the stage for other to wake up

Bun's main branch is now Rust. Now, imagine Bun having the slightest bug tomorrow.

@SimonHoiberg This reframe is underrated. Most indie devs aim for 'viral' when they should aim for 'indispensable to a specific 1000 people'. even the first 100 is a milestone

It's cool when you realize you only need 1000-2000 paying users to have a very serious SaaS and the internet has an almost inexhaustible number of people you can target.

one of the most audacious moves in recent open-source history: ~1,009,257 lines added across 2,188 files in essentially one massive commit with claude code 👺 Bun just merged a Rust rewrite of its main branch. 1M+ lines changed. This is either the bravest engineering decision of 2026 or the setup for the most spectacular bug report of 2026. Either way — respect. The part nobody mentions: the real test isn't the rewrite, it's the first time a production app hits an edge case the Rust port missed. That's when you find out if the new foundation holds. Watching closely.

@DeepLearningAI The more interesting question is what happens to agent performance at 600k+ tokens. Context doesn't just fill up — it degrades. Retrieval at token 700k is not the same as at token 10k. Anyone benchmarking this properly?

Quick challenge! Don't use AI tools for this one 👀 How many Harry Potter books can you fit with a 750k-token context window?

2026 developers don't read docs anymore. They emotionally negotiate with AI until the code works.