
thestreamingdev()
@thestreamingdev
all things ai and coding while streaming, DM for consulting.



Mythos has cracked MacOS. It took five days.

holy wow they merged it

“Everything Claude Code can do, for free” Local model people have lost touch with reality

“We should be partners, not rivals," says Chinese President Xi Jinping to US President Donald Trump at a summit in Beijing. In his opening remarks, Trump touted his “fantastic relationship” with Xi, and said US business leaders were in the city to "pay respects" to Xi and China bloom.bg/4dj0v2N



Yippie
Two new Microsoft Windows 0days. The exploits have cool and badass mysterious names to be extra spoopy
- GreenPlasma: Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability
- YellowKey: Bitlocker Bypass Vulnerability
github.com/Nightmare-Ecli…


I listened to this quote at the 14:00 mark of @theo's latest video "we all fell for it" (link below) a dozen times "AI disincentivizes you from learning about the pieces. And I think that's the biggest problem. Humans are very pain—feeling dumb hurts. When you're trying a thing and it doesn't make sense, you feel pain. When you try a thing and it just goes as expected, you feel good. AI has made it easier to avoid that pain and feel that reward. And what used to be an upfront cost you would pay to learn the pieces and then you could get the reward of solving the puzzle is now a slot machine. And your choices are go learn the pieces so that you can actually solve the puzzle correctly or keep pulling the slot machine until hopefully the correct answer comes out because each pull hurts a lot less than reading the docs for a language you don't understand or learning a library that doesn't map with your mental model properly or debugging something that feels hopeless. I learned about this from skateboarding. The reason most skaters give up before learning to ollie, much less kickflip, is because it feels so bad. You hate the feeling seeing others so effortlessly jump on their skateboard, ollie down stairs, and do all these fancy tricks, and you can't even get the board to come up off the ground with you. And then maybe you try a little too hard, and you hit your shin really hard, and now walking's uncomfortable for a few days. Most people give up before they learn those tricks because the pain is so great and the feeling of stupid and incompetence is so strong that they don't want to push through it. At least in code you didn't have the physical pain. You just had to feel dumb. And I'll be real, I kind of miss feeling dumb."

Tessa's quality of life has improved a lot with some nagging.

I ran a 35-billion parameter AI agent on a $600 Mac mini.
Specs: M4 Mac-Mini 16GB RAM
The model doesn't fit in RAM. It pages from the SSD at 30 tokens/second.
On NVIDIA, the same paging gives you 1.6 tok/s. Apple Silicon gives you 30. That's 18.6x faster.
No cloud. No API keys. $0/month.
Here's what it can do 🧵




🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading.
Newly confirmed compromised artifacts:
- @opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
- mistralai: 2.4.6 on PyPI
- guardrails-ai: 0.10.1 on PyPI
- additional @squawk/* packages on npm
guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification.
The git-tanstack.com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)”
The page also linked to a YouTube video and you can probably guess which one.

SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.
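The detection rule in the advisory above, written out as a manifest check. This is an added example, not code from TanStack or from the original post. It flags the two indicators the advisory names: the "@tanstack/setup" optionalDependencies entry and router_init.js at the package root. The function names and the sample package names are assumptions made for illustration.

```javascript
// Indicators copied from the advisory text. The commit hash is truncated there
// ("79ac49ee..."), so the check matches on the dependency entry, not the hash.
const IOC_DEP = "@tanstack/setup";
const IOC_SPEC_PREFIX = "github:tanstack/router#";
const IOC_FILE = "router_init.js";

// manifestText: raw package.json contents; rootFiles: file names at the package root.
function inspectPackage(manifestText, rootFiles = []) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return { id: null, compromised: false, findings: ["manifest is not valid JSON"] };
  }
  const findings = [];
  const optional = manifest.optionalDependencies;
  if (optional && typeof optional === "object" && IOC_DEP in optional) {
    const spec = String(optional[IOC_DEP]);
    const how = spec.startsWith(IOC_SPEC_PREFIX) ? "git-resolved as in the advisory" : "unexpected spec";
    findings.push(`optionalDependencies has ${IOC_DEP} -> ${spec} (${how})`);
  }
  if (rootFiles.includes(IOC_FILE)) {
    findings.push(`${IOC_FILE} present at package root`);
  }
  return {
    id: `${manifest.name}@${manifest.version}`,
    compromised: findings.length > 0,
    findings,
  };
}

// Scan many packages and return only the flagged ones.
function scanPackages(packages) {
  return packages
    .map((p) => ({ path: p.path, ...inspectPackage(p.manifestText, p.rootFiles) }))
    .filter((r) => r.compromised);
}

// Constructed sample input (package names and versions are illustrative only).
const SAMPLES = [
  { path: "node_modules/@tanstack/example-a", rootFiles: ["package.json", "router_init.js"],
    manifestText: JSON.stringify({ name: "@tanstack/example-a", version: "0.0.0",
      optionalDependencies: { "@tanstack/setup": "github:tanstack/router#79ac49ee..." } }) },
  { path: "node_modules/@tanstack/example-b", rootFiles: ["package.json", "dist"],
    manifestText: JSON.stringify({ name: "@tanstack/example-b", version: "0.0.0",
      dependencies: { "left-pad": "1.3.0" } }) },
];

console.log(scanPackages(SAMPLES));
```

To use it on a real tree, feed it the package.json text and root directory listing of each installed @tanstack/* package, including copies nested under other packages' node_modules.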









