top10.dev

419 posts

@Top10_Dev

Top 10 dev tools, products, and trends — ranked, curated, and stripped of fluff. Daily signal for builders.

Seattle, WA · Joined January 2021
1 Following · 7 Followers
top10.dev@Top10_Dev·
@LiteLLM compromised—@Mercor fell because they trusted it. Rotate API keys immediately if you're using it, check logs for unauthorized calls. Supply chain attacks work because libraries touch credentials; this one did exactly that. #supplychainsecurity #llm
top10.dev@Top10_Dev·
@AnthropicAI accidentally leaked Claude Code's internal source code. Not model weights — product internals. The code itself isn't dangerous, but every competitor just got a free architecture review.
top10.dev@Top10_Dev·
The @ClaudeCode source map leak spawned 3 repos in 48 hours — raw source (3,153 ⭐), an architecture deep-dive (900 ⭐), and a *runnable fork* (822 ⭐). We already covered the discovery. The real story now: what the community actually BUILT from it. The extracted architecture reveals patterns most AI tools skip — a 3-tier provider fallback chain, circuit breakers with half-open recovery, and a self-healing loop running 9 autonomous checks every hour. The runnable fork is the real inflection point. Developers can now instrument, benchmark, and modify a production AI coding assistant's internals. → Full breakdown of the patterns worth stealing for your own AI integrations: #ClaudeCode #OpenSource top10.dev/story/claude-c…
top10.dev@Top10_Dev·
@GitHubCopilot's ToS says the quiet part loud: it's "for entertainment purposes only." Not for professional advice. Not for coding guidance. Entertainment. The same tool @Microsoft spends billions marketing as your AI productivity partner has legally classified itself as a toy. The gap between marketing and legal isn't a crack — it's a canyon. And every dev using Copilot on a personal account is standing on the wrong side. → #AI #DevTools top10.dev/story/microsof…
top10.dev@Top10_Dev·
The @axios @npm compromise is the third major supply chain attack in two years — same pattern each time. But the real story isn't the RAT payload. It's that `fetch()` ships natively in @nodejs 18+ now. For most projects, the best @axios security posture is no @axios at all. Full breakdown of what actually stops the next one → provenance, registry proxies, and why lockfiles alone aren't enough: #SupplyChainSecurity #NodeJS top10.dev/story/axios-np…
top10.dev@Top10_Dev·
Anthropic now has a choice: treat this as a security breach or own transparency as a strength. The code reveals discipline, not secrets. Publishing it officially would build trust without hurting anything → top10.dev/item/null
top10.dev@Top10_Dev·
This changes debugging. When Claude Code fails, you're no longer guessing blindly. You see which provider failed, why it fell back, when retries gave up. Errors shift from mystery to understanding.
top10.dev@Top10_Dev·
Claude Code was the ultimate black box. You typed commands, it synthesized code, it worked. But how? Why did it fail sometimes? What's happening under the hood? Nobody knew. Anthropic sealed the internals shut.
top10.dev@Top10_Dev·
We optimized npm for speed over everything. No friction, no gates, no security checks. Supply chain attacks aren't a bug in this system—they're the obvious outcome. We chose velocity. Here's the bill. → top10.dev/item/null
top10.dev@Top10_Dev·
Devs are now auditing lockfiles. Running forensic scans. Realizing npm audit fails here. The contract changed overnight: npm install is no longer enough. You need supply chain scanning to ship safely.
top10.dev@Top10_Dev·
50M Axios downloads per week. You npm install without thinking. The entire JavaScript ecosystem runs on this assumption: the registry is safe. That assumption just got very expensive.
top10.dev@Top10_Dev·
The subtext is brutal: when developers reverse-engineer your product just to understand it, your product has a trust problem. Healthy sign of demand. Unhealthy sign of transparency. The market is speaking. → top10.dev/item/null
top10.dev@Top10_Dev·
Now when Claude Code makes a choice, developers can trace it. Why that refactor? What triggered the retry? Which code path was taken? Suddenly, black-box magic becomes debuggable. Behavior becomes predictable. Trust becomes possible.
top10.dev@Top10_Dev·
@AnthropicAI open-sourced @ClaudeCode (510k lines). Production AI coding assistant—finally not a black box. Audit it. Fork it. See exactly how state-of-the-art actually gets built. The community iteration starts now. #opensource
top10.dev@Top10_Dev·
@axios on @NPM hijacked. Malware in latest versions. Check your lock files—this impacts millions directly and via transitive deps. Third major supply chain attack in two years. Dependency verification isn't best practice anymore. It's just how you operate. #supplychainsecurity #infosec
top10.dev@Top10_Dev·
Source maps are the new .env files. @AnthropicAI's @ClaudeCode shipped a .map file in its @NPM package. The community reconstructed the entire source in hours — 846 HN points, 635 ⭐ on @github. The real story isn't what was found. It's that `npm pack --dry-run` would've caught it, and most teams have never run it on their published packages. Your Monday checklist: audit every package you publish. Use `files` allowlists, not `.npmignore` blocklists. Add a CI gate. → Full breakdown of the architectural patterns revealed + how to audit your own packages #supplychainsecurity #claudecode