Friday, May 15
Friday, May 15
The npm Worm That Punishes You for Fighting Back
Happy Friday: over 170 npm packages are actively compromised in the Shai-Hulud campaign, collectively pulling 200 million downloads per week. Three malicious node-ipc versions dropped yesterday. The payloads steal credentials silently from dev machines and CI/CD pipelines. And the genuinely nasty part: the worm monitors for token revocation and wipes your machine when you try to remediate. The attacker built a booby trap into your incident response playbook. TanStack's compromise happened in a six-minute window, with 2FA enabled, passing every provenance check the industry has built.
The npm Worm That Punishes You for Fighting Back
Happy Friday: over 170 npm packages are actively compromised in the Shai-Hulud campaign, collectively pulling 200 million downloads per week. Three malicious node-ipc versions dropped yesterday. The payloads steal credentials silently from dev machines and CI/CD pipelines. And the genuinely nasty part: the worm monitors for token revocation and wipes your machine when you try to remediate. The attacker built a booby trap into your incident response playbook. TanStack's compromise happened in a six-minute window, with 2FA enabled, passing every provenance check the industry has built.
AI Moves New Models Agents and Legal Drama
The original "Attention Is All You Need" paper was published in June 2017 with eight authors. Six eventually left Google. The architecture they described still powers nearly every major AI system running today, which makes it arguably the most influential and least appreciated piece of computer science in a generation.
- A year ago, running a 70B model locally was ambitious. The numbers people are hitting on consumer hardware would have seemed absurd twelve months back.
- The phrase "AI agent" meant something very specific in computer science for decades. In 2026, it means whatever the company launching one needs it to mean.
- Every major workspace and app platform is racing to become an agent orchestration layer. The workspace wars just acquired a new dimension.
Nine years into the transformer era, the ground may be shifting underneath it.
The original "Attention Is All You Need" paper was published in June 2017 with eight authors. Six eventually left Google. The architecture they described still powers nearly every major AI system running today, which makes it arguably the most influential and least appreciated piece of computer science in a generation.
- A year ago, running a 70B model locally was ambitious. The numbers people are hitting on consumer hardware would have seemed absurd twelve months back.
- The phrase "AI agent" meant something very specific in computer science for decades. In 2026, it means whatever the company launching one needs it to mean.
- Every major workspace and app platform is racing to become an agent orchestration layer. The workspace wars just acquired a new dimension.
Nine years into the transformer era, the ground may be shifting underneath it.
Security Scares Big Tech Reshuffles and Community Vibes
Record quarterly revenue of $15.8 billion. Four thousand jobs gone anyway. The money's flowing to AI infrastructure: $5.3B in orders from hyperscalers this fiscal year, projected $9B by year end. Stock jumped 17%. LinkedIn reportedly planning similar cuts.
Microsoft started removing Copilot features from Windows apps after users pushed back hard against AI crammed into every corner of the OS. Turns out people don't want unsolicited AI suggestions in their calculator. A rare corporate retreat.
Threat actors encoded prompt injections in Morse code to slip past detection filters, then aimed them at AI agents managing cryptocurrency wallets. Drained roughly $200K before anyone noticed. Creative enough to be almost admirable. The implications for agent security are less charming.
PraisonAI's legacy Flask server hard-codes AUTH_ENABLED = False. Anyone who can reach it triggers agent workflows without a token. CVSS 7.3. The "ship fast, skip security basics" era of AI tooling continues without interruption.
The UK replaced a Palantir system used for its Homes for Ukraine refugee matching with one built by its own team. More flexible, higher security standards, millions saved. A former government tech advisor called it "an important step toward sovereign technology."
Security researcher physically removed the data modem and GPS from a 2024 RAV4 Hybrid to kill telemetry. Everything still works. Warranty intact thanks to Magnuson-Moss Act. The catch nobody expected: CarPlay and Android Auto still capture vehicle data anyway.
Day one of Pwn2Own Berlin 2026: researchers collected $523,000 after exploiting 24 unique zero-day vulnerabilities. Just day one. The annual reminder that everything you rely on has holes someone already knows about.
Someone built a web project that wraps Wikipedia in a full Windows XP desktop interface. Draggable windows, start menu, taskbar, the whole thing. Completely unnecessary and completely wonderful. Go waste ten minutes.
Favorite Featured Stories
Your browser introduces itself to every server it contacts. The introduction contains six identity claims. One is accura...
MCP and A2A are becoming the communication layer for autonomous software. MCP assumes the thing on the other end is a to...
Before an AI agent processes a single webpage, anti-bot systems have already judged it. The evaluation is about identity...
A peer-reviewed study of 3,500 workers found that AI collaboration improved output quality while cutting intrinsic motiv...
Your browser introduces itself to every server it contacts. The introduction contains six identity claims. One is accura...
MCP and A2A are becoming the communication layer for autonomous software. MCP assumes the thing on the other end is a to...
Before an AI agent processes a single webpage, anti-bot systems have already judged it. The evaluation is about identity...
A peer-reviewed study of 3,500 workers found that AI collaboration improved output quality while cutting intrinsic motiv...