's native Nitro v3 integration is now in beta. Steps run inside the same bundled runtime as the rest of your app, instead of a separate bundle. Nitro's and other server-side APIs work directly inside functions.Workflow SDKuseStorage()"use step"The Nitro dev server also serves the workflow web UI at . Open it in your browser to inspect, monitor, and debug workflow runs./_workflowWorkflow routes are now bundled by Nitro as part of the app build. Dependencies are traced, and unused code is tree-sha

<p><strong><a href="https://tools.simonwillison.net/openai-webrtc">OpenAI WebRTC Audio Session, now with document context</a></strong></p>I built the first version of this tool <a href="https://simonwillison.net/2024/Dec/17/openai-webrtc/">in December 2024</a> to try out the then-new OpenAI WebRTC API for interacting with their realtime audio models.</p><p>Last month OpenAI <a href="https://openai.com/index/advancing-voice-intellige...

Better orchestration, fewer handoffs, faster progress, without a single new knob.The post How we made GitHub Copilot CLI more selective about delegation appeared first on The GitHub Blog.

A practitioner breakdown of LLM token theft: what it is, how the abuse works, the signals that catch it, and why traditional tools miss it.

<blockquote cite="https://www.mcsweeneys.net/articles/ai-economics-for-dummies"><p>Jenny owns a crematorium. John’s propane company gives her a $20 billion investment in return for 5 percent of her operation. Jenny throws $10 billion into the incinerator, then pays John $10 billion to buy propane to burn that money to ashes. John reports that his AI investments have generated $10 billion in revenue this quarter and that he owns 5 percent of a $100 billion business. A reporter from &...

Using our 3, 2, 1 state system, we can make popovers animate on "the way in" and "the way out" just like we did with dialogs in Part 1.

技術情報のキャッチアップは、業務が忙しくなると最初に削られます。意志の問題ではなく、情報収集が時間を細かく、けれど継続的に消費する活動だからだと思っています。newmoでは立派な仕組みを作るより、忙しい週でも続く軽いものとしてエンジニアミートアップを行なっています。 Engineering Meetup とは newmoには「Engineering Meetup」という場があります。週に一度、エンジニアリングに興味のあるメンバーが話題を持ち寄る1時間のランダムトークです。毎週金曜の夕方に、所属や雇用形態を問わず誰でも参加できます。テーマはWebでもモバイルでもクラウドでも自動運転でも、最近読ん…

We have officially moved past the era of humanoid robots as mere public relations stunts. As they become increasingly lifelike, society may soon face profound social, psychological, and ethical challenges. What happens when the boundary between humans and machines becomes almost impossible to distinguish?

HighlightsFive core rules now highlight smaller ranges of code to avoid shadowing other problems in editors.Rules max-lines-per-function, max-nested-callbacks, and max-statements now highlight only the function header instead of the entire function.Rules max-depth and no-with now highlight only the first keyword.Several errors in the calculations have been corrected in the max-depth and max-nested-callbacks rules. These bug fixes can result in reporting more linting errors in existing code.Featu

Amasty Order Attributes, a popular checkout extension for Magento 2 and Adobe Commerce, contains an unauthenticated arbitrary file upload vulnerability. An attacker can upload a file of any type an...

A practical checklist for platform teams securing agents, MCP servers, and coding assistants before the next credential leak

Kimi K2.7 Code from Moonshot AI is now available on .AI GatewayK2.7 Code is a coding model built for long-horizon programming tasks, generalizing across scenarios including frontend development, DevOps, and performance optimization. The model has a native multimodal architecture that supports text and vision input, and always runs in thinking mode.To use K2.7 Code, set model to in the :moonshotai/kimi-k2.7-codeAI SDKPass an image alongside a prompt to use the model's multimodal input:AI Gateway

introduces , a single API for running established agent harnesses, including Claude Code, Codex, and Pi. AI SDK has always let you switch models without rewriting your agent. Now you can switch the harness the same way.AI SDK 7HarnessAgentWrite the agent once. Use the best harness available.Today. In 3 months. A year from now.Harnesses manage the components above a model call, including skills, sandboxes, sessions, permission flows, compaction, runtime configuration, and sub-agents. The AI SDK n

<p>After two days of experience with <a href="https://simonwillison.net/2026/Jun/9/claude-fable-5/">Claude Fable 5</a> I think the best way to describe it is <strong>relentlessly proactive</strong>. It knows a whole lot of tricks and it will deploy pretty much any of them to get to its goal.</p><p>I'll illustrate this with an example. I was hacking on <a href="https://agent.datasette.io/">Datasette Agent</a> today when I noticed a glitch: a ...

Web未経験MLエンジニアが社内プロダクト開発でAIコーディングにどハマりするまで はじめに こんに ...

In May, we experienced nine incidents that resulted in degraded performance across GitHub services.The post GitHub availability report: May 2026 appeared first on The GitHub Blog.

Socket’s first CISO brings deep experience securing high-growth SaaS companies as open source supply chain threats accelerate.

Miasma and Hades worms are spreading across npm and PyPI, running on import and project open. See how Dev Machine Guard's Suspicious Files detects them.

Alerts are more trustworthy and actionable when noise is reduced. See how we improved the verification step with context-aware LLM reasoning.The post Making secret scanning more trustworthy: Reducing false positives at scale appeared first on The GitHub Blog.

<p><strong>Release:</strong> <a href="https://github.com/simonw/datasette/releases/tag/1.0a33">datasette 1.0a33</a></p> <p>This alpha is a significant step on the road to a stable 1.0, finally extending the <code>?_extra=</code> pattern I introduced <a href="https://docs.datasette.io/en/1.0a3/changelog.html#a3-2023-08-09">in Datasette 1.0a3</a> to cover queries and rows in addition to tables. That pattern is also <a href="http...

npm v12 makes install scripts opt-in by default, closing the install-time execution path behind a year of npm supply chain worms from Nx to Red Hat.Category: News

Aikido now supports Docker Hardened Images with built-in VEX integration, helping teams reduce CVE noise and focus on container vulnerabilities that actually need attention.Category: Product & Company Updates

<p><strong>Release:</strong> <a href="https://github.com/simonw/asyncinject/releases/tag/0.7">asyncinject 0.7</a></p> <p>I built this utility library to support an <code>asyncio</code> dependency injection pattern a few years ago. I was using it with Datasette and Claude Fable 5 spotted some bugs in the dependency which it then fixed for me. It's a very proactive model!</p> <p>Tags: <a href="https://simonwillison.net/tags/asyn...

Okara on Vercel4 billion tokens processed daily across a multi-provider AI stack on VercelAI CMOs actively managing growth for 120,000+ businessesEight sub-agents handling SEO, GEO, social, content, Reddit, and Hacker NewsNew AI models available to users the same day they shipOkara is an AI CMO that directs a team of specialized sub-agents to drive marketing, so founders don't have to. Give Okara your website URL, and the AI CMO builds a marketing strategy, develops a brand voice, and activates

<p><strong><a href="https://www.wired.com/story/anthropic-responds-to-backlash-on-claudes-secret-sabotage-on-ai-research/">Anthropic Walks Back Policy That Could Have ‘Sabotaged’ AI Researchers Using Claude</a></strong></p>Big scoop for Maxwell Zeff at Wired:</p><blockquote><p>“We’re changing Fable 5’s safeguards for frontier LLM development to make them visible.” Anthropic said in a statement to WIRED. “We made the wrong tradeoff and we apo...

Every val gets its own blobs

WASI 0.3 is official, and async is now native to WebAssembly Components. The WASI Subgroup voted to ratify WASI 0.3.0, rebasing WASI onto the WebAssembly Component Model’s async primitives. The 0.3.0 specification is now stable, and runtime and toolchain support is landing now.

Upgrade guide for Fumadocs OpenAPI v11.

pnpm used to expand $ placeholders everywhere it found them — including in the .npmrc and pnpm-workspace.yaml files that live inside the repository you just cloned. That turned out to be a way for a malicious repository to steal the secrets in your environment. As of v10.34.2 and v11.5.3, pnpm stops expanding environment variables in repository-controlled registry and credential settings.

The is now available in Grok Build.Vercel pluginGrok can now draw on Vercel knowledge as you work. Real-time activity, including file edits and terminal commands, dynamically injects the relevant knowledge into context, so answers stay aligned with current platform APIs and recommended patterns.Install it in either of two ways:Learn more about the Vercel plugin in the .documentationRead moreAdd to your prompt and Grok will recommend installing it in chatvercelOpen the Grok Build marketplace with

Azure is now a provider for DeepSeek V4 Pro and V4 Flash on .AI GatewayRequests to either model can route through Azure alongside the existing providers for another failover path. No code changes are required: default routing considers Azure automatically, and if a provider fails the gateway falls back through the remaining list.If you want requests to try Azure first, use in the gateway provider options to prefer Azure while keeping the other providers as fallback for or in the :orderdeepseek/d

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent/releases/tag/0.2a0">datasette-agent 0.2a0</a></p> <p>Highlights from the release notes:</p><blockquote><ul><li>Tools can now ask the user questions mid-execution. Tools that declare a <code>context</code> parameter receive a <code>ToolContext</code> object, and <code>await context.ask_user(...)</code> can ask a y...

<p><strong><a href="https://blog.google/innovation-and-ai/technology/developers-tools/diffusion-gemma-faster-text-generation/">DiffusionGemma</a></strong></p>Last May Google briefly released an experimental Gemini Diffusion model. I <a href="https://simonwillison.net/2025/May/21/gemini-diffusion/">tried the preview at the time</a> and recorded it running at 857 tokens/second. It was an exciting model, but Google made no further announcements about...

Developers are coding everywhere. AI agents, Slack bots, and MCP servers have made the developer device the biggest security blindspot.Category: News

Replit is integrating Socket Firewall into its AI-powered development experience to help protect builders from malicious open source packages.

Install and configure LSP servers for GitHub Copilot CLI, replacing brute-force grep/decompile with real code intelligence. The post Give GitHub Copilot CLI real code intelligence with language servers appeared first on The GitHub Blog.

Each pseudo element plays a distinct role in how the view transition animates. The browser does most of the heavy lifting though, which makes it a little hard to see what’s actually happening under the hood.

<blockquote cite="https://twitter.com/jeremyphoward/status/2064595816875217362"><p>Easy solution to slow down recursive AI self improvement:</p><ul><li>The lab with the top-ranked model must agree THEY must not use it for working on frontier AI</li><li>But everyone else should have access to it.</li></ul><p>By definition, this means the frontier doesn't advance.</p><p>It also has the critical benefit of avoiding a dangerous...

記事は ics.media へアクセスしてご覧ください。

ENISA's 2026 SBOM adoption report covers 334 organizations and surfaces a consistent gap between generating SBOMs and actually using them. Here is what stood out.Category: News

Application Services for Private Origins is available now in closed beta. Route public hostnames to private IP origins over your existing IPsec, GRE, CNI, or Cloudflare Mesh paths. No public IPs or extra connector software required.

The compromised onering Rust crate v1.4.1 on crates.io shipped a malicious build.rs that exfiltrates the diff of your latest commit to a hosted Sentry endpoint every time you build.Category: Vulnerabilities & Threats

Findings from an exploratory user research study highlighting the unique insights and practical UX recommendations shared by participants with cognitive disabilities.

Aikido Security discovered a critical unauthenticated authentication bypass in phpBB affecting tens of millions of users. A single HTTP request is all it takes to take over any account — a vulnerability that's been sitting in the codebase since 2014.Category: Vulnerabilities & Threats

This week, we launched the Field Guide to Grid Lanes at gridlanes.webkit.org.

Many organizations are already deploying agentic workflows. Some are still experimental, while others are running in production. Once an AI agent can take action on behalf of a business, the question is no longer whether it’s useful, but what happens when something goes wrong. It’s tempting to focus on blame: the AI vendor, the manager, […]

はじめに はじめまして。東京電機大学大学院修士1年の佐藤聖璃です。 2026年4月の1ヶ月間、株式会 ...

はじめに：生成AIの登場とQAに投げかけられた問い生成AIが登場した際、多くの職種に対して似たような疑問が投げかけられました。「この仕事はAIに代替されるのか？」「反復的な業務は自動化されるのではない...

<p><strong><a href="https://jonready.com/blog/posts/claude-fable5-is-allowed-to-sabotage-your-app-if-youre-a-competitor.html">If Claude Fable stops helping you, you'll never know</a></strong></p>Jonathon Ready highlights one of the more eyebrow-raising details from the <a href="https://www-cdn.anthropic.com/d00db56fa754a1b115b6dd7cb2e3c342ee809620.pdf">319 page system card</a> for Fable 5 and Mythos 5. Here's a longer excerpt, highlights ...

Aaron T. Grogg has a nice page chock full of examples of UI, which used to be the sort of thing that we’d use JavaScript for, but can now be done in HTML & CSS. No hate: I have nothing against JS, but it has better things to do The examples are very modern, like […]

Potluck joined the team. Claude became our biggest source of new users

A practical guide to encrypted storage, OAuth connection management, and session-scoped access for autonomous agents

How to scope what an AI agent can do on a user's behalf, and why the answer is never the user's full permission set.

A practical security audit for backend engineers building or inheriting agentic systems, covering identity, token design, delegation, and the patterns that fail in production

Threshold billing now sends Pro teams a partial invoice mid-cycle once on-demand usage reaches a threshold, instead of holding all charges until the end of the billing period. Partial invoices and the end-of-cycle invoice add up to your total usage, so the same usage is never billed twice.Learn more about .partial invoicesRead more

<p>I didn't have early access to today's <a href="https://www.anthropic.com/news/claude-fable-5-mythos-5">Claude Fable 5</a> release, but I've spent the past ~5.5 hours putting it through its paces. My initial impressions are that this is something of a <em>beast</em>. It's slow, expensive and has been quite happily churning through everything I've thrown at it so far. As is frequently the case with current frontier models the challenge is finding tasks that it can...

こんにちは。サイバーエージェントの佐藤です。 先日開催された CA DATA NIGH ...

はじめに LegalOn Technologiesでは、2027年卒からソフトウェアエンジニア（SWE）の新卒採用を本格的にスタートします。 以前公開した「初めての新卒SWEインターンはどう始まったか。プロジェクトメンバーで振り返る」では、新卒採用本格スタートに向けた長期インターンシップの、設計から選考、受入れまでの裏側をお届けしました。今回はその続編として、実際にインターン生を受け入れた各チームのメンターに話を聞きました。 どんなタスクを任せたのか、どんな成長を期待したのか、そしてメンター自身がどんな学びを得たのか。初めてのSWEインターンを現場視点で振り返ります。 今回話を聞いたのは以下の…

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm/releases/tag/0.32a3">llm 0.32a3</a></p> <p>Almost entirely written by the new Claude Fable 5, see <a href="https://simonwillison.net/2026/Jun/9/claude-fable-5/#adding-features-to-datasette-agent-and-llm-using-claude-code">my write-up for more details</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/projects">projects</a>, <a href="https://...

<p><strong>TIL:</strong> <a href="https://til.simonwillison.net/llms/agentsview-custom-model-price">Setting a custom price for a model in AgentsView</a></p> <p>I've been really enjoying <a href="https://agentsview.io/">AgentsView</a> by Wes McKinney as a tool for exploring my token usage across different coding agents running on my laptop.</p><p>Claude Fable 5 came out today and wasn't yet included in the pricing database AgentsV...

npm confirmed a tooling bug incorrectly marked several one-character packages as security holders and said it was working on a rollback.

StepSecurity's new Threat Center API returns the compromised packages for any supply chain incident, so you can automate response and confirm exposure fast.

An attacker hijacked a co-founder's GitHub account for gpt-pilot, a 33K-star AI coding tool, and force-pushed a credential-stealing Shai-Hulud payload to the main branch. The ruff Python linter caught formatting and lint violations in the malicious code and blocked the CI build -- twice. The attacker gave up.

On June 8, 2026, multiple Graph ML PyPI packages in the bioinformatics ecosystem were compromised in the Hades campaign, deploying cross-platform memory scrapers, AI prompt injections to misdirect scanners, and a token-revocation wiper.

On June 5, 2026, the Miasma worm campaign reached Microsoft's Azure GitHub organizations. GitHub disabled 73 repositories across four Microsoft GitHub organizations after a malicious commit was pushed to the Azure/durabletask repository using a previously compromised contributor account. The attack planted configuration files that execute a credential-harvesting payload when a developer opens the repository in Claude Code, Gemini CLI, Cursor, or VS Code.

Three malicious versions of Microsoft's official durabletask Python SDK were published to PyPI on May 19, 2026. The compromised package silently downloads and executes a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale, a hallmark of Eastern European cybercrime operations. The attack has been linked to the TeamPC

<blockquote cite="https://twitter.com/karpathy/status/2064409694761054332"><p>I feel a lot of things changing as working software increasingly comes out on a tap. The Jevon's paradox kicks in and I feel my own demand for software growing substantially. You can ask for anything - explainers, visualizers, dashboards, bespoke single-use apps (e.g. a full wandb that is hyper-specific just for your project), you can 10X your test suite, auto-optimize code, run giant research projects wit...

MapKit JS allows you to bring the power and simplicity of Apple Maps to your website or web app.

Custom agents let GitHub Copilot CLI understand your stack and team workflows, turning one-off terminal prompts into repeatable, reviewable processes.The post From one-off prompts to workflows: How to use custom agents in GitHub Copilot CLI appeared first on The GitHub Blog.

Deep dive into binding.gyp, the often overlooked npm build file that can execute malicious code at install time through shell expansions, sandbox escapes, and compiler hijacking.Category: Vulnerabilities & Threats

CA DATA NIGHTは、サイバーエージェントが主催するデータサイエンスに特化した技術者向けの勉 ...

Build structured tools for your website, so agents can complete tasks accurately.

Claude Fable 5 from Anthropic is now available on . A Mythos-class model, Fable 5 is a notable step up over prior Claude models on long-running, ambiguous, multi-step tasks, executing end-to-end on work that previously required frequent human check-ins.AI GatewayThe model sustains productive output across multi-day runs and dependably dispatches parallel sub-agents, and lower effort settings often match what prior Claude models produced at their highest effort. Code review, bug-finding, and repo

In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like, the threats it defends against, and how we run it ourselves as Cloudflare's customer zero.

newmoではフロントエンドとバックエンドの通信をGraphQLで行っています。GraphQLのスキーマは、フロントエンドとバックエンドが合意した唯一の正しい定義、いわば「正となる単一の情報源(Single Source of Truth)」です。このスキーマを正として、開発と自動テストの両方をここから組み立てたい。その基盤として@newmo/graphql-fake-serverを自作してOSSとして公開しています。 このライブラリは、スキーマを正としたまま、2つの使い方を1つのサーバで両立します。1つはスキーマに@example* directiveを書くだけで値が返るDeclarativ…

A designer and an engineer shipped a production MVP in four weeks on Rails + Inertia. In this post, we share our agentic coding stack, the skills we built, and why it clicked.

Today, we're announcing the new Nuxt Agent: Nuxi. We want to make your Nuxt experience less generic and more personalized, with the care that characterizes the Nuxt community.

Node-RED 5.0 is now available to install. If upgrading, please read the upgrade instructions.

What you're actually signing up for when a customer's IdP doesn't speak SCIM.

Everything you need to know to implement and validate JWTs securely in .NET: from token creation and JWKS verification to ASP.NET Core middleware integration, with code examples and best practices throughout.

Prompt injection ends when the session closes. Memory poisoning persists across sessions, activates weeks later, and is nearly invisible to detect.

AI costs are getting harder to forecast. As teams lean more on coding agents and other token-heavy workflows, a key can burn cost faster than anyone notices:Set a spend cap on any key, and rejects further requests on that key once the limit is exceeded, until the budget resets or you raise it. The cap applies to all AI Gateway providers and models running through the key, making it easier to consolidate and govern AI costs.AI GatewayOn the , click , enable the option, enter a limit in dollars, a

You can now use the Vercel CLI to search domains. Using the command, you can supply a domain name and retrieve availability and price results for all TLDs that Vercel supports. vercel domains searchYou can also filter by TLD, apply sorting, and filter out unavailable domains.Upgrade your Vercel CLI to version to get started.54.10.1Read more

<p>Given how badly burned anyone who took Apple's <a href="https://simonwillison.net/2024/Jun/10/apple-intelligence/">2024 WWDC Apple Intelligence announcements</a> at face value was, I'm holding to a strict "I'll believe it when I see it" policy for everything <a href="https://www.apple.com/newsroom/2026/06/apple-unveils-next-generation-of-apple-intelligence-siri-ai-and-more/">they announced today</a>. </p><p>The new Siri AI features do at least look f...

こんにちは！AI事業本部/協業リテールメディアにてPdMをしております三浦です。 先日、CyberA ...

Safari Technology Preview Release 245 is now available for download for macOS Tahoe and macOS Sequoia.

Welcome to WWDC26.

Safari 27 beta is here.

Newer packages in this compromise use native extensions and .pth loaders to execute JavaScript stealers in developer environments.

Find the answers to some of the most common GitHub-related questions.The post GitHub for Beginners: Answers to some common questions appeared first on The GitHub Blog.

NGINX Ingress Controller 5.5 brings full support for mTLS in Ingress objects! This blog post gives a more in-depth overview of our GitHub deployment examples and shows how to configure both our new ingress and egress mTLS Policy CRDs in NGINX Ingress Controller using annotations. Ingress mTLS Ingress mTLS configures how NGINX verifies client certificates […]

Here's a brand new approach to creating staggered animations in CSS using a single progress value, allowing for smooth linkage to various inputs like scrolling. By utilizing a mathematical formula, it enhances control over animated elements without isolating their timelines, making animations more versatile and scrubbable.

Cloudflare customers can now use Cloudforce One threat intelligence directly within the WAF to block high-risk traffic. By using new cf.intel fields, security teams can automate protection against specific threat actors and targeted industries in real time.

My Take on AI as of June 2026. Most people say AI kills the creativity and the fun in building. I want to offer the other side: managing agents feels a lot like the tech lead job I already loved.

Every month, routes tens of trillions of tokens between production applications and AI labs, giving us visibility into what AI usage actually looks like, separate from leaderboards and benchmarks. We publish the data monthly in the AI Gateway production index. AI GatewayLast month, headlines about blown token budgets dominated tech news: its annual Claude Code budget shortly after Q1 and Amazon to curb unproductive tokenmaxxing. While runaway cost is a real problem, this month’s report shows tha

大規模なネイティブアプリの開発では、新しい技術を知っているだけでは足りません。難しいのは、それを歴史ある現場へどう適用するかです。ユーザー影響の大きいプロダクトでは、素早く価値を届ける「アジリティ（速...

WASI P3 is almost here, bringing native async support to the WebAssembly System Interface (WASI) and Component Model. In this post, we’re looking to the next big milestone: a stable, formally specified Component Model 1.0. At February’s Bytecode Alliance Plumbers Summit, Luke Wagner and Alex Crichton gave a preview of what the path to a stable 1.0 actually looks like. At Wasm I/O 2026 in Barcelona in March, Luke expanded on that vision. So let’s take a look at where the Component Model is headin

<p><strong>Release:</strong> <a href="https://github.com/datasette/datasette-agent-edit/releases/tag/0.1a0">datasette-agent-edit 0.1a0</a></p> <p>I'm planning several plugins for <a href="https://agent.datasette.io/">Datasette Agent</a> which can make edits to existing pieces of text - things like collaborative Markdown editing, updating large SQL queries, and editing SVG files.</p><p>Agentic editing of text is a little tricky to...

カミナシエンジニアの osuzu です。 「状態管理にどのライブラリを使うか」への違和感 Reactの状態管理の話になると、だいたいライブラリの比較から始まります。少し前なら Redux か Zustand か Jotai か、最近だと TanStack Query と React Hook Form を組み合わせれば残りはわずか、みたいな話が多い印象です。 ただ、読んでいてどこか議論がかみ合わない感じがずっとありました。 理由はたぶんシンプルで、その問いは手前にすべきモデリングを飛ばしているからだと考えてます。 ライブラリ起点・コンポーネント起点はなぜこじれるのか フロントの状態管理でやりが…

AI もすなるコードレビューといふものを、人間もしてみむとてするなり。 — AI 紀貫之 AI がコードを書くようにはなっても基本的には人間がレビューする生活を続けているので, いま何を考えてどうしているかをスナップショットとして書いておきます. 仕事 メンタルモデルとして AI コーディングエージェントを単なる道具としてみなしていた時代は, 人間(A): タスクに着手, コーディングを AI に指示, 検収 AI: 人間(A)の代わりにコードを書く 人間(B): 人間(A)が書いたコードとしてレビューする というような構造だったんですが, これは人間(A)の検収と人間(B)のレビューが実質的…

Socket found 37 malicious PyPI wheels that abuse Python startup hooks to launch a Bun-powered credential stealer tied to Mini Shai-Hulud/Miasma.

AI SAST is emerging as a new SAST category, but the meaning is unclear. We clarify the difference between AI-native SAST and AI-assisted SAST, as well as how AI SAST sits in the stack between traditional SAST and AI pentesting.Category: DevSec Tools & Comparisons

<p><strong>Release:</strong> <a href="https://github.com/simonw/micropython-wasm/releases/tag/0.1a2">micropython-wasm 0.1a2</a></p> <p>I added a CLI to <code>micropython-wasm</code> (<a href="https://github.com/simonw/micropython-wasm/issues/7">issue #7</a>), inspired by the first draft of <a href="https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbox/">the blog entry</a> when I realized it would be a great wa...

<p>I've been experimenting with different approaches to running code in a sandbox for several years now, but my latest attempt feels like it might finally have all of the characteristics I've been looking for. I've released it as an alpha package called <a href="https://github.com/simonw/micropython-wasm">micropython-wasm</a>, and I'm using it for a code execution sandbox plugin for <a href="https://github.com/datasette/datasette-agent">Datasette Agent</a> called &...

Vitest の `isolate: false` オプションを有効にすることで、テストの実行時間を大幅に短縮できましたが、その際に大規模なコードの修正が必要でした。Claude Code の `/goal` コマンドを活用することで、最終的なゴールを達成するために必要なステップを自律的に判断して実行させることができます。この記事ではその経験について紹介します。