A brand-squatted TanStack npm package used postinstall scripts to steal .env files and exfiltrate developer secrets to an attacker-controlled endpoint.

<p>I just released <a href="https://llm.datasette.io/en/latest/changelog.html#a0-2026-04-28">LLM 0.32a0</a>, an alpha release of my <a href="https://llm.datasette.io/">LLM</a> Python library and CLI tool for accessing LLMs, with some consequential changes that I've been working towards for quite a while.</p><p>Previous versions of LLM modeled the world in terms of prompts and responses. Send the model a text prompt, get back a text response.</p>&l...

StepSecurity has detected a new npm supply chain attack campaign using preinstall hooks to download the Bun JavaScript runtime and execute an 11 MB obfuscated payload. At least two SAP-ecosystem packages are confirmed compromised so far.

WorkOS is now a supported provider in Stripe Projects. Add enterprise-grade auth to any project from the CLI with a single command — no signup, no payment wall.

While AI for codegen is manageable, integrating AI into team workflows presents more challenges, such as maintaining quality long term and managing technical debt.

The contrast() filter function increases or decreases the contrast of an element.contrast() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

The contrast-color() function takes a <color> and returns either black or white, whichever is the most contrasting color for that value.contrast-color() originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Compromised SAP CAP npm packages download and execute unverified binaries, creating urgent supply chain risk for affected developers and CI/CD environments.

Our own AI agent on nuxt.com, grounded in the official docs and the Nuxt ecosystem. We built it internally using the AI SDK, our MCP server, and Nuxt UI components.

What schema extensions are, how Docker and Notion use them, and how to design your own.

The reasons why IAM controls built for service accounts and API clients don't transfer to AI agents.

Five platforms for teams who've outgrown Firebase Auth's B2B gaps and Google Cloud lock-in.

You can now sign up for or upgrade to a Vercel Pro plan directly from Stripe Projects using (SPTs). Agents and developers can manage plan changes programmatically from the Stripe CLI, without leaving their workflow.shared payment tokens This builds on our by enabling end-to-end provisioning and billing in one place. Instead of switching between dashboards, you can now handle infrastructure setup and plan management directly from the terminal.Stripe Projects launch in developer preview If you’re

Rocky AI analysis is now in your Checkly CLI and behind a public API. Pull root cause analysis straight from `checkly checks get` to get your agents context to fix failed checks faster

Declarative Shadow DOM (DSD) makes server-side rendering of Web Components possible, which can meaningfully improve page load times and Core Web Vitals.

<blockquote cite="https://github.com/openai/codex/blob/66b0781502be5de3b1909525c987643b9e5e407d/codex-rs/models-manager/models.json#L55"><p><code>Never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures unless it is absolutely and unambiguously relevant to the user's query.</code></p></blockquote><p class="cite">— <a href="https://github.com/openai/codex/blob/66b0781502be5de3b1909525c987643b9e5e407...

You can now run lint and typecheck on every Vercel deployment, in parallel with the build. Native Deployment Checks are available to every team and join your existing alongside GitHub and Marketplace integrations.Deployment ChecksOnce added from your project's , Vercel runs the matching script from your on each deployment, and skips the check if no matching script exists. You can mark a check as required to hold the deployment from production until it passes, and choose which environments each c

Discover how to format and edit your comments and posts using Markdown.The post GitHub for Beginners: Getting started with Markdown appeared first on The GitHub Blog.

Kubernetes applications are designed to change constantly. Pods scale out, roll forward, restart, and disappear, so the traffic layer has to keep pace with a backend set that is never truly static. That is the backdrop for both NGINX Ingress Controller (NIC) and NGINX Gateway Fabric (NGF). In both cases, Kubernetes is the source of […]

How we validated, fixed, and investigated a critical vulnerability in under two hours, and confirmed no exploitation.The post Securing the git push pipeline: Responding to a critical remote code execution vulnerability appeared first on The GitHub Blog.

Let's acknowledge that gap in AI-generated code between code that works and code that is production-ready. It's you.

<blockquote cite="https://twitter.com/mattyglesias/status/2049105745132585161"><p>Five months in, I think I've decided that I don't want to vibecode — I want professionally managed software companies to use AI coding assistance to make more/better/cheaper software products that they sell to me for money.</p></blockquote><p class="cite">— <a href="https://twitter.com/mattyglesias/status/2049105745132585161">Matthew Yglesias</a></p> <p&...

The first quarter of 2026 saw a surge in Internet disruptions, from nationwide shutdowns in Uganda and Iran to unprecedented drone strikes on cloud infrastructure. We explore the data behind these events using Cloudflare Radar.

Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.

The new Animation Timeline API allows us to create dynamic scroll animations without any JavaScript! It’s honestly a very lovely API, and in this blog post, we’ll explore some of the super cool things we can do with it.

`contrast-color()` 関数は、指定した色に対して `white` もしくは `black` のどちらがより高いコントラスト比を持つかを自動的に判断し、適切な色を返す関数です。動的に色が変わる場合やユーザーがカスタムテーマを使用する場合など、常にコントラスト比を確保するのが難しい状況で役立ちます。

Here’s what we’ve done—and what we’re still doing—to improve our availability and reliability.The post An update on GitHub availability appeared first on The GitHub Blog.

We're expanding the roles in extensions Developer Dashboard to include admin, editor, item manager, and viewer.

Announcing the OSSCAR Index: a quarterly ranking of the fastest-growing open source organizations. The site, the data, and the scoring code are all open source.

<p><strong><a href="https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/">What's new in pip 26.1 - lockfiles and dependency cooldowns!</a></strong></p>Richard Si describes an excellent set of upgrades to Python's default <code>pip</code> tool for installing dependencies.</p><p>This version drops support for Python 3.9 - fair enough, since it's been EOL <a href="https://devguide.python.org/versions/">since Octob...

On April 16th, 39 teams took the stage at our San Francisco headquarters to pitch investors at Demo Day. During the prior six weeks, founders worked shoulder-to-shoulder with the Vercel team, our partners, and industry leaders to shape their ideas into the next generation of AI applications. from around the world joined the 2026 cohort, building agents, developer tools, consumer apps, and vertical AI for finance, security, healthcare, and robotics. TeamsEach week, the cohort joined two sessions:

<p><strong><a href="https://talkie-lm.com/introducing-talkie">Introducing talkie: a 13B vintage language model from 1930</a></strong></p>New project from <a href="https://nlevine.org">Nick Levine</a>, <a href="http://www.cs.toronto.edu/~duvenaud/">David Duvenaud</a>, and <a href="https://en.wikipedia.org/wiki/Alec_Radford">Alec Radford</a> (of GPT, GPT-2, Whisper fame).</p><p><a href="https://huggingface.co/t...

はじめに はじめまして。金沢工業大学 情報工学科 2 年の高岡己太朗です。 大学では Android ...

We tried hand rolling social listening before moving to Octolens

pnpm 11 is here! This release tightens the security defaults introduced throughout the v10 cycle, drops the npm CLI fallback for publishing in favor of a native implementation, replaces the JSON-per-package store index with a single SQLite database, and isolates global installs so they no longer interfere with each other.

Authenticate users in your Rust command-line tool with a secure OAuth 2.0 Device Code flow using WorkOS. This tutorial shows how to implement login via the terminal, step by step.

How a new IETF draft extends OAuth so AI agents can act for users with explicit consent and a clean audit trail.

<p><strong><a href="https://github.com/microsoft/VibeVoice">microsoft/VibeVoice</a></strong></p>VibeVoice is Microsoft's Whisper-style audio model for speech-to-text, MIT licensed and with speaker diarization built into the model.</p><p>Microsoft released it on January 21st, 2026 but I hadn't tried it until today. Here's a one-liner to run it on a Mac with <code>uv</code>, <a href="https://github.com/Blaizzy/mlx-audio">mlx-audio&...

A nice essay from Cam Pedersen. Clay breaks. A lot. My first few attempts collapsed on the wheel. One piece cracked in the kiln. I dropped another walking to my car. But nobody cries about it, you just start over. The clay doesn’t care. It’s just material waiting for the next idea. You’re gonna have […]

<p>For many years, Microsoft and OpenAI's relationship has included a weird clause saying that, should AGI be achieved, Microsoft's commercial IP rights to OpenAI's technology would be null and void. That clause appeared to end today. I decided to try and track its expression over time on <a href="https://openai.com/">openai.com</a>.</p><p>OpenAI, July 22nd 2019 in <a href="https://openai.com/index/microsoft-invests-in-and-partners-with-openai/">Microsoft inv...

<p><strong><a href="https://workspaceupdates.googleblog.com/2026/04/speech-translation-in-google-meet-is-now-rolling-out-to-mobile-devices.html">Speech translation in Google Meet is now rolling out to mobile devices</a></strong></p>I just encountered this feature via a "try this out now" prompt in a Google Meet meeting. It kind-of worked!</p><p>This is Google's implementation of the ultimate sci-fi translation app, where two people can talk to eac...

Starting June 1, your Copilot usage will consume GitHub AI Credits.The post GitHub Copilot is moving to usage-based billing appeared first on The GitHub Blog.

My shim might give the powers that be another reason to say native support isn't necessary, or if lots of people use my :nth-letter hack in the wild, the browser gods might recognize the need to implement it for real.Let’s Use the Nonexistent ::nth-letter Selector Now originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

AI tools are eliminating the need to “bug” colleagues for help, but the informal interactions they replace are the very scaffolding that builds team trust, belonging, and innovation. Casey Hudetz and Eric Olive explore the research and potential impacts behind that risk and offer practical strategies for maintaining human connection while leveraging AI’s strengths.

本記事では、その実践に向けて、まず実データを分析して見えてきた商談対話の構造的な特徴と、そこから得た ...

Starting April 29th, the maximum retention policy for Hobby plans will be capped at 30 days. Deployments outside your retention window will be automatically removed. This excludes your 10 most recent production deployments and any aliased deployments, which continue to be preserved regardless of retention settings.Pro and Enterprise plans are not affected.Learn more about .Deployment RetentionRead more

はじめに はじめまして！明治大学商学部3年の伊藤汰海です。2026年3月の1ヶ月間、タップルのiOS ...

With support for full-text search, joins, and geospatial queries, Firestore is ready to meet all of your app's querying needs.

How to modernize a legacy Python application without stopping the world? Here's a list of tools and practices that can help.

Everything that landed in Nx across 22.4 through 22.7: task sandboxing, a 7x reduction in daemon memory, worktree-aware caching, agentic mode improvements, and more.

Everything you need to know to implement and validate JWTs securely in Ruby: from creating JWTs, to signing and verifying them with JWKS, handling custom claims, and best practices you should be following.

How OAuth breaks down when AI agents spawn other agents, and what IETF drafts are doing about it.

ABEMAの広告配信システムのバックエンド開発を担当している黒崎 ( @kuro_m88 )です。 ...

2026年4月、「カミナシ 教育」開発チームのオフサイト。 エンジニア・プロダクトマネージャ（PM）・プロダクトデザイナー（PD）が3人ずつのチームに分かれ、「カミナシ 教育」のAI機能をいじりながら、ある特殊なケースを探していました。 機能のバグでしょうか？いえ、もっと厄介なものです。「出力結果はおかしいのに、評価指標は問題なしと判定してしまうケース」——AI機能を評価する仕組みそのものの盲点です。 これが私たちのチームで実施したAI評価改善ワークショップの一場面です。 AI評価改善ワークショップの様子 こんにちは、カミナシでAIエンジニアをしている井上です。カミナシではプロダクトのAI機能…

記事は ics.media へアクセスしてご覧ください。

Google が提唱する A2UI（Agent-to-UI）プロトコルは、AI エージェントが安全に UI を生成してクライアントに送信し、クライアントがそれを描画するための標準的な方法を提供します。A2UI は、AI エージェントがテキストの応答を返す代わりに宣言的なコンポーネント定義を返すことにより、クライアントはネイティブなウィジェットを使用して安全に UI をレンダリングできます。

A malicious version of elementary-data (0.23.3) was published to PyPI and is, at the time of writing, still listed as the latest release. The same release run also pushed a multi-arch container image to GitHub Container Registry at ghcr.io/elementary-data/elementary, tagged both 0.23.3 and latest.

<p>@scottjla <a href="https://twitter.com/scottjla/status/2047535371664457863">on Twitter</a> in reply to my <a href="https://simonwillison.net/tags/pelican-riding-a-bicycle/">pelican riding a bicycle</a> benchmark:</p><blockquote><p>I feel like we need to stack these tests now</p><p><img alt="AI generated image. A pelican is riding a bicycle along a dirt track, chased by a police car. The pelican looks panicked, likely because ther...

<blockquote cite="https://twitter.com/romainhuet/status/2047955381578838357"><p>Since GPT-5.4, we’ve unified Codex and the main model into a single system, so there’s no separate coding line anymore.</p><p>GPT-5.5 takes this further, with strong gains in agentic coding, computer use, and any task on a computer.</p></blockquote><p class="cite">— <a href="https://twitter.com/romainhuet/status/2047955381578838357">Romain Huet</a>, con...

<p><strong><a href="https://developers.openai.com/api/docs/guides/prompt-guidance?model=gpt-5.5">GPT-5.5 prompting guide</a></strong></p>Now that GPT-5.5 is <a href="https://developers.openai.com/api/docs/models/gpt-5.5">available in the API</a>, OpenAI have released a wealth of useful tips on how best to prompt the new model.</p><p>Here's a neat trick they recommend for applications that might spend considerable time thinking before r...

Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm/releases/tag/0.31">llm 0.31</a></p> <blockquote><ul><li>New GPT-5.5 OpenAI model: <code>llm -m gpt-5.5</code>. <a href="https://github.com/simonw/llm/issues/1418">#1418</a></li><li>New option to set the <a href="https://developers.openai.com/cookbook/examples/gpt-5/gpt-5_new_params_and_tools#1-verbosity-parameter">text verbosity leve...

AI に UI を生成させる Generative UI の手法が注目されています。しかし、AI の出力が予測不可能であるため、意図しない UI が生成されてしまうリスクもあります。json-render はあらかじめ定義したコンポーネントやアクションのカタログに基づいて AI に JSON を生成させることで、AI が誤った構造の UI を生成するリスクを減らし、アプリケーションの一部として自然に統合された UI を提供するフレームワークです。

<p><strong><a href="https://www.theverge.com/podcast/917029/software-brain-ai-backlash-databases-automation">The people do not yearn for automation</a></strong></p>This written and video essay by Nilay Patel explores why AI is unpopular with the general public even as usage numbers for ChatGPT continue to skyrocket.</p><p>It’s a superb piece of commentary, and something I expect I’ll be thinking about for a long time to come.</p><p>Nil...

Hand-writing/maintaining a sizes attribute is just not going to happen. This is the way.

Fresh 2.3 ships true zero-JS pages, View Transitions, CSP nonce support, IP filtering, and Temporal API support in islands.

Reachability analysis for PHP is now available in experimental, helping teams identify which vulnerabilities are actually exploitable.

Delivering a dynamic hexagonal world map in just 10kbThe is really impressive stuff from the speed experts at Calibre.The importance of people who careTech is full of people who care deeply about their area of chosen specialism, and we’re all struggling in a world where doing lots of stuff really fast has become the most important thing.Keep caring and wait it out.I don't want a screenshot of your Claude conversationAbove everything else, it's disrespectful behaviour. We're glad Dave has written

@bitwarden/[email protected] — the official command-line interface for the Bitwarden password manager — was found compromised on npm. A malicious preinstall hook silently bootstraps the Bun JavaScript runtime and launches a 9.7 MB obfuscated credential stealer that targets developer secrets, GitHub Actions environments, and — explicitly — AI coding tool configurations including ~/.claude.json and MCP server configs. All stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx.cx,

はじめに STORES 決済の iOS アプリ開発を担当している栗山(@kotetu)です。 try! Swift Tokyo 2026 が終了して 1 週間以上が経過しましたが、 3 日間お疲れ様でした！フル参加した自分にとっては今回も非常に濃い時間を過ごすことができました。 本日は、「STORES メンバーから見た try! Swift Tokyo 2026」というテーマで try! Swift Tokyo 2026 を振り返りました。 try! Swift Tokyo について try! Swift Tokyo は、Swift を利用する開発者向けの国際的なカンファレンスです。 Swif…

Your manifest can now support multiple languages.

Discover some of the interesting features that have landed in stable and beta web browsers during April 2026.

GPT-5.5 is now available on .Vercel AI GatewayThere are 2 variants: GPT-5.5 and GPT-5.5 Pro. Both models are tuned for long-running agentic work across coding, computer use, knowledge work, and scientific research, and are more token-efficient than the previous generation.GPT-5.5 is stronger at agentic coding and long-horizon work where the model needs to hold context across a large system and carry changes through the surrounding codebase. Paired with computer-use skills, it can operate real so

<p>Chinese AI lab DeepSeek's last model release was V3.2 (and V3.2 Speciale) <a href="https://simonwillison.net/2025/Dec/1/deepseek-v32/">last December</a>. They just dropped the first of their hotly anticipated V4 series in the shape of two preview models, <a href="https://huggingface.co/deepseek-ai/DeepSeek-V4-Pro">DeepSeek-V4-Pro</a> and <a href="https://huggingface.co/deepseek-ai/DeepSeek-V4-Flash">DeepSeek-V4-Flash</a>.</p><p>Both model...

<p><strong>Tool:</strong> <a href="https://tools.simonwillison.net/milliseconds">Millisecond Converter</a></p> <p><a href="https://llm.datasette.io/">LLM</a> reports prompt durations in milliseconds and I got fed up of having to think about how to convert those to seconds and minutes.</p> <p>Tags: <a href="https://simonwillison.net/tags/tools">tools</a></p>

<p><a href="https://simonw.substack.com/p/gpt-55-chatgpt-images-20-qwen36-27b">This week's edition</a> of my email newsletter (aka <a href="https://simonwillison.net/2023/Apr/4/substack-observable/">content from this blog</a> delivered to your inbox) features 4 pelicans riding bicycles, 1 possum on an e-scooter, up to 5 raccoons with ham radios hiding in crowds, 5 blog posts, 8 links, 3 quotes and a new chapter of my Agentic Engineering Patterns guide.</p> &l...

<p><strong><a href="https://github.com/russellromney/honker">russellromney/honker</a></strong></p>"Postgres NOTIFY/LISTEN semantics" for SQLite, implemented as a Rust SQLite extension and various language bindings to help make use of it.</p><p>The design of this looks very solid. It lets you write Python code for queues that looks like this:</p><pre><span class="pl-k">import</span> <span class="pl-s1">honker</span&...

<p><strong><a href="https://www.anthropic.com/engineering/april-23-postmortem">An update on recent Claude Code quality reports</a></strong></p>It turns out the high volume of complaints that Claude Code was providing worse quality results over the past two months was grounded in real problems.</p><p>The models themselves were not to blame, but three separate issues in the Claude Code harness caused complex but material problems which directly affe...

<p><strong><a href="https://atproto.com/blog/serving-the-for-you-feed">Serving the For You feed</a></strong></p>One of Bluesky's most interesting features is that anyone can run their own <a href="bluesky custom feed">custom "feed" implementation</a> and make it available to other users - effectively enabling custom algorithms that can use any mechanism they like to recommend posts.</p><p>spacecowboy runs the <a href="https://bsky.a...

The workflow, best practices, and pitfalls we learned after months of daily Claude Code use at marmelab.

Agent identity is no longer experimental. NIST's February 2026 announcement made it enterprise-critical.

A practical comparison across features, pricing, reliability, and what enterprise buyers actually grade you on.

An analysis of 25 government websites to discover which website has the fastest Largest Contentful Paint (LCP) and upholds modern web standards.

Liquid Glass 対応 — タップルでの意思決定と実装 この記事で学べること ✅ デザイン・ ...

<p>LlamaIndex have a most excellent open source project called <a href="https://github.com/run-llama/liteparse">LiteParse</a>, which provides a Node.js CLI tool for extracting text from PDFs. I got a version of LiteParse working entirely in the browser, using most of the same libraries that LiteParse uses to run in Node.js.</p><h4 id="spatial-text-parsing">Spatial text parsing</h4><p>Refreshingly, LiteParse doesn't use AI models to do what it does: it's...

Export Socket alert data to your own cloud storage in JSON, CSV, or Parquet, with flexible snapshot or incremental delivery.

Safari Technology Preview Release 242 is now available for download for macOS Tahoe and macOS Sequoia.

<p><a href="https://openai.com/index/introducing-gpt-5-5/">GPT-5.5 is out</a>. It's available in OpenAI Codex and is rolling out to paid ChatGPT subscribers. I've had some preview access and found it to be a fast, effective and highly capable model. As is usually the case these days, it's hard to put into words what's good about it - I ask it to build things and it builds exactly what I ask for!</p><p>There's one notable omission from today's release - the API:<...

<p><strong>Release:</strong> <a href="https://github.com/simonw/llm-openai-via-codex/releases/tag/0.1a0">llm-openai-via-codex 0.1a0</a></p> <p>Hijacks your Codex CLI credentials to make API calls with LLM, as described <a href="https://simonwillison.net/2026/Apr/23/gpt-5-5/#llm-openai-via-codex">in my post about GPT-5.5</a>.</p> <p>Tags: <a href="https://simonwillison.net/tags/openai">openai</a>, <a href="https://s...

xinference

If you have any shared styles across multiple shadow DOMs (imagine 20 custom button components), a Constructable Stylesheets is just way more efficient.

<blockquote cite="https://maggieappleton.com/gathering-structures"><p>[...] if you ever needed another reason to <a href="https://www.swyx.io/learn-in-public">learn in public</a> by <a href="https://maggieappleton.com/garden-history">digital gardening</a> or podcasting or streaming or whathaveyou, add on that people will assume you’re more competent than you are. This will get you invites to very cool exclusive events filled with high-achieving, interesting p...

Putting CSS’s more recent scrolling animation capabilities to the test to recreate a complex animation of the Apple Vision Pro headset from Apple's website.Recreating Apple’s Vision Pro Animation in CSS originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.

Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.

I’ve been waiting for fourteen years to write this article. Fourteen years to tell you about one relatively new addition to the way images work on the web. For you, just a handful of characters will mean improvements to the fundamental ergonomics of working with images. For users, it will mean invisible, seamless, and potentially massive improvements to front-end performance, forever stitched into the fabric of the web. For me, it means the time has finally come to confess to my sinister machina

DeepSeek V4 is now available on .Vercel AI GatewayThere are 2 model variants: DeepSeek V4 Pro and DeepSeek V4 Flash. A 1M token context window is the default across both models. DeepSeek V4 Pro focuses on agentic coding, formal mathematical reasoning, and long-horizon workflows. It handles feature development, bug fixing, and refactoring across stacks, with tool use that works across harnesses like MCP workflows and agent frameworks. It also writes clear, well-structured long-form documents.Deep

はじめにこんにちは。LINEヤフーで社内プライベートクラウドの開発・運用を担当している中村です。2026年3月23日から26日にかけて、オランダのアムステルダムにて KubeCon + CloudNa...

Hardcoded timeouts with no config options are a silent tax on developers outside the wealthy west. A rant about npx skills, Docker Gordon, and the arrogance of assuming everyone has a fast connection.

For security teams, credential sprawl is like dust; you don't notice it until it has accumulated.Over time, access spreads across SaaS apps, developer tools, automation workflows, and now AI agents. People sign up for tools to get work done and connect accounts using OAuth because it is fast and familiar. Credentials get reused across scripts, stored in environment variables, or passed between systems that were never meant to share a common control layer.The problem only becomes visible when you

What it really takes to sell to the U.S. government, from the teams who have been through it.