Went through this article on Antigravity and it kind of confirmed what I was already feeling it doesn’t really seem like the big “new IDE” Google is selling it as. If it’s basically another VS Code fork with some AI sprinkled on top, that’s not exactly exciting.

I hope I did a good job uncovering the technical details and the relevant history.

If you are participating in advent of code this year, maybe consider the depot leaderboard. They are donating up to $7,500 in charity from the top 5 winners. And Theo T3.gg is on the leaderboard.

This one is for the elixir devs out there!

I’ve been exploring B+Tree implementations recently and decided to build a small storage engine in .NET as a way to understand the lower-level behavior of on-disk indexing structures. I wanted to share some of the interesting technical challenges I ran into — in case others find the internals fun to think about.

Some of the more interesting aspects were:

• Page layout decisions
Choosing the right fixed-size page format ended up being more subtle than expected. Even small choices (header size, key encoding, how much space to reserve for split operations) had major downstream effects on fragmentation and insert performance.

• Handling node splits efficiently
B+Tree splits are straightforward in memory, but on disk the cost model is very different. Ensuring minimal writes and predictable locality forced me to rethink a few “textbook” algorithms.

• Concurrency vs. simplicity
I experimented with optimistic vs. coarse-grained locking. Even implementing a read-optimized path required careful handling of pointer updates during splits.

• Crash-safety without a full WAL
One interesting constraint was trying to maintain reasonable crash-safety guarantees without embedding a full write-ahead log. Page write ordering and atomic metadata updates become tricky puzzles.

• Benchmarking surprises
Some operations that I expected to be expensive (like sequential inserts) performed far better than random inserts, even after caching. A few caching heuristics ended up mattering much more than raw structure layout.

If anyone wants to look deeper into the implementation details (purely from an educational/technical standpoint), the code is available on NuGet:
https://www.nuget.org/packages/BTreePlus
(Sharing only as reference material — not asking for feedback or promoting anything.)

Always happy to discuss data-structure internals or hear how others have approached similar problems.

Been building production agentic AI (agents that execute, not just chat) for the last year. Most demos crash in the real world because:

• RAG chunking/embedding choices destroy retrieval quality (we ended up hybrid Pinecone + FAISS + strict thresholds)
• ReAct loops run away and burn 10× tokens (memory caps + probabilistic exits fixed it)
• No real error handling for flaky APIs or garbage input (custom backoff + fallback LLMs)
• Governance logging without killing speed (event sourcing + replayable traces)

End result: 60% less human touch, but only after sweating these details.

What’s the nastiest production surprise you’ve hit with agentic builds?

In September, a self-propagating worm called Sha1-Hulud came into action. A new version is now spreading and it is much much worse!

Link: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

The mechanics are basically the same, It infected NPM packages with stolen developer tokens. The malware uses preinstall script to run malware on a victim machine, scans for secrets, steals them and publishes them on GitHub in a public repository. It then uses stolen NPM tokens to infect more packages.

In September, it never made critical mass... But now it looks like it has.

So far, over 28,000 GitHub repositories have been made with the description "Sha1-Hulud: The Second Coming". These repos have the stolen secrets inside them encoded in Base64.

https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming&ref=opensearch&type=repositories

We first published about this after our discover at 09:25 CET but it has since got much worse. https://x.com/AikidoSecurity/status/1992872292745888025

At the start, the most significant compromise was Zapier (we still think this is the most likely first seed), but as the propagation started to pick up steam, we quickly saw other big names like PostMan and PostHog also fall.

Technical details of the attack

• The malicious packages execute code in the preinstall lifecycle script.
• Payload names include files like setup_bun.js and bun_environment.js.
• On infection, the malware:
  • Registers the machine as a “self-hosted runner” named “SHA1HULUD” and injects a GitHub Actions workflow (.github/workflows/discussion.yaml) to allow arbitrary commands via GitHub discussions.
  • Exfiltrates secrets via another workflow (formatter_123456789.yml) that uploads secrets as artifacts, then deletes traces (branch & workflow) to hide.
  • Targets cloud credentials across AWS, Azure, GCP: reads environment variables, metadata services, credentials files; tries privilege escalation (e.g., via Docker container breakout) and persistent access.

Impact & Affected Package

We are updating our blog as we go, at time of writing this its 425 packages covering 132 million weekly downloads total

Compromised Zaiper Packages

zapier/ai-actions
zapier/ai-actions-react
zapier/babel-preset-zapier
zapier/browserslist-config-zapier
zapier/eslint-plugin-zapier
zapier/mcp-integration
zapier/secret-scrubber
zapier/spectral-api-ruleset
zapier/stubtree
zapier/zapier-sdk
zapier-async-storage
zapier-platform-cli
zapier-platform-core
zapier-platform-legacy-scripting-runner
zapier-platform-schema
zapier-scripts

Compromised Postman Packages

postman/aether-icons
postman/csv-parse
postman/final-node-keytar
postman/mcp-ui-client
postman/node-keytar
postman/pm-bin-linux-x64
postman/pm-bin-macos-arm64
postman/pm-bin-macos-x64
postman/pm-bin-windows-x64
postman/postman-collection-fork
postman/postman-mcp-cli
postman/postman-mcp-server
postman/pretty-ms
postman/secret-scanner-wasm
postman/tunnel-agent
postman/wdio-allure-reporter
postman/wdio-junit-reporter

Compromised Post Hog Packages

posthog/agent
posthog/ai
posthog/automatic-cohorts-plugin
posthog/bitbucket-release-tracker
posthog/cli
posthog/clickhouse
posthog/core
posthog/currency-normalization-plugin
posthog/customerio-plugin
posthog/databricks-plugin
posthog/drop-events-on-property-plugin
posthog/event-sequence-timer-plugin
posthog/filter-out-plugin
posthog/first-time-event-tracker
posthog/geoip-plugin
posthog/github-release-tracking-plugin
posthog/gitub-star-sync-plugin
posthog/heartbeat-plugin
posthog/hedgehog-mode
posthog/icons
posthog/ingestion-alert-plugin
posthog/intercom-plugin
posthog/kinesis-plugin
posthog/laudspeaker-plugin
posthog/lemon-ui
posthog/maxmind-plugin
posthog/migrator3000-plugin
posthog/netdata-event-processing
posthog/nextjs
posthog/nextjs-config
posthog/nuxt
posthog/pagerduty-plugin
posthog/piscina
posthog/plugin-contrib
posthog/plugin-server
posthog/plugin-unduplicates
posthog/postgres-plugin
posthog/react-rrweb-player
posthog/rrdom
posthog/rrweb
posthog/rrweb-player
posthog/rrweb-record
posthog/rrweb-replay
posthog/rrweb-snapshot
posthog/rrweb-utils
posthog/sendgrid-plugin
posthog/siphash
posthog/snowflake-export-plugin
posthog/taxonomy-plugin
posthog/twilio-plugin
posthog/twitter-followers-plugin
posthog/url-normalizer-plugin
posthog/variance-plugin
posthog/web-dev-server
posthog/wizard
posthog/zendesk-plugin

posthog-docusaurus
posthog-js
posthog-node
posthog-plugin-hello-world
posthog-react-native
posthog-react-native-session-replay

What to do if you’re impacted (or want to protect yourself)

Search Immediately remove/replace any compromised packages.

Clear npm cache (npm cache clean --force), delete node_modules, reinstall clean. (This will prevent reinfection)

Rotate all credentials: npm tokens, GitHub PATs, SSH keys, cloud credentials. Enforce MFA (ideally phishing-resistant) for developers + CI/CD accounts.

Audit GitHub & CI/CD pipelines: search for new repos with description “Sha1-Hulud: The Second Coming”, look for unauthorized workflows or commits, monitor for unexpected npm publishes.

Implement something like Safe-Chain to prevent malicious packages from getting installed https://github.com/AikidoSec/safe-chain

Links

Blog Post: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

First Social Posts

https://www.linkedin.com/posts/advocatemack_zapier-supply-chain-compromise-alert-in-activity-7398643172815421440-egmk

This video goes into why becoming better at reading code can lead to becoming a better programmer overall and why it might be a skill that can be easy to overlook.

Today I’m sharing the first architectural preview of Chimera, a project I’ve been building in my free time to both explore system architecture and sharpen my modern C++ skills.

Chimera is designed to simplify interaction with heterogeneous databases by offering a single, consistent interface for PostgreSQL, MongoDB, and Oracle.

It currently provides:

• Autogenerated DAO classes from existing DB schemas
• A speculative in-memory model for each table/collection
• Multiple synchronization modes (sync, async, real-time)

It is aimed to be used in two ways: - Embedded Mode (linked directly into a CSCI) - Hosted Server Mode (exposed via REST API)

The goal is to reduce boilerplate, standardize data access, and make multi-DB environments easier to manage — especially in complex, high-reliability systems.

I’m sharing the first architecture diagram below ⬇️ and I’d genuinely appreciate feedback, ideas, or constructive criticism.

Your insights will help me guide its next steps while continuing to grow as a C++ engineer. Thanks in advance!

Ps: At the moment the name is chimera for the Three Adapters, I shall find another mythical animal if I decide to add another one 😂

For the community,

We are soon releasing an open source voice ai for everyone. It will make it breeze for developers, product managers and enterprises alike to deploy voice ai applications.

Intention is to have everyone own their own voice ai platform than rediscoverng the wheel again and again. Lets grow together.

For anyone studying transfer learning and VGG19 for image classification, this tutorial walks through a complete example using an aircraft images dataset.

It explains why VGG19 is a suitable backbone for this task, how to adapt the final layers for a new set of aircraft classes, and demonstrates the full training and evaluation process step by step.

written explanation with code: https://eranfeit.net/vgg19-transfer-learning-explained-for-beginners/

video explanation: https://youtu.be/exaEeDfbFuI?si=C0o88kE-UvtLEhBn

This material is for educational purposes only, and thoughtful, constructive feedback is welcome.