🚨 Andrej Karpathy just explained the scariest thing happening in software right now..
someone poisoned a Python package that gets 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine..
SSH keys.. AWS credentials.. crypto wallets.. database passwords.. git credentials.. shell history.. SSL private keys.. everything..
and here's the part that should terrify every developer alive..
the attack was only discovered because the attacker wrote sloppy code.. the malware used so much RAM that it crashed someone's computer.. if the attacker had been better at coding.. nobody would have noticed for weeks..
one developer.. using Cursor with an MCP plugin.. had litellm pulled in as a dependency they didn't even know about.. their machine crashed.. and that crash saved thousands of companies from getting their entire infrastructure stolen..
Karpathy's take is the real wake up call.. every time you install any package you're trusting every single dependency in its tree.. and any one of them could be poisoned..
vibe coding saved us this time.. the attacker vibe coded the attack and it was too sloppy to work quietly.. next time they won't make that mistake.
Fed up with dev tools cluttered with ads, trackers, and 90s UIs? We were too.
We built our own Swiss Army knife at @ocmalabs: 27 essential utilities. Fast, clean, and 100% browser-local.
Your data never leaves your machine.
https://t.co/AbrXAnRo1Q
Nothing like a 3 AM database migration to make you question your life choices.
Had to stream a 2GB MySQL DB over SSH directly into a Docker container because dumping to disk was taking forever.
https://t.co/TPatT5ScSR
#mysql#devops#migration
"Serverless" is a dream for MVPs but a nightmare for margins once you scale.
You celebrate the traffic spike, then panic at the AWS/Vercel bill. You’re literally being penalized for succeeding.
https://t.co/udSRm9pspI
I’d rather melt my RAM than give away my data to the cloud.
AI Agents are the future, but if they access your CRM or terminal, they cannot live on a server in the cloud.
Why I run OpenClaw locally (and the sound of my fans):
https://t.co/FEkQgkQsXe
#AI#Privacy#Ionastec
Page builders like Elementor are killing your SEO.
Bloated code and slow loading times are a nightmare for Core Web Vitals. Stop prioritizing "easy to drag" over "fast to load".
Why the Page Builder era is ending:
https://t.co/ImT9ljXloL
#SEO#WebPerf#Ionastec
My WP plugin got rejected 3 times, and it was the best learning experience.
From security issues to naming collisions. Here are the mistakes I made and why strict reviews matter:
https://t.co/t2qLf2sSXk
#BuildInPublic#WebDev#OcmaLabs
WordPress served us well, but the web has evolved.
In 2026, monolithic setups are often a bottleneck. It’s time for Islands Architecture and Zero JS by default.
Why we are moving to Astro: https://t.co/PEQCCMYGRW
#Astro#WebPerf#SoftwareArchitecture#CoreWebVitals
The man's face is exactly how I feel when I see a 'Vibe Coded' app with 400 ignored security warnings and zero tests. Good luck maintaining those vibes in 6 months! 😂
@addyosmani True. But the gap between 'passing the lab test' and 'passing the real-world field data' is still huge for many. Frameworks help, but good architecture is still the bottleneck.