@thsottiaux - Worktree management is terrible. We don't see the worktrees in the session list panel, and we can't even create new sessions for existing worktrees.
- Remote control is getting better, but there is still work to do
- loading / switching sessions is very slow
@thsottiaux Some Codex CLI sessions get lost. It happens everyday and this is really annoying. When I restart my terminal or my machine and I try to resume previous sessions in worktrees, there is nothing to resume.
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin:
https://t.co/0S939n3qHC
@MilksandMatcha I'm building an AI agent orchestrator named OpenDucktor (https://t.co/q6Q5eDqgtA). For now it supports only Opencode, but the next one is Codex.
A Codex Pro subscription would be super helpful ☺️
Our Codex dashboards are showing increased rate of users hitting rate limits and since we don't fully understand why I have made the cautious decision of resetting the usage limits for all plans. Enjoy.
I also wanted to celebrate us finding a pocket of fraudulent accounts that we banned and have helped us regain some compute. The fight against abuse never stops, but it's important to mark the moment and make it a little shared victory.
The @angular team released their own official Agent skills.
You can install them with this command:
npx skills add https://t.co/aAWKdP5GU2
#angular#agentskills#ai
@thsottiaux I wish Codex had slash commands, I hate having to turn them into skills to invoke them.
Also, having to use /skills, then select list skills, and finally select a skill is a pain when I want to invoke one. Would be great to be able to directly use skills as slash commands.
This codex issue is now fully resolved and stable for the last couple of hours.
You have come to expect it, but yes, that means we will be reseting rate limits in a bit. Enjoy.
Ghostty 1.3 is now out! Scrollback search, native scrollbars, click-to-move cursor, rich clipboard copy, AppleScript, split drag/drop, Unicode 17 and international text improvements, massive performance improvements, and hundreds more changes. https://t.co/IMk3i6528t