@karanaggarwal86@Apple Based on my experience the opening of the box is usually to verify if the piece is damaged and the login is to usually ensure you are aware of login process so that you don’t lose your phone, since an unactivated phone is as good as a free phone.
🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART..
They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials..
The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history..
Here's how the whole thing unfolded..
In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally..
They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background..
It took Aqua Security 5 days to fully remove them..
Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms..
In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers..
That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm..
One compromised security scanner poisoned a password manager.. Automatically.. No human involved..
In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages..
And here's the terrifying part..
The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures..
Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed..
They defeated the entire trust model of modern software supply chains..
The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials..
That's a first.. Supply chain malware designed to steal your AI's access keys..
Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free"..
Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next..
It jumps between npm and PyPI automatically..
The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records..
And the scariest part of all..
They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools..
Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream..
And right now.. Nobody can tell the difference between a legitimate build and a compromised one..
Because the compromised ones have valid signatures too.
This is crazy. The hacker installed a dead-man's switch that will wipe your computer if you revoke the GitHub token they stole from you. Revoking the token is what triggers the wipe.
MIT engineers have developed “mini livers” that could be injected into the body and take over the functions of the failing liver. This would help patients who are on a waitlist for a liver transplant or those who aren’t healthy enough to tolerate surgery.
https://t.co/B6odCTawl0
A Rust dev just killed Headless Chrome.
It's called Obscura. The open-source headless browser purpose-built for AI agents and scrapers at scale.
Chrome vs Obscura:
- Memory: 200MB+ → 30MB
- Binary: 300MB+ → 70MB
- Page load: 500ms → 85ms
- Startup: 2s → Instant
- Anti-detect: None → Built-in
Single binary. No Node, no Chrome, no dependencies.
Stealth mode is brutal:
→ Per-session fingerprint randomization (GPU, canvas, audio, battery)
→ 3,520 tracker domains blocked by default
→ navigator.webdriver masked to match real Chrome
→ Native function masking so detectors can't sniff it out
Drop-in replacement for Puppeteer and Playwright over CDP. Zero code changes.
If you run agents or serious scraping at scale, this repo prints money.
100% Opensource.
What if we could run Postgres as a single file, and take advantage of the best SQLite has to offer?
Today I am announcing pg-micro, a crazy experiment I've been undertaking to make this happen.
pg-micro is different than other approaches because it is fully local, and expected to be fast: there is no concurrency limitation and no statement translation.
Here's how it works: we use the actual postgres parser to parse the statement, but compile that to the Turso AST. The Turso AST is then compiled do bytecode, and from there everything executes natively, as it'd do in SQLite. This makes it a perfect target to run in any environment.
There is traditionally a mismatch between Postgres and SQLite in terms of functionality. But @tursodatabase has been hard at work to close this gap: things like MVCC and a rich, strict type system are present in Turso. There are PRs for things like lateral joins, etc. This means that the gap can be closed until it theoretically reaches zero.
What you could do with it? Just imagine for example a primitive like Durable Objects by @Cloudflare, but with a postgres interface? Or imagine you could use the same pattern of local databases for agents that SQLite gives you, totally ephemeral and free, but with a Postgres interface? Or even that you could execute remote postgres in platforms like @vercel but with the unmatched density of the Turso Cloud?
Expect lots not to work at this point. But as usual, this is done in the full spirit of OSS, so PRs welcome!
To get started: npx pg-micro
I replaced FastAPI's entire HTTP core with Zig.
Same decorator API. Same Pydantic models. 7× faster.
47,832 req/s vs FastAPI's 6,800. 2.09ms p50 latency.
Introducing. TurboAPI.
Here's the story..
Created an agent skill called “Visual Explainer” + set of complementary slash commands aimed to reduce my cognitive debt so the agent can explain complex things as rich HTML pages. The skill includes reference templates and a CSS pattern library so output stays consistently well-designed. Much easier for me to digest than squinting at walls of terminal text.
https://t.co/TsbtZwCtxg
New in Claude Code: Remote Control.
Kick off a task in your terminal and pick it up from your phone while you take a walk or join a meeting.
Claude keeps running on your machine, and you can control the session from the Claude app or https://t.co/er6Blrr63e
How to get hoardings removed as per law:
1. Do not complain to @GHMCOnline as GHMC Act is not deterrent and officials do not enforce it fully.
2. Instead, call to local police station and ask them the official email id of police station.
3. Write the brief facts of the complaint like place, type of risk etc. Mention that you want to get it removed under section 152 BNSS and 168 BNSS.
4. While sending email, at last line write that "Please acknowledge the receipt of this email (electronic record) u/s 12(1) of IT Act"
5. It becomes a official record.
If action is not taken, then you can file an RTI for Action Taken Report of your complaint sent via email under life/liberty case (Right to Safety & Security) and authority has to respond within 48 hours.
New Research from Amazon.
Great paper showing how to build effective lightweight multi-agent systems.
This new research introduces Insight Agents, a multi-agent system built on a plan-and-execute paradigm that lets Amazon sellers talk to their business data through natural conversation.
The architecture uses a hierarchical manager-worker structure. A manager agent handles out-of-domain detection using a lightweight autoencoder and routes queries via a fine-tuned BERT classifier (33M parameters). Two specialized worker agents handle the actual work: a data presenter for descriptive analytics and an insight generator for diagnostic analysis.
The design is deliberately pragmatic where an autoencoder-based OOD detector achieves 0.969 precision in under 0.01 seconds, compared to 0.616 precision and 1.67 seconds for LLM-based few-shot detection. The BERT router hits 0.83 accuracy in 0.31 seconds versus 0.60 accuracy and 2.14 seconds for an LLM classifier.
Instead of text-to-SQL, the system uses an API-based data model that decomposes queries into granular steps matched to internal data APIs. This divide-and-conquer approach avoids the syntax errors and hallucinations common in SQL generation while maintaining high retrieval accuracy.
End-to-end, the system achieves 89.5% question-level accuracy based on human evaluation across relevance (0.977), correctness (0.958), and completeness (0.993), with P90 latency under 15 seconds.
This shows how combining lightweight specialized models for routing with LLMs for reasoning and generation delivers a production-grade agent system that prioritizes accuracy and latency over architectural complexity.
Paper: https://t.co/eQ7DCvkffX
Learn to build effective AI agents in our academy: https://t.co/JBU5beIoD0
I rolled my own Stripe-style IDs in Rails with a simple concern.
It created prefixed IDs like app_WR48CQHH, clean URLs without the prefix, and a scope that accepts either format.
I also ignore certain characters to avoid ambiguous ones like 0/O and 1/l.