Bryan Housel

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

I asked my daughter about this, she uses I-Ready for school. She showed me that there are some cutscenes that you can’t skip, but when it starts speaking, you can click the speaker icon to skip the narration. She doesn’t like it but she has learned how to speed run through the lessons.

Prof. Donald Knuth opened his new paper with "Shock! Shock!" Claude Opus 4.6 had just solved an open problem he'd been working on for weeks — a graph decomposition conjecture from The Art of Computer Programming. He named the paper "Claude's Cycles." 31 explorations. ~1 hour. Knuth read the output, wrote the formal proof, and closed with: "It seems I'll have to revise my opinions about generative AI one of these days." The man who wrote the bible of computer science just said that. In a paper named after an AI. Paper: https://t.co/juSOmK9vOt

The buried lede in this post is the October-to-December timeline. In October 2025, Karpathy publicly said AI agents “just don’t work.” Eight weeks later he’s 80% agent-coded and calling it the biggest workflow change in two decades. That’s the fastest opinion reversal from one of the most credible voices in AI, and it maps to something measurable. Stack Overflow’s 2025 developer survey tells the other side of this story. Only 16% of developers reported “great” productivity gains from AI tools. 45% said debugging AI code takes longer than writing it themselves. Meanwhile, the Claude Code team is shipping 20-27 PRs per day, 100% AI-written. That’s a bimodal distribution forming in real time. A small group is getting 10x leverage. The majority is getting modest autocomplete improvements and spending extra time fixing hallucinated code. Same tools, completely different outcomes. Karpathy names the variable: “ascending the layers of abstraction to set up long-running orchestrator Claws with all of the right tools, memory and instructions.” That’s a skill that looks nothing like traditional programming. You’re managing agents the way a senior engineer manages junior devs. Scoping work, reviewing output, catching failure modes, maintaining system-level context. The 10x engineer ratio he’s worried about is already here. 25% of YC’s Winter 2025 batch shipped codebases that were 95% AI-generated, and every founder was fully technical. They weren’t replacing skill with AI. They were compounding skill through AI. The gap between someone who can decompose a weekend project into agent-executable chunks and someone still typing code line by line is widening by the month. What makes this post different from the usual AI hype: Karpathy is explicitly naming the failure modes. Needs high-level direction. Needs taste. Needs judgment. Works better for well-specified tasks. This is an honest field report from someone who mass-reversed his own position 90 days ago, and that combination of enthusiasm and specificity is what makes the signal real.