IMHO this is BIG! (Links below)
Around the time the Bank of International Settlements (BIS - the bank of central banks) published its second consultation on the treatment of cryptoasset exposures $BTC stopped its bleeding decline and entered the 18-22k range
Follow the big guys
JUST IN: World's largest banks ask for 5% #Bitcoin and crypto allocation cap in letter to Bank of International Settlements instead of the 1% suggested in June.
That's $9 TRILLION 🚀
Do you realize how impressive it is to have a $3800+ average entry on $ETH for like 4.5% of total supply.
We barely spent any time up there, it’s actually astounding, the execution is so bad it is impressive.
You couldn’t get that bad of an entry with that size if you tried.
Weekly Chart (long form)
Over time I try to look at only the things that provide clear signal so I have that shown here at the moment:
6/1/26 Low: $20.89 (so far)
1. Bollinger Band $20.71
2. Cash per Share $20.57
3. Divergence for Many Indicators Triggered
4. Stoch RSI Bottomed
5. PMO is fun too but isn't shown
We'll see how things go from here.
Imagine if the 3 biggest IPOs in history actually destroyed passive investing because they will use index funds as exit liquidity.
One would imagine the returns would compress a lot after this final hurrah from private markets, a big, bold "fuck you" to the retail investor
Rule changes for the SpaceX $SPCX IPO:
Index providers waived the profitability requirement and cut the seasoning window from 90 days to 5.
This forces over $30 trillion in passive 401k and retirement money to buy SpaceX at IPO valuations.
Bloomberg Intelligence estimates S&P 500 funds must absorb 19% of SpaceX's float within 6 months.
Russell 1000 and Nasdaq 100 funds will absorb 24%.
The rules built to protect passive investors:
1. S&P 500 has required 12 months of trading and 4 quarters of GAAP profitability since 2002. Both waived.
2. Nasdaq cut its inclusion window from 90 trading days to 15.
3. FTSE Russell cut its to 5.
All three benchmarks are now structured to buy SpaceX at IPO pricing.
I think AI coding hype follows roughly four stages:
1. Amazement
You try it and can’t believe how much code it generates from a few prompts.
2. Expansion
You start more and more projects because shipping suddenly feels cheap and fast.
This is also the phase where people start convincing everyone around them:
- coworkers
- management
- friends in other companies
because nobody wants to “fall behind” in 6–12 months.
That creates a massive snowball/FOMO effect.
3. The grind phase
You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc.
So you start:
- re-prompting
- switching models
- increasing reasoning effort
- reviewing fixes
- generating fixes for previous fixes
And suddenly you spend your days reviewing AI-generated pull requests instead of building software.
4. Realization
You realize AI coding increases output much faster than it increases certainty.
The code still needs:
- review
- testing
- ownership
- architectural understanding
- long-term maintenance
Usually by expensive senior engineers.
And the interesting thing is:
this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves.
Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say:
“Actually, the ROI is much lower than we expected.”
So eBay is willing to pay someone $260,000/year to "shape the voice of eBay’s CEO" in a new job listing titled: Director, CEO Communications.
Why not scrap that waste of money and just let Ryan Cohen speak freely and deliver real shareholder value when $GME acquires it?
The situation in Spain where LaLiga can force ISPs to ban any IP range they want without a court order is ridiculous and so aggressively anti-internet that it's causing real harm to Spain's citizens.
Docker is one thing, but the other comments in this HN post are way worse (anti-theft alarms, apps for helping people suffering from dementia). It's horrible that clouds that serve multiple sites from the same IPs are being strong-armed into either taking down anything LaLiga wants without a court order or suffering mass IP blocks.
The vast majority of CISOs do not work at Google-sized companies, and will not have to worry about 0days
There’s a disconnect between the Mythos discourse, and what actually happens at most orgs:
Still can’t identify assets and IPs, biggest threat is still phishing, lack of defined ID mgmt and access controls, shadow IT, misconfig’d S3 buckets…
If you work at one of those companies (applies to most people) you have a LOT of work to do before AI 0days is even on the top 50 things to think about.
This is why advice from Google and large company leaders isn’t relevant to most folks out there. Massive scale and attack surface difference. Sure it’s still interesting and fun to speculate at that level, but it’s just not real for most people.
The HLP vault on @HyperliquidX was attacked twice recently.
First for 500k and yesterday for 1.5M via pump and dump price manipulation of XPL and Fartcoin.
The strategy is pretty straightforward and appears to be sourced from Binance and friends:
- Long a target coin that has low liquidity with seven to eight figures
- Pump the price high enough until you have sizeable profits
- Withdraw your profits from HL until you get margin called
- The HLP vault has to take over the large losing position due to lack of counterparties to settle it as the price falls
- This leads to a loss for HLP depositors since they are the counterparty
I suspect several exchanges or market makers are farming the HLP vault by manipulating prices to their advantage.
The key to make this exploit work is for someone to take that bad debt. Since the HLP vault provides liquidity to the exchange, they are the losers here.
Luckily, the Hyperliquid team adjusted parameters last year so that such practices are contained in size and only represent a 0.5% loss at this HLP size.
Nevertheless, if this happens weekly, it's a concern. However, I don't think this attack vector would be possible unless CEXs gave tacit support to this and helped pump such tokens on their CEX too to make it profitable.
CEX insiders make easy money and they hit a direct competitor by draining the HLP vault.
As Hyperliquid grows in size and open interest, the need for the HLP vault becomes less relevant and it will likely focus on low liquidity pairs that can't generate enough profits for such attacks.
Long term, the HLP vault generates double digit returns on a yearly basis, beating most DeFi yields. The above is one of the risk vectors which you need to account for.
Like, share, and follow @duonine for more alpha.
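The five-step scheme in the post above can be followed through in numbers. The following is an added, simplified model and is not Hyperliquid's code: the margin ratios, the "withdraw anything above initial margin on the current notional" rule, the liquidation rule, the coin size and every price on the path are assumptions chosen only to make the mechanism visible. The cost of the pump itself (and any spot or CEX positions the attacker holds alongside) is not modelled.

```python
"""Toy model of the 'pump, withdraw, get liquidated' attack on a liquidity vault.

Added example, not Hyperliquid's code. Margin ratios, withdrawal rule,
liquidation rule and all prices are assumptions used to show the mechanism;
they are not the exchange's real parameters.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LongPosition:
    size: float            # coins held long
    entry: float           # average entry price
    cash: float            # margin cash behind the position; goes negative once
                           # profit has been withdrawn against unrealised gains
    withdrawn: float = 0.0 # profit already moved off the exchange

    def notional(self, price: float) -> float:
        return self.size * price

    def equity(self, price: float) -> float:
        return self.cash + self.size * (price - self.entry)


def withdrawable(pos: LongPosition, price: float, initial_margin: float) -> float:
    """Assumed rule: equity above initial margin on the *current* notional can
    be withdrawn, so a pumped mark price releases unrealised profit as cash."""
    return max(0.0, pos.equity(price) - initial_margin * pos.notional(price))


def run_attack(size: float, entry: float, pump_price: float, dump_path: List[float],
               initial_margin: float = 0.10, maint_margin: float = 0.05) -> Dict[str, Optional[float]]:
    deposit = initial_margin * size * entry
    pos = LongPosition(size=size, entry=entry, cash=deposit)

    # Steps 1-3 of the post: the coin is pumped and the attacker pulls out
    # everything the margin engine will release at the pumped price.
    w = withdrawable(pos, pump_price, initial_margin)
    pos.cash -= w
    pos.withdrawn += w

    # Steps 4-5: the price falls back. Once equity drops below maintenance
    # margin the vault inherits the position (no other counterparty) and, in a
    # thin book, can only exit at the next price on the path (assumed slippage).
    liquidated_at: Optional[float] = None
    vault_pnl = 0.0
    final_equity = pos.equity(dump_path[-1])
    for i, price in enumerate(dump_path):
        eq = pos.equity(price)
        if eq < maint_margin * pos.notional(price):
            liquidated_at = price
            exit_price = dump_path[i + 1] if i + 1 < len(dump_path) else price
            vault_pnl = eq + size * (exit_price - price)
            final_equity = 0.0  # attacker forfeits whatever is left in the account
            break

    return {
        "withdrawn": w,
        "liquidated_at": liquidated_at,
        "vault_loss": max(0.0, -vault_pnl),  # bad debt borne by vault depositors
        "attacker_pnl": pos.withdrawn - deposit + final_equity,
    }


if __name__ == "__main__":
    # Constructed scenario: 1M coins bought at 1.00, pumped to 2.00, then dumped.
    path = [1.95, 1.90, 1.85, 1.60]
    print("10x leverage allowed:", run_attack(1_000_000, 1.0, 2.0, path))
    print("2x leverage allowed: ", run_attack(1_000_000, 1.0, 2.0, path, initial_margin=0.5))
```

With 10% initial margin the attacker deposits 100k, withdraws 900k at the top, is liquidated at 1.85 and walks away 800k up while the vault eats 200k of bad debt on the exit to 1.60; the rest of the withdrawn profit was paid by whoever was short during the pump. Raising initial margin on the pair to 50% (one assumed form of the "parameters adjusted" containment mentioned above) leaves the same price path unable to push the account below maintenance margin, so no position is handed to the vault at all.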
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so increasingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
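The transitive exposure the post describes (a project that never mentions litellm still installs the poisoned release because something in its tree says `litellm>=1.64.0`) is easy to reproduce with a toy resolver. This is an added example, not the post author's code and not litellm's or dspy's: the dependency graph, the list of "available" releases and the resolver logic are constructed to mirror the scenario above (only the package names, the `>=1.64.0` constraint and the 1.82.8 release number come from the post; the other version numbers are illustrative). It resolves like an unpinned `pip install` (newest release satisfying the range), reports which chain pulls in a known-bad release, and shows that an exact pin on the transitive package closes the hole.

```python
"""Transitive-dependency exposure check for a known-bad release.

Added example (not litellm's, dspy's or pip's code). GRAPH, AVAILABLE and
KNOWN_BAD are constructed to mirror the post's scenario; versions other than
litellm 1.82.8 and the >=1.64.0 constraint are illustrative.
"""
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[str, List[Tuple[str, str]]]

GRAPH: Graph = {                      # package -> [(dependency, specifier)]
    "my-app": [("dspy", ">=2.5"), ("httpx", ">=0.27")],
    "dspy": [("litellm", ">=1.64.0")],
    "litellm": [("openai", ">=1.0")],
    "httpx": [],
    "openai": [],
}
AVAILABLE: Dict[str, List[str]] = {   # releases the index would offer (constructed)
    "dspy": ["2.5.0", "2.6.0"],
    "litellm": ["1.63.0", "1.64.0", "1.82.7", "1.82.8"],
    "httpx": ["0.27.0"],
    "openai": ["1.0.0", "1.50.0"],
}
KNOWN_BAD: Set[Tuple[str, str]] = {("litellm", "1.82.8")}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def satisfies(version: str, spec: str) -> bool:
    """Minimal subset of PEP 440 specifiers: ==, >=, <=, !=, >, < joined by commas."""
    have = parse_version(version)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        for op in ("==", ">=", "<=", "!=", ">", "<"):   # two-char ops first
            if clause.startswith(op):
                want = parse_version(clause[len(op):].strip())
                ok = {"==": have == want, ">=": have >= want, "<=": have <= want,
                      "!=": have != want, ">": have > want, "<": have < want}[op]
                if not ok:
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier: {clause!r}")
    return True


def pick(name: str, spec: str, available: Dict[str, List[str]], pins: Dict[str, str]) -> str:
    """Unpinned behaviour: newest release matching the range. An exact pin wins,
    but must itself satisfy the range or the install is refused."""
    if name in pins:
        if not satisfies(pins[name], spec):
            raise ValueError(f"pin {name}=={pins[name]} conflicts with {spec}")
        return pins[name]
    candidates = [v for v in available.get(name, []) if satisfies(v, spec)]
    if not candidates:
        raise ValueError(f"no release of {name} satisfies {spec}")
    return max(candidates, key=parse_version)


def resolve(root: str, graph: Graph, available: Dict[str, List[str]],
            pins: Optional[Dict[str, str]] = None) -> Dict[str, Tuple[str, List[str]]]:
    """Walk the tree depth-first; first path to a package wins (a real resolver
    would unify all constraints, which does not matter for this demonstration)."""
    pins = pins or {}
    chosen: Dict[str, Tuple[str, List[str]]] = {}

    def visit(name: str, path: List[str]) -> None:
        for dep, spec in graph.get(name, []):
            if dep in chosen:
                continue
            version = pick(dep, spec, available, pins)
            chosen[dep] = (version, path + [dep])
            visit(dep, path + [dep])

    visit(root, [root])
    return chosen


def exposure(root: str, graph: Graph, available: Dict[str, List[str]],
             known_bad: Set[Tuple[str, str]],
             pins: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str]]:
    """Return (package, version, chain) for every known-bad release the install would pull."""
    hits = []
    for name, (version, path) in sorted(resolve(root, graph, available, pins).items()):
        if (name, version) in known_bad:
            hits.append((name, version, " -> ".join(path)))
    return hits


if __name__ == "__main__":
    print("unpinned:", exposure("my-app", GRAPH, AVAILABLE, KNOWN_BAD))
    print("pinned:  ", exposure("my-app", GRAPH, AVAILABLE, KNOWN_BAD, pins={"litellm": "1.82.7"}))
```

The unpinned run reports `my-app -> dspy -> litellm` landing on 1.82.8 even though `my-app` never names litellm; with `litellm` pinned to 1.82.7 the same tree is clean. The production equivalent of that pin is a lockfile with exact versions and `--hash=sha256:...` entries installed under `pip install --require-hashes`, so a freshly published release cannot be selected until someone deliberately updates the lock.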
🚨Major Unconfirmed Breach🚨 A threat actor is claiming to sell a major breach of OVHcloud, one of Europe's largest web hosting and cloud service providers, on a dark web forum. The actor alleges they gained access to one of OVH's parent accounts and servers, enabling them to extract a significant volume of data.
The claimed breach includes 1.6 million OVH Fresh customer records and 5.9 million active websites hosted with OVH, encompassing website code, website databases, and server configurations. A sample of a user record from the 1.6 million customers was provided as proof.
The seller has not set a minimum price, instead asking buyers to provide an initial offer. They also advertise a 30% commission for client referrals through an intermediary.
Let Me Explain How a State Actor Could Perform a Denial-of-Service Attack on the Entire UK Government in the Wake of Ofcom “Online Safety Act” Client-Side Scanning