Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments.
The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo-fenced destructive branch that has a 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran.
To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.
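As an added example (not Microsoft's tooling or code from the post), the following script turns the indicators named above into a defensive hunt a responder can run on a Linux host: it checks the installed mistralai version from `pip show` output, looks for the dropped loader and the persistence artifacts in the usual drop locations, and scans log lines for the download IP. The indicator values are the ones in the post (IP refanged so it can be matched literally); the directory list in `HUNT_DIRS` and all sample inputs are assumptions constructed for the example.

```python
"""Defensive hunt for the mistralai v2.4.6 PyPI compromise indicators.

Added example, not Microsoft's tooling. Indicator values come from the post;
HUNT_DIRS and the sample inputs are constructed assumptions.
"""
import os
import re
from pathlib import PurePosixPath

# Indicators from the post (the IP is refanged so it can be matched literally).
C2_IP = "83.142.209.194"
DROPPED_FILE = "/tmp/transformers.pyz"
ARTIFACT_NAMES = {"transformers.pyz", "pgmonitor.py", "pgsql-monitor.service"}
COMPROMISED_VERSION = "2.4.6"

# Assumed drop locations: temp dir plus system and per-user systemd unit dirs.
HUNT_DIRS = (
    "/tmp",
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    os.path.expanduser("~/.config/systemd/user"),
)


def is_compromised_version(pip_show_output: str) -> bool:
    """Return True if `pip show mistralai` output reports the backdoored release.

    Read the version from pip metadata rather than importing the package:
    the injected code runs at import time.
    """
    m = re.search(r"^Version:\s*(\S+)\s*$", pip_show_output, re.MULTILINE)
    return m is not None and m.group(1) == COMPROMISED_VERSION


def find_artifacts(paths) -> list:
    """Return the subset of `paths` whose file name matches a known artifact."""
    return sorted(p for p in paths if PurePosixPath(p).name in ARTIFACT_NAMES)


def find_c2_lines(log_lines) -> list:
    """Return log lines that reference the download/C2 IP as a whole address."""
    pat = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
    return [line for line in log_lines if pat.search(line)]


def hunt_host() -> list:
    """Walk the assumed drop locations on this host and report artifact matches."""
    candidates = []
    for d in HUNT_DIRS:
        # os.walk yields nothing for directories that do not exist.
        for root, _dirs, files in os.walk(d):
            candidates.extend(os.path.join(root, f) for f in files)
    return find_artifacts(candidates)


if __name__ == "__main__":
    hits = hunt_host()
    if hits:
        print("artifacts found:")
        for h in hits:
            print("  " + h)
    else:
        print("no known artifacts found in", ", ".join(HUNT_DIRS))
```

Feed `find_c2_lines` with proxy or egress logs (`find_c2_lines(open("/var/log/squid/access.log"))`, for instance) and pipe `pip show mistralai` into `is_compromised_version`; a hit on either, or on the file names, is the cue to isolate the host and rotate credentials as the post advises. The version check deliberately avoids `import mistralai`, since the injected code executes on import.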
Being the foundation for millions of developers means our bar must be higher for availability, reliability, and security. I’m sorry it’s been a rocky stretch at GitHub. We know we need to do better.
Today we published an update on two recent incidents: one on April 23 involving merge queue behavior, and one on April 27 affecting pull requests, issues, projects, and search-backed experiences.
We’re taking this seriously. We’re listening, and you have my commitment that we’ll communicate more frequently about the work underway to improve reliability and scale GitHub for what comes next.
https://t.co/lJNGGISyVw
Starting June 1st, GitHub Copilot will move to a usage-based billing model as GitHub Copilot supports more agentic and advanced workflows.
In early May, you'll see a preview bill experience, giving visibility into projected costs before the transition.
👉 Read more about the upcoming change: https://t.co/4IC9VNHwhk
BREAKING: OpenAI's Chief Financial Officer Sarah Friar has expressed worry that the company might not be able to pay for future computing contracts if the revenue doesn't grow fast enough, per Bloomberg.
Over the past month, some of you reported Claude Code's quality had slipped. We investigated, and published a post-mortem on the three issues we found.
All are fixed in v2.1.116+ and we’ve reset usage limits for all subscribers.
Are the *costs* of AI agents also rising exponentially?
We all know the graph from METR showing exponential growth in the length of tasks AI can perform. But the costs to perform these tasks are growing quickly too.
Indeed, it looks like they are growing even faster:
🧵
.@DavidSacks: Anthropic is good at two things—product releases, and scaring people.
“They have a proven pattern of using fear as a way to market their new products.”
He had Grok create a list of every time they’ve used scare tactics on the public.
“At the same time they roll out a new model, they also roll out some study showing the worst possible implication of where the technology could lead.”
This is all of software today.
It's ugly, but once again it is rooted in a very programmed (literally, algorithmically programmed) belief that the markets have about software in the age of AI.
Once again, if the market believes Claude will destroy every software company, then the amount of compute we need should be 1000x what it is today. $NVDA, $AMD, $AVGO, and other chip names should not be trading at the multiples they are at.
If the market doesn't actually believe AI will completely ruin software, then the discounts on the software are probably too extreme. Not to say that they need to return to the highs from years ago because there obviously has been a shift, but to ruthlessly take down all of software seems to be aggressive.
I wouldn't be long $IGV but I would try to identify the best software names that are being unnecessarily treated as legacy IT with no future. Obviously, I don't think $PLTR deserves this type of treatment given how it has differentiated itself from every other software company. I also don't think $CRWD or $PANW deserve to get wrecked when AI will only create a deeper need for cybersecurity.
I also don't think $ORCL, which has $300B in RPO from OpenAI, just did 30K layoffs, and down more than 50% from the highs deserves to be getting hit this hard, especially when other neoclouds (one could argue that Oracle is the ultimate neocloud) are being seen positively from the market. But because Oracle has a software part to the business...it gets sold off.
It's a stock pickers market in software but you just have to be able to try to find the names that aren't destroyed because of AI but rather only will accelerate earnings growth because of AI.
Yup, platform activity is surging. There were 1 billion commits in 2025. Now, it's 275 million per week, on pace for 14 billion this year if growth remains linear (spoiler: it won't.)
GitHub Actions has grown from 500M minutes/week in 2023 to 1B minutes/week in 2025, and now 2.1B minutes so far this week.
So we're pushing incredibly hard on more CPUs, scaling services, and strengthening GitHub’s core features.
And as a fine purveyor of hand-crafted shit code for many years, I'm not gonna weigh in on that. 🤣
While social media is polarising, evidence suggests AI may nudge people towards the centre.
This holds true of all studied models. Grok is more right-leaning than other models, but also has depolarising effects.
By @jburnmurdoch.
BREAKING 🚨: JP Morgan
$JPM forced to mark down loans and has decided to reduce lending to private credit groups 🤯 Blue Owl, Blackstone, BlackRock, now JP Morgan 👀
Blue Owl, Blackstone, BlackRock & now Cliffwater.
Contagion spreading. The private credit market is effectively closed. Much of the incremental credit growth the last few years came from this sector.
BREAKING: The US announces that tonight's strikes on Iran were a joint attack between the US and Israel, per WSJ.
Details include:
1. Explosions are being reported in Iran's capital, Tehran
2. Israeli media says several “assassination” strikes were carried out
3. Key government facilities are being targeted in Iran
4. At least two waves of attacks are currently being reported
5. Targets reportedly include intelligence headquarters and the presidential palace
The US and Israel now appear to be at war with Iran for the second time in 8 months.
This story is actually insane:
• dude drops $2000 on a DJI robot vacuum like a lunatic
• refuses to use the normal app like a peasant
• Sammy Azdoufal fires up Claude to crack the API so he can drive it with an Xbox controller
• Claude delivers the goods
• pulls an auth token from their servers, connects successfully
• except the system thinks he controls 7000 vacuums
• checks again
• yep, seven thousand
• DJI built authentication with zero device ownership verification
• any valid token works for any unit on the planet
• Sammy now has eyes inside homes across 24 countries
• live vacuum camera feeds everywhere
• full floor plans from the mapping data
• some guy in Germany eating cereal at 3am, unaware his roomba is snitching
• one API call away from being the most informed burglar in history
• all he wanted was to steer his vacuum with a joystick
• does the right thing and reports it
• DJI fixes it in two days
• back to normal life with his stupidly expensive floor cleaner
• IoT companies stay undefeated at shipping garbage security
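The flaw in the story is authentication without object-level authorization: the server checked that a token was valid but never that the caller owned the device it was asking about. As an added example (not DJI's code; the API shape, names and data are constructed), here is a minimal device API showing that vulnerable handler beside a hardened one that ties every device lookup to the caller's recorded ownership.

```python
"""Object-level authorization for a device API: token validity vs ownership.

Added example, not DJI's code. The API shape, names and sample data are
constructed assumptions for illustration.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """No valid token presented."""


class Forbidden(Exception):
    """Valid token, but the caller does not own the requested device."""


@dataclass
class DeviceApi:
    tokens: dict   # bearer token -> user id (constructed)
    owners: dict   # device id -> owning user id (constructed)
    feeds: dict    # device id -> camera/map data (constructed)

    def _user_for(self, token: str) -> str:
        """Authenticate: map a bearer token to a user, or refuse."""
        try:
            return self.tokens[token]
        except KeyError:
            raise Unauthorized("invalid token") from None

    def get_feed_vulnerable(self, token: str, device_id: str):
        """Only checks that the token is valid: any authenticated user can
        read any device. This is the pattern described in the story."""
        self._user_for(token)
        return self.feeds[device_id]

    def get_feed(self, token: str, device_id: str):
        """Authenticate, then authorize against the device's recorded owner."""
        user = self._user_for(token)
        if self.owners.get(device_id) != user:
            # One error for "not yours" and "does not exist", so the response
            # does not reveal which device ids are real.
            raise Forbidden("device not found or not owned by caller")
        return self.feeds[device_id]


def build_demo_api() -> DeviceApi:
    """Constructed sample data: two users, each owning one device."""
    return DeviceApi(
        tokens={"tok-alice": "alice", "tok-bob": "bob"},
        owners={"vac-0001": "alice", "vac-0002": "bob"},
        feeds={"vac-0001": "alice-kitchen-map", "vac-0002": "bob-living-room-map"},
    )


def cross_account_read_blocked(api: DeviceApi) -> bool:
    """True if the hardened handler refuses Bob's token on Alice's device."""
    try:
        api.get_feed("tok-bob", "vac-0001")
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    api = build_demo_api()
    print("vulnerable handler leaks:", api.get_feed_vulnerable("tok-bob", "vac-0001"))
    print("hardened handler blocks cross-account read:", cross_account_read_blocked(api))
```

The design point is that the ownership table is consulted on every object access, not once at login, and that the lookup key is the device id the client supplied, so a token can never be "valid for every unit" the way the story describes. The same pattern applies to map data, firmware endpoints or any other per-device resource.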
controversial take: I think AI will widen the gap between people who actually want to understand how things work vs people who love the idea of a lazy one shot “i built this with one prompt” workflow
in a world where AI abstracts away complexities, the people who know/learn the complex hard parts will be able to achieve so much more while others get trapped into just producing the slop that no one wants