Software engineer blockchain @Kaleido_io 🌱 Technical Advisory Council @lfdecentralized Maintainer and Community lead of Hyperledger FireFly Views are my own
I spent a lot of time working on blockchains, and recently picked out a book about looking at Money a different by @davidmcw .. funny that the first chapter is a “A Stone Age Blockchain”
Amazing day in ldn for a read
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
this is actually insane
> be tech guy in australia
> adopt cancer riddled rescue dog, months to live
> not_going_to_give_you_up.mp4
> pay $3,000 to sequence her tumor DNA
> feed it to ChatGPT and AlphaFold
> zero background in biology
> identify mutated proteins, match them to drug targets
> design a custom mRNA cancer vaccine from scratch
> genomics professor is “gobsmacked” that some puppy lover did this on his own
> need ethics approval to administer it
> red tape takes longer than designing the vaccine
> 3 months, finally approved
> drive 10 hours to get rosie her first injection
> tumor halves
> coat gets glossy again
> dog is alive and happy
> professor: “if we can do this for a dog, why aren’t we rolling this out to humans?”
one man with a chatbot, and $3,000 just outperformed the entire pharmaceutical discovery pipeline.
we are going to cure so many diseases.
I dont think people realize how good things are going to get
It is hard to communicate how much programming has changed due to AI in the last 2 months: not gradually and over time in the "progress as usual" way, but specifically this last December. There are a number of asterisks but imo coding agents basically didn’t work before December and basically work since - the models have significantly higher quality, long-term coherence and tenacity and they can power through large and long tasks, well past enough that it is extremely disruptive to the default programming workflow.
Just to give an example, over the weekend I was building a local video analysis dashboard for the cameras of my home so I wrote: “Here is the local IP and username/password of my DGX Spark. Log in, set up ssh keys, set up vLLM, download and bench Qwen3-VL, set up a server endpoint to inference videos, a basic web ui dashboard, test everything, set it up with systemd, record memory notes for yourself and write up a markdown report for me”. The agent went off for ~30 minutes, ran into multiple issues, researched solutions online, resolved them one by one, wrote the code, tested it, debugged it, set up the services, and came back with the report and it was just done. I didn’t touch anything. All of this could easily have been a weekend project just 3 months ago but today it’s something you kick off and forget about for 30 minutes.
As a result, programming is becoming unrecognizable. You’re not typing computer code into an editor like the way things were since computers were invented, that era is over. You're spinning up AI agents, giving them tasks *in English* and managing and reviewing their work in parallel. The biggest prize is in figuring out how you can keep ascending the layers of abstraction to set up long-running orchestrator Claws with all of the right tools, memory and instructions that productively manage multiple parallel Code instances for you. The leverage achievable via top tier "agentic engineering" feels very high right now.
It’s not perfect, it needs high-level direction, judgement, taste, oversight, iteration and hints and ideas. It works a lot better in some scenarios than others (e.g. especially for tasks that are well-specified and where you can verify/test functionality). The key is to build intuition to decompose the task just right to hand off the parts that work and help out around the edges. But imo, this is nowhere near "business as usual" time in software.
Optimistic summary of how AI will change knowledge workers. Super interested in verifiability of these agents, sure you can point agents at your companies tribal knowledge, let it gather notes from meetings, build its own memory but when it’s done something how do you verify it?
Great post on EVM storage slots and how it relates to compilers. Author calls it reverse engineering, I would call it breaking down how compilers efficiently use the available storage slots. Enjoy peeling the layers of any stack and this one most forget to
https://t.co/Q0N9wsnpkz
Back in Argentina tomorrow a month after DevConnect, this time around to enjoy time with family. Looking forward to seeing how much of the conference effect is still at play: shops still taking stablecoins, crypto ads on the streets. Any events happening from the local community?
As I told @MariaBartiromo last week, U.S. financial markets are poised to move on-chain. Under my leadership, @SECGov is prioritizing innovation and embracing new technologies to enable this on-chain future, while continuing to protect investors.
Great thread reminding everyone on how a well renowned expert in the Web3 field can get hacked by a vulnerability in a contract he had approved use years ago
Last night around 5pm I sat down to do some work.
I opened my Rabby wallet to try out Espresso's new cross-chain mint product, Presto, that Rarible had just put live on mainnet.
When I opened my wallet, I immediately saw that $30k was missing...
This is so true, best riddle I’ve seen today - had fun looking at the thread.
As well as requirement gathering, the thing to remember is each solution has trade off so you need to account for that
You just gotta love how many people jump with solutions without clarifying requirements.
This is a common mistake I see while interviewing people at Bloomberg.
People propose solutions without trying to clarify constraints, or input data patterns, or edge cases.
Miss Devconnect already? Same 🥹
Here’s the Ethereum World's Fair recap video 🎞️ One week, 14k+ people, 500+ events, and thousands of different experiences.
Full blog with numbers + highlights below.
“Selfie KYC is dead.”
Tap your e-passport to your phone.
Do a liveness check, and let your secure enclave feed it into a zero-knowledge proof.
"Doing it the zero knowledge way is the secure way of doing it for sure.” - @Zac_Aztec
@Quantumplation@SebastienGllmt It’s pretty cool indeed, was my intro into coroutines and really happy to see the project under the LFDT! Going to keep a close eye on this one for sure