We are waving off female members of parliament from four parliamentary parties (M, L, C, MP) who will drive in a convoy for Blågula Bilen. Destination: Kyiv.
🇸🇪🇺🇦
The cars are fully loaded with combat medical backpacks donated by @apotea_se
Swish: 1236076665
https://t.co/ytSUkXFDiR
Bg: 5899-3932
Site is Live! https://t.co/xWa83uphx6. We are proud to bring back the 1.9 billion Halo 3, and 801 million Halo 2 carnage reports. Plus 30 million+ Gamertags that Bungie left behind. Find lost friends, stats, ranks, and brand new analytics. Nostalgia is sure to hit!
Some will already know this, but William Gibson collaborated with the Japanese workwear brand Buzz Rickson about 20 years ago to create a line of military-inspired garments. As far as I know, the line has stayed totally the same — same material, same details, same cuts — even as fashion trends have moved from full to slim and back to full again.
How great is it that you could have saved up and splurged on a really nice garment 20 years ago, and if you went to the same store today, it would be totally the same? There's no pressure to "update" your wardrobe. No feeling like you might miss out on the latest drop. If you lose the jacket, you can go to the store and get the same one, even two decades later.
There's something special about having that kind of confidence in your aesthetic. Also, not pressuring people to constantly buy buy buy. They purchase one nice thing and wear it for years. Should they decide the garment is not for them, guess what? They can sell it on the second-hand market for about 50% of what they paid because retailers are still selling the same thing.
That fashion model is very inspiring to me. Plus, the stuff looks great.
The videos below are from the wonderful London-based shop Son of Stag. You can also find it at Self Edge, my favorite retailer for denim. They have locations in the United States and Mexico. Both stores specialize in this kind of clothing.
You can find both shops on Instagram at the handles sonofastag and selfedge.
Nikola Jokic is on the verge of something the NBA has never seen 👀
With 3 games left, he leads the league in BOTH rebounds and assists per game 🤯
No player in NBA history has ever led both categories… even across different seasons.
When Alexandre Pato joined Milan as a 17-year-old, Carlo Ancelotti interrupted his day to greet the Brazilian during his medical.
Then Ancelotti brought Pato into the team’s dining room at Milan’s training complex, packed with players who had won the club’s seventh Champions League title two months earlier. “Ancelotti told everyone to stand up when I came in,” says Pato. “I thought, ‘Wow, this is respect.’”
Pato describes his former Milan boss and now Brazil coach Ancelotti as “one of the guys I love and still my friend today”. He almost rejoined the Italian at Paris Saint-Germain in January 2012, but the move from Milan did not go ahead.
“He is more of a star than many players. For Brazil, he is the right person… Brazil has a chance to win the World Cup. It is not easy, but Brazil supporters have hope right now.”
@AdamCrafton_ speaks to Alexandre Pato ⤵️
🔗 https://t.co/Zj5DR1za9L
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
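
An added example, not part of the post above and not code from litellm or dspy: a small audit that walks a Python environment's dependency graph to report whether the version named in the post (litellm 1.82.8) is installed and which packages pull litellm in, directly or transitively. The `SAMPLE` environment, its version numbers other than 1.82.8, and the package name `my-agent-app` are constructed for illustration.

```python
import re
from importlib import metadata

BAD = ("litellm", "1.82.8")  # package and version named in the post above

def req_name(req: str) -> str:
    """Normalized project name from a requirement string such as 'litellm>=1.64.0'."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
    return re.sub(r"[-_.]+", "-", m.group(1)).lower() if m else ""

def installed_graph():
    """name -> (version, [dependency names]) for the current environment.
    Optional (extras-only) requirements are included, so this over-approximates."""
    graph = {}
    for dist in metadata.distributions():
        name = req_name(dist.metadata.get("Name", "") or "")
        if name:
            graph[name] = (dist.version, [req_name(r) for r in (dist.requires or [])])
    return graph

def exposure(graph, bad=BAD):
    """Return (bad_version_installed, sorted names of packages depending on it)."""
    target, bad_version = bad
    hit = graph.get(target, ("", []))[0] == bad_version
    dependents, frontier = set(), {target}
    while frontier:  # reverse breadth-first walk; terminates on dependency cycles
        nxt = {n for n, (_, deps) in graph.items()
               if n != target and n not in dependents and frontier & set(deps)}
        dependents |= nxt
        frontier = nxt
    return hit, sorted(dependents)

# Constructed sample environment (versions other than litellm's are placeholders).
SAMPLE = {
    "litellm": ("1.82.8", ["httpx"]),
    "dspy": ("0.0.0", ["litellm"]),
    "my-agent-app": ("0.1.0", ["dspy", "requests"]),
    "requests": ("0.0.0", []),
    "httpx": ("0.0.0", []),
}

if __name__ == "__main__":
    print("sample:", exposure(SAMPLE))
    print("this environment:", exposure(installed_graph()))
```

A `True` result means the environment should be treated as compromised and its credentials rotated; the dependents list shows which top-level installs brought the package in.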