Mark Carter

‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads. The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate. Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.

One of the biggest limitation of Gemini interface right now is the inability to integrate MCP servers. I can do it in Gemini CLI, but for 80% of the people in my company they really want a chat client. So my highest priority ask would be integrating MCP servers allowing me to add any MCP server into the Gemini client

Google delivers what Apple promises. The importance of latency-free live streaming in outstanding quality can hardly be overstated. It breaks down barriers, brings people together, creates social connections, and also facilitates easier economic cooperation and collaboration, exchange, and so much more. If the video truly reflects this quality, Google has achieved what humanity has dreamed of for ages: global communication in real time. Kudos to Google, you deliver every single day. P.S.: Apple promised exactly this kind of live translation, but only Google is delivering it.