We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
@DanMercurius @IntCyberDigest Catches what is installed, not what already ran. Once it executed on import, the .claude and .vscode hooks were in place and they survive removal. Lockfile audit is necessary, not sufficient.
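Added example, not code from any of the posts above: a small scanner for the persistence the reply describes, editor and agent hooks that keep running after the package is gone. Which files it inspects is an assumption on my part about what ".claude and .vscode hooks" means: VS Code tasks in `.vscode/tasks.json` with `runOptions.runOn: "folderOpen"`, and command hooks under the `hooks` key of `.claude/settings.json`. The sample checkout it builds is constructed demo data.

```python
# Added example (not from the original thread): find editor/agent hooks in a
# checkout that would execute on folder open or at agent session start.
# Assumed formats:
#   .vscode/tasks.json     -> tasks with runOptions.runOn == "folderOpen"
#   .claude/settings.json  -> hooks.<Event>[].hooks[].command
import json
import tempfile
from pathlib import Path


def _load_json(path: Path):
    """Read a JSON file; missing or malformed files count as 'no hooks'."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def vscode_autorun_tasks(root: Path) -> list[dict]:
    """Tasks in .vscode/tasks.json that VS Code runs automatically on folder open."""
    data = _load_json(root / ".vscode" / "tasks.json")
    if not isinstance(data, dict):
        return []
    findings = []
    for task in data.get("tasks", []) or []:
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({"file": ".vscode/tasks.json",
                             "label": task.get("label"),
                             "command": task.get("command")})
    return findings


def claude_hooks(root: Path) -> list[dict]:
    """Every command hook declared in .claude/settings.json, keyed by event."""
    data = _load_json(root / ".claude" / "settings.json")
    if not isinstance(data, dict):
        return []
    findings = []
    for event, groups in (data.get("hooks") or {}).items():
        for group in groups or []:
            for hook in group.get("hooks", []) or []:
                findings.append({"file": ".claude/settings.json",
                                 "event": event,
                                 "command": hook.get("command")})
    return findings


def scan_repo(root) -> list[dict]:
    """Combined report for one checkout; review every entry by hand."""
    root = Path(root)
    return vscode_autorun_tasks(root) + claude_hooks(root)


def build_sample_repo() -> str:
    """Constructed demo checkout with one hook of each kind (not real artifacts)."""
    root = Path(tempfile.mkdtemp(prefix="hookscan-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "setup", "type": "shell", "command": "node setup.js",
             "runOptions": {"runOn": "folderOpen"}},
        ]}))
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps({
        "hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "sh .claude/init.sh"}]}]}}))
    return str(root)


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Run it against every clone on a workstation or runner image, not only the repo that pulled the package: the hooks live in the checkout, so removing the dependency from the lockfile leaves them in place.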
Cache poisoning plus OIDC theft is what breaks the SLSA story. Programs that adopted provenance attestations as their primary integrity control just learned that a valid attestation only certifies the build environment, not that the build environment was uncompromised. Provenance is necessary, not sufficient.
@ryancarson "Do not install" is a workaround, not a control. The teams that wake up clean tomorrow had hash-pinned installs, egress controls on runners, and short-lived publish tokens in place before today. Everyone else is auditing in production.
The eight-minute deprecate-and-disclose response set the bar for what good looks like. Harder problem for the rest of OSS is that the same compromised workflow pattern lives in thousands of repos with less maintainer bandwidth. Defense has to assume the next maintainer will not catch it that fast.
Cross-registry hop is the part defenders should sit with. Same laptop, same CI runner, same maintainer token, same IDE state. The worm did not bypass an isolation control, it walked through a substrate every modern AI/dev team operates on. Polyglot supply chain coverage stopped being optional today.
The Mini Shai-Hulud worm did not cross an ecosystem boundary today. It crossed a developer laptop.
That is the only path the campaign needed. The PyPI artifacts in this round include guardrails-ai 0.10.1 (the library people install to put safety rails around LLM output) and mistralai 2.4.6. The npm side adds @opensearch-project 3.5.3 through 3.8.0 with 1.3 million weekly downloads, plus additional @squawk/* packages. Same crew, same playbook, two registries.
The attacker did not breach anything. An engineering workstation runs npm and pip under one identity, one CI runner, one IDE, one GitHub token, one path out to the internet. The crew published to npm. The worm rode that substrate. The substrate had a PyPI session waiting in the next tab.
Two registries. One attack surface.
If your SCA covers npm but not PyPI, you have a checkbox.
If your SBOM lists JavaScript but not Python, you have a checkbox.
If your provenance is shown but not enforced, you have a checkbox.
The control that would have stopped this lives at the import boundary, not the registry boundary. Hash-pinned installs. Signed packages. Egress from the runner. Sandboxed first imports. The integrity check.
The ecosystem boundary was decorative. It always was.
#SupplyChainSecurity #AppSec
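Added example, not code from the post above: the "integrity check" at the import boundary, in the form pip's `--require-hashes` mode expects. It parses a hash-pinned requirements file (backslash continuations, `--hash=sha256:...` options), rejects any requirement that is not exactly pinned, and refuses an artifact whose SHA-256 does not match a pinned digest. The artifact bytes and the requirements text are constructed for the demo; `examplepkg` is a placeholder name.

```python
# Added example (not from the original post): verify an artifact against
# hash pins before it is allowed anywhere near an interpreter.
import hashlib
import re

_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_pinned_requirements(text: str) -> dict[str, set[str]]:
    """Map 'name==version' -> set of allowed sha256 digests.

    Raises ValueError for any requirement that is not '==' pinned or that
    carries no sha256 hash, mirroring pip's all-or-nothing --require-hashes.
    """
    logical = text.replace("\\\n", " ")          # join continuation lines
    pins: dict[str, set[str]] = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        spec, *options = line.split()
        if "==" not in spec:
            raise ValueError(f"not exactly pinned: {spec}")
        digests = {m.group("digest").lower()
                   for m in _HASH_RE.finditer(" ".join(options))
                   if m.group("alg") == "sha256"}
        if not digests:
            raise ValueError(f"no sha256 hash for {spec}")
        pins[spec.lower()] = digests
    return pins


def verify_artifact(pins: dict[str, set[str]], spec: str, data: bytes) -> bool:
    """True only if the bytes hash to one of the digests pinned for spec."""
    allowed = pins.get(spec.lower())
    if not allowed:
        return False                             # unknown package: never trusted
    return hashlib.sha256(data).hexdigest() in allowed


# Constructed demo inputs (not a real wheel, not a real lockfile).
GOOD_WHEEL = b"constructed-wheel-bytes-v1"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()
SAMPLE_REQUIREMENTS = f"""
# constructed sample requirements file
examplepkg==1.2.3 \\
    --hash=sha256:{GOOD_SHA256}
"""


def demo() -> tuple[bool, bool]:
    """(pinned artifact accepted, tampered artifact rejected)."""
    pins = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    accepted = verify_artifact(pins, "examplepkg==1.2.3", GOOD_WHEEL)
    tampered = verify_artifact(pins, "examplepkg==1.2.3", GOOD_WHEEL + b"\x00")
    return accepted, tampered


if __name__ == "__main__":
    print(demo())
```

The production equivalent is `pip install --require-hashes -r requirements.txt`, which applies the same rule: every requirement pinned, every pin hashed, anything else aborts the install. The point of the standalone version is that the check is a few lines and belongs in front of any artifact a build or a package fetches at runtime.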
🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading.
Newly confirmed compromised artifacts:
@opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
mistralai: 2.4.6 on PyPI
guardrails-ai: 0.10.1 on PyPI
additional @squawk/* packages on npm
guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification.
The git-tanstack.com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds
Regardless I just came to say hello :^)”
The page also linked to a YouTube video and you can probably guess which one.
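Added example, not code from the posts above: one audit that covers both registries, which is the gap the "two registries, one attack surface" point is about. It walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map) and a pinned Python requirements file and flags the artifacts this thread lists as compromised. The blocklist is copied from the thread; the `@squawk/*` entries are flagged by scope because the thread gives no versions for them. The lockfile and requirements contents are constructed demo data.

```python
# Added example (not from the original thread): cross-registry lockfile audit
# against the artifacts the thread names. Blocklist values come from the thread.
import re

COMPROMISED = {
    "npm": {
        "@opensearch-project/opensearch": {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
    },
    "pypi": {
        "mistralai": {"2.4.6"},
        "guardrails-ai": {"0.10.1"},
    },
}
# Thread says "additional @squawk/* packages" without versions: flag the scope.
NPM_BLOCKED_SCOPES = ("@squawk/",)


def npm_lock_packages(lock: dict):
    """Yield (name, version) from a package-lock.json 'packages' map."""
    for path, meta in (lock.get("packages") or {}).items():
        if not path:                         # "" is the root project itself
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        yield name, meta.get("version")


def pypi_requirements(text: str):
    """Yield (normalised name, version) from 'name==version' lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9._-]+)==([^\s;]+)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 style
            yield name, m.group(2)


def audit(npm_lock: dict, requirements_text: str) -> list[tuple[str, str, str]]:
    """Return (registry, name, version) for every blocklisted artifact found."""
    hits = []
    for name, ver in npm_lock_packages(npm_lock):
        blocked = ver in COMPROMISED["npm"].get(name, set())
        if blocked or name.startswith(NPM_BLOCKED_SCOPES):
            hits.append(("npm", name, ver))
    for name, ver in pypi_requirements(requirements_text):
        if ver in COMPROMISED["pypi"].get(name, set()):
            hits.append(("pypi", name, ver))
    return hits


# Constructed demo inputs: one hit per registry plus clean packages.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@opensearch-project/opensearch": {"version": "3.7.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
mistralai==2.4.6
Guardrails_AI==0.10.1
requests==2.32.3
"""


def demo() -> list[tuple[str, str, str]]:
    return audit(SAMPLE_LOCK, SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

A hit from either half means the same laptop, runner or token is in scope, so the response is per substrate, not per registry: rotate what that identity could reach, then run the hook scan on every checkout it touched.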
Everyone is tweeting out "use pnpm & set a minimumReleaseAge of 7 days", but don't forget blockExoticSubdeps, which would also prevent the usage of a remote github reference here!
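Added example, not from the post above: both settings together in a `pnpm-workspace.yaml`. The values are assumptions on my part: `minimumReleaseAge` is expressed in minutes, so 7 days is 10080, and `blockExoticSubdeps` is a boolean that refuses transitive dependencies resolved from git or direct URLs rather than registry tarballs.

```yaml
# pnpm-workspace.yaml (pnpm 10.x); added example, not the post author's config.
# Hold back any version published less than 7 days (10080 minutes) ago.
minimumReleaseAge: 10080
# Refuse subdependencies that resolve to git/remote URLs instead of the registry,
# which is what a remote GitHub reference in a transitive dependency is.
blockExoticSubdeps: true
```

The two settings close different gaps: the release-age window buys time for a compromised version to be reported and pulled, while the exotic-subdeps block stops a dependency tree from reaching outside the registry at all, where neither the age window nor a registry-side takedown applies.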
I'm so in love with @antirez' ds4. Patched some slop on it to get better streaming, but I can just install a pi extension on a 128GB mac and it manages everything for me. No need for mlx-lm, ollama or lm studio or finagling pi configs.
BREAKING: Anthropic's pre-IPO valuation surges to a record $1.2 trillion, rising another +20% in 7 days.
This officially puts Anthropic's implied valuation up +900% since October 2025, per onchain pre-IPO trading data.
Pre-IPO instruments trading onchain on Jupiter, backed 1:1 by SPV exposure, are providing a real-time proxy for the company’s implied IPO valuation.
This now makes Anthropic ~20% larger than OpenAI's pre-IPO implied valuation.
If Anthropic were to IPO at a $1.2 trillion valuation, it would be the 11th most valuable public company in the world.
The AI Revolution is accelerating.
addicted to using boomerang mode (aka reverse D-Mail) in Pi these days.
ctrl+alt+b enables it for the next prompt submitted -> after the prompt runs, it rewinds back to the same point with file changes intact + leaves a summary in the feed so the agent knows what happened.
using it often can make the context window feel nearly unlimited. Powered by the native /tree functionality in pi.
pi install pi-boomerang https://t.co/pDdiYgith2
High Frequency Trading and Lessons for Agentic AI
The future of Agentic AI isn't just about smarter models; it’s about sturdier architecture. We should treat AI agents like high-frequency trading systems. They require pre-computed limits, real-time monitoring, and automated isolation. By borrowing the Market Access mindset, we can ensure that when our agents start "trading" in real-world actions, they don't trigger an agentic flash crash or take your balance sheet with them in a swarm of misaligned activity.
https://t.co/FJGnMQZcn6