Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored).
If you are updating a dependency, it's on you to analyze every single commit in the full transitive set of dependencies. If you don't see anything compelling, don't update!
I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I'd always ask "show me the commit we need." Don't update for the sake of it.
Feeling pretty swell about this mentality with all the supply chain attacks happening.
Is this even real or am I about to get pwnd? 😨
npm notice New major version of npm available! 10.9.3 -> 11.14.1
npm notice Changelog: https://t.co/S8uWg1EOS2
npm notice To update run: npm install -g npm@11.14.1
‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you.
The compromise happened today, across 42 official TanStack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads.
The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate.
Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.
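The review the first post above calls for starts with knowing exactly which packages in the transitive tree moved. Here is an added example (not code from either post) that diffs two npm package-lock.json files (lockfileVersion 3 assumed) and lists every path whose resolved version or tarball integrity hash changed; the two lockfiles and package names are constructed samples.

```python
# Added example, not code from either post above: diff two npm package-lock.json
# (lockfileVersion 3) trees and list every transitive package whose resolved
# version or tarball integrity hash changed. Both lockfiles are constructed.
import json

# Constructed "before" lockfile of a pinned project.
OLD_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"left-pad": "1.3.0", "tiny-lib": "2.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/tiny-lib": {"version": "2.0.0", "integrity": "sha512-BBBB"},
    },
})

# Constructed "after" lockfile: tiny-lib was bumped and brought in a new
# transitive dependency; left-pad kept its version but its tarball hash changed.
NEW_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"left-pad": "1.3.0", "tiny-lib": "2.0.1"}},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-ZZZZ"},
        "node_modules/tiny-lib": {"version": "2.0.1", "integrity": "sha512-CCCC"},
        "node_modules/tiny-lib/node_modules/new-dep": {"version": "0.1.0", "integrity": "sha512-DDDD"},
    },
})


def installed(lock_json):
    """Map each installed package path to (version, integrity); skips the "" root entry."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("expected lockfileVersion 3")
    return {p: (m.get("version"), m.get("integrity"))
            for p, m in lock["packages"].items() if p}


def lock_diff(old_json, new_json):
    """Return {'added', 'removed', 'changed'} lists keyed by package path."""
    old, new = installed(old_json), installed(new_json)
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            report["added"].append((path, new[path]))
        elif path not in new:
            report["removed"].append((path, old[path]))
        elif old[path] != new[path]:
            # Same path, different version or hash: review this package's commits.
            report["changed"].append((path, old[path], new[path]))
    return report
```

A same-version entry with a new integrity hash (left-pad in the sample) means the tarball behind a pinned version was replaced, which a version-only comparison would miss.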
There are 4 types of people saying "AI will replace Software Engineering" in 6 months
1. They own a company that benefits from replacing engineers (CEO, stockholders, etc.). They need to justify the amount invested into them.
2. A company that made big cuts and wants to attribute it to whatever, and AI is a good excuse.
3. People who never worked as/with Software Engineering and have no clue the work is not just typing.
4. Burned out engineers who don't want to do that job anymore
AI is NOT replacing cybersecurity jobs. Full stop.
I'm so tired of people parroting "AI will replace reverse engineers" and "malware analysis is solved". No. It is not.
I have analyzed hundreds of malware samples using AI. Here's what actually happens:
-> It gives you made-up decryption keys with full confidence
-> It tries to decrypt data that is literally random garbage
-> It misidentifies malware families
-> It misses critical functions
And have you ever tried retrohunting with the YARA rules AI writes across thousands of samples? Go ahead. Watch the false positives roll in. That alone should tell you everything you need to know.
Every single output needs human validation and rigorous review.
AI is a tool, a powerful one. But someone still has to build the MCPs, validate the output, understand the context, catch the hallucinations, and make the actual calls during incident response.
The people saying this stuff loudest have clearly never watched AI confidently hand them completely wrong decrypted data and make them believe it's real.
Stop scaring newcomers out of the field and misleading people with this nonsense. Cybersecurity still needs humans.
I can't believe someone would just steal from Anthropic like this. The millions of man-hours Anthropic spent hand-writing code, text, art, books, etc. to generate enough data for training must be taken into consideration here. Where is the respect for IP?
Nobody wants "recommendations" in the search results.
We want search results relevant to the search terms we enter.
YouTube search has been beyond broken for years now. I use DuckDuckGo to search YouTube, that's how bad it is lol
I'll be honest.
tRPC changed how I think about APIs more than any course, book, or YouTube tutorial ever did.
The moment you stop writing fetch('/api/user') and start calling user.get() like it's just... a function?
Your brain rewires. Permanently.
If you're still REST-maxxing on a full-stack TypeScript project in 2026, I genuinely feel for you.
@trpcio has no business being this clean.
I hate that Microsoft might be vibecoding Windows, but it's inevitable
Microsoft laid off everyone who knows how C++ works, so now they just prompt GPT-5 to fix the codebase. 30% of Windows is written by AI. That is why your printer drivers were deleted to make room for 4 GB of Copilot telemetry.
They rewrote Office in TypeScript. File Explorer and the Notification Center are now just bloated Electron instances that take 3 seconds to render a right-click menu.
The taskbar and Start menu were rebuilt from scratch in React just to shove ads and "recommended" bloatware in your face. It uses more RAM than World of Warcraft did in 2004.
Copilot is being forced into Notepad and Paint. They are forcing you to test it in your basic tools.
Windows Search isn't looking for your files. It's a Bing wrapper designed to sell you a Microsoft 365 subscription while you're desperately trying to find a local PDF.
The Widgets section is another bloat that nobody asked for. Edge WebView was designed to keep your CPU usage high enough that you're forced to switch to Linux.
Over all of that, the Task Manager barely works in the latest updates.
Nobody at Microsoft knows what "Win32" means anymore. They replaced their support forums with an AI that just tells you to "try restarting" if your kernel panics.