The industry has gone completely nuts.
Use tokens to generate AI code and documentation slop. Then use even more tokens to understand and review that slop.
Then judge engineers by token usage instead of how empathetic and clear their docs and code actually are, and completely neglect human comprehension.
Utter nonsense.
New GCC/software offices and expansion of existing facilities in Pune in the last month. It was a significant month for #Pune: multiple big companies like Accenture, BP, Northern Trust, Citibank expanded, and new GCCs like Mizuho, Boston Scientific, Wolters Kluwer opened new offices.
https://t.co/BcmRKFVlCA
We were the media partners for Hyrox Bengaluru. Spent 2 days filming it with a 30-member crew.
Calling it “validation” misses the point entirely.
Here’s what we actually saw:
- We captured a marriage proposal on the race floor.
- Athletes finishing together with tears
- First-timers who trained 6 months for this one day.
- Couples racing together.
- Colleagues showing up in matching kits.
- Coaches running alongside clients they’d trained for half a year.
- People with disabilities finishing the race while the whole venue stopped to cheer them on.
₹9K isn’t for the race alone. It’s for the experience.
For decades, sport in India meant sitting on a couch watching cricket. Someone else playing, someone else winning. At Hyrox, you’re the one on the floor. The 9,000 people paying ₹9K to participate tells you exactly how starved this country was for it.
If fitness becomes the new status signal, that’s a massive win for society. We’ve spent decades flexing cars, watches, handbags. If the new flex is - I trained 6 months to finish a Hyrox. I feel that’s the healthiest status game this country has ever played.
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
When I was consulting for @HBO Silicon Valley, zero-loss compression was the holy grail: Richard Hendricks chases that perfect middle-out algo that could shrink everything w/out breaking a single bit.
Google just did something even more practical for the AI era: TurboQuant compresses LLM key-value caches down to 3 bits per value using random orthogonal rotation + PolarQuant scalar quantization & optional 1-bit QJL residual correction.
=>> 6× memory reduction, up to 8× faster attention (on H100), & 0 degradation on LongBench, Needle-in-a-Haystack, and RULER for models like Gemma. No retraining, no calibration needed.
Fiction just got out-engineered by reality. 😅💚💚
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Anthropic CTO Rahul Patil gave a (real) dev talk at SPC India in BLR earlier today to a room packed with over 150 devs & technical founders:
(1) His motivation to join Anthropic:
While he was CTO at Stripe he did an "Engineer-cation", i.e. a solo trip where he spent time coding; this was where he realized the power of the AI exponential curve - he wanted to be part of building the next gen infrastructure.
(2) The technical founder edge
For him, Sam McCandlish (one of Anthropic's founders) was the key reason to join - Sam even today is a top 5 contributor to Anthropic's code base.
(3) Scaling Laws still have room to run
His view was that scaling laws should hold up for the next ~2 years at least; he doesn't see any immediate evidence to the contrary
(4) Investment in DC Infra
He is personally spending time on new data center infrastructure (Anthropic has committed $50bn in CAPEX spending). This is Rahul's strength given his past experience at Oracle Cloud.
(5) Why training data matters?
His words were: "If you feed entertainment content to bot - it will become a people pleaser." Therefore, Anthropic's training set is heavily biased towards data from productive tasks (which is how they have positioned CoWork & Claude).
The audience had several graduates from PES University who were overjoyed to see Rahul on stage & hear about his journey :)
Like he said earlier yesterday: "India makes the impossible, possible"
I'm joining @OpenAI to bring agents to everyone. @OpenClaw is becoming a foundation: open, independent, and just getting started.🦞
https://t.co/XOc7X4jOxq
indian wedding buffet is a scam. i always leave regretting something. so i built BuffetGPT 😠
an ai agent that scans entire buffet and gives you a game plan.
it uses computer vision to detect every dish, then optimizes what to eat, what to skip, and how much based on actual stomach volume physics.
it's pretty early, tested alpha at a friend's wedding. decent results.
tbh, this is what my cs degree was for.
In the event that Pakistan lose to the Dutch, that will be the first time a team has ever been knocked out of a World Cup in the first three hours of the tournament.
Anthropic had 16 AI agents build a C compiler from scratch. 100k lines, compiles the Linux kernel, $20k, 2 weeks.
To put that in perspective, GCC took thousands of engineers over 37 years to build. (Granted from 1987 - however) One researcher and 16 AI agents just built a compiler that passes 99% of GCC's own torture test suite, compiles FFmpeg, Redis, PostgreSQL, QEMU and runs Doom.
They say they "(mostly) walked away." But that "mostly" is doing heavy lifting.
No human wrote code but the researcher constantly redesigned tests, built CI pipelines when agents broke each other's work, and created workarounds when all 16 agents got stuck on the same bug.
The human role didn't disappear. It shifted from writing code to engineering the environment that lets AI write code.
I don’t know how you could make the point AI is hitting a wall.
It's a weird time. I am filled with wonder and also a profound sadness.
I spent a lot of time over the weekend writing code with Claude. And it was very clear that we will never ever write code by hand again. It doesn't make any sense to do so.
Something I was very good at is now free and abundant. I am happy...but disoriented.
At the same time, something I spent my early career building (social networks) was being created by lobster-agents. It's all a bit silly...but if you zoom out, it's kind of indistinguishable from humans on the larger internet.
So both the form and function of my early career are now produced by AI.
I am happy but also sad and confused.
If anything, this whole period is showing me what it is like to be human again.