Introducing Dashboard Blocks!
The most demanded @shadcn blocks, engineered to help you ship beautiful analytics interfaces in seconds.
- Registry ready
- Native light & dark mode support
- Fully compatible with @base_ui + @radix_ui
- Agnostic to any icon library (@lucide_icons, @huge_icons, @tabler_io ... more)
Stop spending days aligning charts.
Grab them below
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in macOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows BitLocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
@andrewhoyer @KatieKeithBarn2 There are loads of misinformation out there on what happened with our products. They have not been deprioritized in any way. Quite the opposite, we believe in their future. But yes, the umbrella is not StellarWP anymore.
USE THE PROMPT BELOW IN CODEX/CC TO PROTECT YOUR SYSTEM AND CODEBASE FROM NPM SUPPLY CHAIN ATTACKS (LIKE TANSTACK TODAY):
"""
set up npm supply-chain protection on this machine. do all four steps.
1. edit ~/.npmrc. keep every existing line (auth tokens etc), append:
min-release-age=7
minimum-release-age=10080
save-exact=true
2. edit ~/.bunfig.toml (create if missing). keep existing content, append:
[install]
minimumReleaseAge = 604800
3. in this project, open package.json and pin every dependency: strip ^ and ~ from every version under dependencies, devDependencies, and peerDependencies. exact versions only.
4. commit the lockfile (bun.lock / package-lock.json / pnpm-lock.yaml) so the resolved tree is locked in git.
then report: files changed, deps pinned, anything unexpected.
"""
the cooldown makes every package manager refuse any version published in the last 7 days. attack chains usually only last a couple hours, but this protects you long term and for any future attacks... which at this rate will keep happening
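A way to verify steps 1 and 3 of the prompt above without relying on the agent's own report, as an added example that is not part of the original post. The function names and the sample inputs are constructed for illustration; the expected `.npmrc` keys and values are exactly the ones the post lists.

```javascript
// Added example: audits a package.json object and .npmrc text against the
// settings listed in the prompt. Inputs are passed in as data, so nothing
// here touches the file system or the network.

const DEP_SECTIONS = ["dependencies", "devDependencies", "peerDependencies"];

// Exact semver only (1.2.3, optionally -prerelease and +build). Ranges,
// tags ("latest"), git URLs and workspace: specs are all reported as unpinned.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Values taken from step 1 of the prompt.
const REQUIRED_NPMRC = {
  "min-release-age": "7",
  "minimum-release-age": "10080",
  "save-exact": "true",
};

// Returns every dependency whose version spec is not an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec !== "string" || !EXACT.test(spec)) {
        out.push({ section, name, spec });
      }
    }
  }
  return out;
}

// Minimal key=value parser for .npmrc text; skips blanks and # / ; comments.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Returns the required keys that are absent or set to a different value.
function missingNpmrcSettings(text) {
  const cfg = parseNpmrc(text);
  return Object.keys(REQUIRED_NPMRC).filter((k) => cfg[k] !== REQUIRED_NPMRC[k]);
}

// Constructed sample inputs.
const samplePkg = {
  dependencies: { "left-pad": "1.3.0", react: "^19.0.0" },
  devDependencies: { typescript: "~5.6.2" },
  peerDependencies: { "react-dom": ">=18" },
};
const sampleNpmrc = "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\nsave-exact=true\nmin-release-age=7\n";
```

Run both checks in CI against the committed `package.json` and the runner's `.npmrc` so a later edit that reintroduces a range or drops the cooldown fails the build.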
Update 5:05 PT: The attack has now expanded well beyond @TanStack and @Mistral.
373 malicious package-version entries across 169 npm package names, including @uipath, @squawk, @tallyui, @beproduct, and more.
The malware propagates by stealing your CI credentials and using them to publish new compromised versions.
Full IOCs, affected package list, and detection steps: https://t.co/jWG9DUCu3x
Introducing Files SDK
A unified storage SDK for object and blob backends. One small, honest API. Web-standards I/O. An escape hatch when you need the native client.
- 18 providers - S3, R2, Vercel Blob, Google Drive, etc.
- upload, download, head, delete, copy, list, url
- Works everywhere - Node, Bun, Deno, edge runtimes, browsers
- Tools for OpenAI, Vercel AI and Claude Agents SDKs
React Doctor v2 is here
Your agent writes bad React code, this catches it
Works with Next.js, Vite, React Native. Fix your app in minutes
npx react-doctor@latest
4 of the most confusing terms in AI, defined:
Model: a blob of parameters, written during training. Does next-token prediction and nothing else. Stateless.
Harness: everything around the model that turns it into an agent: tools, system prompt, context window management, etc.
Environment: the world the agent acts on. Anything outside the harness that the agent perceives and acts on via tools.
Agent: a model, harnessed, in an environment.
---
Opus is a model.
Claude Code and Claude Web are different agents, because their harnesses differ - even though the models are the same.
The file system is an environment. MCP servers add tools to the environment.
WordPress Integration WorkOS v1.0.1 is out.
Fixed some problems with saving Production and Staging environments (they were being saved in two diff spots) and some problems with Settings pages not submitting properly.
GH: https://t.co/W0ZmXeRpvD
WP: https://t.co/fnMfYwUUzF
Introducing the /browser-trace skill,
Give your agent 100% observability into its browser: dump network requests, DOM content, screenshots, and CDP logs into a searchable filesystem.
Great for reverse engineering, autoresearch loops, and monitoring the situation.
Add a user to your WorkOS directory - they show up in WordPress.
Promote them in WorkOS - their WP role updates.
Deprovision them - they're removed from WordPress.
Integration with WorkOS does it via SCIM Directory Sync + signed webhooks.
https://t.co/6YEh5QczQU
https://t.co/hvVliqARHH
@WorkOS
Nearly 23K stars for a collection of markdown files I wrote
I guess they must be pretty good
I want to invest more time in this repo. So, folks who starred it, what can I do to make these skills more obvious to you?
- A docs site for the skills?
- Send them to plugin marketplaces?
Help me help you
https://t.co/64UuxC8V0T
Shipped v1.0.0 of Integration with WorkOS for WordPress today.
SSO, SCIM, MFA, passkeys, audit logs - and a fully WP-hosted login shell or redirect to a third-party login page.
https://t.co/GJ4NlTFeGT
https://t.co/RZgJ3iTkSp
@WorkOS