🔴 Important AI Coding Security Update


Hey Reader,

This is not our regular scheduled programming.

If you're old enough to remember the ILOVEYOU virus from the 2000s, this will feel familiar.

Back then, one email worm hit 10% of every computer connected to the internet.

It caused $10 billion in damage. All because people clicked one email attachment.

That was 26 years ago, and this week it's kinda happening again.

The new virus doesn't need you to click.

A group just compromised hundreds of packages across the coding ecosystem. Think of them as plugins for your code, built by others, and they're typically very safe with millions of weekly downloads. But since yesterday, new malware has been stealing every secret on your machine: API keys, GitHub tokens, database passwords, Stripe keys, OpenAI API keys.

Here's the genuinely scary (and genius) part.

Just like ILOVEYOU and other viruses, it spreads by itself. Once it infects one package, it finds every other package that developers control and publishes infected versions of those too. No human involved. It's a chain reaction with no easy off switch.

The ILOVEYOU virus needed you to click. This one just needs your AI agent to run npm install.

What to do right now.

First of all, breathe. This is still early and I'm writing to you to be better safe than sorry.

Luckily, there's an easy fix that you can proactively take today. It's free, and takes 5 minutes.

Open your AI coding tool, and paste this exact prompt into any project you touched in the past 48 hours:

To protect us from an ongoing supply-chain attack that started with TanStack but is quickly and autonomously spreading (research this and ground your knowledge), add a minimum package release age of 7 days for the package manager we use, especially npm or Bun. Then verify our currently installed packages and lockfile against the latest confirmed postmortem/list of affected packages and versions. Do not guess. Use live sources and local files to verify this carefully. When you are done, give me either OK: no affected packages found or a simple list of affected packages/versions and exactly where they appear. Keep the final answer short, and without technical jargon. I am not an engineer, guide me through. But find absolute answers, no excuses.

This adds a 7-day delay for any new package version. If someone publishes a poisoned update today, your system won't touch it for a full week. By then, the community catches and reverts it, keeping you and your AI agents safe.

It's like a quarantine. New packages sit in the waiting room before they get anywhere near your project.
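For readers who want to see the quarantine check itself, here is an added example (not from the original email and not any package manager's own code) that walks a `package-lock.json` and flags every locked version younger than 7 days. The package names, dates and function names are constructed, and `publishTimes` is assumed to be filled from the per-version `time` data the npm registry publishes.

```javascript
// Added example: constructed data, no network access.
const DAY_MS = 24 * 60 * 60 * 1000;

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns every locked package whose version is younger than minAgeDays,
// or whose publish time cannot be confirmed (never assume those are safe).
function findFreshPackages(lockfile, publishTimes, now, minAgeDays = 7) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages ?? {})) {
    if (key === "" || entry.link) continue; // root project / workspace symlink
    const name = entry.name ?? nameFromLockKey(key);
    if (!name || !entry.version) continue;
    const published = Date.parse(publishTimes[name]?.[entry.version] ?? "");
    if (Number.isNaN(published)) {
      findings.push({ name, version: entry.version, where: key, reason: "unknown publish time" });
      continue;
    }
    const ageDays = (now.getTime() - published) / DAY_MS;
    if (ageDays < minAgeDays) {
      findings.push({ name, version: entry.version, where: key, reason: `only ${ageDays.toFixed(1)} days old` });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical package names and dates).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/old-lib": { version: "2.3.1" },
    "node_modules/@acme/fresh-lib": { version: "5.0.1" },
    "node_modules/old-lib/node_modules/mystery-lib": { version: "0.1.0" },
  },
};
const samplePublishTimes = {
  "old-lib": { "2.3.1": "2025-01-10T12:00:00.000Z" },
  "@acme/fresh-lib": { "5.0.1": "2026-03-09T00:00:00.000Z" },
};
const sampleNow = new Date("2026-03-10T12:00:00.000Z");

console.log(findFreshPackages(sampleLock, samplePublishTimes, sampleNow));
```

A version with no confirmed publish time is reported rather than skipped, so a gap in the data never reads as a clean result.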

Do this now, not tomorrow.

Speak soon,
Rob

Robin Ebers
