Episodes

  • Developers, It's Time to Secure Your Workstations and Laptops
    Nov 6 2025

    Developer workstations have become treasure chests of credentials—API keys, database passwords, cloud tokens, SSH keys—essentially the keys to the kingdom. This episode examines why developers have become the softest target in the security landscape, with surveys showing 86% of developers don't prioritize security when writing code, and nearly one-third are unfamiliar with secure coding practices. The consequences are stark: in 2023 alone, 8 million public GitHub commits exposed at least one secret.

    We dramatize the operations of two recent worms that have exploited this vulnerability. ShaiHulud, discovered in September 2025, was the first known self-replicating worm in the npm ecosystem to harvest developer credentials and automatically infect hundreds of packages. PhantomRaven followed in August-October 2025, flooding npm with 126 malicious packages that collected over 86,000 downloads by impersonating legitimate projects and exploiting "hallucinated" package names suggested by AI tools.

    The episode concludes with actionable security steps every developer must take: purging secrets from local files, implementing strong authentication, keeping tools up to date, securing CI/CD pipelines, and embracing a security-first mindset. We also explore practical tools, such as 1Password's CLI integration, that can inject secrets at runtime without storing them on disk.

    In tech news, we cover a critical VMware vulnerability (CVE-2025-41244) being actively exploited to compromise U.S. government systems, requiring patches by November 20th. We explore timing wheels, the elegant O(1) algorithm that enables systems like Kafka and Linux to handle millions of timers efficiently. And in our weird bucket, we share the tale of an engineer who modded their bricked smart vacuum with Python scripts after the manufacturer killed it for blocking data collection—a perfect encapsulation of our dystopian relationship with IoT devices.

    Links
    Main segment
    • ShaiHulud npm supply-chain attack - Palo Alto Networks
    • Defending against ShaiHulud - AWS Security Blog
    • PhantomRaven malware analysis - Koi Security
    • 126 npm packages stealing developer tokens - The Hacker News
    • 1Password CLI secret references
    • GitGuardian State of Secrets Sprawl 2024
    • LastPass breach via unpatched Plex - The Hacker News
    News
    • VMware Zero-Day Vulnerability Actively Exploited
    • How Timing Wheels Solved the 10-Million-Timer Problem
    • Vacuum Bricked After User Blocks Data Collection
    • Mozilla Ends Japanese Community Support
    • Apple and Goldman Sachs Ending Credit Card Partnership
    • Microsoft Invests $4.5 Billion in UK Data Centers
    • FTC Fines Amazon $30 Million for Alexa Privacy Violations
    51 m
  • Git's Discontents: Examining the Cracks in Version Control's Crown
    Nov 6 2025

    Git fundamentally transformed software development, enabling the open-source explosion we've witnessed over the past two decades. But as we approach Git's 20th birthday, it's worth examining where this beloved tool shows its age. Today's main segment digs into three key areas of discontent: Git's well-documented struggles with massive monorepos (forcing Facebook to switch to Mercurial and Microsoft to develop GVFS), the paradox of a decentralized tool creating unprecedented centralization around GitHub, and the current state of alternatives like Subversion and Mercurial.

    The monorepo challenge is particularly revealing—when Facebook's engineers approached Git maintainers about scaling issues in 2012, they were told their repository was "too huge" and to split it up. This dismissive response led Facebook to migrate their entire codebase to Mercurial, while Microsoft took a different approach, engineering solutions like GVFS to make Git handle the 300GB Windows repository. These extreme cases expose Git's architectural assumptions and remind us that even dominant tools have their limits.

    In today's news, we cover a critical React Native CLI vulnerability (CVE-2025-11953) that scores 9.8/10 on severity—exposing developer machines to remote command execution through the Metro development server. The vulnerability affects versions 4.8.0 through 20.0.0-alpha.2, with millions of weekly downloads at risk.

    We also explore a fascinating paradigm shift: WebAssembly support has been added to the Linux kernel, enabling an entire operating system to run in virtual, portable environments. This isn't about web browsers—it's about running Linux itself on WebAssembly, complete with BusyBox in a browser. The technical achievement required working around WebAssembly's lack of MMU and interrupt mechanisms, showcasing remarkable engineering creativity.

    Finally, our weird science story features a genetic mutation in the LRP5 gene that gives some people bones up to 8 times denser than normal—making them virtually unbreakable but unable to swim. This real-life superpower has pharmaceutical companies racing to understand the mutation for osteoporosis treatments, while affected individuals must avoid deep water at all costs.

    Links
    Main segment
    • The Fork-It-and-Forget Decade - Tim O'Brien on Medium
    • Why Facebook Doesn't Use Git - Graphite.dev Blog
    • Announcing GVFS (Git Virtual File System) - Microsoft Azure DevOps Blog
    • On Centralized Development Forges - Ariadne's Space Blog
    • Apache Subversion 1.14.5 Released
    • Mercurial 7.0 Released
    News
    • Critical React Native CLI Vulnerability Exposes Millions of Developer Machines
    • WebAssembly Support Added to Linux Kernel
    • Genetic Mutation Makes People's Bones 8x Denser
    • Microsoft Discovers SesameOp Backdoor Using OpenAI API
    • Shift Technology AI Models Stolen in Insider Breach
    • YouTube Announces Voluntary Exit Program for US Staff
    • Norway Wealth Fund Votes Against Musk's $1T Pay Package
    58 m
  • Trusting the Autopilot: When AI Flies Better Than Humans
    Nov 5 2025

    Modern aviation has a counterintuitive rule: keep the autopilot engaged during turbulence. After analyzing millions of flights, Airbus found that pilots who disconnect autopilot often make things worse through overcorrection and startle response. The machine, monitoring 88+ parameters simultaneously, handles the chaos better than human instinct. This aviation philosophy offers crucial lessons as programmers grapple with their own copilots—AI coding assistants that require us to shift from doing everything ourselves to managing intelligent systems.

    The episode explores how FlightAware transforms thousands of data points per second into their famous "Misery Map," showing real-time airport delays across the US. This fascinating company has built a technical marvel, fusing FAA feeds, airline data, and 30,000 crowdsourced ground stations to track every flight globally. Their engineering blog details the sophisticated vector-based mapping and data tiling systems that make this possible, showcasing how complex aviation data becomes accessible visual information.

    In air traffic control, AI adoption faces fierce resistance—and for good reason. Unlike cockpit automation that's had decades to prove itself, ATC remains fundamentally human-driven. While systems like Heathrow's AIMEE handle routine clearances and new tools help with conflict detection, the consensus is clear: AI augments but doesn't replace human controllers. As one expert noted, it takes years to develop the instinct for managing airspace, something AI can't simply replicate.

    Today's news highlights include a shocking case of cybersecurity professionals using their insider access to deploy ransomware—the ultimate trust betrayal. On the creative side, LayoutitStudio's CSS-only terrain generator proves that web styling languages can create complex 3D worlds without JavaScript. And in a haunting discovery, scientists accidentally recorded the first dying human brain, revealing gamma waves suggesting memory replay in our final moments.

    Links
    Main segment
    • FlightAware Engineering Blog - The fascinating technical details behind the company's aviation data infrastructure
    • Airbus Safety Magazine on Autopilot in Turbulence
    • FlightAware Misery Map
    • FAA AI Safety Assurance Research
    News
    • US Traces Ransomware Attacks to 2 People Working for Cybersecurity Firms
    • A CSS-Only Terrain Generator
    • First recording of a dying human brain shows waves similar to memory flashbacks
    • X is silently opening tweet links in webviews
    • Aisuru botnet shifts from DDoS to residential proxies
    • OpenAI and AWS sign $38 billion cloud deal
    41 m
  • Meteors vs. Data Centers - Cloud Computing: Worst Case Scenarios
    Nov 3 2025

    The October 2025 AWS outage in us-east-1 was a 15-hour preview of life without the cloud. When a DNS resolution failure cascaded through DynamoDB, it didn't just take down websites – it disrupted daily life in unexpected ways. From Starbucks' mobile ordering to smart mattresses stuck at the wrong temperature, the outage revealed how deeply cloud infrastructure has woven itself into the fabric of modern existence. As David Heinemeier Hansson noted, this centralization "is just an insult to DARPA's design" of a resilient, distributed internet.

    But what if the next regional failure is caused not by a software bug but by a half-megaton explosion in the sky? The 2013 Chelyabinsk meteor – which injured 1,500 people and damaged 7,200 buildings with its 500-kiloton airburst – offers a sobering case study. This 20-meter asteroid approached Earth undetected and exploded with the force of 25-30 Hiroshima bombs. The mathematical risk analysis reveals an uncomfortable truth: while the odds of such an event hitting Reston or San Jose specifically are about 1 in 160,000-235,000 over 20 years, when you consider the top 100 data center hubs globally, the risk climbs to roughly 1 in 3,100-4,700.

    The episode examines what would happen if a Chelyabinsk-scale event struck "Data Center Alley" in Northern Virginia, home to AWS us-east-1 and Azure US East, and the densest concentration of data centers on Earth. Beyond broken windows and power outages, such an event would simultaneously affect multiple availability zones—the exact scenario that multi-AZ architecture cannot handle. As the podcast emphasizes: "multi-AZ ≠ multi-region." Drawing from historical precedent (including the 1908 Tunguska event that flattened 2,150 square kilometers of forest) and personal experiences with early warning signs, the episode argues for embracing "productive paranoia" in infrastructure planning.

    The key insight: while we can't prevent cosmic events, we can control our preparedness through geographic distribution, rigorous backup procedures, and – critically – ensuring our human teams are as geographically distributed as our data.

    Links
    Main segment
    • Chelyabinsk meteor — Wikipedia: https://en.wikipedia.org/wiki/Chelyabinsk_meteor
    • Tunguska event — Wikipedia: https://en.wikipedia.org/wiki/Tunguska_event
    • Brown et al., Nature (2013) – Chelyabinsk airburst analysis: https://www.nature.com/articles/nature12741
    • Popova et al., Science (2013) – Damage and injury patterns: https://www.science.org/doi/10.1126/science.1242642
    • NASA Planetary Defense Coordination Office (PDCO): https://www.nasa.gov/planetarydefense/
    • Center for Near-Earth Object Studies (CNEOS) at JPL: https://cneos.jpl.nasa.gov/
    • Sentry: Earth Impact Monitoring System: https://cneos.jpl.nasa.gov/sentry/
    • NASA NEO Surveyor Mission: https://www.jpl.nasa.gov/missions/neo-surveyor
    • DART Mission (Double Asteroid Redirection Test): https://www.nasa.gov/dart
    • AWS Service Health Dashboard: https://health.aws.amazon.com/health/status
    • DHH on Cloud Centralization (37signals): https://world.hey.com/dhh
    • Lex Fridman Podcast #474 — DHH transcript: https://lexfridman.com/dhh-david-heinemeier-hansson-transcript/
    • ThousandEyes — "AWS Outage Analysis: October 20, 2025": https://www.thousandeyes.com/blog/aws-outage-analysis-october-20-2025
    • UN-Habitat (2020) – World Cities Report: https://unhabitat.org/World-Cities-Report-2020
    News
    • Physics Today – Chelyabinsk ground track analysis: https://physicstoday.scitation.org/do/10.1063/PT.5.0285/full/
    • New Yorker — "A Meteor in the Russian Sky": https://www.newyorker.com/news/news-desk/a-meteor-in-the-russian-sky
    • Reuters — "Amazon says AWS cloud service back to normal after outage disrupts businesses worldwide": https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20/
    • The Guardian — "Amazon reveals cause of AWS outage that took everything from banks to smart beds offline": https://www.theguardian.com/technology/2025/oct/24/amazon-reveals-cause-of-aws-outage
    52 m
  • Today's News: Haskell in the Browser
    Nov 2 2025

    The main segment explores a milestone for the web platform: the Glasgow Haskell Compiler (GHC) now runs entirely in modern browsers via WebAssembly (Wasm). Developers can write, compile, and run Haskell without any local setup, lowering the barrier to entry for education and experimentation. Wasm provides a portable, memory‑safe execution sandbox that delivers near‑native performance across browsers and other runtimes.

    Technically, this is significant: GHC’s sizeable runtime—supporting lazy evaluation, type inference, and rich language features—has been adapted to the browser’s security model, addressing memory management and FFI constraints. The result is a practical path to trying advanced functional programming in a tab, with implications for teaching, demos, and potentially web apps that benefit from strong static types.

    In security, researchers describe “HeisenTrojans,” a class of attacks targeting Electronic Design Automation (EDA) tools rather than finished hardware. They report exploitable vulnerabilities in 83% of examined tools—covering buffer overflows, command injection, and memory corruption—raising the risk of silent netlist edits or backdoors during synthesis and layout. Because sign‑off checks validate geometry and timing rather than intent, such manipulations can evade traditional verification.

    Finally, new cosmology results from DESI and the Union3 supernova catalog indicate a 4.2‑sigma deviation from the standard ΛCDM model, consistent with dark energy’s strength changing over time. If confirmed, this would prompt a significant re‑evaluation of the universe’s expansion history and long‑term fate, with scenarios ranging from slower expansion to eventual contraction.

    Links
    Main segment
    • GHC Now Runs in the Browser
    • MDN Web Docs: WebAssembly
    • GHC WebAssembly Documentation
    • Haskell.org: GHC
    News
    • Security: HeisenTrojans - 83% of Hardware Design Tools Have Exploitable Bugs
    • Programming: GHC Now Runs in the Browser
    • Weird: Is Dark Energy Getting Weaker?
    • Background: Introduction to VHDL (Nandland)
    • FCC to Rescind Ruling Requiring ISPs to Secure Networks
    • Ubuntu 26.04 Will Use Rust for Core Linux Utilities
    • MIT Physicists Find New Way to See Inside Atoms
    13 m
  • Today's News and Weekly Review
    Nov 1 2025

    TORCHLIGHT, a research tool presented at USENIX Security 2025, discovered 29 zero-day exploits affecting 12.71 million IoT devices hidden on the Tor network by analyzing 26 terabytes of traffic over twelve months. These aren't just smart fridges—they're industrial controllers, security cameras, and network equipment controlling critical infrastructure, now potentially compromised by untraceable attackers.

    The programming language Frink treats units of measurement as first-class citizens in its type system, preventing the kind of unit conversion error that destroyed NASA's Mars Climate Orbiter in 1999. Created by Alan Eliasen in 2001, it's been quietly used by engineers for over 20 years when precise unit tracking is critical.

    The Vera C. Rubin Observatory in Chile activated the world's largest digital camera (3,200 megapixels), discovering over 2,000 new asteroids in just its first 10 hours of operation—representing only 0.05% of its goal to map 20 billion galaxies.

    This week's episodes covered substantial ground in technical territory. We explored how open source evolved through distinct decades, culminating in the argument that Git fundamentally changed power dynamics by making forking trivial. We examined the legal complexity developers face with generative AI tools, including the gray areas around feeding output from one model into another. The passionate defense of code longevity challenged "rewrite culture," using examples of 1970s Fortran code still running today because it was validated and works. Dijkstra's 1972 Turing Award lecture proved eerily prescient about 2025 AI anxiety, predicting that better tools just let us tackle harder problems. The FinOps deep dive explained why utilization reports without context are useless—sometimes low utilization is a feature, not a bug. And the week ended with a nuanced take on DHH's cloud exodus, defending his decision while outlining the crucial complications most teams must consider.

    Additional stories include Apple being found guilty of App Store dominance abuse in the UK, Myanmar's military shutting down a massive online scam operation seizing Starlink terminals, and California State University partnering with Amazon, OpenAI, and Nvidia to become America's "first AI-empowered university." The common thread throughout the week: technology decisions rarely have simple answers.

    Links
    Main segment
    • Ken White's Serious Trouble Podcast - Referenced as an example of accessible expert content outside one's specialty
    • Mike Loukides / O'Reilly Radar - Has been linking to related Medium stories
    News
    • TORCHLIGHT Exposes 29 Zero-Day Exploits in 12 Million IoT Devices
    • Frink - A Programming Language for Physical Calculations
    • Frink Documentation
    • Frink Sample Calculations
    • World's Largest Camera Finds 2,000 Asteroids in First 10 Hours
    • Apple Found to Have Abused App Store Dominance in UK
    • Myanmar Military Shuts Down Major Online Scam Operation
    • Cal State Partners with Tech Giants for AI Integration
    30 m
  • DHH on Leaving the Cloud: When Private Infrastructure Makes Sense
    Oct 31 2025

    DHH's decision to move Basecamp and HEY out of the public cloud sparked intense debate in the tech community. Still, as someone who interviewed him back in 2008 (which ended with us literally running from Chicago police over a filming permit), I respect his position: real numbers and real success back his argument. For mature applications with predictable loads and strong ops talent, owning infrastructure can absolutely make economic sense. But there's a lot more to this calculation than hardware versus EC2 pricing.

    The public cloud bill that feels punishing is actually a feature you need to exploit. It forces immediate architectural decisions—why store 3 years of debug logs? Why run dev environments 24/7? That monthly invoice is a diagnostic tool that keeps waste visible. In private infrastructure, that pressure evaporates. Spend becomes sunk CapEx that feels "free" until you run out of capacity—and then you can't just spin up new instances.

    Security is where the conversation gets serious. Hyperscalers handle thousands of quiet tasks—microcode patches, live VM migrations off suspect hosts, hardware attestation, cross-region controls. With vulnerabilities like TEE.fail affecting trusted execution environments across AMD, Intel, and Nvidia, you need an information security team plugged into a much larger community of experts. Your colo facility won't have hundreds of people thinking about physical security, side-channel attacks, and supply chain risks.

    Then there's risk transfer. I learned this firsthand when lightning struck my search engine business in 1997, destroying both the central systems and the backups. Since then, I've seen unpredictable events in every role—multiple disk failures, backhoes cutting fiber, supply chain shocks that made SSDs scarce for months. Remember the Chelyabinsk meteor in 2013 that caused widespread infrastructure damage? Black Swan events happen on decade timelines, and one event can nullify years of savings.

    We also cover today's tech news: NPM's "PhantomRaven" attack targeting AI-suggested packages, UV's promise to unify Python tooling with Rust-powered speed, and why 987654321/123456789 equals almost exactly 8.

    Links
    Main segment
    • Why We're Leaving the Cloud - DHH
    • TEE.fail Vulnerability Disclosure
    • Chelyabinsk Meteor Event Documentation
    News
    • NPM flooded with malicious packages downloaded more than 86,000 times
    • PhantomRaven NPM malware analysis by Koi
    • UV is the best thing to happen to the Python ecosystem in a decade
    • UV GitHub Repository
    • UV Official Documentation
    • 987654321 / 123456789
    • Character.AI to Bar Children Under 18 From Using Its Chatbots
    • GM Will Cut 1,750 Jobs in Electric Vehicle Business
    • Microsoft Increases Investments Amid A.I. Race
    • Alphabet Revenue Jumps 16% With Strong Cloud Sales
    23 m
  • The Reality of Utilization Reports: Why FinOps Is More Complicated Than That
    Oct 30 2025

    In the main segment, Tim unpacks the deceptive nature of utilization reports that FinOps teams rely on to identify "waste" in infrastructure. While industry statistics show servers running at shockingly low utilization rates—often 12-50%—Tim argues that acting on these numbers without context is like "performing surgery with a chainsaw." He explores how CPU utilization percentages are fundamentally misleading with modern processors, why databases legitimately need low utilization for disaster recovery and peak loads, and how operational realities like global teams, inherited systems, and technical debt create legitimate reasons for apparent over-provisioning.

    The news segment covers significant security and policy developments: researchers demonstrate TEE.fail, a new physical attack that defeats trusted execution environments from Nvidia, AMD, and Intel using under $1,000 in equipment. The Python Software Foundation rejected a $1.5 million NSF security grant rather than comply with new anti-DEI requirements, highlighting how political decisions now directly affect open-source development. Plus coverage of Nvidia hitting a $5 trillion valuation, Amazon's 14,000-person layoffs targeting multiple departments, and analysis of OneUptime's bare-metal migration claiming $1.2M in annual savings.

    Tim emphasizes that good FinOps requires understanding the full picture—technical constraints, business requirements, and human factors—rather than simply optimizing utilization metrics. The episode concludes that sustainable cost management comes from partnering with teams and recognizing that some "inefficiency" is actually necessary insurance for reliable operations.

    Links
    Main segment
    • Tim O'Brien: "FinOps and Utilization Reports: It's More Complicated Than That"
    • Brendan Gregg: "CPU Utilization is Wrong"
    • Brendan Gregg: Systems Performance Book
    • Brendan Gregg: The USE Method
    • Gartner: "How to Make the Data Center Eco-Friendly"
    • Uptime Institute: Enterprise data center utilization studies
    • WifiTalents: Server Statistics and Industry Reports
    • David Kopp: Server Utilization Research Notes
    News
    • FinOps: AWS to Bare Metal Two Years Later
    • Security: New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel
    • Programming: Python plan to boost software security foiled by Trump admin's anti-DEI rules
    • Weird: Man accidentally gets a leech up his nose. It took 20 days to figure it out.
    • Nvidia hits record $5 trillion mark as CEO dismisses AI bubble concerns
    • Amazon plans to lay off approximately 14,000 employees
    25 m