Why "Start Simple" Should Be Your Default in the AI-Assisted Development Era
https://www.reddit.com/r/programming/comments/1p5b0z3/why_start_simple_should_be_your_default_in_the/
<!-- SC_OFF -->A case for resisting over-engineered AI-generated architectures and instead beginning projects with the smallest viable design. Simple, explicit code provides tighter threat surfaces, faster debugging, and far fewer hidden abstractions that developers only partially understand. Before letting AI optimize anything, build the clear, boring version first so you know what the system actually does and can reason about it when things break. <!-- SC_ON --> submitted by /u/AWildMonomAppears (https://www.reddit.com/user/AWildMonomAppears)
[link] (https://practicalsecurity.substack.com/p/why-starting-simple-is-your-secret) [comments] (https://www.reddit.com/r/programming/comments/1p5b0z3/why_start_simple_should_be_your_default_in_the/)
https://www.reddit.com/r/programming/comments/1p5b0z3/why_start_simple_should_be_your_default_in_the/
<!-- SC_OFF -->A case for resisting over-engineered AI-generated architectures and instead beginning projects with the smallest viable design. Simple, explicit code provides tighter threat surfaces, faster debugging, and far fewer hidden abstractions that developers only partially understand. Before letting AI optimize anything, build the clear, boring version first so you know what the system actually does and can reason about it when things break. <!-- SC_ON --> submitted by /u/AWildMonomAppears (https://www.reddit.com/user/AWildMonomAppears)
[link] (https://practicalsecurity.substack.com/p/why-starting-simple-is-your-secret) [comments] (https://www.reddit.com/r/programming/comments/1p5b0z3/why_start_simple_should_be_your_default_in_the/)
Celebrate fire preventers, not just firefighters. The stories you praise shape your culture. Choose heroes who build systems, not chaos.
https://www.reddit.com/r/programming/comments/1p5cqmt/celebrate_fire_preventers_not_just_firefighters/
submitted by /u/goto-con (https://www.reddit.com/user/goto-con)
[link] (https://youtube.com/shorts/WuDUJsNNlSM) [comments] (https://www.reddit.com/r/programming/comments/1p5cqmt/celebrate_fire_preventers_not_just_firefighters/)
https://www.reddit.com/r/programming/comments/1p5cqmt/celebrate_fire_preventers_not_just_firefighters/
submitted by /u/goto-con (https://www.reddit.com/user/goto-con)
[link] (https://youtube.com/shorts/WuDUJsNNlSM) [comments] (https://www.reddit.com/r/programming/comments/1p5cqmt/celebrate_fire_preventers_not_just_firefighters/)
Finly - Closing the Gap Between Schema-First and Code-First
https://www.reddit.com/r/programming/comments/1p5dh2b/finly_closing_the_gap_between_schemafirst_and/
submitted by /u/Dan6erbond2 (https://www.reddit.com/user/Dan6erbond2)
[link] (https://finly.ch/engineering-blog/350169-closing-the-gap-between-schema-first-and-code-first-graphql-development) [comments] (https://www.reddit.com/r/programming/comments/1p5dh2b/finly_closing_the_gap_between_schemafirst_and/)
https://www.reddit.com/r/programming/comments/1p5dh2b/finly_closing_the_gap_between_schemafirst_and/
submitted by /u/Dan6erbond2 (https://www.reddit.com/user/Dan6erbond2)
[link] (https://finly.ch/engineering-blog/350169-closing-the-gap-between-schema-first-and-code-first-graphql-development) [comments] (https://www.reddit.com/r/programming/comments/1p5dh2b/finly_closing_the_gap_between_schemafirst_and/)
TLS Handshake Latency: When Your Load Balancer Becomes a Bottleneck
https://www.reddit.com/r/programming/comments/1p5f7rq/tls_handshake_latency_when_your_load_balancer/
<!-- SC_OFF -->Most engineers think of TLS as network overhead - a few extra round trips that add maybe 50-100ms. But here’s what actually happens: when your load balancer receives a new HTTPS connection, it needs to perform CPU-intensive cryptographic operations. We’re talking RSA signature verification, ECDHE key exchange calculations, and symmetric key derivation. On a quiet Tuesday morning, each handshake takes 20-30ms. During a traffic spike? That same handshake can take 5 seconds. The culprit is queueing. Your load balancer has a fixed number of worker threads handling TLS operations. When requests arrive faster than workers can process them, they queue up. Now you’re not just dealing with the crypto overhead - you’re dealing with wait time in a saturated queue. I’ve seen production load balancers at major tech companies go from 50ms p99 handshake latency to 8 seconds during deployment events when thousands of connections need re-establishment simultaneously. https://systemdr.substack.com/p/tls-handshake-latency-when-your-load https://github.com/sysdr/sdir/tree/main/tls_handshake <!-- SC_ON --> submitted by /u/Extra_Ear_10 (https://www.reddit.com/user/Extra_Ear_10)
[link] (https://systemdr.substack.com/p/tls-handshake-latency-when-your-load) [comments] (https://www.reddit.com/r/programming/comments/1p5f7rq/tls_handshake_latency_when_your_load_balancer/)
https://www.reddit.com/r/programming/comments/1p5f7rq/tls_handshake_latency_when_your_load_balancer/
<!-- SC_OFF -->Most engineers think of TLS as network overhead - a few extra round trips that add maybe 50-100ms. But here’s what actually happens: when your load balancer receives a new HTTPS connection, it needs to perform CPU-intensive cryptographic operations. We’re talking RSA signature verification, ECDHE key exchange calculations, and symmetric key derivation. On a quiet Tuesday morning, each handshake takes 20-30ms. During a traffic spike? That same handshake can take 5 seconds. The culprit is queueing. Your load balancer has a fixed number of worker threads handling TLS operations. When requests arrive faster than workers can process them, they queue up. Now you’re not just dealing with the crypto overhead - you’re dealing with wait time in a saturated queue. I’ve seen production load balancers at major tech companies go from 50ms p99 handshake latency to 8 seconds during deployment events when thousands of connections need re-establishment simultaneously. https://systemdr.substack.com/p/tls-handshake-latency-when-your-load https://github.com/sysdr/sdir/tree/main/tls_handshake <!-- SC_ON --> submitted by /u/Extra_Ear_10 (https://www.reddit.com/user/Extra_Ear_10)
[link] (https://systemdr.substack.com/p/tls-handshake-latency-when-your-load) [comments] (https://www.reddit.com/r/programming/comments/1p5f7rq/tls_handshake_latency_when_your_load_balancer/)
Read-Through vs Write-Through Cache
https://www.reddit.com/r/programming/comments/1p5fh9z/readthrough_vs_writethrough_cache/
submitted by /u/stmoreau (https://www.reddit.com/user/stmoreau)
[link] (https://www.systemdesignbutsimple.com/p/read-through-vs-write-through-cache) [comments] (https://www.reddit.com/r/programming/comments/1p5fh9z/readthrough_vs_writethrough_cache/)
https://www.reddit.com/r/programming/comments/1p5fh9z/readthrough_vs_writethrough_cache/
submitted by /u/stmoreau (https://www.reddit.com/user/stmoreau)
[link] (https://www.systemdesignbutsimple.com/p/read-through-vs-write-through-cache) [comments] (https://www.reddit.com/r/programming/comments/1p5fh9z/readthrough_vs_writethrough_cache/)
Shai-Hulud Second Coming: Software Supply Chain Attack Exposing Code and Harvesting Credentials
https://www.reddit.com/r/programming/comments/1p5g2ac/shaihulud_second_coming_software_supply_chain/
<!-- SC_OFF -->The Shai-Hulud attackers are back with a new supply chain attack targeting the npm ecosystem. Multiple popular packages were infected with malicious payload via preinstall script. The attack is in progress. Some of the indicators include: Download and installation of bun Executing bun_environment.js using bun Credentials stolen from infected machines and CI/CD are being exposed through GitHub public repositories. https://github.com/search?q=%22Sha1-Hulud%3A%20The%20Second%20Coming%22&type=repositories <!-- SC_ON --> submitted by /u/N1ghtCod3r (https://www.reddit.com/user/N1ghtCod3r)
[link] (https://safedep.io/shai-hulud-second-coming-supply-chain-attack/) [comments] (https://www.reddit.com/r/programming/comments/1p5g2ac/shaihulud_second_coming_software_supply_chain/)
https://www.reddit.com/r/programming/comments/1p5g2ac/shaihulud_second_coming_software_supply_chain/
<!-- SC_OFF -->The Shai-Hulud attackers are back with a new supply chain attack targeting the npm ecosystem. Multiple popular packages were infected with malicious payload via preinstall script. The attack is in progress. Some of the indicators include: Download and installation of bun Executing bun_environment.js using bun Credentials stolen from infected machines and CI/CD are being exposed through GitHub public repositories. https://github.com/search?q=%22Sha1-Hulud%3A%20The%20Second%20Coming%22&type=repositories <!-- SC_ON --> submitted by /u/N1ghtCod3r (https://www.reddit.com/user/N1ghtCod3r)
[link] (https://safedep.io/shai-hulud-second-coming-supply-chain-attack/) [comments] (https://www.reddit.com/r/programming/comments/1p5g2ac/shaihulud_second_coming_software_supply_chain/)
How many HTTP requests/second can a Single Machine handle?
https://www.reddit.com/r/programming/comments/1p5gins/how_many_http_requestssecond_can_a_single_machine/
<!-- SC_OFF -->When designing systems and deciding on the architecture, the use of microservices and other complex solutions is often justified on the basis of predicted performance and scalability needs. Out of curiosity then, I decided to tests the performance limits of an extremely simple approach, the simplest possible one: A single instance of an application, with a single instance of a database, deployed to a single machine. To resemble real-world use cases as much as possible, we have the following: Java 21-based REST API built with Spring Boot 3 and using Virtual Threads PostgreSQL as a database, loaded with over one million rows of data External volume for the database - it does not write to the local file system Realistic load characteristics: tests consist primarily of read requests with approximately 20% of writes. They call our REST API which makes use of the PostgreSQL database with a reasonable amount of data (over one million rows) Single Machine in a few versions: 1 CPU, 2 GB of memory 2 CPUs, 4 GB of memory 4 CPUs, 8 GB of memory Single LoadTest file as a testing tool - running on 4 test machines, in parallel, since we usually have many HTTP clients, not just one Everything built and running in Docker DigitalOcean as the infrastructure provider As we can see the results at the bottom: a single machine, with a single database, can handle a lot - way more than most of us will ever need. Unless we have extreme load and performance needs, microservices serve mostly as an organizational tool, allowing many teams to work in parallel more easily. Performance doesn't justify them. The results: Small machine - 1 CPU, 2 GB of memory Can handle sustained load of 200 - 300 RPS For 15 seconds, it was able to handle 1000 RPS with stats: Min: 0.001s, Max: 0.2s, Mean: 0.013s Percentile 90: 0.026s, Percentile 95: 0.034s Percentile 99: 0.099s Medium machine - 2 CPUs, 4 GB of memory Can handle sustained load of 500 - 1000 RPS For 15 seconds, it was able to handle 1000 RPS with stats: Min: 0.001s, Max: 0.135s, Mean: 0.004s Percentile 90: 0.007s, Percentile 95: 0.01s Percentile 99: 0.023s Large machine - 4 CPUs, 8 GB of memory Can handle sustained load of 2000 - 3000 RPS For 15 seconds, it was able to handle 4000 RPS with stats: Min: 0.0s, (less than 1ms), Max: 1.05s, Mean: 0.058s Percentile 90: 0.124s, Percentile 95: 0.353s Percentile 99: 0.746s Huge machine - 8 CPUs, 16 GB of memory (not tested) Most likely can handle sustained load of 4000 - 6000 RPS <!-- SC_ON --> submitted by /u/BinaryIgor (https://www.reddit.com/user/BinaryIgor)
[link] (https://binaryigor.com/how-many-http-requests-can-a-single-machine-handle.html) [comments] (https://www.reddit.com/r/programming/comments/1p5gins/how_many_http_requestssecond_can_a_single_machine/)
https://www.reddit.com/r/programming/comments/1p5gins/how_many_http_requestssecond_can_a_single_machine/
<!-- SC_OFF -->When designing systems and deciding on the architecture, the use of microservices and other complex solutions is often justified on the basis of predicted performance and scalability needs. Out of curiosity then, I decided to tests the performance limits of an extremely simple approach, the simplest possible one: A single instance of an application, with a single instance of a database, deployed to a single machine. To resemble real-world use cases as much as possible, we have the following: Java 21-based REST API built with Spring Boot 3 and using Virtual Threads PostgreSQL as a database, loaded with over one million rows of data External volume for the database - it does not write to the local file system Realistic load characteristics: tests consist primarily of read requests with approximately 20% of writes. They call our REST API which makes use of the PostgreSQL database with a reasonable amount of data (over one million rows) Single Machine in a few versions: 1 CPU, 2 GB of memory 2 CPUs, 4 GB of memory 4 CPUs, 8 GB of memory Single LoadTest file as a testing tool - running on 4 test machines, in parallel, since we usually have many HTTP clients, not just one Everything built and running in Docker DigitalOcean as the infrastructure provider As we can see the results at the bottom: a single machine, with a single database, can handle a lot - way more than most of us will ever need. Unless we have extreme load and performance needs, microservices serve mostly as an organizational tool, allowing many teams to work in parallel more easily. Performance doesn't justify them. The results: Small machine - 1 CPU, 2 GB of memory Can handle sustained load of 200 - 300 RPS For 15 seconds, it was able to handle 1000 RPS with stats: Min: 0.001s, Max: 0.2s, Mean: 0.013s Percentile 90: 0.026s, Percentile 95: 0.034s Percentile 99: 0.099s Medium machine - 2 CPUs, 4 GB of memory Can handle sustained load of 500 - 1000 RPS For 15 seconds, it was able to handle 1000 RPS with stats: Min: 0.001s, Max: 0.135s, Mean: 0.004s Percentile 90: 0.007s, Percentile 95: 0.01s Percentile 99: 0.023s Large machine - 4 CPUs, 8 GB of memory Can handle sustained load of 2000 - 3000 RPS For 15 seconds, it was able to handle 4000 RPS with stats: Min: 0.0s, (less than 1ms), Max: 1.05s, Mean: 0.058s Percentile 90: 0.124s, Percentile 95: 0.353s Percentile 99: 0.746s Huge machine - 8 CPUs, 16 GB of memory (not tested) Most likely can handle sustained load of 4000 - 6000 RPS <!-- SC_ON --> submitted by /u/BinaryIgor (https://www.reddit.com/user/BinaryIgor)
[link] (https://binaryigor.com/how-many-http-requests-can-a-single-machine-handle.html) [comments] (https://www.reddit.com/r/programming/comments/1p5gins/how_many_http_requestssecond_can_a_single_machine/)
A bug fixing journey when writing a C++ Code Search Engine: std::string is not that simple
https://www.reddit.com/r/programming/comments/1p5h0c4/a_bug_fixing_journey_when_writing_a_c_code_search/
<!-- SC_OFF -->Hi everyone, I built a code search engine called Coogle (inspired by Haskell's Hoogle) to help navigate our massive legacy C/C++ codebase. While building the parser, I ran into a confusing bug where I couldn't find functions returning std::string. It turned out std::string doesn't really exist in the AST—it's a typedef for a template monster. I wrote a blog post about: Why C's char type is tricky (it's a byte, not a character). How std::string works under the hood How std::string_view is so similar to the Linux Kernel's qstr. Link: Back to Basics: From C char to string_view (Notes from building Coogle) (https://thecloudlet.github.io/blog/cpp/cpp-string/) If you are building dev tools or indexers, hopefully, this saves you some debug time. <!-- SC_ON --> submitted by /u/ypaskell (https://www.reddit.com/user/ypaskell)
[link] (https://thecloudlet.github.io/blog/cpp/cpp-string/) [comments] (https://www.reddit.com/r/programming/comments/1p5h0c4/a_bug_fixing_journey_when_writing_a_c_code_search/)
https://www.reddit.com/r/programming/comments/1p5h0c4/a_bug_fixing_journey_when_writing_a_c_code_search/
<!-- SC_OFF -->Hi everyone, I built a code search engine called Coogle (inspired by Haskell's Hoogle) to help navigate our massive legacy C/C++ codebase. While building the parser, I ran into a confusing bug where I couldn't find functions returning std::string. It turned out std::string doesn't really exist in the AST—it's a typedef for a template monster. I wrote a blog post about: Why C's char type is tricky (it's a byte, not a character). How std::string works under the hood How std::string_view is so similar to the Linux Kernel's qstr. Link: Back to Basics: From C char to string_view (Notes from building Coogle) (https://thecloudlet.github.io/blog/cpp/cpp-string/) If you are building dev tools or indexers, hopefully, this saves you some debug time. <!-- SC_ON --> submitted by /u/ypaskell (https://www.reddit.com/user/ypaskell)
[link] (https://thecloudlet.github.io/blog/cpp/cpp-string/) [comments] (https://www.reddit.com/r/programming/comments/1p5h0c4/a_bug_fixing_journey_when_writing_a_c_code_search/)
Shaders
https://www.reddit.com/r/programming/comments/1p5i0o4/shaders/
submitted by /u/DifficultSecretary22 (https://www.reddit.com/user/DifficultSecretary22)
[link] (https://www.makingsoftware.com/chapters/shaders) [comments] (https://www.reddit.com/r/programming/comments/1p5i0o4/shaders/)
https://www.reddit.com/r/programming/comments/1p5i0o4/shaders/
submitted by /u/DifficultSecretary22 (https://www.reddit.com/user/DifficultSecretary22)
[link] (https://www.makingsoftware.com/chapters/shaders) [comments] (https://www.reddit.com/r/programming/comments/1p5i0o4/shaders/)
Sha1-Hulud The Second Comming - Postman, Zapier, PostHog all compromised via NPM
https://www.reddit.com/r/programming/comments/1p5i31d/sha1hulud_the_second_comming_postman_zapier/
<!-- SC_OFF -->In September, a self-propagating worm called Sha1-Hulud came into action. A new version is now spreading and it is much much worse! Link: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains The mechanics are basically the same, It infected NPM packages with stolen developer tokens. The malware uses preinstall script to run malware on a victim machine, scans for secrets, steals them and publishes them on GitHub in a public repository. It then uses stolen NPM tokens to infect more packages. In September, it never made critical mass... But now it looks like it has. So far, over 28,000 GitHub repositories have been made with the description "Sha1-Hulud: The Second Coming". These repos have the stolen secrets inside them encoded in Base64. https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming&ref=opensearch&type=repositories We first published about this after our discover at 09:25 CET but it has since got much worse. https://x.com/AikidoSecurity/status/1992872292745888025 At the start, the most significant compromise was Zapier (we still think this is the most likely first seed), but as the propagation started to pick up steam, we quickly saw other big names like PostMan and PostHog also fall. Technical details of the attack The malicious packages execute code in the preinstall lifecycle script. Payload names include files like setup_bun.js and bun_environment.js. On infection, the malware: Registers the machine as a “self-hosted runner” named “SHA1HULUD” and injects a GitHub Actions workflow (.github/workflows/discussion.yaml) to allow arbitrary commands via GitHub discussions. Exfiltrates secrets via another workflow (formatter_123456789.yml) that uploads secrets as artifacts, then deletes traces (branch & workflow) to hide. Targets cloud credentials across AWS, Azure, GCP: reads environment variables, metadata services, credentials files; tries privilege escalation (e.g., via Docker container breakout) and persistent access. Impact & Affected Package We are updating our blog as we go, at time of writing this its 425 packages covering 132 million weekly downloads total Compromised Zaiper Packages zapier/ai-actions zapier/ai-actions-react zapier/babel-preset-zapier zapier/browserslist-config-zapier zapier/eslint-plugin-zapier zapier/mcp-integration zapier/secret-scrubber zapier/spectral-api-ruleset zapier/stubtree zapier/zapier-sdk zapier-async-storage zapier-platform-cli zapier-platform-core zapier-platform-legacy-scripting-runner zapier-platform-schema zapier-scripts Compromised Postman Packages postman/aether-icons postman/csv-parse postman/final-node-keytar postman/mcp-ui-client postman/node-keytar postman/pm-bin-linux-x64 postman/pm-bin-macos-arm64 postman/pm-bin-macos-x64 postman/pm-bin-windows-x64 postman/postman-collection-fork postman/postman-mcp-cli postman/postman-mcp-server postman/pretty-ms postman/secret-scanner-wasm postman/tunnel-agent postman/wdio-allure-reporter postman/wdio-junit-reporter Compromised Post Hog Packages posthog/agent posthog/ai posthog/automatic-cohorts-plugin posthog/bitbucket-release-tracker posthog/cli posthog/clickhouse posthog/core posthog/currency-normalization-plugin posthog/customerio-plugin posthog/databricks-plugin posthog/drop-events-on-property-plugin posthog/event-sequence-timer-plugin posthog/filter-out-plugin posthog/first-time-event-tracker posthog/geoip-plugin posthog/github-release-tracking-plugin posthog/gitub-star-sync-plugin posthog/heartbeat-plugin posthog/hedgehog-mode posthog/icons posthog/ingestion-alert-plugin posthog/intercom-plugin posthog/kinesis-plugin posthog/laudspeaker-plugin posthog/lemon-ui posthog/maxmind-plugin posthog/migrator3000-plugin posthog/netdata-event-processing posthog/nextjs posthog/nextjs-config posthog/nuxt
https://www.reddit.com/r/programming/comments/1p5i31d/sha1hulud_the_second_comming_postman_zapier/
<!-- SC_OFF -->In September, a self-propagating worm called Sha1-Hulud came into action. A new version is now spreading and it is much much worse! Link: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains The mechanics are basically the same, It infected NPM packages with stolen developer tokens. The malware uses preinstall script to run malware on a victim machine, scans for secrets, steals them and publishes them on GitHub in a public repository. It then uses stolen NPM tokens to infect more packages. In September, it never made critical mass... But now it looks like it has. So far, over 28,000 GitHub repositories have been made with the description "Sha1-Hulud: The Second Coming". These repos have the stolen secrets inside them encoded in Base64. https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming&ref=opensearch&type=repositories We first published about this after our discover at 09:25 CET but it has since got much worse. https://x.com/AikidoSecurity/status/1992872292745888025 At the start, the most significant compromise was Zapier (we still think this is the most likely first seed), but as the propagation started to pick up steam, we quickly saw other big names like PostMan and PostHog also fall. Technical details of the attack The malicious packages execute code in the preinstall lifecycle script. Payload names include files like setup_bun.js and bun_environment.js. On infection, the malware: Registers the machine as a “self-hosted runner” named “SHA1HULUD” and injects a GitHub Actions workflow (.github/workflows/discussion.yaml) to allow arbitrary commands via GitHub discussions. Exfiltrates secrets via another workflow (formatter_123456789.yml) that uploads secrets as artifacts, then deletes traces (branch & workflow) to hide. Targets cloud credentials across AWS, Azure, GCP: reads environment variables, metadata services, credentials files; tries privilege escalation (e.g., via Docker container breakout) and persistent access. Impact & Affected Package We are updating our blog as we go, at time of writing this its 425 packages covering 132 million weekly downloads total Compromised Zaiper Packages zapier/ai-actions zapier/ai-actions-react zapier/babel-preset-zapier zapier/browserslist-config-zapier zapier/eslint-plugin-zapier zapier/mcp-integration zapier/secret-scrubber zapier/spectral-api-ruleset zapier/stubtree zapier/zapier-sdk zapier-async-storage zapier-platform-cli zapier-platform-core zapier-platform-legacy-scripting-runner zapier-platform-schema zapier-scripts Compromised Postman Packages postman/aether-icons postman/csv-parse postman/final-node-keytar postman/mcp-ui-client postman/node-keytar postman/pm-bin-linux-x64 postman/pm-bin-macos-arm64 postman/pm-bin-macos-x64 postman/pm-bin-windows-x64 postman/postman-collection-fork postman/postman-mcp-cli postman/postman-mcp-server postman/pretty-ms postman/secret-scanner-wasm postman/tunnel-agent postman/wdio-allure-reporter postman/wdio-junit-reporter Compromised Post Hog Packages posthog/agent posthog/ai posthog/automatic-cohorts-plugin posthog/bitbucket-release-tracker posthog/cli posthog/clickhouse posthog/core posthog/currency-normalization-plugin posthog/customerio-plugin posthog/databricks-plugin posthog/drop-events-on-property-plugin posthog/event-sequence-timer-plugin posthog/filter-out-plugin posthog/first-time-event-tracker posthog/geoip-plugin posthog/github-release-tracking-plugin posthog/gitub-star-sync-plugin posthog/heartbeat-plugin posthog/hedgehog-mode posthog/icons posthog/ingestion-alert-plugin posthog/intercom-plugin posthog/kinesis-plugin posthog/laudspeaker-plugin posthog/lemon-ui posthog/maxmind-plugin posthog/migrator3000-plugin posthog/netdata-event-processing posthog/nextjs posthog/nextjs-config posthog/nuxt
posthog/pagerduty-plugin posthog/piscina posthog/plugin-contrib posthog/plugin-server posthog/plugin-unduplicates posthog/postgres-plugin posthog/react-rrweb-player posthog/rrdom posthog/rrweb posthog/rrweb-player posthog/rrweb-record posthog/rrweb-replay posthog/rrweb-snapshot posthog/rrweb-utils posthog/sendgrid-plugin posthog/siphash posthog/snowflake-export-plugin posthog/taxonomy-plugin posthog/twilio-plugin posthog/twitter-followers-plugin posthog/url-normalizer-plugin posthog/variance-plugin posthog/web-dev-server posthog/wizard posthog/zendesk-plugin posthog-docusaurus posthog-js posthog-node posthog-plugin-hello-world posthog-react-native posthog-react-native-session-replay What to do if you’re impacted (or want to protect yourself) Search Immediately remove/replace any compromised packages. Clear npm cache (npm cache clean --force), delete node_modules, reinstall clean. (This will prevent reinfection) Rotate all credentials: npm tokens, GitHub PATs, SSH keys, cloud credentials. Enforce MFA (ideally phishing-resistant) for developers + CI/CD accounts. Audit GitHub & CI/CD pipelines: search for new repos with description “Sha1-Hulud: The Second Coming”, look for unauthorized workflows or commits, monitor for unexpected npm publishes. Implement something like Safe-Chain to prevent malicious packages from getting installed https://github.com/AikidoSec/safe-chain Links Blog Post: https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains First Social Posts https://www.linkedin.com/posts/advocatemack_zapier-supply-chain-compromise-alert-in-activity-7398643172815421440-egmk <!-- SC_ON --> submitted by /u/Advocatemack (https://www.reddit.com/user/Advocatemack)
[link] (https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) [comments] (https://www.reddit.com/r/programming/comments/1p5i31d/sha1hulud_the_second_comming_postman_zapier/)
[link] (https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) [comments] (https://www.reddit.com/r/programming/comments/1p5i31d/sha1hulud_the_second_comming_postman_zapier/)
Assert in production
https://www.reddit.com/r/programming/comments/1p5jdqe/assert_in_production/
<!-- SC_OFF -->Why your code should crash more <!-- SC_ON --> submitted by /u/dtornow (https://www.reddit.com/user/dtornow)
[link] (https://dtornow.substack.com/p/assert-in-production) [comments] (https://www.reddit.com/r/programming/comments/1p5jdqe/assert_in_production/)
https://www.reddit.com/r/programming/comments/1p5jdqe/assert_in_production/
<!-- SC_OFF -->Why your code should crash more <!-- SC_ON --> submitted by /u/dtornow (https://www.reddit.com/user/dtornow)
[link] (https://dtornow.substack.com/p/assert-in-production) [comments] (https://www.reddit.com/r/programming/comments/1p5jdqe/assert_in_production/)
Supply and Demand Are Broken in Programming Education
https://www.reddit.com/r/programming/comments/1p5k8dl/supply_and_demand_are_broken_in_programming/
submitted by /u/wagslane (https://www.reddit.com/user/wagslane)
[link] (https://blog.boot.dev/jobs/supply-demand-broken-programming-education/) [comments] (https://www.reddit.com/r/programming/comments/1p5k8dl/supply_and_demand_are_broken_in_programming/)
https://www.reddit.com/r/programming/comments/1p5k8dl/supply_and_demand_are_broken_in_programming/
submitted by /u/wagslane (https://www.reddit.com/user/wagslane)
[link] (https://blog.boot.dev/jobs/supply-demand-broken-programming-education/) [comments] (https://www.reddit.com/r/programming/comments/1p5k8dl/supply_and_demand_are_broken_in_programming/)
Building Modern Databases with the FDAP Stack • Andrew Lamb & Olimpiu Pop
https://www.reddit.com/r/programming/comments/1p5lejy/building_modern_databases_with_the_fdap_stack/
submitted by /u/goto-con (https://www.reddit.com/user/goto-con)
[link] (https://youtu.be/Gd-mhbiy8Vo?list=PLEx5khR4g7PJozVmHNpQTVrk1QRC7YaJu) [comments] (https://www.reddit.com/r/programming/comments/1p5lejy/building_modern_databases_with_the_fdap_stack/)
https://www.reddit.com/r/programming/comments/1p5lejy/building_modern_databases_with_the_fdap_stack/
submitted by /u/goto-con (https://www.reddit.com/user/goto-con)
[link] (https://youtu.be/Gd-mhbiy8Vo?list=PLEx5khR4g7PJozVmHNpQTVrk1QRC7YaJu) [comments] (https://www.reddit.com/r/programming/comments/1p5lejy/building_modern_databases_with_the_fdap_stack/)
Backend-driven SwiftUI
https://www.reddit.com/r/programming/comments/1p5lfwh/backenddriven_swiftui/
submitted by /u/jacobs-tech-tavern (https://www.reddit.com/user/jacobs-tech-tavern)
[link] (https://blog.jacobstechtavern.com/p/backend-driven-swiftui) [comments] (https://www.reddit.com/r/programming/comments/1p5lfwh/backenddriven_swiftui/)
https://www.reddit.com/r/programming/comments/1p5lfwh/backenddriven_swiftui/
submitted by /u/jacobs-tech-tavern (https://www.reddit.com/user/jacobs-tech-tavern)
[link] (https://blog.jacobstechtavern.com/p/backend-driven-swiftui) [comments] (https://www.reddit.com/r/programming/comments/1p5lfwh/backenddriven_swiftui/)
Why Electronic Voting is a BAD Idea - Why you can't program your way to election integrity
https://www.reddit.com/r/programming/comments/1p5m5n2/why_electronic_voting_is_a_bad_idea_why_you_cant/
submitted by /u/grauenwolf (https://www.reddit.com/user/grauenwolf)
[link] (https://www.youtube.com/watch?v=w3_0x6oaDmI) [comments] (https://www.reddit.com/r/programming/comments/1p5m5n2/why_electronic_voting_is_a_bad_idea_why_you_cant/)
https://www.reddit.com/r/programming/comments/1p5m5n2/why_electronic_voting_is_a_bad_idea_why_you_cant/
submitted by /u/grauenwolf (https://www.reddit.com/user/grauenwolf)
[link] (https://www.youtube.com/watch?v=w3_0x6oaDmI) [comments] (https://www.reddit.com/r/programming/comments/1p5m5n2/why_electronic_voting_is_a_bad_idea_why_you_cant/)
Build a Compiler in Five Projects
https://www.reddit.com/r/programming/comments/1p5op5t/build_a_compiler_in_five_projects/
submitted by /u/azhenley (https://www.reddit.com/user/azhenley)
[link] (https://kmicinski.com/functional-programming/2025/11/23/build-a-language/) [comments] (https://www.reddit.com/r/programming/comments/1p5op5t/build_a_compiler_in_five_projects/)
https://www.reddit.com/r/programming/comments/1p5op5t/build_a_compiler_in_five_projects/
submitted by /u/azhenley (https://www.reddit.com/user/azhenley)
[link] (https://kmicinski.com/functional-programming/2025/11/23/build-a-language/) [comments] (https://www.reddit.com/r/programming/comments/1p5op5t/build_a_compiler_in_five_projects/)
Evolution of Rust compiler errors
https://www.reddit.com/r/programming/comments/1p5swj8/evolution_of_rust_compiler_errors/
submitted by /u/Active-Fuel-49 (https://www.reddit.com/user/Active-Fuel-49)
[link] (https://kobzol.github.io/rust/rustc/2025/05/16/evolution-of-rustc-errors.html) [comments] (https://www.reddit.com/r/programming/comments/1p5swj8/evolution_of_rust_compiler_errors/)
https://www.reddit.com/r/programming/comments/1p5swj8/evolution_of_rust_compiler_errors/
submitted by /u/Active-Fuel-49 (https://www.reddit.com/user/Active-Fuel-49)
[link] (https://kobzol.github.io/rust/rustc/2025/05/16/evolution-of-rustc-errors.html) [comments] (https://www.reddit.com/r/programming/comments/1p5swj8/evolution_of_rust_compiler_errors/)
How I resolved the golang struct field name conundrum
https://www.reddit.com/r/programming/comments/1p5t024/how_i_resolved_the_golang_struct_field_name/
<!-- SC_OFF -->I explain a few methods to retrieve a struct field name, going from a runtime to a code generation solutions.
I wonder, how do you resolve this challenge in your language of choice ? <!-- SC_ON --> submitted by /u/Turbulent_Zone157 (https://www.reddit.com/user/Turbulent_Zone157)
[link] (https://alvarolm.github.io/named) [comments] (https://www.reddit.com/r/programming/comments/1p5t024/how_i_resolved_the_golang_struct_field_name/)
https://www.reddit.com/r/programming/comments/1p5t024/how_i_resolved_the_golang_struct_field_name/
<!-- SC_OFF -->I explain a few methods to retrieve a struct field name, going from a runtime to a code generation solutions.
I wonder, how do you resolve this challenge in your language of choice ? <!-- SC_ON --> submitted by /u/Turbulent_Zone157 (https://www.reddit.com/user/Turbulent_Zone157)
[link] (https://alvarolm.github.io/named) [comments] (https://www.reddit.com/r/programming/comments/1p5t024/how_i_resolved_the_golang_struct_field_name/)
Misunderstanding that “Dependency” comic
https://www.reddit.com/r/programming/comments/1p5u95a/misunderstanding_that_dependency_comic/
submitted by /u/radarvan07 (https://www.reddit.com/user/radarvan07)
[link] (https://bertptrs.nl/2025/11/24/misunderstanding-that-dependency-comic.html) [comments] (https://www.reddit.com/r/programming/comments/1p5u95a/misunderstanding_that_dependency_comic/)
https://www.reddit.com/r/programming/comments/1p5u95a/misunderstanding_that_dependency_comic/
submitted by /u/radarvan07 (https://www.reddit.com/user/radarvan07)
[link] (https://bertptrs.nl/2025/11/24/misunderstanding-that-dependency-comic.html) [comments] (https://www.reddit.com/r/programming/comments/1p5u95a/misunderstanding_that_dependency_comic/)