Monday, March 30, 2026
Inspiration
Axios compromised on npm – Malicious versions drop remote access trojan
On March 30, two malicious versions of Axios — a JavaScript HTTP client with over 100 million weekly downloads — were published to npm: axios@1.14.1 and axios@0.30.4. They inject a fake dependency, plain-crypto-js@4.2.1, whose sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan dropper targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection. A developer who inspects node_modules afterward will find no indication anything went wrong. The attack was staged 18 hours in advance. Three OS-specific payloads were pre-built. Within two seconds of npm install, the malware was already calling home before npm had even finished resolving dependencies. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
Claude Code's source code has been leaked via a map file in their NPM registry
Claude Code's source code was leaked via a map file in Anthropic's own NPM registry. The map file — intended for debugging — exposed the internals of one of the most widely used AI coding agents. An agent built on trust, whose source was hidden, exposed by an accident of deployment. The tension between open tooling and proprietary systems runs through every layer of the AI stack.
Artemis II is not safe to fly
An essay making the case that NASA's Artemis II — the crewed lunar orbit mission — has serious, documented safety concerns that make it not ready to fly. It is a quiet counterpoint to the other two stories: trust placed in systems that may not deserve it, decisions made by institutions rather than individuals, and the question of who gets to say no when the stakes are highest.