MERGE CONFLICT DIGEST
September 22, 2025

Security & Vulnerabilities 🛡️

New Infostealer Campaign Targeting Mac Users via GitHub Pages Claiming to Offer LastPass Premium (3 minutes read)
#GitHub #LastPass

LastPass has detected a widespread infostealer campaign targeting Mac users through fraudulent GitHub repositories. The threat actors use SEO to deliver links to malicious sites appearing in search results on Bing and Google, specifically targeting tech firms, financial institutions, password managers, and other companies. LastPass has removed two tainted sites.

Electron App Vulnerabilities testcases (8 minutes read)
#Electron #NodeJS #VSCode

A vulnerability was discovered in Notable, an open-source note-taking app built using Electron, due to a misconfiguration of nodeIntegration. This allowed Remote Code Execution (RCE) through Cross-Site Scripting (XSS) and Local File Inclusion (LFI). To mitigate this, VSCode tightened security by enabling Context Isolation and disabling nodeIntegration in Electron.

Secure Server Access with Teleport (1 minute read)
#Teleport

Managing access to Linux virtual machines can be a challenge for DevOps professionals because of the security risks and inefficiencies of traditional methods. Sharing SSH keys, local usernames and passwords, and onboarding/offboarding processes are prone to errors and insecure password reuse, leading to potential security holes. Teleport offers a more secure solution for shared access.

GNOME Screen Reader Improvement Help Needed from Orca Users
#GNOME #Orca

A user from the r/gnome subreddit is seeking help from Orca screen reader users to improve GNOME's accessibility features. They've gathered feedback from other accessibility users but want a closer collaboration with Orca enthusiasts. The team recommends volunteers on this subreddit to assist in enhancing screen reading capabilities of various GNOME apps through a collaborative relationship.

DevOps & Operations 🚀

Kernel: Introduce Multikernel Architecture Support
#Multikernel #LinuxKernel #AndrewMorton

The Linux kernel community has been informed of a proposed RFC patch introducing support for the multikernel architecture, which aims to provide a flexible and modular approach to kernel design, allowing multiple independent kernels to run concurrently on the same system. Key maintainers, including Andrew Morton, are discussing the patch.

Is the Future of DevOps DaaS?
#DevOps #DaaS

DevOps as a service is gaining traction as organizations shift away from DIY automation methods. The solution has evolved to address software pipeline management complexity, raising questions about whether companies need their own infrastructure or can rely on cloud-based services for DevOps lifecycle management, blurring the lines of in-house and external management.

From Legacy to GitOps: A Roadmap for Enterprise Modernization
#GitOps #Bazel #CI/CD

GitOps is a methodology that enables enterprises to modernize legacy infrastructure by adopting automation, governance, and resilience strategies at scale. Tools like GitHub, GitLab, and OpsRamp support this approach, particularly with Bazel for software supply chain management. This transformation prioritizes automation, data-driven decision-making, and CI/CD pipelines for efficient and reliable infrastructure management.

Products & Industry Moves 🚀

Agentic feature flags (8 minutes read)
#FeatureFlags

As coding agents become increasingly prevalent, organizations face challenges such as merge conflicts and bugs, highlighting the need for solutions like feature flags. By creating temporary "flags" around specific code changes, teams can review, test, and deploy flagged code faster and more securely, reducing risks associated with autonomous coding agents.

Risks & Criticism ⚠️

Sneaky Code Bites Back (10 minutes read)
#Promises #Refactoring

A database abstraction layer's author inadvertently created complex code through "sneaky" design decisions, introducing a deferred loading pattern that resulted in three levels of proxies and Promise memoization. Refactoring to explicit driver injection simplified the code, made it easier to understand, and improved error handling, serving as a cautionary tale about over-engineering.

Meta CTO explains the cause of its embarrassing smart glasses demo failures (2 minutes read)
#Meta #WhatsApp

Meta's Connect keynote event took an embarrassing turn when two glitches prevented Mark Zuckerberg from demonstrating smart glasses' features. A "never-before-seen bug" isolated during testing caused issues, including skipping ahead and display shutdowns during WhatsApp video calls. The bugs have since been fixed by Meta's Chief Technology Officer Andrew Bosworth.

ChatGPT tricked to swipe sensitive data from Gmail (2 minutes read)
#ChatGPT #AgenticAI

In an attack dubbed Shadow Leak, security researchers exploited a Gmail vulnerability using ChatGPT as a "co-conspirator" to steal sensitive data without alerting users. The attack relied on a quirk in AI agents' behavior and the fact that they can act autonomously without constant oversight. This highlights risks associated with agentic AI, including rigging peer review and scams.

Frontier & Speculative Ideas 🔮

Hired Through GitHub (8 minutes read)
#GitHub

Zed Industries' approach to finding and retaining top talent lies in open source collaboration and a passion for craftsmanship. Contributions like Junkui Zhang's 10-month overhaul of Zed's Windows version and Anthony Eid's successful debugger project showcase the team's ability to work together seamlessly, highlighting Zed's unique pair-heavy culture as key to its success.

AI in Society & Economy 🌍

The strongest argument for smart glasses is accessibility
#RayBanDisplay

Meta has announced the Meta Ray-Ban Display smart glasses, featuring a built-in monocular display for invisible viewing. This technology is already helping disabled communities live independently and is expected to revolutionize smart glasses. The device made a strong impression at Meta Connect 2025, boasting impressive capabilities, but availability details remain unclear.

Software Development & Engineering 💻

My computer science RELEARNING progress logs (11 minutes read)
#DataStructures #Algorithms #DevOps

The author recounts their three-month self-study journey in computer science, initially focusing on software engineering and computer networks before shifting to practical skills like Data Structures and Computer Organization and Architecture due to burnout. They now prioritize career-oriented skills for an upcoming exam, focusing on data structures, algorithms, and DevOps/DBA.

A Developer's Guide to Negative API Testing (13 minutes read)
#NegativeTesting #API

A comprehensive guide to negative testing APIs highlights the importance of validating input boundaries and protocol edge cases to ensure secure API development. The guide covers various techniques for identifying vulnerabilities such as numeric overflows, Unicode injection, and HTTP method confusion, emphasizing the need for thorough negative testing to build reliable and secure APIs.

Netflix's Livestreaming Disaster: The Engineering Challenge of Streaming at Scale (7 minutes read)
#Streaming

Netflix's attempt at live streaming Mike Tyson vs. Jake Paul ended in disaster due to buffering issues and a "black screen of death" affecting over 65 million concurrent viewers. The service struggled despite being prepared for three years, citing inadequate infrastructure for static content, oversubscribed bandwidth by ISPs, and scaling hardware challenges.

Published by Merge Conflict Digest