devtake.dev — GitHub

devtake.dev — GitHubArticles on devtake.dev covering GitHub.https://devtake.dev/en-usRed Hat's npm namespace and Arch's AUR were both backdoored within two weeks of each otherhttps://devtake.dev/article/npm-registry-supply-chain-wave/https://devtake.dev/article/npm-registry-supply-chain-wave/A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.Sat, 13 Jun 2026 12:45:00 GMTsecuritysecuritysupply-chainnpmopen-sourcemalwareluca-reinhardtGitHub banned the researcher dropping Windows zero-days. The code was already mirrored everywhere.https://devtake.dev/article/github-bans-researcher-windows-zero-day/https://devtake.dev/article/github-bans-researcher-windows-zero-day/GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?Fri, 29 May 2026 06:50:00 GMTsecuritysecuritygithubvulnerability-disclosurezero-daymicrosoftwindowssupply-chainrceluca-reinhardtSQLite won't accept AI-written code, but QEMU just opened the door to ithttps://devtake.dev/article/sqlite-refuses-agentic-code-qemu-opens-door/https://devtake.dev/article/sqlite-refuses-agentic-code-qemu-opens-door/Two of the most cautious C projects split on AI contributions in the same week. The real fight is over copyright provenance and who cleans up the slop.Fri, 29 May 2026 05:35:00 GMTopen-sourceopen-sourcesqliteqemuai-codingagentic-codingmaintainerslicensingllmsoren-vanekMicrosoft is canceling Claude Code for its engineers. They have until June 30 to switch to Copilot CLI.https://devtake.dev/article/microsoft-cancels-claude-code-licenses/https://devtake.dev/article/microsoft-cancels-claude-code-licenses/Internal Claude Code licenses end June 30, 2026, for Microsoft's Experiences + Devices group. Engineers move to GitHub Copilot CLI instead.Sat, 23 May 2026 10:00:00 GMTaimicrosoftanthropicclaude-codegithub-copilotcopilot-cliai-assistantagentic-codingdieter-morelliKarpathy posted four notes about Claude Code. The CLAUDE.md they spawned has 110K GitHub stars.https://devtake.dev/article/karpathy-claude-md-github-trending/https://devtake.dev/article/karpathy-claude-md-github-trending/Forrest Chang turned Andrej Karpathy's January coding thread into a 70-line CLAUDE.md. It now has 110,000+ stars and has trended on GitHub for 28 weeks.Fri, 22 May 2026 10:30:00 GMTaiandrej-karpathyclaude-codeclaudeai-agentsagentic-codingai-assistantgithubdev-toolsdieter-morelliGitHub's internal repos were breached. The attacker came in through a poisoned VS Code extension.https://devtake.dev/article/github-internal-repos-breach-vscode-extension/https://devtake.dev/article/github-internal-repos-breach-vscode-extension/GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.Fri, 22 May 2026 10:15:00 GMTsecuritysecuritygithubvscodesupply-chaincredential-theftdev-toolsluca-reinhardtA CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.https://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/https://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.Thu, 21 May 2026 11:15:00 GMTsecuritysecuritycisagithubsupply-chaincredential-theftawsgitguardiangovcloudluca-reinhardtBun's million-line Rust rewrite is now mainline. 99.8% of tests pass and 13,000 unsafe blocks remain.https://devtake.dev/article/bun-rust-rewrite-merged/https://devtake.dev/article/bun-rust-rewrite-merged/Jarred Sumner merged the Bun-in-Rust PR on May 14, ending Zig as Bun's runtime language. Binary shrinks 3-8 MB; one analysis counted 13,000 unsafe blocks.Fri, 15 May 2026 09:15:00 GMTopen-sourcebunrustzigjavascriptruntimeanthropicclaude-codeagentic-codingsoren-vanekTanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.Tue, 12 May 2026 10:15:00 GMTsecuritysecuritysupply-chainnpmtanstackgithub-actionscredential-theftdev-toolsluca-reinhardtGitLab is cutting staff and killing its CREDIT values. The CEO calls it 'Act 2.'https://devtake.dev/article/gitlab-act-2-workforce-reduction/https://devtake.dev/article/gitlab-act-2-workforce-reduction/CEO Bill Staples announced a restructuring he frames around agentic AI, retiring GitLab's six core values for three new operating principles. Exact layoff numbers come June 2.Tue, 12 May 2026 10:00:00 GMTwebgitlablayoffsrestructuringai-agentsdev-toolsdevopsagentic-codingnaomi-parkRPCS3's maintainers will ban contributors who submit undisclosed AI pull requestshttps://devtake.dev/article/rpcs3-ai-slop-pull-requests-policy/https://devtake.dev/article/rpcs3-ai-slop-pull-requests-policy/The PS3 emulator project posted on X on May 10, citing 'AI slop' that has been clogging review. The hard line: ban-on-sight if you don't disclose.Mon, 11 May 2026 10:15:00 GMTopen-sourceopen-sourcerpcs3emulatorgithubai-codingai-slopplaystation-3contributorssoren-vanekVS Code shipped 'Co-Authored-by Copilot' on every commit by default. Microsoft is reverting it.https://devtake.dev/article/vscode-ai-coauthor-default-pr-310226/https://devtake.dev/article/vscode-ai-coauthor-default-pr-310226/A two-line PR flipped the AI co-author flag from off to all in April. Hand-typed commits started getting Copilot attribution. The maintainer apologized and promised a fix in 1.119.Tue, 05 May 2026 09:15:00 GMTwebgithub-copilotvscodemicrosoftdev-toolsai-coauthorgitjavascriptai-assistantluca-reinhardtGitHub Copilot's Claude Opus multiplier jumps to 27x on June 1. Monthly plans dodge the hike.https://devtake.dev/article/github-copilot-multiplier-hike-june-2026/https://devtake.dev/article/github-copilot-multiplier-hike-june-2026/GitHub's new model multiplier table for Copilot Pro and Pro+ annual plans lands June 1. Opus 4.6 goes 3 to 27. Sonnet 4.6 goes 1 to 9.Mon, 04 May 2026 10:45:00 GMTaigithub-copilotgithubai-agentspricingmicrosoftanthropicclaude-opusdev-toolsdieter-morelliZed 1.0 ships its agentic editor. The Atom team's Rust rewrite finally has a stable label.https://devtake.dev/article/zed-1-0-rust-editor-launch/https://devtake.dev/article/zed-1-0-rust-editor-launch/Zed Industries shipped 1.0 on April 29 after five years of Rust and GPU work. Free forever for humans, with $10/month hosted AI and an open Agent Client Protocol.Thu, 30 Apr 2026 09:30:00 GMTopen-sourcezedrustdev-toolsagentic-codingopen-sourcecursorcode-editorsai-assistantsoren-vanekMitchell Hashimoto is pulling Ghostty off GitHub. The reason is daily outages.https://devtake.dev/article/ghostty-leaving-github-mitchell-hashimoto/https://devtake.dev/article/ghostty-leaving-github-mitchell-hashimoto/Ghostty's creator has tracked GitHub outages every workday for months. After 18 years on the platform, he's moving the project. A read-only mirror stays.Wed, 29 Apr 2026 09:25:00 GMTopen-sourceghosttygithubopen-sourcedev-toolsmitchell-hashimototerminalhashicorpsoren-vanekWiz found an RCE in GitHub's git-push pipeline. The patch shipped in six hours.https://devtake.dev/article/github-rce-cve-2026-3854-wiz/https://devtake.dev/article/github-rce-cve-2026-3854-wiz/CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.Wed, 29 Apr 2026 09:05:00 GMTsecuritygithubsecuritycve-2026-3854rcesupply-chainwizgithub-actionsdev-toolsluca-reinhardtGitHub Copilot kills premium requests on June 1. Token billing arrives, fallback models do not.https://devtake.dev/article/github-copilot-usage-based-billing/https://devtake.dev/article/github-copilot-usage-based-billing/On June 1 every Copilot plan switches to GitHub AI Credits priced per token. Code completions stay free. Fallback models and credit rollover do not.Tue, 28 Apr 2026 11:00:00 GMTaigithub-copilotgithubai-agentspricingmicrosoftanthropicclaude-opusdev-toolsdieter-morelliGitHub Copilot paused new signups and kicked Opus out of Pro. Here's what actually changed.https://devtake.dev/article/github-copilot-pro-plan-changes/https://devtake.dev/article/github-copilot-pro-plan-changes/GitHub froze Copilot Pro/Pro+/Student signups on April 20 and moved Claude Opus 4.7 behind the $39 Pro+ tier. Agent workflows broke the old math.Wed, 22 Apr 2026 11:30:00 GMTaigithub-copilotanthropicmicrosoftclaude-opusai-agentspricingdev-toolsdieter-morelliprotobuf.js RCE: a 52M/week npm package was one bad type name from code executionhttps://devtake.dev/article/protobuf-javascript-rce-cve/https://devtake.dev/article/protobuf-javascript-rce-cve/GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.Tue, 21 Apr 2026 12:00:00 GMTsecuritynpmprotobufjavascriptsupply-chainrceendor-labsgrpcluca-reinhardtInside GitHub's fake star economy: 6 million bought stars and how to spot themhttps://devtake.dev/article/github-fake-star-economy/https://devtake.dev/article/github-fake-star-economy/A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.Mon, 20 Apr 2026 16:00:00 GMTopen-sourcegithubfake-starsstarscoutopen-sourcesoftware-researchicse-2026supply-chainai-repossoren-vanekRuby Central admits 'real financial jeopardy' seven months after the RubyGems takeoverhttps://devtake.dev/article/ruby-central-rubygems-financial-crisis/https://devtake.dev/article/ruby-central-rubygems-financial-crisis/Ruby Central cut its executive director, CFO, and PR firm, and shifted to a volunteer working board. The April 16 letter closes the arc from September's RubyGems walkout.Mon, 20 Apr 2026 12:00:00 GMTopen-sourcerubyrubygemsruby-centralbundlergem-cooperativeshopifyopen-source-governancesoren-vanekTrivy got hijacked: 75 of 76 version tags rewrote to drop a CI secret-stealerhttps://devtake.dev/article/trivy-supply-chain-attack-compromise/https://devtake.dev/article/trivy-supply-chain-attack-compromise/Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.Sat, 18 Apr 2026 08:30:00 GMTsecuritysupply-chaintrivyaqua-securitygithub-actionscicddevsecopsteampcpluca-reinhardt