🦥So everyone's getting hacked now...

Hello friends!

Welcome to this week’s Sloth Bytes. I hope you had a great week.

This week is really heavy on security (yikes…)

When you type a prompt, you summarize. When you speak one, you explain. Wispr Flow captures your full reasoning — constraints, edge cases, examples, tone — and turns it into clean, structured text you paste into ChatGPT, Claude, or any AI tool. The difference shows up immediately. More context in, fewer follow-ups out.

89% of messages sent with zero edits. Used by teams at OpenAI, Vercel, and Clay. Try Wispr Flow free — works on Mac, Windows, and iPhone.

Start flowing free

A threat group called TeamPCP ran a two-phase supply chain attack dubbed "Mini Shai-Hulud" that hit both npm and PyPI.

Over 170+ packages were affected, with TanStack being one of the biggest names caught in the blast.

Luckily, nobody got phished and nobody leaked a password. The attack chained three separate vulnerabilities together:

So what does this attack do? Well, it generates a temporary password to publish the package and then the attacker can pull that password out of memory mid-run and use it to push malware before the pipeline finishes. Basically, the package’s own release system do all the hacking.

If you ran npm install or pip install on any affected packages this week:

Google's Threat Intelligence Group published a report confirming something the security industry has been quietly anxious about for a while.

An unnamed criminal group used AI to discover a previously unknown vulnerability in a popular open-source web administration tool, write an exploit for it, and deploy it.

The exploit was a 2FA bypass where it would get someone's login credentials, run the script, and skip the second factor entirely. Google caught it before the planned mass exploitation campaign launched and worked with the vendor to patch it quietly.

How did researchers figure out AI wrote it? The code had lots of delicious slop:

"AI will help hackers" has been a talking point and a concern for years now. This is the first confirmed case of it happening in the wild. Google caught it early THIS time, but who knows what’ll happen when other attacks happen.

Kinda funny after talking about an AI attack, but OpenAI launched Daybreak, their new cybersecurity initiative built on GPT-5.5 models and Codex Security.

The idea is straightforward: use AI to find vulnerabilities in your codebase before attackers do, validate that patches actually fix the problem, and reduce the time between "we found a bug" and "it's deployed." Cloudflare, Cisco, CrowdStrike, Oracle, and Zscaler are already using it.

Daybreak runs three model tiers depending on your use case. GPT-5.5 for general security work. GPT-5.5 with Trusted Access for Cyber for verified defensive workflows. GPT-5.5-Cyber for authorized red-teaming and pen testing. Each tier has different access controls and identity verification requirements.

We’re approaching the era of slop vs slop. How exciting.

I'm going back to writing code by hand - A dev vibe-coded a Kubernetes TUI for 7 months and ended up with some interesting results… (you can probably guess)

A History of IDEs at Google - An interesting article talking about how 80% of google engineer were using the same IDE, and saw some unexpected benefits that came from it.

I've Added a Few Things to My AI Coding Workflow - Cool video by Chris showing how he’s using AI in his developer workflow to build some cool apps. Really useful if you build mobile apps.

3 Constraints Before I Build Anything - Very short blog post, but after reading it, I think it’ll help a lot of you not quit a personal project.

Zed 1.0 - After five years of development, Zed finally hit 1.0. It’s an IDE built in Rust which means it’s BLAZINGLY FAST (it actually is). It also has real-time collab, parallel AI agents support, and an actual "disable all AI features" toggle for devs who don’t want AI and just want a fast editor.

react-doctor - A very helpful tool that audits your React code and gives it a score. It’ll flag bad patterns and give some recommendations to fix it.

Pi Coding Agent — A minimal, open-source terminal coding agent with only four built-in tools (read, write, edit, bash) that you extend with TypeScript. Connects to 15+ model providers, runs entirely locally with no SaaS backend, and the philosophy is "adapt to your workflow, not the other way around."

Remix 3 Beta - Fun thing to test. Remix has dropped React entirely and is trying to become a true full stack framework where there’s no longer separate packages, it’s all inside the framework. You can start building with a single command: npx remix@next new my-app.

I've been sending this newsletter for a while now and realized something:

I do a lot of talking and not enough listening.

I want to start learning more about the people reading this, and so starting today, I'm ending every issue with a question. Reply and I'll do my best to write back!

Question for you this week: What made you get into coding?

For me, it was the ability to create cool things on a computer. Specifically I wanted to create video games since I thought they were so cool. I was also crazy addicted to them…

Anyways, that’s all from me!

Have a great week, be safe, make good choices, and have fun coding.

If I made a mistake or you have any questions, feel free to comment below or reply to the email!

See you all next week.

If your company is interested in reaching an audience of developers and programming enthusiasts, you may want to advertise with us here.