Developer-Tools
- Engineering Culture: Tools, Practices, and How AI Is Changing the Work
A living signal on engineering in 2026. Cursor 3 ships an Agents Window for multi-agent coding workflows; JPMorgan Chase mandates AI tool use for 65,000 engineers and ties performance ratings to adoption.
- Apifox CDN Supply Chain Attack: Malicious JavaScript Hidden in the Official Analytics Script
SlowMist confirmed attackers injected obfuscated JavaScript into an official Apifox CDN script, enabling credential theft and remote code execution across every Electron desktop client that loaded it.
- WaterPlum's VS Code Trap: How Opening a Folder Deploys a RAT
North Korean threat group WaterPlum is distributing StoatWaffle malware via malicious VS Code projects that auto-execute on folder open. Fake developer job interviews deliver the payload -- no click required once you open the repo.
- The Claude Code Plugins Worth Installing in 2026
Claude Code's plugin system extends the CLI with slash commands, agents, hooks, and MCP servers. This is a practical roundup of which plugins are actually worth adding to your setup.
- The BitTorrent Creator Thinks CRDTs Can Fix Merge Conflicts Forever
Bram Cohen published Manyana, a ~470-line Python demo proposing CRDTs as the foundation for a new version control system. The core insight: a CRDT merge cannot fail by definition, which is a fundamentally different property from anything git offers.
- Claude Code Platform: Tracking the Agentic Dev Platform Evolution
No material updates -- quiet Sunday for this topic.
- Gemini 3.1 Pro: #1 on the intelligence index, with caveats
Gemini 3.1 Pro launched February 19 with a 77.1% ARC-AGI-2 score (more than double its predecessor), #1 on the Artificial Analysis Intelligence Index, 1M token context, and $2/$12 per million pricing. The caveats: preview status and notably high verbosity. Where it fits in the frontier developer choice.
- Android's 24-Hour Sideloading Wall Is Not What Google Says It Is
Starting September 2026, sideloading an unverified app on Android requires a 9-step process with a mandatory 24-hour wait. Google's anti-scam justification is real. What they're not saying out loud is that this also closes the gap between Android's openness and iOS's walled garden.
- OpenAI Acquires Astral: The Python Toolchain Moves Inside Codex
OpenAI is acquiring Astral -- the team behind uv, Ruff, and ty, with hundreds of millions of monthly downloads. The tools that manage Python environments, lint code, and enforce type safety are moving inside Codex. What changes, what doesn't, and what the governance questions are.
- CVE-2026-3888: Snap LPE -- Patch It Now
CVE-2026-3888 is a local privilege escalation in Ubuntu's Snap package manager (CVSS 7.8). An unprivileged attacker waits for systemd-tmpfiles to delete /tmp/.snap -- 10-30 days depending on Ubuntu version -- then recreates it with malicious payloads. snap-confine bind-mounts them as root on next sandbox init. Patch is available now.
- AI Tooling Doubles the Credential Leak Rate: Secrets Sprawl 2026
GitGuardian's 2026 report: 28.65 million hardcoded secrets on public GitHub, 81% surge in AI-service credential leaks, Claude Code commits leaking at double the baseline rate, and 24,000 secrets exposed in MCP config files. The leak surface has grown with the tooling surface.