CVE-2026-40175: How Axios Turns Prototype Pollution Into Full Cloud Compromise
A deep dive into the critical Axios gadget chain that escalates prototype pollution to RCE and AWS IMDSv2 bypass. CVSS 9.9.
Blog
Thoughts on engineering, AI, security, and the craft of building things.
The npm Attack Nobody Saw Coming: When Your Database Client Becomes a Spy
After Axios and LiteLLM, attackers are eyeing your database clients. Here's the attack pattern, why DB tools are perfect targets, and how Zero Trust architecture contains the blast radius.
Agent Skills: How Addy Osmani Is Turning AI Coding Agents Into Senior Engineers
Addy Osmani just open-sourced the secret weapon: 20 production-grade skills that teach AI agents to code like seasoned engineers instead of unsupervised interns.
The Agentic AI Boom Is Over. The Commoditization Has Begun.
Agentic AI was revolutionary in 2025. In 2026, it's a checkbox feature. Here's what's actually worth building on.
Cybersecurity April 2026: Mythos AI Just Changed the Game
While we were watching ransomware, Claude Mythos quietly gained the ability to find and exploit zero-day vulnerabilities. The vulnerability discovery bottleneck just shifted from finding bugs to fixing them.
Python 3.15 JIT + Pandas 3.0: The 2026 Performance Revolution
Python finally gets a community-built JIT compiler. Pandas 3.0 breaks everything. Your code needs both—here's why, and how to migrate.
AI Agents in 2026: The Year Agents Got Real Jobs
From MCP and A2A protocols to multi-agent architectures, why 2026 is when AI agents graduated from demo toys to production infrastructure.
Three agents, two sessions, one bug I couldn't remember fixing
How Beads (the graph-shaped task tracker) + optional semantic memory beats scrolling chat until your thumb hurts. Real patterns, honest limits.
CI/CD Pipeline From Zero to Production: Docker → Kubernetes → Terraform
A battle-tested guide to building production CI/CD pipelines with Docker, GitHub Actions, Kubernetes, and Terraform. Real configs, real lessons.