The big shift this cycle is that your tooling and repos are now clear attack surfaces—npm, PyPI, and GitHub/Actions all had large, automated compromises—while cloud AI assistants are getting pricey enough that enterprises are backing off.
At the same time, local LLM stacks on a single RTX-class GPU are hitting hundreds of tokens per second, making “run it yourself” a serious alternative for a lot of everyday coding and agent work.
Key Events
/Large npm attack injected 631 malicious versions across 314 packages in 22 minutes, hitting popular libraries.
/'Megalodon' GitHub Actions attack compromised over 5,500 repositories via weak branch protections.
/GitHub breach via poisoned VS Code extension exfiltrated around 3,800 private/internal repositories.
/pnpm 11 shipped with supply‑chain defenses that block exotic subdependencies during installs.
/Google launched Gemini 3.5 Flash, which costs 3× more than its previous version.
Report
AI bills are spiking while the JS/Python supply chain and GitHub/CI surface are basically hostile by default. At the same time, local LLM + GPU stacks are getting fast enough that they’re a real alternative to expensive APIs for day‑to‑day work.
supply-chain and github/ci attacks are now background noise
An npm attack pushed 631 malicious versions across 314 packages in 22 minutes, including popular packages under the `@antv` scope and `echarts-for-react`.
Follow‑up counts rose to 639 compromised versions across 323 packages as more were found, so the first tally was a floor rather than a final number. Separately, the Laravel Lang org had over 700 historical versions backdoored with an RCE implant that targets sensitive data.
On PyPI, TrapDoor‑style campaigns are dropping credential‑stealing packages daily, explicitly going after developer machines. GitHub is in the blast radius too: the Megalodon attack exploited weak branch protections through GitHub Actions to compromise more than 5,500 repositories, and a poisoned VS Code extension on an employee machine led to exfiltration of about 3,800 internal GitHub repos whose data is now being sold.
js/python tooling starting to react (slowly)
The npm design that lets packages run arbitrary install scripts is now a known liability, with malicious `postinstall` hooks found in 700 GitHub repos, including production Node projects. pnpm 11 shipped with supply‑chain features that explicitly block “exotic” subdependencies during install, tightening what can get pulled in transitively.
Deno’s model of stricter imports and permissions is being called out as a contrast to npm’s open‑season scripting, especially in the same week the 314‑package npm compromise landed.
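As an added illustration (not code from the page, npm, or pnpm), the script below walks a node_modules tree and lists every package that declares an install-time hook, flagging hook bodies that fetch from the network, pipe into a shell, or decode payloads. The marker list and the sample manifests are constructed for the demo; the hook names are the ones npm runs automatically.

```python
import json
from pathlib import Path

# Hooks npm runs automatically during `npm install`; these are the
# entry point the page calls a known liability.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for hook bodies that deserve a human look: network
# fetches, shell pipelines, encoded payloads, inline node. Tune per codebase.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(", "node -e")


def audit_manifest(name: str, manifest: dict) -> list:
    """Return one finding per install-time hook declared in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        findings.append({
            "package": name,
            "hook": hook,
            "command": cmd,
            "suspicious": any(marker in cmd for marker in SUSPICIOUS_MARKERS),
        })
    return findings


def audit_node_modules(root: Path) -> list:
    """Audit every package.json under node_modules, including scoped and nested packages."""
    findings = []
    for manifest_path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the audit
        if not isinstance(manifest, dict):
            continue
        name = manifest.get("name") or manifest_path.parent.name
        findings.extend(audit_manifest(name, manifest))
    return findings


# Constructed sample manifests (not real packages) so the audit runs offline.
SAMPLE_MANIFESTS = {
    "left-tab": {"name": "left-tab", "scripts": {"test": "jest"}},
    "color-stringy": {
        "name": "color-stringy",
        "scripts": {"postinstall": "node -e \"require('https').get('https://example.invalid/x')\""},
    },
    "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
}


def audit_samples() -> list:
    """Run the audit over the constructed manifests; returns only packages with install hooks."""
    findings = []
    for name, manifest in SAMPLE_MANIFESTS.items():
        findings.extend(audit_manifest(name, manifest))
    return findings


if __name__ == "__main__":
    for finding in audit_samples():
        flag = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"{flag:10} {finding['package']}: {finding['hook']} -> {finding['command']}")
```

Run it over a fresh install before trusting the lockfile, and pair it with `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) so no hook runs until the packages that genuinely need a build step are rebuilt deliberately; pnpm 10 and later already skip dependency lifecycle scripts unless a package is listed under `pnpm.onlyBuiltDependencies`.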
On the Python side, people are treating PyPI more like untrusted input, adding “dependency cooldowns” so new releases must age at least a week before use, in response to ongoing TrapDoor‑style supply‑chain malware.
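The cooldown rule, as an added example rather than anything the page or PyPI ships: given a project's release history in the shape PyPI's JSON API returns, pick the highest version whose files have all been up for at least the required age. The sample history and the "today" timestamp are constructed, and the version ordering is a simplified one that assumes no pre-release tags.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def _version_key(version: str) -> tuple:
    """Numeric-aware ordering for dotted versions ("2.10.0" > "2.9.1").
    Assumption: no pre-release tags; this is not a full PEP 440 parser."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def _newest_upload(files: list) -> Optional[datetime]:
    """Latest upload_time_iso_8601 among a release's files, or None if it has none."""
    times = []
    for f in files:
        ts = f.get("upload_time_iso_8601")
        if ts:
            times.append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return max(times) if times else None


def pick_cooled_release(releases: dict, *, min_age: timedelta, now: datetime) -> Optional[str]:
    """Highest version whose non-yanked files were all uploaded at least min_age before now.

    `releases` has the shape of the "releases" object in PyPI's JSON API
    (version -> list of file dicts). A release with a freshly re-uploaded
    wheel fails the cooldown too, because its newest file sets its age.
    """
    cutoff = now - min_age
    for version in sorted(releases, key=_version_key, reverse=True):
        files = [f for f in releases[version] if not f.get("yanked")]
        newest = _newest_upload(files)
        if newest is not None and newest <= cutoff:
            return version
    return None


# Constructed sample history in PyPI JSON shape; not a real project.
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    "2.10.0": [{"upload_time_iso_8601": "2026-05-19T08:12:00.000000Z"}],   # 1 day old: too new
    "2.9.1": [{"upload_time_iso_8601": "2026-05-01T10:00:00.000000Z"},
              {"upload_time_iso_8601": "2026-05-18T10:00:00.000000Z"}],     # wheel re-uploaded 2 days ago
    "2.9.0": [{"upload_time_iso_8601": "2026-04-20T09:30:00.000000Z", "yanked": True}],
    "2.8.2": [{"upload_time_iso_8601": "2026-04-02T12:00:00.000000Z"}],    # old enough
}


if __name__ == "__main__":
    print(pick_cooled_release(SAMPLE_RELEASES, min_age=timedelta(days=7), now=NOW))
```

Resolvers are growing this natively: uv accepts an `exclude-newer` cutoff (as a CLI flag or under `[tool.uv]`), but that is an absolute date rather than a relative age, so a per-release check like this one still earns its place when the policy is "at least a week old" and the re-uploaded-wheel case matters.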
The common thread in developer chatter is treating registries and even editor extensions as active attack surfaces rather than boring plumbing.
network edge and cloud infra: new ways to get popped or billed
A new NGINX bug allows unauthenticated RCE when `jsfetchproxy` is misconfigured with client‑controlled variables, which is exactly how a lot of people wire reverse proxies.
Separately, the `nginx-poolslip` vuln in NGINX 1.31.0 bites Docker reverse‑proxy setups and NGINX Proxy Manager installs, so the popular “one Docker reverse proxy for everything” pattern is in scope.
Attack chatter explicitly mentions scanning for exposed NGINX Rift installs as a target class. On AWS, a real bug in API Gateway let requests bypass JWT authentication by appending a trailing slash to the path; the researcher who reported it for a $12k bounty hit exactly the kind of REST setups people assume the gateway has "handled".
Cost‑wise, a DDoS against a public S3 bucket generated a $15,500 bill, and even a non‑malicious spike in direct GET traffic to a public bucket lands on the invoice, because S3 bills strictly per request.
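As an added model of that bug class, not AWS's code or the actual API Gateway defect: a toy gateway whose authorizer is keyed on the exact request path while the backend tolerates a trailing slash, beside a version that canonicalizes once and denies unknown routes. The routes, the HS256 secret and the minimal JWT helpers are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-signing-key"  # constructed demo key; a real gateway verifies against a JWKS

# Route table keyed by canonical path: True means the route requires a valid JWT.
ROUTES = {
    "/public/health": False,
    "/admin/users": True,
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT, enough to drive the demo (assumption: shared-secret HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: Optional[str]) -> bool:
    """Constant-time signature check; no expiry handling, to keep the demo short."""
    if not token or token.count(".") != 2:
        return False
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def canonical_path(path: str) -> str:
    """Collapse duplicate slashes and strip one trailing slash (except for "/")."""
    while "//" in path:
        path = path.replace("//", "/")
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def gateway_vulnerable(path: str, token: Optional[str]) -> int:
    """Authorizer keyed on the raw request path; the backend normalizes afterwards.

    "/admin/users/" misses the exact-match lookup, so no authorizer runs, and the
    normalized path then lands on the protected backend route anyway.
    """
    requires_jwt = ROUTES.get(path)           # exact match: "/admin/users/" -> None
    if requires_jwt and not verify_jwt(token):
        return 401
    backend_path = canonical_path(path)       # backend is tolerant of the trailing slash
    return 200 if backend_path in ROUTES else 404


def gateway_fixed(path: str, token: Optional[str]) -> int:
    """One canonical form for routing and authorization, and deny by default."""
    path = canonical_path(path)
    if path not in ROUTES:
        return 404                            # unknown path never reaches a backend
    if ROUTES[path] and not verify_jwt(token):
        return 401
    return 200


if __name__ == "__main__":
    print("vulnerable, no token, /admin/users/ :", gateway_vulnerable("/admin/users/", None))
    print("fixed,      no token, /admin/users/ :", gateway_fixed("/admin/users/", None))
```

The property to test for in your own gateway is that the string used to select the authorizer and the string used to select the backend are the same one; sending `/`, `//` and `/./` variants of every protected route without a token is a quick way to find out.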
ai coding tools: costs are diverging hard
Microsoft is ripping out most internal Claude Code because Anthropic token bills were unsustainable, even as estimates say Microsoft may still spend around $300M on Anthropic tokens this year.
GitHub Copilot, which has more than 73M downloads, is moving to consumption‑based billing by June 2026 explicitly due to compute usage growth.
On the model side, Gemini 3.5 Flash costs about 3× more than its previous version and roughly 30× more than Gemini 1.5 Flash, with users measuring that its higher token usage makes it over 5× more expensive to actually run than Gemini 3 Flash.
In contrast, DeepSeek V4 Pro comes in around 11.5× cheaper than GPT‑5.5 on input tokens, and Cursor Composer 2.5 is 3–18× cheaper than Opus 4.7 and 5–32× cheaper than GPT‑5.5 while ranking near the top of coding agent benchmarks.
The net is that high‑end models are trending toward “research and special‑case” pricing while mid‑tier agents like Cursor/OpenCode are optimized for being left running on real work without blowing up budgets.
local llms and gpu economics look less like a toy, more like infrastructure
The latest llama.cpp drops can boost inference throughput up to 7× compared to earlier builds, and Multi‑Token Prediction there delivers around a 78% speedup, hitting roughly 45 tokens/sec in some configs.
LM Studio 0.4.14 added MTP speculative decoding on top, which users report as a noticeable jump for local workflows. Qwen 3.6 35B‑A3B MTP is hitting about 249 tokens/sec on a single 24GB consumer RTX, and benchmarks show the 27B MTP variant going from 25 to 45 tokens/sec on an A10G when MTP is enabled.
Community numbers put Qwen and Gemma 4 in the 160–180 tokens/sec range on an RTX 3090, which many people now call the best value card for local agents.
In parallel, open models like Carbon are posting 275× speedups over prior baselines on genomics tasks while still being runnable on a single GPU, and Cerebras is serving its Kimi K2.6 model at around 981 tokens/sec, showing how far both commodity and specialized inference have moved.
What This Means
Security and cost pressure are both rising: the stuff you `npm install` and push to GitHub is now a primary attack vector, while AI assistance is splitting into very expensive frontier APIs and increasingly capable local stacks on commodity GPUs.
On Watch
/Python’s uv is gaining real mindshare as a fast dependency/env manager with `uv.lock` reproducibility, but rough UX and missing upper bounds in `pyproject.toml` are still pain points to resolve before it becomes a default in larger teams.
/Auth practice is drifting away from long‑lived JWTs; separately, AWS API Gateway had a real JWT bypass via a trailing slash, and passkeys and heartbeat‑bound credentials are being pushed despite UX backlash.
/Framework upgrades like C# union types in .NET and Django 6.1 alpha 1 are landing, pairing nicer type systems and framework ergonomics with the usual question of migration risk vs. safety and DX gains.
Interesting
/Kysely 0.29's rapid growth to over 6 million downloads per week on NPM indicates a strong interest in modern SQL query builders.
/The QueryShield MCP server enhances security with row-level security and audit logging capabilities, addressing the need for secure SQL proxies.
/uv's built‑in virtual environments and lockfiles are now treated as table stakes for modern Python development.
/A Cursor agent deleted an entire production database in nine seconds using an MCP wrapper, highlighting potential risks in AI tool usage.
/The rollout of post-quantum TLS has caused real breakage, particularly for open-source scrapers whose TLS stacks do not yet support the new handshake.
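For the secure-SQL-proxy and Cursor/MCP items above, an added example (not QueryShield's code or Cursor's) of the guard an MCP SQL wrapper needs: SQLite's authorizer hook refuses anything but reads while the statement is being compiled, and every attempt, allowed or not, goes into an audit log. The schema, rows and principal name are constructed.

```python
import sqlite3
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample schema and rows; not from any real deployment.
SETUP_SQL = """
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, tenant TEXT);
INSERT INTO users VALUES (1, 'a@example.com', 'acme'), (2, 'b@example.com', 'globex');
"""

# Authorizer actions the read-only policy permits. SQLite consults the
# authorizer while compiling each statement, so DELETE, UPDATE, INSERT, DROP,
# PRAGMA and the rest are refused before a single row is touched.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


@dataclass
class AuditEntry:
    when: str
    principal: str
    sql: str
    outcome: str  # "ok" or "refused: <sqlite message>"


@dataclass
class GuardedSqlTool:
    """Read-only SQL tool with an audit trail, the shape an MCP wrapper should have."""
    conn: sqlite3.Connection
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.conn.set_authorizer(self._authorize)

    @staticmethod
    def _authorize(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

    def query(self, principal: str, sql: str, params=()):
        """Run a statement for `principal`; every attempt, allowed or not, is logged."""
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(), principal, sql, "ok")
        try:
            rows = self.conn.execute(sql, params).fetchall()
        except sqlite3.DatabaseError as exc:   # "not authorized" arrives as a DatabaseError
            entry.outcome = f"refused: {exc}"
            self.audit.append(entry)
            raise PermissionError(f"refused by read-only policy: {sql!r}") from exc
        self.audit.append(entry)
        return rows


def build_demo_tool() -> GuardedSqlTool:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)   # seed data before the authorizer is installed
    return GuardedSqlTool(conn)


if __name__ == "__main__":
    tool = build_demo_tool()
    print(tool.query("agent", "SELECT email FROM users WHERE tenant = ?", ("acme",)))
    try:
        tool.query("agent", "DELETE FROM users")
    except PermissionError as err:
        print(err)
    for e in tool.audit:
        print(e.when, e.principal, e.outcome, e.sql)
```

Row-level scoping (a tenant filter the caller cannot remove, or views defined per principal) is the next layer on top of this; the point here is that the refusal happens in the database engine at compile time, not in a regex the agent can talk its way around.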
We processed 10,000+ comments and posts to generate this report.
AI-generated content. Verify critical information independently.