Tuesday, 31 March 2026

U.S. government apps found embedding Huawei spyware, axios npm package hit with a supply chain RAT, and AI agents are making zero-day discovery trivially easy

Today's Lead

Sam Bent

Fedware: 13 Government Apps That Spy Harder Than the Apps They Ban

An investigative piece examining 13 U.S. federal government apps that request excessive permissions and embed third-party trackers, including Huawei Mobile Services found inside the White House app and Google AdMob inside the FBI Dashboard. The article argues these apps constitute a coordinated surveillance infrastructure — collecting biometrics, GPS location, and device identity data — comparable to or exceeding the practices of the commercial apps the government has publicly criticized. Federal agencies further circumvent warrant requirements by purchasing location data from brokers like Venntel, which aggregate 15 billion daily data points from 250 million devices.

Read →

Also today

StepSecurity

axios Compromised on npm — Malicious Versions Drop Remote Access Trojan

Two malicious versions of the popular axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026, after an attacker compromised a lead maintainer's npm account and injected a fake dependency containing a multi-stage remote access trojan targeting macOS, Windows, and Linux. The attack exploited postinstall hooks to deliver platform-specific RAT payloads that connected to a C2 server and then self-destructed to evade detection, affecting a library with over 300 million weekly downloads. Users are advised to downgrade to [email protected] or [email protected], rotate credentials on affected machines, and use npm install --ignore-scripts in CI/CD pipelines to prevent similar postinstall hook attacks.

Read →
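A defender's lockfile check for the axios item above, added here and not part of the StepSecurity write-up: it flags the two compromised versions in an npm lockfile (both the v1 `dependencies` and v2/v3 `packages` layouts) and confirms `ignore-scripts=true`, the persistent `.npmrc` form of the `--ignore-scripts` flag the advisory recommends. The lockfile and `.npmrc` contents are constructed samples.

```javascript
// Added example (not from the StepSecurity write-up): audit an npm lockfile for the
// two axios versions named in the advisory and check whether install scripts are
// disabled. The lockfile and .npmrc below are constructed sample data.
const COMPROMISED = { axios: new Set(["1.14.1", "0.30.4"]) };

// Walk lockfileVersion 2/3 ("packages", keyed by install path) or v1 ("dependencies").
function findCompromised(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (COMPROMISED[name]?.has(meta.version)) hits.push({ name, version: meta.version, path });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}${marker}${name}`;
      if (COMPROMISED[name]?.has(meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + "/"); // nested (deduped) dependency tree
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// .npmrc is key=value lines; "ignore-scripts=true" makes --ignore-scripts the default
// for every install, so postinstall hooks never run in CI.
function scriptsIgnored(npmrc) {
  return npmrc.split(/\r?\n/).some((l) => /^\s*ignore-scripts\s*=\s*true\s*$/.test(l));
}

// Constructed v3 lockfile: a clean top-level axios plus a compromised transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nignore-scripts=true\n";

console.log(findCompromised(SAMPLE_LOCK)); // one hit: the nested 1.14.1 copy
console.log("scripts disabled:", scriptsIgnored(SAMPLE_NPMRC)); // true
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-path output tells you which dependency pulled in the bad version.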

sockpuppet.org

Vulnerability Research Is Cooked

The author argues that AI coding agents are making it trivially easy to discover zero-day vulnerabilities at scale, eliminating the need for elite human expertise by systematically tracing input flows and matching known bug patterns across any codebase. This capability shift threatens to destabilize security across critical infrastructure — hospitals, banks, networked devices — which lack the resources for rapid patching that well-funded platforms enjoy. The resulting flood of exploitable vulnerabilities may prompt regulatory responses that paradoxically constrain defensive security research more than offensive exploitation.

Read →

Android Developers

Android Developer Verification Rolling Out to All Developers

Google is rolling out mandatory developer verification across Android to combat sideloaded malware, which the company claims is over 90 times more prevalent than malware from Google Play. Developers can begin verification immediately via Play Console, with user-facing protections launching in September 2026 in Brazil, Indonesia, Singapore, and Thailand, followed by global expansion in 2027. Students and hobbyists will have access to free limited-distribution accounts for up to 20 devices starting June 2026, but installations from unregistered developers will trigger additional friction.

Read →

Vercel

Agent Responsibly

Vercel's internal talk-turned-blog-post argues that AI coding agents introduce a dangerous gap between code that looks correct and code that is safe to run in production. The author distinguishes between relying on agents (blindly shipping large PRs no one fully understands) versus leveraging them (accelerating work while maintaining full ownership and judgment over what gets shipped). The recommended solution is infrastructure-first: canary deployments with automatic rollback, continuous validation, and operational knowledge encoded as executable guardrails rather than tighter code review processes.

Read →

Ollama

Ollama Is Now Powered by MLX on Apple Silicon in Preview

Ollama has released a preview integrating Apple's MLX machine learning framework for Apple Silicon devices, delivering up to 2x faster decode speeds and notably higher prefill throughput on M5 chips. The update also adds support for NVIDIA's NVFP4 quantization format for higher quality responses and optimizes for demanding workloads such as coding agents, targeting Macs with more than 32GB of unified memory. The release leverages Apple's unified memory architecture and GPU Neural Accelerators to make local LLM inference significantly more competitive with cloud offerings.

Read →

LeadDev

'Addictive' Agentic Coding Has Developers Losing Sleep

Agentic coding tools are delivering productivity gains but at a cost to developer wellbeing, with engineers reporting sleep loss, burnout, and difficulty maintaining boundaries as they work alongside increasingly autonomous AI assistants. The tools' addictive quality stems from their ability to keep executing tasks autonomously, pulling developers into late-night sessions where they feel compelled to monitor or guide the agent's progress. The article highlights a growing tension between the promise of AI-driven velocity and the human cost of always-on, agentic workflows.

Read →

Haskell Blog

A Couple Million Lines of Haskell: Production Engineering at Mercury

Mercury, a fintech company, runs approximately 2 million lines of Haskell in production, demonstrating that Haskell's practical value lies in encoding institutional knowledge into types and making correct procedures the easiest path forward. The article outlines key engineering practices such as treating purity as a containment boundary, designing domain models independent of transport layers, and leveraging strong refactoring capabilities. It makes the case that Haskell's real-world benefits come from operational discipline and type-driven design rather than theoretical purity alone.

Read →

LWN.net

Rust's Next-Generation Trait Solver

The Rust compiler team is working on a rewrite of the trait solver — the component that determines which function implementation to call when a trait method is invoked across multiple types. The new solver addresses circular dependency issues in trait resolution by using a provisional caching mechanism that allows it to handle self-referential trait structures that currently cause infinite loops or compilation failures. The next-generation solver is already used for coherence checking in stable Rust, with full enablement pending resolution of around 76 remaining bugs, mostly internal compiler errors and performance issues.

Read →

Database Doctor

Joins are NOT Expensive

The article debunks the common belief that SQL joins are computationally expensive, arguing that denormalizing data into wide 'One Big Table' models is rarely a performance win. Through empirical benchmarks on both columnar (DuckDB) and row-based (PostgreSQL) databases, the author shows that joins consistently outperform pre-joined flat tables — especially as column counts grow — because columnar storage must decompress and reassemble data anyway, making pre-joins a costly illusion. The conclusion is that normalized schemas with joins offer better performance and far lower storage overhead than denormalized alternatives.

Read →