Flux
research-llm-apis 2026-04-04
IA Programmation

research-llm-apis 2026-04-04

Release: research-llm-apis 2026-04-04 I'm working on a major change to my LLM Python library and CLI tool. LLM provides an abstraction layer over hundreds of different LLMs from dozens of different vendors thanks to its plugin system, and some of those vendors have grown new features over the past year which LLM's abstraction layer can't handle, such as server-side tool execution. To help design that new abstraction layer I had Claude Code read through the Python client libraries for Anthropic,…

Simon Willison's Weblog
Quoting Kyle Daigle
IA Programmation

Quoting Kyle Daigle

[GitHub] platform activity is surging. There were 1 billion commits in 2025. Now, it's 275 million per week, on pace for 14 billion this year if growth remains linear (spoiler: it won't.) GitHub Actions has grown from 500M minutes/week in 2023 to 1B minutes/week in 2025, and now 2.1B minutes so far this week. — Kyle Daigle, COO, GitHub Tags: github, github-actions

Simon Willison's Weblog
Vulnerability Research Is Cooked
IA Programmation

Vulnerability Research Is Cooked

Vulnerability Research Is Cooked Thomas Ptacek's take on the sudden and enormous impact the latest frontier models are having on the field of vulnerability research. Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Frontier model improvement won’t be a slow burn, but rather a step function. Substantial amounts of high-impact vulnerability research (maybe even most of it) will happen simply by pointing an agent at a…

Simon Willison's Weblog
The cognitive impact of coding agents
IA Programmation

The cognitive impact of coding agents

A fun thing about recording a podcast with a professional like Lenny Rachitsky is that his team know how to slice the resulting video up into TikTok-sized short form vertical videos. Here's one he shared on Twitter today which ended up attracting over 1.1m views! That was 48 seconds. Our full conversation lasted 1 hour 40 minutes. Tags: ai-ethics, coding-agents, agentic-engineering, generative-ai, podcast-appearances, ai, llms, cognitive-debt

Simon Willison's Weblog
Quoting Willy Tarreau
IA Programmation

Quoting Willy Tarreau

On the kernel security list we've seen a huge bump of reports. We were between 2 and 3 per week maybe two years ago, then reached probably 10 a week over the last year with the only difference being only AI slop, and now since the beginning of the year we're around 5-10 per day depending on the days (fridays and tuesdays seem the worst). Now most of these reports are correct, to the point that we had to bring in more maintainers to help us. And we're now seeing on a daily basis something that…

Simon Willison's Weblog
Quoting Greg Kroah-Hartman
IA Programmation

Quoting Greg Kroah-Hartman

Months ago, we were getting what we called 'AI slop,' AI-generated security reports that were obviously wrong or low quality. It was kind of funny. It didn't really worry us. Something happened a month ago, and the world switched. Now we have real reports. All open source projects have real reports that are made with AI, but they're good, and they're real. — Greg Kroah-Hartman, Linux kernel maintainer (bio), in conversation with Steven J. Vaughan-Nichols Tags: security, linux,…

Simon Willison's Weblog
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
Cybersécurité Programmation

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target.…

Socket
Can JavaScript Escape a CSP Meta Tag Inside an Iframe?
IA Programmation

Can JavaScript Escape a CSP Meta Tag Inside an Iframe?

Research: Can JavaScript Escape a CSP Meta Tag Inside an Iframe? In trying to build my own version of Claude Artifacts I got curious about options for applying CSP headers to content in sandboxed iframes without using a separate domain to host the files. Turns out you can inject <meta http-equiv="Content-Security-Policy"...> tags at the top of the iframe content and they'll be obeyed even if subsequent untrusted JavaScript tries to manipulate them. Tags: iframes, security, javascript,…

Simon Willison's Weblog
The Axios supply chain attack used individually targeted social engineering
IA Programmation

The Axios supply chain attack used individually targeted social engineering

The Axios team have published a full postmortem on the supply chain attack which resulted in a malware dependency going out in a release the other day, and it involved a sophisticated social engineering campaign targeting one of their maintainers directly. Here's Jason Saayman'a description of how that worked: so the attack vector mimics what google has documented here: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering they tailored…

Simon Willison's Weblog
The Cathedral, the Bazaar, and the Winchester Mystery House
IA

The Cathedral, the Bazaar, and the Winchester Mystery House

The following article originally appeared on Drew Breunig’s blog and is being republished here with the author’s permission. In 1998, Eric S. Raymond published the founding text of open source software development, The Cathedral and the Bazaar. In it, he detailed two methods of building software: The bazaar model was enabled by the internet, which […]

O'Reilly Radar — AI/ML
Esc