Flux
Couleur d'accent
The PHP Podcast 2026.06.17
Programmation Web

The PHP Podcast 2026.06.17

🎙️ PHP Podcast – June 17, 2026 Hosts: Sara Golemon & Holly Schilling | Guests: Paul Reinheimer & Sean Coates Eric and John are still locked in the basement. Sara is literally on a boat in Spain. Normal show, totally normal. 🚢 Sara Broadcasts from a Harbor in A Coruña Sara is joining this week’s […] The post The PHP Podcast 2026.06.17 appeared first on PHP Architect.

PHP Architect
GLM-5.2 is probably the most powerful text-only open weights LLM
IA Programmation

GLM-5.2 is probably the most powerful text-only open weights LLM

Chinese AI lab Z.ai released GLM-5.2 to their coding plan subscribers on June 13th, and then yesterday (June 16th) released the full open weights under an MIT license. Similar in size to their previous GLM-5 and GLM-5.1 releases, this is 753B parameter, 1.51TB monster - with 40 active parameters (Mixture of Experts). GLM-5.2 is a text input only model - Z.ai have a separate vision family most recently represented by GLM-5V-Turbo, but that one isn't open weights. GLM-5.2 has a 1 million token…

Simon Willison's Weblog
Socket Firewall Now Blocks Malicious VS Code and Open VSX Extensions
Cybersécurité Programmation

Socket Firewall Now Blocks Malicious VS Code and Open VSX Extensions

In May 2026, GitHub disclosed that attackers compromised an employee device through a poisoned third-party VS Code extension, allowing them to exfiltrate roughly 3,800 GitHub-internal repositories. The extension was Nx Console 18.95.0, a malicious release that reached both the Visual Studio Marketplace and Open VSX before removal. That incident should change how security teams think about editor extensions. Socket researchers have also documented repeated GlassWorm attacks across Open VSX,…

Socket
Quoting Charity Majors
IA Programmation

Quoting Charity Majors

What happened in 2025 was this: the economics of code production were turned upside down. Instead of being very hard, time-consuming, and expensive to generate code, it became effectively free and instant. Lines of code went from being treasured, reused, cared for and carefully curated, to being disposable and regenerable, practically overnight. — Charity Majors, AI demands more engineering discipline. Not less Tags: charity-majors, ai-assisted-programming, generative-ai, ai, llms

Simon Willison's Weblog
Why skipping Eloquent doesn’t mean skipping SQL injection protection
Programmation Web

Why skipping Eloquent doesn’t mean skipping SQL injection protection

Video version at: https://youtu.be/gAVfQhPw8Do A few weeks ago, I posted something on LinkedIn that ruffled some feathers. Here’s what I said: “Defaulting to the ORM for everything isn’t a best practice. It’s just the path of least resistance.” The replies came in fast, and a good chunk of them said the same thing: “That’s unsafe! […] The post Why skipping Eloquent doesn’t mean skipping SQL injection protection appeared first on PHP Architect.

PHP Architect
The Case Against Building Your Own Agent Platform
IA

The Case Against Building Your Own Agent Platform

You know the meeting. The board wants an AI agent strategy by end of quarter. Someone on the leadership team has read a McKinsey report. You’ve been voluntold to build the platform. The slide deck says “AI-native.” The acceptance criteria are vague. Somebody mentions LangGraph, and somebody else says, “We’ll just wrap it ourselves.” You […]

O'Reilly Radar — AI/ML
140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack
Cybersécurité Programmation

140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack

Socket has detected a malicious npm supply chain campaign involving compromised @mastra/* packages published under the Mastra namespace. A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17. The compromised package versions themselves contain unmodified code; the attack is delivered through an injected dependency, a typosquatted package named easy-day-js added to each package's dependency list. easy-day-js…

Socket
<click-to-play> — a still that plays
IA Programmation

<click-to-play> — a still that plays

Tool: &lt;click-to-play&gt; — a still that plays A progressive enchantment Web Component that turns this markup: &lt;click-to-play&gt; &lt;a href="URL to GIF"&gt; &lt;img src="URL to first frame" alt="..."&gt; &lt;/a&gt; &lt;/click-to-play&gt; Into a still frame with a click to play button which loads the GIF on demand. For when you don't want big GIFs to be loaded unless people want to play them. Here's an example that demonstrates the new row editing tools in Datasette - in fact I built this…

Simon Willison's Weblog
NetNewsWire Status
IA Programmation

NetNewsWire Status

NetNewsWire Status I find this inspiring. Brent Simmons retired a year ago, and his retirement project is making one piece of software really, really good - free from any commercial pressure. The software is NetNewsWire - "it's like podcasts, but for reading" - first released in 2002 and made open source in 2018. I've been using it on Mac and iPhone for several years now and I'm finding it indispensable. Via Lobste.rs Tags: brent-simmons, netnewswire, open-source

Simon Willison's Weblog
npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners
Cybersécurité Programmation

npm Package Uses Prompt Injection and Token Flooding to Disrupt AI Malware Scanners

Last week, Socket Threat Research reported that newer Mini Shai-Hulud, Miasma, and Hades packages were embedding fake prompt-injection headers before obfuscated JavaScript payloads. Those comments did not affect runtime execution, but they appeared designed to interfere with AI-assisted malware review. Now we are seeing that same idea tested more directly in a package that appears designed to probe how AI-based scanners handle prompt injection, safety-triggering content, and context flooding.…

Socket
Esc