"Your biggest security vulnerability isn't your code, it's everyone else's code that your code depends on."
Hello Builders! 👋
🔥 Today's Top Story
A security researcher just pwned X, Vercel, Cursor, and Discord through a supply-chain attack, and the Hacker News crowd is losing their minds (356 comments and counting). This isn't some theoretical threat – actual production systems at companies we use daily got compromised.
Here's the reality check: we're all speedrunning deployment with tools like Cursor and Vercel, trusting npm packages without a second thought. The same AI-powered workflow that lets you ship in hours also means you're one malicious dependency away from exposing your entire stack. The researcher demonstrated how easy it is to inject code into popular packages that these platforms depend on.
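If "audit your dependencies" sounds abstract, here is the kind of check it boils down to. This is an added example (not code from the researcher, the newsletter, or any of the platforms named above) that reads an npm `package-lock.json` (lockfileVersion 2 or 3) and flags entries that a reviewer would want to look at before trusting them: missing `integrity` hashes, tarballs resolved from somewhere other than the expected registry, non-HTTPS sources, and packages that run install lifecycle scripts (the lockfile's `hasInstallScript` flag). The sample lockfile, package names, and integrity strings are constructed for the demo; the trusted-host set is an assumption you would adjust for a private mirror.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) for supply-chain red flags.

Added example; not from the newsletter or any project it mentions.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption: only the public npm registry is trusted. Add your private
# mirror's hostname here if you run one.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock: dict, trusted_hosts=TRUSTED_REGISTRY_HOSTS) -> list[dict]:
    """Return one finding per suspicious package entry in the lockfile."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            # "" is the root project itself; "link" entries are workspace symlinks.
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        reasons = []

        # No integrity hash means npm cannot verify the tarball it installs.
        if not meta.get("integrity"):
            reasons.append("missing integrity hash")

        resolved = meta.get("resolved")
        if resolved is None:
            reasons.append("no resolved URL")
        else:
            parsed = urlparse(resolved)
            if parsed.scheme != "https":
                # Covers plain http:// as well as git+ssh:// and similar.
                reasons.append(f"non-https source ({parsed.scheme})")
            elif parsed.hostname not in trusted_hosts:
                reasons.append(f"untrusted registry host {parsed.hostname}")

        # Install scripts execute arbitrary code on the developer's or CI machine.
        if meta.get("hasInstallScript"):
            reasons.append("runs install lifecycle script")

        if reasons:
            findings.append({"name": name, "version": meta.get("version", "?"),
                             "reasons": reasons})
    return findings


def format_findings(findings: list[dict]) -> str:
    """Render findings as one line per package for a human reviewer."""
    if not findings:
        return "no findings"
    return "\n".join(f"{f['name']}@{f['version']}: {'; '.join(f['reasons'])}"
                     for f in findings)


# Constructed sample lockfile: one clean entry, one install-script package
# pulled over plain HTTP from a non-registry host, one entry with no integrity.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/tidy-strings": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/tidy-strings/-/tidy-strings-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-1",
        },
        "node_modules/native-addon": {
            "version": "0.0.1",
            "resolved": "http://mirror.example.internal/native-addon-0.0.1.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-2",
            "hasInstallScript": True,
        },
        "node_modules/unpinned-lib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/unpinned-lib/-/unpinned-lib-2.0.0.tgz",
        },
    },
}


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    print(format_findings(audit_lockfile(lock)))
```

Run it against a real lockfile with `python audit_lock.py package-lock.json`; with no argument it audits the constructed sample and reports the two suspicious entries. It is a static triage pass, not a malware scanner: a clean report means the lockfile pins what it claims to pin, not that the pinned code is safe.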
🚀 Ships & Launches
OpenAI Drops GPT-5.2-Codex - New coding model promises better agentic development and cybersecurity performance.
Vibe Coding Security Scanner - Jacob's shipping a security scanner that actually vibes with your code after beta testing rounds proved it works.
AI Workplace Search Assistant - Carmine built an AI that digs through all your scattered work accounts so you stop losing that one Slack thread.
Google Ships T5Gemma 2 - Next-gen encoder-decoder model built on Gemma 3 adds multimodality and extended context, joining the "everything needs vision now" party.
FunctionGemma Brings Edge Calling - Tiny 270M parameter Gemma 3 model fine-tuned for function calling runs on device, perfect for when you need your toaster to parse JSON.
Supabase Launches Vector Buckets - New storage option promises durability and cost savings for embeddings, because storing millions of float arrays was getting expensive.
📺 Learn & Build
Production RAG Reality Check - Six hard-earned lessons on data quality, retrieval design, and evaluation from actual production RAG systems that didn't implode.
Google AI Studio Speed Run - Four concrete ways to use AI Studio's Build mode for faster prototyping, clearer communication, and actual automation that works.
200+ n8n Templates Explored - Deep dive into n8n's template repo reveals surprisingly sophisticated AI automation and RAG workflows you can actually steal.
Perplexity + NotebookLM Stack - How pairing these two AI tools creates a research workflow that's genuinely better than the old way.
History LLMs Train on Old Books - Models trained exclusively on pre-1913 texts raise questions about copyright-free training data and historical bias.
💬 Builder Conversations
Prove Your Code Works - Simon Willison's post sparked 600+ comments debating what "proven to work" actually means in production.
Sam Bets on Total Memory - Altman claims the real breakthrough isn't reasoning but AI remembering every conversation, email, and doc across your lifetime.
v0 Wants Your Wishlist - Vercel's AI builder is crowdsourcing 2026 feature requests, and replies are full of spicy takes on what's missing.
📰 Industry Moves
ChatGPT Hits $3B Mobile Revenue - Reached the milestone in just 31 months, faster than TikTok or any major streaming app ever did.
OpenAI Eyes $830B Valuation - Trying to raise $100B by Q1 2026 with sovereign wealth funds, because apparently the previous valuation wasn't ambitious enough.
Anthropic Partners with DOE - Providing Claude and dedicated engineers to the Department of Energy's Genesis Mission to accelerate scientific discovery at scale.
AI Labs Add Teen Detection - OpenAI and Anthropic are rolling out age prediction systems to identify 13- to 17-year-olds and adjust responses accordingly.
Figure Founder's $100M AI Lab - Brett Adcock is self-funding "Hark," a new lab building human-centric AI after his humanoid robotics company hit $39B valuation.
One More Thing...
Wild that we're celebrating GPT-5.2-Codex dropping the same day someone casually pwned half the dev ecosystem through a supply chain attack. Maybe audit your dependencies before you let AI write more of them?
What are you shipping this weekend (and how many npm packages deep is your trust going)?
Keep shipping,
P.S. If you're building RAG systems, that production lessons post is actually worth the read. Unlike most "lessons learned" posts, this one has real scars.
