This weekly records the technology content worth sharing and is published every Friday.
This magazine is open source, and we welcome your submissions. There is also the "Who is Hiring" service, which posts programmer job openings. For collaborations, please contact us by email ([email protected]).
Cover image: the Tencent headquarters campus scheduled to open this year, commonly known as "Penguin Island", includes not only office buildings but also several apartment buildings. (via)
Axios Poisoning and Hollywood-Style Deception
Last week, the well-known software library Axios was poisoned by attackers. The hackers obtained the release token and directly published a new version containing a trojan.

Software poisoning is not new; what is new is how the release token leaked. The story behind it reads like a Hollywood movie and is almost impossible to defend against.
Axios is one of the most widely used JS libraries, with nearly 100 million downloads per week, so the impact of this poisoning is significant.

Moreover, the trojan is highly malicious. According to the official removal instructions, anyone unfortunate enough to be infected has to treat the machine as compromised and revoke every key that was on it: the trojan scans all directories, collects keys, and sends them out.
Everyone should know that an extremely popular library like axios has protection at every stage, and every line of code is strictly reviewed. This attack was a meticulously planned piece of social engineering that broke through all of those protections.
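The attack above used a stolen release token to publish a trojaned version, so the first thing a consuming project wants to know is which versions of the library are actually installed, including transitive copies buried deeper in node_modules, and whether each one is pinned with an integrity hash. The following Python lockfile audit is an added example for this issue, not code from the Axios project or from its advisory. It parses a constructed sample package-lock.json (the package names other than axios, every version string and every integrity hash are placeholders; the page does not name the affected axios version and this sample does not either), lists every install of a named package, and flags any version outside an allow-list, any entry without an integrity hash, and any tarball resolved outside the expected registry.

```python
import json
import sys

# Constructed sample package-lock.json (lockfileVersion 3). Package names other
# than axios, every version string and every integrity hash are placeholders;
# the affected axios version is not named on the page and not encoded here.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER0",
        },
        "node_modules/some-sdk": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-sdk/-/some-sdk-2.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER1",
        },
        # a transitive copy pulled in by some-sdk at a version nobody pinned
        "node_modules/some-sdk/node_modules/axios": {
            "version": "1.0.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.1.tgz",
            "integrity": "sha512-PLACEHOLDER2",
        },
        "node_modules/dev-only": {
            "version": "0.1.0",
            "resolved": "https://example.invalid/mirror/dev-only-0.1.0.tgz",
            "dev": True,
        },
    },
})


def iter_installs(lock):
    """Yield (install_path, entry) for every installed package, covering the
    v2/v3 "packages" map and the legacy v1 nested "dependencies" tree."""
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path:  # "" is the root project itself, not an install
                yield path, entry
        return

    def walk(deps, prefix):
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, entry
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock_text, package, allowed_versions,
                   registry="https://registry.npmjs.org/"):
    """Report every install of `package` (including nested transitive copies)
    and flag any install of any package that deviates from the allow-list,
    lacks an integrity hash, or resolves outside the expected registry."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in iter_installs(lock):
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
        version = entry.get("version")
        resolved = entry.get("resolved", "")
        problems = []
        if name == package and version not in allowed_versions:
            problems.append(f"version {version} not in allow-list {sorted(allowed_versions)}")
        if not entry.get("integrity"):
            problems.append("no integrity hash")
        if resolved and not resolved.startswith(registry):
            problems.append(f"resolved outside registry: {resolved}")
        if name == package or problems:
            findings.append({"path": path, "name": name, "version": version,
                             "problems": problems})
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py package-lock.json axios 1.0.0 [more good versions]
    if len(sys.argv) >= 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        findings = audit_lockfile(text, sys.argv[2], set(sys.argv[3:]))
    else:
        findings = audit_lockfile(SAMPLE_LOCK, "axios", {"1.0.0"})
    for f in findings:
        status = "BAD" if f["problems"] else "OK "
        print(f"{status} {f['path']} {f['version']}: {'; '.join(f['problems']) or 'pinned'}")
    sys.exit(1 if any(f["problems"] for f in findings) else 0)
```

An allow-list only catches a version you did not intend to install; it cannot tell you that a pinned version is itself the trojaned one, so the allow-list has to come from the advisory. Revoking keys on an infected machine, as the removal instructions require, is a separate step from cleaning the lockfile. The non-zero exit status makes the script usable as a CI gate.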
The target of the attack was the lead maintainer, Jason Saayman. According to his own account, the process went like this.
They tailored the process to my situation; the specific steps were as follows:
- They impersonated the founder of a company to contact me, cloning not only the founder's appearance but also the company itself.
- They then invited me to join a real Slack workspace. It used the company's branding and had a credible name. The workspace was very well designed, with dedicated channels for sharing LinkedIn posts; I assumed those posts would eventually be published on the company's real account, which made the whole thing very convincing. They even created fake accounts that I took to be members of the company's team and other open-source maintainers.
- They arranged a meeting with me, held on Microsoft Teams. There appeared to be multiple participants.
- During the meeting they pointed out that something on my system was outdated. I assumed it was related to Teams and installed the "missing" component, which turned out to be a Remote Access Trojan (RAT).
- Everything was orderly and looked professional, and the way they operated was highly professional.
It was clear that this attack was well scripted: each step was carefully planned, fully prepared and rehearsed, and the whole thing was tailored to you, just waiting for you to fall into the trap.
The scammers are very patient and invested a huge amount up front. First they pose as the founder of a company to contact you, and to enhance credibility they build a fake company website. Then they invite you into their Slack workspace, full of discussions, project documents and promotional material, all of it looking real. The most cunning part is that they even let you join the company's video conferences on Teams, where a whole group of scammers shows up in person to sit through the meeting with you.
Once the meeting starts, the host suddenly says, "Strange, why does your system look different from ours? Is your Microsoft plugin outdated? I'll send you the latest version." And just like that, an installation package arrives. With the other participants waiting on you, you don't think twice and double-click it. That is how you get tricked: the token leaks in a second.
To fake it to this extent is truly impressive.
This reminds me of an Indian news item I saw recently, where the level of fabrication was even more extreme, just like a Hollywood movie.
Last Christmas, a 77-year-old woman in New Delhi, India received a WhatsApp video call from a "police station". There was even a sign-language interpreter in the lower right corner of the video.

The "police" told her that the bank had found money-laundering records in her account and that she had to be investigated; if she did not cooperate, the funds in her account would be seized. She was told to attend a court hearing remotely.
The media later published photos of the "police station" set; take a look at how realistic they are.



The first three photos show an Indian police station and the last one a Pakistani police station. They are in the same building, in adjoining rooms. The two countries are adversaries in reality, but that does not stop scammers from deceiving both sides.
Returning to the case itself: a few days later, the elderly woman attended an online hearing held by a "court" and presided over by a "judge". He reviewed the financial records, heard testimony from the "police", and asked her some questions.
Finally, the "judge" told her that the authorities needed to verify whether all of her assets were legal. She had to connect to the police station every day and answer questions until the matter was cleared up.
Now comes the most remarkable part of this case. For 16 consecutive days, the elderly woman connected by camera every day. You can see how far the scammers were willing to go.
During these 16 days, the elderly woman gradually grew fond of the officers on duty at the fake police station. She began to treat them as her own children, and they in turn called her "Mother".
In the evenings she read Hindu religious texts with the youngest officer, asking him to send her the passages he found most touching.
"They were like family," the elderly woman recalled. "They said, 'Ma'am, we want to resolve this as soon as possible. We work day and night for you.'"
Goodness: the scammers performed for 16 days from morning to night, having heart-to-heart talks with the elderly woman, reading scripture with her, and discussing life's questions late into the night. If this were made into a movie, how touching it would be.
The elderly woman had not the slightest suspicion. She willingly sold her investments and transferred a total of $1.6 million to the fake police station's account in nine transfers.
The next day, she could no longer reach her "children at the police station".
From these two cases you can see how far internet scams have come: a precisely targeted, fully scripted production with an extremely high success rate. Add AI to the mix and it will be almost impossible to tell real from fake.
There is a rule in website development: every client request is untrusted and must be assumed to be malicious. In the future, real life may work the same way: every stranger is untrusted and must be assumed to be a scam.
Computing power is still insufficient
Three recent events show how tight computing power is right now.
First, OpenAI shut down its video generation service Sora, mainly for lack of computing power: the company needs to allocate its compute to its core business.
Second, Anthropic has officially banned using monthly subscriptions with third-party tools (such as OpenClaw, OpenCode, etc.).
The reason is that a fully used monthly subscription consumes computing power worth far more than the subscription fee. The company's compute is precious and must go first to its own products (such as Claude Code); external products should not add load to the data center.
Third, some articles claim that the number of code commits on GitHub in the first three months of this year was 14 times that of the same period last year!
The reason is obviously the surge in AI-assisted programming; Claude Code did not exist at the start of last year. GitHub's resources simply could not absorb this increase, so it has been malfunctioning constantly.

The image above shows that GitHub's uptime over the past three months was only 89.47%, whereas the acceptable figure would be 99.99%.
These three events indicate that the major AI service companies have very tight computing resources and that hardware remains in short supply.
This means the surge in hardware prices is not over and will continue, and GitHub is likely to tighten its free services and move fully to a paid model.
Is front-end repetitive work?
I saw a developer say that front-end work is essentially always the same: display some data to the user and let the user work with it.
He felt there was no need to keep solving the same problem over and over.
So he built an "Adaptive Browser": the front-end UI is generated automatically by AI, and the back-end only needs to provide the data together with a description of the page's purpose.
Could this be the end of front-end work?
Adobe modified the hosts file
Adobe's main product is the "Creative Cloud" suite, which includes many famous software, such as Photoshop, Illustrator, Premiere.

A user installed it and was shocked to find that the installer had edited his hosts file.

As shown in the image above, Adobe added a local DNS record to the hosts file.
Why would an application modify system files?
According to insiders, this is used to detect whether the user has installed Creative Cloud. When the user visits the official website, the page sends a request to the domain shown in the image above. Since that domain only resolves on the local machine, a local component receiving the request means the user has Creative Cloud installed.
For such a well-known product to resort to a scheme that resembles "planting a backdoor", and to aim it at the very people who pay for it, is truly frustrating.
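The mechanism described above rests on one hosts-file line that makes a vendor hostname resolve to the loopback address, so that a request from the vendor's web page reaches a local listener instead of the internet. The following Python script is an added example, not Adobe's code and not the exact entry from the screenshot (the hostnames in the constructed sample are placeholders): it parses a hosts file, ignores the standard loopback names, and flags public-looking hostnames pinned to loopback, names sinkholed to 0.0.0.0, and addresses that do not parse.

```python
import ipaddress
import sys

# Constructed sample hosts file. The vendor hostname is a placeholder, not the
# domain from the screenshot, which the page does not reproduce in text.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.10    nas.lan
# Added by an application installer
127.0.0.1       installed-check.vendor.example
127.0.0.1       telemetry.example.com
0.0.0.0         ads.example.net
"""

# Names that legitimately map to loopback on most systems.
STANDARD_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Return (line_no, address, hostname) triples, one per hostname,
    ignoring blank lines and '#' comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((line_no, fields[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Flag hostnames that look like public DNS names but are pinned to a
    loopback address (the Creative Cloud pattern), names sinkholed to
    0.0.0.0, and entries whose address does not parse."""
    flagged = []
    for line_no, address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            flagged.append({"line": line_no, "name": name, "address": address,
                            "reason": "address does not parse"})
            continue
        if name in STANDARD_NAMES:
            continue
        if addr.is_loopback and "." in name:
            reason = "public-looking name pinned to loopback"
        elif addr.is_unspecified:
            reason = "sinkholed to 0.0.0.0"
        else:
            continue  # ordinary LAN entries such as nas.lan are left alone
        flagged.append({"line": line_no, "name": name, "address": address,
                        "reason": reason})
    return flagged


if __name__ == "__main__":
    # Usage: python hosts_audit.py [/etc/hosts | C:\Windows\System32\drivers\etc\hosts]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for item in suspicious_entries(text):
        print(f"line {item['line']}: {item['address']} {item['name']} -> {item['reason']}")
```

Point it at /etc/hosts or at C:\Windows\System32\drivers\etc\hosts. A flagged loopback entry raises two questions worth answering: which local process answers on that name, and whether only the vendor's page can reach it, since any web page, not just the vendor's, can send a request to a name that resolves on your machine.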
Article
1. Underlying Structure of MDN's New Frontend (English)

MDN is the largest documentation website on the internet; this article introduces its front-end architecture, which turns out to be surprisingly complex.
2、Kill the person who writes code (Chinese)

The author, a front-end programmer at a major tech company, reflects on the past year, from writing code by hand to programming with AI. AI has changed everything and even resolves the "35-year-old retirement" problem. (Submitted by @wind-liang)
3、How I Set Up a SMS Gateway Using an Android Phone (English)

The author explains how to install an SMS gateway on a used Android phone and send and receive SMS messages over the internet (using your own mobile plan).
4、Testing Endianness with QEMU (English)

A beginner's C tutorial: run a program of fewer than ten lines in a local QEMU virtual machine to check whether a given architecture uses big-endian or little-endian byte order.
5、Python's importtime feature (English)

Python loads modules with the import statement, which incurs a performance cost. This article introduces the built-in `-X importtime` option, which shows how long loading each module takes.
6、The 2000 Kursk nuclear submarine disaster (English)

In August 2000, the Russian nuclear submarine Kursk exploded and sank during an exercise, killing all 118 crew members. The disaster unfolded very slowly, the scene was chaotic, and the rescue was delayed again and again. This article uses many photos to reconstruct the entire sequence of events.
Tools

This week, Google officially launched an iPhone app that provides offline access to the Gemma 4 model, so a smartphone can now run a large model without an internet connection.
2、apfel

Macs ship with a built-in local large model that works offline, but by default only Apple's own Siri can access it. After installing this tool, you can call it yourself from the command line.
3、Docking

A program dock for Linux desktops that mimics the dock on Apple's desktop.
4、Tantivy
A full-text search engine library written in Rust that can replace Apache Lucene; see the introductory article.

A cross-platform desktop application for screen recording and creating promotional videos, with a range of built-in editing functions.
6、epub-tts
This open-source tool converts EPUB files into audio files, turning e-books into audiobooks.
7、NVTOP

A command-line program for Linux that monitors the status of a GPU, the graphics-card equivalent of the top command.
8、dmcheck

Checks whether the domain names for a given keyword are already taken. (@PlayerYK submission)

An open-source animation curve editing website. (@AmyangXYZ submission)
10、gitlogue
This tool replays the commit history of a Git repository as an animation in the terminal and can even run as a screensaver.
Resources
1、Fojin

A digital aggregation platform for ancient Buddhist texts from around the world. (@xr843 submission)

A real-time 3D display of flights around the world. (@haojiang99 submission)

This website uses images to show the history of GPU graphics cards, from the Voodoo card in 1996 to the RTX 5090 in 2025.
Image
1、Simple Methods for Afforestation on Barren Mountains
Costa Rica in Central America produces orange juice, generating a large amount of orange peel that used to go to landfill.
An environmental organization persuaded the factories to dump 12,000 tons of orange peel on barren hillsides as fertilizer.

The slopes were covered with orange peel, and nothing else was done.

After six months the peel had completely rotted into black soil, and new growth gradually began to sprout.

Sixteen years later, when scientists returned to the site, it had become a dense forest.

This is truly the simplest method of greening barren mountains: just pile up orange peel and let it decompose.
2、2025 Global Physics Photography Competition
Sixteen particle-physics laboratories in the United States, France, Japan and other countries jointly organized a photography competition, inviting photographers to shoot physics laboratories in order to bring physics to the public.

The image above shows the cryogenic detector laboratory of Italy's National Institute for Nuclear Physics (INFN), which can cool matter to just above absolute zero.

The photo above was taken at France's national heavy-ion accelerator center (GANIL) and shows the power supply system of the linear accelerator.
For more photos, see here.
Excerpt
1、Why does sand stick?
When we play at the beach, sand sticks to our skin, shoes, clothes and hair.

The main component of sand is silica, the same as rock.
Rock is not sticky, so why is sand?
Actually, sand itself is not sticky, but it is hydrophilic, meaning it attracts water.
The human body is hydrophilic too, and we sweat heavily under the hot sun. When sand touches something wet, the water molecules make it cling. Skin also often carries oils or sunscreen, which make sand stick as well. In addition, the skin has small creases that can trap sand.
In short, to get rid of sand, wait for the skin to dry or rinse it off with water.
Statements
1、
If you think that the speed of writing code is your problem, then you have a bigger problem.
-- Andrew Murphy, Australian programmer
2、
There is a kind of excitement that only people who first got into cryptocurrency in 2017 have.
-- Andrew Murphy, Australian programmer
3、
A public opinion poll found that young Americans value marriage, children, and faith far less than their parents, and they are also indifferent to traditional values such as patriotism, religion, community, and family.
Young people treat the market and money as moral principles. In their eyes, the market determines the value of things, the meaning of events, who is right, who is the winner, and who matters.
--Predicting the Worst Consequences of the Market
4、
To me, the city of the future is a place like Amsterdam, with comfortable streets and bike lanes, rather than a place like Dubai, with 16-lane highways and an oppressed working class serving in flashy luxury shopping malls.
5、
Universities all require PhD students to publish papers. What you write about, how you write it, or whether it even relates to your research direction, the department does not really care. The department needs papers because papers justify funding, and funding justifies the department's existence. Students are merely the means to that end.
--"The machine is fine, the problem is us."
Review of past years
HDMI 2.2 audio-visual might be reaching its limit (#345)
The clever light bulb clock (#295)
Skyscrapers are inhuman (#245)
Have you ever worked on a project that doesn't care about the results? (#195)
(End)