Public notes from activescott tagged with #code
All things code!
Meanwhile, Bun’s relationship with the Zig community has soured. Zig Software Foundation maintains a strict “no AI code” policy and previously rejected Bun’s attempts to upstream performance improvements as “technically unsound.” WinBuzzer reported on May 1 that “Anthropic-owned Bun is already paying the cost” of Zig’s LLM ban. The friction is accelerating the Rust exploration.
Zig was a deliberate choice in 2022. Its comptime evaluation and zero-runtime design minimized overhead when calling JavaScriptCore’s C++ interfaces. But Zig’s ecosystem remains narrow: no central package registry comparable to crates.io, a small hiring pool, and slow open-source contributor growth.
Rust is now the practical standard for systems programming. AWS Firecracker, Cloudflare’s Workers runtime (workerd), and Linux kernel drivers are built in Rust. The White House ONCD and NSA have formally recommended Rust for memory safety. As of 2026, choosing Rust means choosing a contributor pool orders of magnitude larger than Zig’s.
Bun’s Rust move is about ecosystem integration, not raw performance gains. More contributors, better security tooling, and more hireable engineers.
Docs for the OAK-D Lite.
Luxonis OAK-D Lite datasheet.
Kinda like twilio.
The complete kits include a carbon-fibre QAV250 racing frame, flight controller and almost all other components needed (except battery and receiver).
This topic provides full instructions for building the kit and configuring PX4 using QGroundControl.
Collection of 3D printable components for DEXI drone builds and AVR competition kits.
With a payload capacity of up to 0.5 lbs DEXI offers a range of benefits and opens up various possibilities for both recreational and professional applications.
DroneBlocks provides a complete educational platform for STEM educators, combining drones and robotics to bring cutting-edge technology into the classroom.
Mission-Critical Drone Electronics.
PX4 is used in a wide range of use-cases, from consumer drones to industrial applications. It is also the leading research platform for drones and has been successfully applied to under water vehicles and boats.
integrated AI Companion Computer and Flight Controller
VOXL 2 Features
16 grams, 70x36mm SWAP-optimized design Powered by Qualcomm® QRB5165: 8 cores up to 3.091 GHz, 8GB LPDDR5 15 TOPS AI embedded Neural Processing Unit (NPU) Integrated flight controller on DSP with TDK® ICM-42688 IMU and ICP-10111 Barometer 5G, 4G/LTE, WiFi, Microhard add-on connectivity
$1,269.99
ArduPilot provides a comprehensive suite of tools suitable for almost any vehicle and application. As an open source project, it is constantly evolving based on rapid feedback from a large community of users. The Development Team works with the community and commercial partners to add functionality to ArduPilot that benefits everyone. Although ArduPilot does not manufacture any hardware, ArduPilot firmware works on a wide variety of different hardware to control unmanned vehicles of all types. Coupled with ground control software, unmanned vehicles running ArduPilot can have advanced functionality including real-time communication with operators.
Installed in over 1,000,000 vehicles world-wide, and with advanced data-logging, analysis and simulation tools, ArduPilot is a deeply tested and trusted autopilot system.
The software suite is installed in vehicles from many manufacturers
function assertNever(x: never): never { throw new Error(
Unexpected value: ${x}); }
The OWASP GenAI Security Project is a global, open-source initiative dedicated to identifying, mitigating, and documenting security and safety risks associated with generative AI technologies, including large language models (LLMs), agentic AI systems, and AI-driven applications.
The highest accuracy web search for your AI
Why use Parallel Search vs. the default search in Claude?
Parallel runs its own web-scale index (billions of pages, millions added daily) and returns dense, query-relevant excerpts instead of raw HTML or SEO-ranked snippets. On public benchmarks, Parallel outperforms the default search in leading frontier models. Your agent reaches the right answer in fewer round trips and with less wasted context. – https://parallel.ai/blog/free-web-search-mcp
The Push API gives web applications the ability to receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded, on a user agent. This lets developers deliver asynchronous notifications and updates to users that opt in, resulting in better engagement with timely new content.
Three versions of the durabletask PyPI package (1.4.1, 1.4.2, 1.4.3), Microsoft’s Durable Task SDK for Python, were published on May 19, 2026 using a compromised PyPI API token.
The dropper downloads a stage-2 Python zipapp (rope.pyz) from attacker infrastructure and executes it with all output suppressed. The stage-2 is a full credential harvesting framework with dedicated collectors for AWS Secrets Manager and SSM Parameter Store, Azure Key Vault, GCP Secret Manager, Kubernetes secrets (across all contexts), HashiCorp Vault, and local password managers (1Password, Bitwarden, pass, gopass). It also reads over 90 sensitive files from disk, exfiltrates everything encrypted with RSA-4096/AES-256-GCM to a C2 server, and propagates itself to other hosts via AWS SSM SendCommand and kubectl exec.
The payload includes geopolitical targeting: it skips systems with a Russian locale and contains a destructive rm -rf /* routine targeting Israeli and Iranian systems.
Password Managers (collectors/passwords.py): Attempts to unlock 1Password, Bitwarden, pass, and gopass by brute-forcing passwords harvested from environment variables matching PASS, SECRET, KEY, BW_, OP_, _MASTER patterns, and from shell history (.bash_history, .zsh_history). On success, it dumps every item from every vault.
Filesystem (collectors/filesystem.py): Reads 90+ files including SSH keys, cloud credentials, Docker configs, npm/PyPI/Cargo/Gem tokens, kubeconfig, Terraform state files, VPN configurations (Tailscale state, WireGuard configs), MCP server configs (Claude Desktop, Cursor, VS Code, Zed, Codeium, Continue), and all .env files found under the home directory. Also extracts environment variables from all Docker containers via the Docker socket or CLI, and collects GitHub tokens via gh auth token.
and collects GitHub tokens via gh auth token.
For each token found, it creates a new public repository named with random Slavic folklore words (e.g., BABA-YAGA-KOSCHEI-742, description: “PUSH UR T3MPRR”) and uploads the encrypted data bundle as results.json. The attacker can later search GitHub for repositories matching these distinctive naming patterns to retrieve the exfiltrated data.
- No trusted publishers. The project uses legacy API token authentication instead of PyPI’s OIDC trusted publisher mechanism. Trusted publishers bind publishing to a specific GitHub repository, workflow, and environment. A stolen token cannot publish from outside that workflow. This project has no such binding: anyone holding the token can upload any version from any machine.
Kubernetes (collectors/kubernetes.py): Parses kubeconfig (with a custom YAML parser, no PyYAML dependency), iterates every context, and dumps secrets from all namespaces. Supports in-cluster service account tokens, client certificate auth, and bearer tokens. If kubectl is not present, the collector downloads it from dl.k8s.io. After collecting secrets, it propagates the payload to up to 5 other running pods via kubectl exec.