Mihai Maruseac (@mihaimaruseac) 's Twitter Profile
Mihai Maruseac

@mihaimaruseac

Supply chain security @ Google OSS Security Team. Previously TensorFlow Security & OSS (@ Google); Haskell+differential privacy+ML @ LeapYear.

Views my own

ID: 23897807

http://mihai.page · Joined 12-03-2009 04:27:52

13,13K Tweets

2,2K Followers

1,1K Following

JounQin (@jounqin) 's Twitter Profile Photo

cc ESLint Prettier Prettier ❤️ ESLint

Attention!!!

I was tricked by a phishing email and a new npm token was added and leaked, then some popular packages I'm maintaining were released with malicious software. I've deleted the leaked token and marked all affected bad
Alex Matrosov (@matrosov) 's Twitter Profile Photo

All those SDLC trainings and evangelism? Pretty much outdated now. AI’s churning out code faster than we can review, and your outdated SAST/SCAs don’t keep pace with the scale of these problems.

Mario Zechner (@badlogicgames) 's Twitter Profile Photo

Why can't .claude.json be inside .claude/

Please, app devs, don't just shit all over my home directory. It's bad enough you all create a ~/.myapp folder.

(You should really use XDG conventions, i.e. ~/.config/your-filthy-app, ~/.cache/your-filthy-app)
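The XDG convention the post asks for is easy to get right, and for apps whose config holds API tokens the directory placement is also a permissions question. The following is an added example, not code from the post's author or from any of the apps named above; the app name "your-filthy-app", the throwaway HOME, the relative XDG_CONFIG_HOME value and the placeholder token are all constructed for the demonstration. It applies the Base Directory rules (unset, empty or relative values of XDG_*_HOME are ignored in favour of the $HOME default) and writes the config 0600 under a 0700 directory regardless of the process umask.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional


def xdg_base(var: str, fallback: str, env: Mapping[str, str], home: str) -> Path:
    """XDG Base Directory rule: honour $var only if it is set, non-empty and
    absolute; a relative value is invalid and ignored, falling back to $HOME/<fallback>."""
    value = env.get(var, "")
    if value and os.path.isabs(value):
        return Path(value)
    return Path(home) / fallback


def app_dirs(app: str, env: Mapping[str, str], home: str) -> Dict[str, Path]:
    """Per-app directories instead of a ~/.<app> dump in the home directory."""
    return {
        "config": xdg_base("XDG_CONFIG_HOME", ".config", env, home) / app,
        "cache": xdg_base("XDG_CACHE_HOME", ".cache", env, home) / app,
        "state": xdg_base("XDG_STATE_HOME", ".local/state", env, home) / app,
    }


def write_private_file(path: Path, data: bytes) -> int:
    """Config files like these often hold API tokens: create the directory 0700
    and the file 0600 regardless of umask or a pre-existing wider mode."""
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    fd = os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # O_CREAT's mode only applies when the file is new
    return stat.S_IMODE(path.stat().st_mode)


def demo(home: Optional[str] = None) -> dict:
    """Constructed run in a throwaway HOME: a relative XDG_CONFIG_HOME that must be
    ignored, a custom absolute XDG_CACHE_HOME, and a token-bearing config written 0600."""
    home = home or tempfile.mkdtemp(prefix="xdg-demo-")
    env = {
        "XDG_CONFIG_HOME": "relative/is/invalid",  # constructed: must fall back to $HOME/.config
        "XDG_CACHE_HOME": os.path.join(home, "cache-custom"),  # constructed: absolute, honoured
    }
    dirs = app_dirs("your-filthy-app", env, home)
    cfg = dirs["config"] / "config.json"
    file_mode = write_private_file(cfg, b'{"token": "constructed-placeholder"}\n')
    return {
        "config": str(cfg),
        "cache": str(dirs["cache"]),
        "file_mode": file_mode,
        "dir_mode": stat.S_IMODE(cfg.parent.stat().st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

The explicit chmod after os.open matters: the mode argument to O_CREAT is only applied when the file is newly created, so an existing world-readable config would otherwise keep its old bits.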
Mihai Maruseac (@mihaimaruseac) 's Twitter Profile Photo

I think that people would hate less the manifest v3 changes (implicitly the removal of ublock, etc) if chrome would have been proactive in blocking all ads that are intrusive, obnoxious, malware, make the web unusable without an ad blocker. Instead, we live in a world where..

Andrew Thompson (@imposecost) 's Twitter Profile Photo

Hardening is not sexy. Some nerds really love it. I specifically picked my path to always be in contact with the opposition. In normal security roles, if you're constantly in incident response, that says something about the state of your security program. However, threat

Adi Polak (@adipolak) 's Twitter Profile Photo

If you’re an AI Engineer and don’t understand these yet, you’re just fine-tuning in the dark:
• Event-driven systems
• Feature stores
• Vector DBs
• Model pipelines
AI isn’t just models. It’s systems. Learn to build them.

Tracy Lee | ladyleet (@ladyleet) 's Twitter Profile Photo

YouTube ads are now so aggressive they feel less like a revenue stream and more like a loyalty test. Like how bad do you really want to watch this video?

Mick Douglas 🇺🇦🌻 (@bettersafetynet) 's Twitter Profile Photo

What is happening re: Salt Typhoon? It's a gawdamn national embarrassment. US Government: Hey phones are pwned. It's China. citizens: you're fixing it right? Telcos: pweeze dis is so hawd. 🥺👉👈 This is NOT how a serious nation responds to such an incursion.

Mario Zechner (@badlogicgames) 's Twitter Profile Photo

Don't build agents, build assistants. As a second step: try to turn the assistant into a deterministic program. Building the assistant first usually lets you explore the problem space fully, so you understand how the task can be solved deterministically.

Simson Garfinkel (@xchatty) 's Twitter Profile Photo

Just published! How we reconstructed the individual-level records from the 2010 Census tables for tens of millions of people and reidentified millions using only commercially available data. hdsr.mitpress.mit.edu/pub/ntchx9im

Gergely Orosz (@gergelyorosz) 's Twitter Profile Photo

Whoa - Datadog's largest-ever outage in 2023 was caused by the same thing as Heroku's largest-ever one this June. Same OS version (Ubuntu 22.04), same process (systemd). If Heroku had done the same changes Datadog publicly shared in 2023, Heroku's outage would not have happened.

(((JReuben1))) (@jreuben1) 's Twitter Profile Photo

Google OSS Rebuild, a new project designed to detect supply chain attacks in open source software by independently reproducing and verifying package builds across major repositories tech.slashdot.org/story/25/07/22…

Gergely Orosz (@gergelyorosz) 's Twitter Profile Photo

How it started: "AI vibe coding tools will replace devs!"

How it's going: "Do this:
- Provide it w a detailed spec
- Break down tasks to small ones
- Separate dev and prod envs
- Do NOT give access to the agent to prod
- Never trust the agent; verify every step it takes
- ...

Simon Willison (@simonw) 's Twitter Profile Photo

I wrote up some notes on Google Security's new OSS Rebuild project, which increases supply chain security for popular packages on PyPI, NPM and Crates through offering independent build attestations simonwillison.net/2025/Jul/23/os…
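The two OSS Rebuild posts above rest on one mechanism: rebuild the package independently from its source, and compare the digest you get with the digest of what the registry serves; an attestation is only useful if the build is byte-for-byte reproducible. The following is an added example, not OSS Rebuild's code nor Simon Willison's or the Slashdot post's; the source tree, the "tampered" upload, the SOURCE_DATE_EPOCH value, the builder id and the predicateType URL are all constructed placeholders, and the statement skeleton follows the public in-toto Statement layout rather than OSS Rebuild's actual schema. It shows why a naive build can never be attested (wall-clock time leaks into the tarball), how a normalised build becomes stable, and how a consumer catches an upload that does not match the rebuild, which is exactly the failure mode of the leaked-npm-token incident earlier on this page.

```python
import gzip
import hashlib
import io
import tarfile
import time
from typing import Dict, Optional

# Constructed sample source tree; not a real package on any registry.
SOURCE_FILES: Dict[str, bytes] = {
    "demo-1.0.0/pyproject.toml": b"[project]\nname = 'demo'\nversion = '1.0.0'\n",
    "demo-1.0.0/demo/__init__.py": b"def answer():\n    return 42\n",
}
# What a compromised maintainer token might push: same code plus an extra file.
TAMPERED_FILES: Dict[str, bytes] = dict(SOURCE_FILES)
TAMPERED_FILES["demo-1.0.0/demo/_hook.py"] = b"# constructed stand-in for injected code\n"
EPOCH = 1700000000  # constructed SOURCE_DATE_EPOCH shared by builder and rebuilder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_sdist(files: Dict[str, bytes], now: Optional[float] = None) -> bytes:
    """A build that lets wall-clock time leak into the artifact: tar member
    mtimes and the gzip header timestamp differ between runs, so an
    independent rebuild can never match it byte for byte."""
    now = int(time.time() if now is None else now)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), now
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=now) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def reproducible_sdist(files: Dict[str, bytes], source_date_epoch: int = EPOCH) -> bytes:
    """Normalise every builder-dependent field: entry order, mtime, uid/gid,
    user/group names, mode, and the gzip header timestamp."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(files[name]), source_date_epoch, 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=source_date_epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def rebuild_statement(artifact_name: str, rebuilt: bytes, builder_id: str) -> dict:
    """in-toto Statement skeleton whose subject digest is what the rebuilder got.
    predicateType and predicate body are placeholders, not OSS Rebuild's schema."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(rebuilt)}}],
        "predicateType": "https://example.invalid/rebuild/v0",
        "predicate": {"builder": {"id": builder_id}, "sourceDateEpoch": EPOCH},
    }


def matches_statement(published: bytes, artifact_name: str, statement: dict) -> bool:
    """Consumer-side check: does the registry's artifact hash to the digest an
    independent rebuilder attested for the same artifact name?"""
    digest = sha256_hex(published)
    return any(
        s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
        for s in statement.get("subject", [])
    )


def demo() -> dict:
    name = "demo-1.0.0.tar.gz"
    # The rebuilder works from the source tree, never from the uploaded artifact.
    stmt = rebuild_statement(name, reproducible_sdist(SOURCE_FILES), "rebuilder.example")
    honest_upload = reproducible_sdist(SOURCE_FILES)
    tampered_upload = reproducible_sdist(TAMPERED_FILES)
    return {
        "honest_matches": matches_statement(honest_upload, name, stmt),
        "tampered_matches": matches_statement(tampered_upload, name, stmt),
        # Two naive builds one second apart give different bytes: nothing to attest.
        "naive_is_reproducible": naive_sdist(SOURCE_FILES, EPOCH) == naive_sdist(SOURCE_FILES, EPOCH + 1),
        "reproducible_is_stable": reproducible_sdist(SOURCE_FILES) == reproducible_sdist(SOURCE_FILES),
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately on the artifact the registry serves, not on anything the maintainer's machine produced: a stolen publish token lets an attacker upload whatever they like, but it does not let them change what an independent rebuild of the tagged source yields.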