WEBVTT
NOTE The Rundown — nextbig.dev daily audio edition, 2026-06-02

1
00:00:00.000 --> 00:00:05.141
<v Alex>Good morning! Welcome to Builder's Briefing for June second, twenty twenty-six. I'm Alex, Sam's here with me, and today — buckle up — because the theme is basically 'your supply chain is trying to kill you.'

2
00:00:05.141 --> 00:00:12.194
<v Sam>Yeah, it's one of those days where every other story makes you want to go audit something. We've got compromised npm packages inside Red Hat's own repos, ChatGPT add-ons exfiltrating spreadsheet data, Anthropic going public, and a ten-year-old Xeon running Gemma 4. Let's get into it.

3
00:00:12.194 --> 00:00:19.992
<v Alex>Alright, the big story. Malicious npm packages were found inside Red Hat's official JavaScript client libraries — their own GitHub org, the RedHatInsights repos. We're talking Insights, Vulnerability, Compliance clients. Over six hundred points on Hacker News, three hundred plus comments. This one rattled people.

4
00:00:19.992 --> 00:00:26.971
<v Sam>And rightfully so, because this isn't some random typosquatting on a package called 'left-padd' with two D's. This is compromised code inside an enterprise vendor's official repos. If you're auto-updating dependencies from this ecosystem, you might already have this in your build.

5
00:00:26.971 --> 00:00:35.837
<v Alex>Exactly. So if you've pulled from any of those RedHatInsights JS clients recently, stop what you're doing and run npm audit. Check your lockfiles for unexpected version bumps, pin your versions, verify checksums. And honestly, if you haven't set up Socket.dev or Snyk or even just GitHub's dependency review action in your CI — this is the forcing function.

6
00:00:35.837 --> 00:00:42.989
<v Sam>The bigger signal here is that supply chain attacks are moving upstream. We're past worrying about obscure packages. When Red Hat gets hit, the blast radius is every enterprise app that trusts their dependency graph. You have to treat that graph like an attack surface, because it is one.

7
00:00:42.989 --> 00:00:49.868
<v Alex>And speaking of attack surfaces expanding — the security stories today are wild. PromptArmor demonstrated that ChatGPT integrations for Google Sheets can be manipulated to silently send your entire workbook to external servers. Prompt injection in cell contents can trigger it.

8
00:00:49.868 --> 00:00:57.617
<v Sam>That's terrifying because those add-ons typically get full read access to your workbooks. You install some AI-powered Sheets plugin thinking it'll help with formulas, and suddenly your financial projections are being exfiltrated. If you've installed any LLM-powered Sheets add-ons, audit those permissions today.

9
00:00:57.617 --> 00:01:03.627
<v Alex>There's also a new side-channel attack that fingerprints users by analyzing SSD activity through the browser. Storage I/O timing as a fingerprinting vector — we're now beyond cookies, beyond canvas fingerprinting, into hardware-level signals.

10
00:01:03.627 --> 00:01:10.953
<v Sam>Right, and what's wild is how hard that is to mitigate. You can block cookies, you can mess with canvas, but how do you mask the timing characteristics of your actual storage hardware? If you're building privacy tools or anti-tracking features, your threat model just got a lot more complicated.

11
00:01:10.953 --> 00:01:15.672
<v Alex>Let's pivot to AI. This one made me smile — Point-Free demonstrated running Google's Gemma 4 on a twenty-sixteen Xeon. No GPU required. Just a ten-year-old server chip doing local inference.

12
00:01:15.672 --> 00:01:22.650
<v Sam>I love this because it completely undercuts the 'I need a four thousand dollar GPU to even experiment with LLMs' excuse. You can grab one of these Xeons off eBay for practically nothing and start prototyping local inference features today. The barrier to entry just keeps dropping.

13
00:01:22.650 --> 00:01:31.119
<v Alex>Also worth flagging — Stanford's CS three thirty-six course, Language Modeling from Scratch, is open again. And this time it includes a CLAUDE.md file giving AI coding agents explicit guidelines for completing the assignments. So you've got world-class learning material and a practical template for scoping agent behavior in your own repos.

14
00:01:31.119 --> 00:01:38.594
<v Sam>That CLAUDE.md thing is actually super interesting as a pattern. We're seeing more repos ship with explicit instructions for AI agents — it's becoming a standard artifact, like a README but for your coding assistant. I'd recommend anyone running AI agents on their codebase look at that as a template.

15
00:01:38.594 --> 00:01:41.053
<v Alex>Okay, big startup news — Anthropic has filed a confidential S-1 with the SEC. They're going public.

16
00:01:41.053 --> 00:01:47.485
<v Sam>This is huge for anyone building on the Claude API. Going public means Anthropic is betting on long-term revenue stability, but it also means public market pressure replaces the growth-at-all-costs incentive. Translation: expect API pricing to go up post-IPO.

17
00:01:47.485 --> 00:01:53.595
<v Alex>Yeah, the subsidized pricing era has an expiration date. If your margins depend on cheap API calls, now's the time to diversify your model provider strategy or explore local inference. That twenty-sixteen Xeon is looking real attractive suddenly.

18
00:01:53.595 --> 00:01:58.959
<v Sam>Ha! Full circle. And on the other end of the spectrum, DuckDuckGo is leaning hard into 'no-AI search' and their traffic is booming. There's a real market of users who explicitly don't want AI in their search results.

19
00:01:58.959 --> 00:02:03.255
<v Alex>That's interesting because it suggests offering an AI-free mode in your product might be a genuine differentiator now, not just a niche preference. Something to think about.

20
00:02:03.255 --> 00:02:10.110
<v Alex>Quick hits on launches — Meta is rolling out paid subscriptions across Instagram, Facebook, and WhatsApp with AI features gated behind paid tiers. If you're building on Meta's platforms, the economics just changed. Paying users expect more reliability and better integrations.

21
00:02:10.110 --> 00:02:15.996
<v Sam>Nvidia also announced RTX Spark — details are thin but it's targeting a compact form factor. If it delivers desktop-class GPU compute in a smaller package, that could reshape local inference hardware for devs who don't want a full tower.

22
00:02:15.996 --> 00:02:22.453
<v Alex>And Microsoft shipped open-source Copilot Studio skills — YAML-based, designed explicitly for Claude Code and GitHub Copilot CLI. If you're building enterprise agent workflows, that's your schema-validated starting point. Link in the briefing for all of these.

23
00:02:22.453 --> 00:02:29.258
<v Sam>Oh, and I have to shout out GoDoxy — a Go-based reverse proxy with container orchestration built in, trending on GitHub. If you're self-hosting and tired of configuring Nginx and Docker Compose separately, this collapses both into one tool with auto-discovery. Pretty slick.

24
00:02:29.258 --> 00:02:36.907
<v Alex>Rapid fire quick hits — only seventeen percent of sixty-four-bit integers are products of two thirty-two-bit integers. Fun CS trivia from Daniel Lemire. The Pirate Bay turns twenty years post-raid and is somehow still running. And someone made their phone intentionally slow as a digital wellness experiment.

25
00:02:36.907 --> 00:02:42.097
<v Sam>Also, Microsoft's nineteen ninety-four internship interview had just four programming questions. Compare that to today's six-round gauntlets. We've come a long way — and not necessarily in the right direction.

26
00:02:42.097 --> 00:02:48.703
<v Alex>So here's the takeaway for today. The pattern is clear: your supply chain is your attack surface. Red Hat's compromised packages, ChatGPT add-ons exfiltrating data, SSD-based fingerprinting — the threat vectors are getting more creative and more upstream every week.

27
00:02:48.703 --> 00:02:54.564
<v Sam>If you're building anything touching production, this is the week to add dependency scanning to CI, audit your third-party integration permissions, and seriously ask whether that AI-powered spreadsheet plugin is worth the data exposure.

28
00:02:54.564 --> 00:03:00.326
<v Alex>And with Anthropic's S-1 signaling the end of subsidized AI pricing, start thinking about your model provider diversification strategy. Local inference is getting surprisingly accessible — maybe it's time to shop for that used Xeon.

29
00:03:00.326 --> 00:03:01.841
<v Sam>The twenty-sixteen Xeon — official mascot of today's episode.

30
00:03:01.841 --> 00:03:06.858
<v Alex>Ha! That's our show. Thanks for listening to Builder's Briefing. Links to everything we talked about are in the briefing notes. Stay safe out there, audit your dependencies, and we'll see you next time.

31
00:03:06.858 --> 00:03:08.000
<v Sam>Go run npm audit. Seriously. See you tomorrow!
