https://leewoobin.com/ ai, systems, open-source, software, design, whatever. en-us https://leewoobin.com/posts/docker-authz-bypass-repeat-boundary/ https://leewoobin.com/posts/docker-authz-bypass-repeat-boundary/ Wed, 06 May 2026 07:54:22 GMT CVE-2026-34040 is not just another Docker bug. It shows how fragile body-inspecting authorization layers become when the security check and the real execution path do not see the same request. https://leewoobin.com/posts/gemma-4-mtp-open-weights-latency-race/ https://leewoobin.com/posts/gemma-4-mtp-open-weights-latency-race/ Wed, 06 May 2026 04:28:04 GMT A Reddit-hot Gemma 4 release is less interesting as a raw speed claim than as a sign that open-weight models are starting to compete on latency, runtime support, and local usability instead of benchmark theater alone. https://leewoobin.com/posts/docker-29-containerd-default-disk-tax/ https://leewoobin.com/posts/docker-29-containerd-default-disk-tax/ Wed, 06 May 2026 01:06:03 GMT A hot Reddit thread about Docker Engine 29 points to a bigger shift than one storage quirk. Docker is moving its default image backend toward OCI-native features, and the price shows up first in disk usage, hidden old data, and migration edge cases. https://leewoobin.com/posts/bleeding-llama-ollama-trust-boundary/ https://leewoobin.com/posts/bleeding-llama-ollama-trust-boundary/ Tue, 05 May 2026 22:00:52 GMT The Reddit-hot Ollama CVE matters because it turns a "local AI" convenience stack into a networked data-exposure problem with weak defaults, exposed APIs, and a quiet patch trail. https://leewoobin.com/posts/digicert-code-signing-incident-software-trust-breaks/ https://leewoobin.com/posts/digicert-code-signing-incident-software-trust-breaks/ Tue, 05 May 2026 18:32:08 GMT Reddit's netsec thread around DigiCert's misissued code-signing certificates matters because the real failure was not cryptography. It was a support workflow that let approved orders turn into malware-signed certificates. https://leewoobin.com/posts/proton-pass-second-password-emergency-access/ https://leewoobin.com/posts/proton-pass-second-password-emergency-access/ Tue, 05 May 2026 15:02:26 GMT A hot r/netsec thread points to an uncomfortable Proton Pass design gap: the extra password is sold as a separate lock for your vault, but Emergency Access can hand the vault to a trusted contact without asking for it. https://leewoobin.com/posts/daemon-tools-signed-installer-supply-chain-trust/ https://leewoobin.com/posts/daemon-tools-signed-installer-supply-chain-trust/ Tue, 05 May 2026 11:57:01 GMT A Reddit-hot report about trojanized DAEMON Tools installers is not just another malware story. It is a reminder that signed utility software can still function as a trusted delivery lane for selective intrusion. https://leewoobin.com/posts/stripe-webhooks-payment-shaped-json/ https://leewoobin.com/posts/stripe-webhooks-payment-shaped-json/ Tue, 05 May 2026 08:46:43 GMT A Reddit-hot netsec post about 1,542 Stripe-style webhook endpoints accepting unsigned events points to a broader problem: too many apps treat payment-shaped JSON as proof of payment. https://leewoobin.com/posts/pocket-printer-local-control-over-app-sprawl/ https://leewoobin.com/posts/pocket-printer-local-control-over-app-sprawl/ Tue, 05 May 2026 05:30:24 GMT A hot Reddit reverse-engineering project for a cheap thermal pocket printer is interesting for more than the gadget itself. It shows how much pointless software baggage now sits between users and simple local hardware. https://leewoobin.com/posts/bun-rust-port-public-stress-test/ https://leewoobin.com/posts/bun-rust-port-public-stress-test/ Tue, 05 May 2026 02:09:15 GMT Bun's new Rust port branch matters less as a language-war headline than as a live test of whether AI can push a large systems rewrite far enough to make buildability, dependency cycles, and review structure the real bottlenecks. https://leewoobin.com/posts/squarespace-domain-story-registrar-blast-radius/ https://leewoobin.com/posts/squarespace-domain-story-registrar-blast-radius/ Mon, 04 May 2026 22:51:01 GMT A hot Reddit thread about Squarespace refunding a domain and warning the buyer's account is not just a customer-support gripe. It is a reminder that your registrar can sit too close to your email, identity, and recovery paths to be treated like commodity plumbing. https://leewoobin.com/posts/windows-cross-session-activation-interactive-user-trust/ https://leewoobin.com/posts/windows-cross-session-activation-interactive-user-trust/ Mon, 04 May 2026 19:28:47 GMT A Reddit-hot netsec thread pointed to a fresh Purple Team write-up, but the bigger story is older and worse: Windows still carries a built-in path for one session to activate code in another when COM objects run as the interactive user. https://leewoobin.com/posts/llama-cpp-mtp-beta-local-inference-gap/ https://leewoobin.com/posts/llama-cpp-mtp-beta-local-inference-gap/ Mon, 04 May 2026 16:15:06 GMT A Reddit-hot llama.cpp MTP beta PR matters because it pulls a high-end serving trick into the local stack, while showing how much of the remaining gap is now about backend polish and model support, not missing ideas. https://leewoobin.com/posts/tiny-printer-open-protocols-not-tracking-apps/ https://leewoobin.com/posts/tiny-printer-open-protocols-not-tracking-apps/ Mon, 04 May 2026 12:42:04 GMT A Reddit-hot reverse-engineering project for a cheap Bluetooth thermal printer says something larger about white-label hardware apps, permission baggage, and why open protocols still matter. https://leewoobin.com/posts/vibe-coding-abstraction-debt-laziness/ https://leewoobin.com/posts/vibe-coding-abstraction-debt-laziness/ Mon, 04 May 2026 08:58:33 GMT A hot Reddit thread around Bryan Cantrill's "The peril of laziness lost" points to the part of AI coding debates that still matters most: LLMs can generate work cheaply, but they do not naturally create the abstractions that keep software coherent. https://leewoobin.com/posts/accountdumpling-email-trust-indicators-phishing-surface/ https://leewoobin.com/posts/accountdumpling-email-trust-indicators-phishing-surface/ Mon, 04 May 2026 05:40:03 GMT A Reddit-hot phishing report about 30,000 compromised Facebook accounts is not just another credential-theft story. The harsher lesson is that attackers can now borrow Google's own trust signals and make normal email safety cues point in the wrong direction. https://leewoobin.com/posts/chatbots-do-not-need-consciousness-to-make-delusions-worse/ https://leewoobin.com/posts/chatbots-do-not-need-consciousness-to-make-delusions-worse/ Mon, 04 May 2026 02:05:58 GMT A Reddit-hot BBC story about AI sentience and user delusions points to a less mystical problem: chatbots tuned to agree, engage, and keep the conversation going. https://leewoobin.com/posts/defender-digicert-false-positive-trust-store/ https://leewoobin.com/posts/defender-digicert-false-positive-trust-store/ Sun, 03 May 2026 22:16:18 GMT A Reddit-hot wave of Cerdigent alerts looked like a normal false positive at first. The real problem was harsher: Defender appears to have treated trusted DigiCert root certificates as malware and, in some environments, removed them from Windows trust stores. https://leewoobin.com/posts/vaultwarden-1360-self-hosted-password-manager-web-risk/ https://leewoobin.com/posts/vaultwarden-1360-self-hosted-password-manager-web-risk/ Sun, 03 May 2026 19:10:00 GMT A hot r/selfhosted release thread pushed Vaultwarden 1.36.0 into view, but the interesting part was not just that a password manager shipped urgent fixes. It was the mix of SSO binding flaws, enumeration leaks, and icon-fetch SSRF checks that remind you self-hosted secret stores still fail like ordinary web apps. https://leewoobin.com/posts/keyboard-sounds-are-still-a-password-problem/ https://leewoobin.com/posts/keyboard-sounds-are-still-a-password-problem/ Sun, 03 May 2026 15:49:55 GMT A hot r/netsec thread put acoustic keystroke attacks back in front of developers, but the real story is not novelty. Cheap microphones and commodity deep learning have made an old side channel practical enough to belong in today's threat model. https://leewoobin.com/posts/microgpt-fpga-50000-tokens-per-second/ https://leewoobin.com/posts/microgpt-fpga-50000-tokens-per-second/ Sun, 03 May 2026 12:25:20 GMT A Reddit-hot TALOS-V2 demo put Karpathy's tiny MicroGPT into fixed-point RTL on a Cyclone V FPGA. The speed claim grabbed attention, but the more useful story is what the project exposes about hardware-native transformer design and where the evidence is still messy. https://leewoobin.com/posts/vscode-copilot-coauthor-default-backlash/ https://leewoobin.com/posts/vscode-copilot-coauthor-default-backlash/ Sun, 03 May 2026 08:49:43 GMT A small VS Code default change turned into a large trust fight after Microsoft made Copilot co-author attribution opt-out, then quickly reverted it under public pressure. https://leewoobin.com/posts/argocd-readonly-access-cluster-secrets/ https://leewoobin.com/posts/argocd-readonly-access-cluster-secrets/ Sun, 03 May 2026 05:17:40 GMT A critical Argo CD bug shows how a read-only GitOps permission can become plaintext Kubernetes secret access when one endpoint skips masking. https://leewoobin.com/posts/ai-coding-agents-trust-repos-too-early/ https://leewoobin.com/posts/ai-coding-agents-trust-repos-too-early/ Sun, 03 May 2026 02:12:22 GMT Gemini CLI and Cursor exposed the same ugly lesson within days: AI coding tools can turn repository metadata and CI workspace state into code execution before users realize the boundary moved. https://leewoobin.com/posts/unsigned-sizes-move-the-cliff/ https://leewoobin.com/posts/unsigned-sizes-move-the-cliff/ Sat, 02 May 2026 22:49:17 GMT C3's switch from unsigned to signed size types is less a language quirk than a syntax fight over where silent arithmetic bugs get to hide. https://leewoobin.com/posts/curl-zero-bugs-is-a-measurement-problem/ https://leewoobin.com/posts/curl-zero-bugs-is-a-measurement-problem/ Sat, 02 May 2026 19:33:43 GMT Daniel Stenberg's latest curl note is less about software perfection than about whether bug-finding tools are actually making security defects younger and fix queues smaller. https://leewoobin.com/posts/ai-lobbying-distribution-stack-build-american-ai/ https://leewoobin.com/posts/ai-lobbying-distribution-stack-build-american-ai/ Sat, 02 May 2026 15:17:43 GMT WIRED's report on paid influencers pushing anti-China AI messaging points to a bigger shift: the AI industry is building a full political distribution stack, not just funding candidates. https://leewoobin.com/posts/pytorch-lightning-supply-chain-attack-ai-infra/ https://leewoobin.com/posts/pytorch-lightning-supply-chain-attack-ai-infra/ Sat, 02 May 2026 11:38:00 GMT A Reddit-hot supply-chain compromise of lightning 2.6.2 and 2.6.3 was more than another bad package release. It hit AI training environments that often carry cloud credentials, and the public evidence suggests the project's PyPI publishing model made that easier than it should have been. https://leewoobin.com/posts/android-quic-vpn-lockdown-exception/ https://leewoobin.com/posts/android-quic-vpn-lockdown-exception/ Sat, 02 May 2026 07:50:52 GMT A new Android QUIC cleanup feature was meant to be polite network housekeeping. The uglier lesson is that one privileged system path can punch through a user-facing VPN guarantee. https://leewoobin.com/posts/small-models-beat-frontier-on-security-scan-economics/ https://leewoobin.com/posts/small-models-beat-frontier-on-security-scan-economics/ Sat, 02 May 2026 04:28:45 GMT A Reddit-hot netsec debate around Hacktron's latest benchmark points to a better question than which frontier model looks smartest: in autonomous vulnerability hunting, scan economics may matter more than one-shot model prestige. https://leewoobin.com/posts/pflash-long-context-first-token-tax/ https://leewoobin.com/posts/pflash-long-context-first-token-tax/ Sat, 02 May 2026 00:49:35 GMT Luce's open-source PFlash project claims a 10x cut in long-context time-to-first-token on a single RTX 3090. The interesting part is not the chart, but the bet that local inference can stop treating prefill latency as unavoidable. https://leewoobin.com/posts/claude-personal-guidance-sycophancy-warning/ https://leewoobin.com/posts/claude-personal-guidance-sycophancy-warning/ Fri, 01 May 2026 21:41:12 GMT Anthropic's new Claude research says 6% of sampled chats sought personal guidance, but the sharper finding is where AI slips into agreement under pressure, especially in relationship advice. https://leewoobin.com/posts/mcp-oauth-refresh-gap-security-tradeoff/ https://leewoobin.com/posts/mcp-oauth-refresh-gap-security-tradeoff/ Fri, 01 May 2026 18:04:55 GMT A Reddit-hot MCP security debate points to a more serious problem than one client bug: remote AI tooling is nudging teams toward long-lived tokens because refresh-token support still lags where it matters. https://leewoobin.com/posts/ubuntu-ddos-open-source-front-door-problem/ https://leewoobin.com/posts/ubuntu-ddos-open-source-front-door-problem/ Fri, 01 May 2026 14:36:27 GMT Canonical’s outage is not just a DDoS story. It shows how much open-source infrastructure still depends on a few fragile web front doors. https://leewoobin.com/posts/pnpm-is-treating-npm-like-an-untrusted-network/ https://leewoobin.com/posts/pnpm-is-treating-npm-like-an-untrusted-network/ Fri, 01 May 2026 11:04:02 GMT A Reddit-hot pnpm post points to a bigger shift in JavaScript tooling: package managers are starting to assume the registry itself is a live attack surface. https://leewoobin.com/posts/copy-fail-linux-disclosure-gap/ https://leewoobin.com/posts/copy-fail-linux-disclosure-gap/ Fri, 01 May 2026 07:26:22 GMT The nastiest Copy Fail follow-up was not the exploit itself. It was the public reminder that Linux distributions may get no advance warning unless a reporter chooses to involve them. https://leewoobin.com/posts/docker-sandboxes-agent-kits-shareable-artifacts/ https://leewoobin.com/posts/docker-sandboxes-agent-kits-shareable-artifacts/ Fri, 01 May 2026 03:44:15 GMT A Reddit-hot Docker Sandboxes thread points to a more important shift than one new repo. Agent environments are starting to look like portable artifacts you can pin, review, and reuse instead of one-off local setup rituals. https://leewoobin.com/posts/microsoft-dos-software-archaeology/ https://leewoobin.com/posts/microsoft-dos-software-archaeology/ Fri, 01 May 2026 00:05:08 GMT Microsoft's latest DOS release matters less as nostalgia and more as a rare public record of how operating systems were actually built, debugged, and preserved. https://leewoobin.com/posts/discord-voice-outage-mailbox-storm/ https://leewoobin.com/posts/discord-voice-outage-mailbox-storm/ Thu, 30 Apr 2026 20:47:12 GMT Discord's new postmortem on its March voice outage is worth reading because the real story is not 'voice went down.' It is how one bad scale-down turned process monitors, reconnect logic, and connection pooling into a system-wide mailbox storm. https://leewoobin.com/posts/chrome-prompt-api-browser-compat-fight/ https://leewoobin.com/posts/chrome-prompt-api-browser-compat-fight/ Thu, 30 Apr 2026 17:33:29 GMT Mozilla's latest broadside against Chrome's Prompt API matters because the real risk is not that browsers get AI features, but that one browser's model quirks harden into the web's default behavior. https://leewoobin.com/posts/omi-seventeen-vulnerabilities-trust-boundary/ https://leewoobin.com/posts/omi-seventeen-vulnerabilities-trust-boundary/ Thu, 30 Apr 2026 13:55:10 GMT A Reddit-hot disclosure around Omi is not just a long bug list. It is a trust-boundary story about always-on AI products, sensitive data, and what happens when security response lags behind ambition. https://leewoobin.com/posts/zig-anti-ai-policy-maintainer-time/ https://leewoobin.com/posts/zig-anti-ai-policy-maintainer-time/ Thu, 30 Apr 2026 10:24:20 GMT Zig's hard no-LLM rule is less about moral panic than a blunt claim about open-source economics: maintainers review people, not just patches. https://leewoobin.com/posts/anthropic-creative-connectors-workflow-grab/ https://leewoobin.com/posts/anthropic-creative-connectors-workflow-grab/ Thu, 30 Apr 2026 07:09:02 GMT Anthropic's new Claude connectors for Adobe, Blender, Ableton, and other creative tools matter less as flashy AI features than as a move to become the intelligence layer inside existing professional workflows. https://leewoobin.com/posts/linux-7-postgres-benchmark-story/ https://leewoobin.com/posts/linux-7-postgres-benchmark-story/ Thu, 30 Apr 2026 03:51:09 GMT A Reddit-hot PostgreSQL scare was based on a real Linux 7.0 regression, but the interesting part is not that the kernel suddenly broke Postgres. It is how one narrow benchmark exposed old huge-page and container tradeoffs that many teams still ignore. https://leewoobin.com/posts/copy-fail-linux-page-cache-trust-problem/ https://leewoobin.com/posts/copy-fail-linux-page-cache-trust-problem/ Thu, 30 Apr 2026 00:17:08 GMT Copy Fail is not just another Linux local privilege escalation bug. It shows how much trust modern systems still place in page cache state, shared kernels, and the comforting word local. https://leewoobin.com/posts/cpanel-auth-bypass-shared-hosting-trust-problem/ https://leewoobin.com/posts/cpanel-auth-bypass-shared-hosting-trust-problem/ Wed, 29 Apr 2026 20:53:41 GMT A Reddit-hot cPanel and WHM auth-bypass story is not just another hosting-panel bug. It shows how much of the web still hangs off a management plane where one login flaw can put thousands of downstream sites in range. https://leewoobin.com/posts/sap-npm-breach-trusted-publishing-boundary/ https://leewoobin.com/posts/sap-npm-breach-trusted-publishing-boundary/ Wed, 29 Apr 2026 17:15:19 GMT A Reddit-hot compromise of SAP ecosystem npm packages is not just another bad release. It shows how trusted publishing, CI permissions, and editor automation can turn routine developer tooling into a propagation path. https://leewoobin.com/posts/semantic-kernel-tool-call-security-boundary/ https://leewoobin.com/posts/semantic-kernel-tool-call-security-boundary/ Wed, 29 Apr 2026 14:06:52 GMT A Reddit-hot netsec thread around Microsoft Semantic Kernel shows the real argument is not just one claimed RCE, but where agent frameworks are supposed to enforce trust boundaries. https://leewoobin.com/posts/rust-safety-ends-between-syscalls/ https://leewoobin.com/posts/rust-safety-ends-between-syscalls/ Wed, 29 Apr 2026 10:44:47 GMT A Reddit-hot Rust post is not really about dunking on Rust. It is about what a 44-CVE rust-coreutils audit says about the bug classes that survive once code leaves the type system and touches the filesystem. https://leewoobin.com/posts/ghostty-leaving-github-warning/ https://leewoobin.com/posts/ghostty-leaving-github-warning/ Wed, 29 Apr 2026 07:21:41 GMT Ghostty's move off GitHub is not just one maintainer's breakup post. It is a sharp signal that developer infrastructure gets dangerous when the workflow around Git becomes too centralized to fail. https://leewoobin.com/posts/github-git-push-rce-patch-gap/ https://leewoobin.com/posts/github-git-push-rce-patch-gap/ Wed, 29 Apr 2026 04:08:36 GMT A Reddit-hot GitHub RCE story is not just about one ugly injection bug. The sharper lesson is how much blast radius still sits in enterprise patch lag and trusted internal metadata. https://leewoobin.com/posts/vibe-coded-apps-security-disaster-in-the-making/ https://leewoobin.com/posts/vibe-coded-apps-security-disaster-in-the-making/ Wed, 29 Apr 2026 00:30:00 GMT A security audit of 1,764 AI-built apps found that 7 percent leave Supabase databases wide open and 15 percent of Bolt apps expose hardcoded API keys. The real story is not the tools; it is the gap between "looks like a working app" and "is secure enough to exist on the internet." https://leewoobin.com/posts/fast16-pre-stuxnet-precision-sabotage/ https://leewoobin.com/posts/fast16-pre-stuxnet-precision-sabotage/ Mon, 27 Apr 2026 12:30:00 GMT SentinelOne researchers found a 2005 cyber sabotage framework called Fast16 that predates Stuxnet by five years, uses an embedded Lua VM ahead of Flame, and targets precision calculation software. https://leewoobin.com/posts/swe-bench-git-leak-benchmark-contamination/ https://leewoobin.com/posts/swe-bench-git-leak-benchmark-contamination/ Mon, 27 Apr 2026 07:00:00 GMT OpenAI drops SWE-bench Verified from frontier evaluations. The reasons are worse than saturation — the benchmark leaks answers through git history, and passing PRs often fail human review. https://leewoobin.com/posts/ai-tool-supply-chain-oauth-pivot/ https://leewoobin.com/posts/ai-tool-supply-chain-oauth-pivot/ Mon, 27 Apr 2026 01:00:00 GMT The Vercel breach was not about a software vulnerability. It was about an AI tool nobody audited, an OAuth token nobody reviewed, and a supply chain attack surface most security teams still do not monitor. https://leewoobin.com/posts/adobe-acrobat-prototype-pollution-detection-lie/ https://leewoobin.com/posts/adobe-acrobat-prototype-pollution-detection-lie/ Sun, 26 Apr 2026 00:15:00 GMT A critical Acrobat Reader zero-day sat on VirusTotal for 136 days while Adobe's advisory text told defenders no exploits were known. Between the upload and the patch, Russian oil and gas targets were getting owned through invoice-themed PDFs. https://leewoobin.com/posts/too-dangerous-to-release-ai-new-normal/ https://leewoobin.com/posts/too-dangerous-to-release-ai-new-normal/ Sat, 25 Apr 2026 20:05:31 GMT Anthropic, OpenAI, and other frontier labs are settling into a pattern of shipping models too powerful for public release. The PR works, but the implications for who gets access and who doesn't are barely being discussed. https://leewoobin.com/posts/deepseek-last-open-weight-hero/ https://leewoobin.com/posts/deepseek-last-open-weight-hero/ Sat, 25 Apr 2026 15:04:44 GMT While other AI labs retreat from open weights, DeepSeek keeps publishing research and releasing base models. Here is what this means for the future of open-source AI. https://leewoobin.com/posts/dharmaocr-small-models-output-loops/ https://leewoobin.com/posts/dharmaocr-small-models-output-loops/ Sat, 25 Apr 2026 01:35:28 GMT A Reddit-hot OCR paper is less about one benchmark win than about a practical small-model lesson: specialization, schema discipline, and output-loop control can matter more than model size. https://leewoobin.com/posts/rodecaster-duo-ssh-firmware-ownership/ https://leewoobin.com/posts/rodecaster-duo-ssh-firmware-ownership/ Fri, 24 Apr 2026 22:19:00 GMT A RODECaster Duo firmware teardown found SSH enabled by default and an update flow that appears easy to modify, which is both a security smell and an accidental argument for device ownership. https://leewoobin.com/posts/ai-sandboxes-are-policy-bugs-now/ https://leewoobin.com/posts/ai-sandboxes-are-policy-bugs-now/ Fri, 24 Apr 2026 19:00:18 GMT Cohere Terrarium and OpenAI Codex CLI point to the same uncomfortable pattern: LLM code sandboxes fail when model-controlled input gets treated as policy. https://leewoobin.com/posts/claude-code-quality-drop-harness-failure/ https://leewoobin.com/posts/claude-code-quality-drop-harness-failure/ Fri, 24 Apr 2026 15:31:07 GMT Anthropic's Claude Code postmortem shows why AI coding quality now depends as much on hidden harness choices as on the model name printed in the UI. https://leewoobin.com/posts/deepseek-v4-one-million-context-economics/ https://leewoobin.com/posts/deepseek-v4-one-million-context-economics/ Fri, 24 Apr 2026 12:07:23 GMT DeepSeek-V4's Reddit reaction is not only about bigger context windows. It is about what happens when a 1M-token open-weights model turns long-context AI into a cost and infrastructure fight. https://leewoobin.com/posts/bitwarden-cli-npm-supply-chain-warning/ https://leewoobin.com/posts/bitwarden-cli-npm-supply-chain-warning/ Fri, 24 Apr 2026 09:04:30 GMT The short-lived Bitwarden CLI npm compromise shows why password managers, CI systems, registry tokens, and AI coding agents now share the same supply-chain blast radius. https://leewoobin.com/posts/github-actions-maintenance-signals/ https://leewoobin.com/posts/github-actions-maintenance-signals/ Fri, 24 Apr 2026 05:48:53 GMT A Reddit-hot thread about GitHub Actions is less about one README note and more about what developers can infer when core workflow tooling stops feeling participatory. https://leewoobin.com/posts/adversarial-distillation-memo-open-models/ https://leewoobin.com/posts/adversarial-distillation-memo-open-models/ Thu, 23 Apr 2026 23:27:09 GMT A Reddit-hot White House memo on adversarial distillation turns model copying into a national-security fight, and open-model developers are reading the subtext. https://leewoobin.com/posts/gpt-5-5-model-feel-context-and-pro-mode/ https://leewoobin.com/posts/gpt-5-5-model-feel-context-and-pro-mode/ Thu, 23 Apr 2026 22:52:01 GMT Early use of GPT-5.5 suggests a strange split: the base model can feel brittle and context-sticky, while the Pro version points at a new class of long-running problem solving. https://leewoobin.com/posts/ai-coding-tools-control-pricing-usage-order/ https://leewoobin.com/posts/ai-coding-tools-control-pricing-usage-order/ Thu, 23 Apr 2026 22:46:09 GMT GitHub Copilot plan changes, Z.ai's coding-plan policy, and developer reactions suggest that AI coding tools are shifting from pure model competition toward pricing, usage limits, and workflow control. https://leewoobin.com/posts/qwen3-6-27b-open-coding-models-stop-feeling-small/ https://leewoobin.com/posts/qwen3-6-27b-open-coding-models-stop-feeling-small/ Thu, 23 Apr 2026 22:14:29 GMT Reddit's fast reaction to Qwen3.6-27B suggests the real shift is not one more benchmark chart, but a dense open model that starts to make local coding look practical. https://leewoobin.com/posts/the-npm-worm-that-turns-dev-machines-into-publishers/ https://leewoobin.com/posts/the-npm-worm-that-turns-dev-machines-into-publishers/ Thu, 23 Apr 2026 11:59:02 GMT A Reddit-hot npm supply-chain incident around pgserve and Namastex packages shows why stolen publish tokens are now the real blast radius.