Supply Chain Attacks, Next.js DoS, React Native 0.85, and AI Git Tooling
Published on 10.04.2026
N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust
TLDR: The Contagious Interview campaign, linked to North Korea, has published over 1,700 malicious packages across five ecosystems since January 2025. These packages impersonate legitimate developer tooling and quietly deliver second-stage malware payloads.
CVE-2026-23869: Next.js RSC Deserialization DoS
TLDR: A high-severity vulnerability in Next.js 13.x through 16.x lets attackers craft HTTP requests that trigger excessive CPU usage via RSC deserialization, causing denial of service. Vercel has deployed WAF mitigations, but you should patch.
React Native 0.85: Shared Animation Backend and Flexbox with Native Driver
TLDR: React Native 0.85 introduces a Shared Animation Backend co-built with Software Mansion that unifies Animated and Reanimated, and finally allows animating Flexbox layout props via the native driver. TextInput also now surfaces selection data in onChange events.
New Animation Backend, TextInput Selection Data, New Jest Preset Package — React Native
gitpack: AI-Powered Git Packaging From the Terminal
TLDR: gitpack is an open-source CLI that extends AI assistance beyond commit message generation to the full Git workflow: it groups related changes into logical commits, flags risky areas, drafts PR summaries, and tracks review progress.
Handling Unreasonable AI Productivity Expectations
TLDR: A CTO consultant breaks down why comparing established engineering teams to small greenfield startups on AI productivity metrics is fundamentally flawed, and offers three frameworks for managing those conversations with leadership.