GitHub

amid-a-flurry-of-hype,-microsoft-reorganizes-entire-dev-team-around-ai

Amid a flurry of hype, Microsoft reorganizes entire dev team around AI

agentic AI, AI, copilot, deep learning, GitHub, llm, machine learning, microsoft, Satya Nadella, software development, Tech, visual studio / /

Microsoft CEO Satya Nadella has announced a dramatic restructuring of the company’s engineering organization, which is pivoting the company’s focus to developing the tools that will underpin agentic AI.

Dubbed “CoreAI – Platform and Tools,” the new division rolls the existing AI platform team and the previous developer division (responsible for everything from .NET to Visual Studio) along with some other teams into one big group.

As for what this group will be doing specifically, it’s basically everything that’s mission-critical to Microsoft in 2025, as Nadella tells it:

This new division will bring together Dev Div, AI Platform, and some key teams from the Office of the CTO (AI Supercomputer, AI Agentic Runtimes, and Engineering Thrive), with the mission to build the end-to-end Copilot & AI stack for both our first-party and third-party customers to build and run AI apps and agents. This group will also build out GitHub Copilot, thus having a tight feedback loop between the leading AI-first product and the AI platform to motivate the stack and its roadmap.

To accomplish all that, “Jay Parikh will lead this group as EVP.” Parikh was hired by Microsoft in October; he previously worked as the VP and global head of engineering at Meta.

The fact that the blog post doesn’t say anything about .NET or Visual Studio, instead emphasizing GitHub Copilot and anything and everything related to agentic AI, says a lot about how Nadella sees Microsoft’s future priorities.

So-called AI agents are applications that are given specified boundaries (action spaces) and a large memory capacity to independently do subsets of the kinds of work that human office workers do today. Some company leaders and AI commentators believe these agents will outright replace jobs, while others are more conservative, suggesting they’ll simply be powerful tools to streamline the jobs people already have.

Amid a flurry of hype, Microsoft reorganizes entire dev team around AI Read More »

yearlong-supply-chain-attack-targeting-security-pros-steals-390k-credentials

Yearlong supply-chain attack targeting security pros steals 390K credentials

Biz & IT, credential theft, cryptomining, GitHub, npm, Security, supply chain attacks / /

Screenshot showing a graph tracking mining activity. Credit: Checkmarx

But wait, there’s more

On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. These packages help malicious and benevolent security personnel better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.

A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.

A phishing email used in the campaign. Credit: Datadog

The email, directed to people who develop or research software for high-performance computing, encouraged them to install a CPU microcode update available that would significantly improve performance. Datadog later determined that the emails had been sent from October 5 through October 21.

Additional vectors discovered by Datadog. Credit: Datadog

Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.

“This increases their look of legitimacy and the likelihood that someone will run them,” Datadog said.

The attackers’ use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.

Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target. And if the objective was targeting researchers—as other recently discovered campaigns have done—it’s unclear why MUT-1244 would also employ cryptocurrency mining, an activity that’s often easy to detect.

Reports from both Checkmarx and Datadog include indicators people can use to check if they’ve been targeted.

Yearlong supply-chain attack targeting security pros steals 390K credentials Read More »

github-copilot-moves-beyond-openai-models-to-support-claude-3.5,-gemini

GitHub Copilot moves beyond OpenAI models to support Claude 3.5, Gemini

AI, Anthropic, Claude 3.5 Sonnet, coding, developer, Gemini 1.5 Pro, GitHub, GitHub Copilot, Google, GPT o1-mini, GPT o1-preview, GPT-4o, microsoft, openai, Programming, Tech, VS Code / /

The large language model-based coding assistant GitHub Copilot will switch from using exclusively OpenAI’s GPT models to a multi-model approach over the coming weeks, GitHub CEO Thomas Dohmke announced in a post on GitHub’s blog.

First, Anthropic’s Claude 3.5 Sonnet will roll out to Copilot Chat’s web and VS Code interfaces over the next few weeks. Google’s Gemini 1.5 Pro will come a bit later.

Additionally, GitHub will soon add support for a wider range of OpenAI models, including GPT o1-preview and o1-mini, which are intended to be stronger at advanced reasoning than GPT-4, which Copilot has used until now. Developers will be able to switch between the models (even mid-conversation) to tailor the model to fit their needs—and organizations will be able to choose which models will be usable by team members.

The new approach makes sense for users, as certain models are better at certain languages or types of tasks.

“There is no one model to rule every scenario,” wrote Dohmke. “It is clear the next phase of AI code generation will not only be defined by multi-model functionality, but by multi-model choice.”

It starts with the web-based and VS Code Copilot Chat interfaces, but it won’t stop there. “From Copilot Workspace to multi-file editing to code review, security autofix, and the CLI, we will bring multi-model choice across many of GitHub Copilot’s surface areas and functions soon,” Dohmke wrote.

There are a handful of additional changes coming to GitHub Copilot, too, including extensions, the ability to manipulate multiple files at once from a chat with VS Code, and a preview of Xcode support.

GitHub Spark promises natural language app development

In addition to the Copilot changes, GitHub announced Spark, a natural language tool for developing apps. Non-coders will be able to use a series of natural language prompts to create simple apps, while coders will be able to tweak more precisely as they go. In either use case, you’ll be able to take a conversational approach, requesting changes and iterating as you go, and comparing different iterations.

GitHub Copilot moves beyond OpenAI models to support Claude 3.5, Gemini Read More »

winamp-really-whips-open-source-coders-into-frenzy-with-its-source-release

Winamp really whips open source coders into frenzy with its source release

git, GitHub, GPL, GPL infringement, llama group, shoutcast, source code, Tech, winamp / /

As people in the many, many busy GitHub issue threads are suggesting, coding has come a long way since the heyday of the Windows-98-era Winamp player, and Winamp seems to have rushed its code onto a platform it does not really understand.

Winamp flourished around the same time as illegal MP3 networks such as Napster, Limewire, and Kazaa, providing a more capable means of organizing and playing deeply compressed music with incorrect metadata. After a web shutdown in 2013 that seemed inevitable in hindsight, Winamp’s assets were purchased by a company named Radionomy in 2014, and a new version was due out in 2019, one that aimed to combine local music libraries with web streaming of podcasts and radio.

Winamp did get that big update in 2022, though the app was “still in many ways an ancient app,” Ars’ Andrew Cunningham wrote then. There was support for music NFTs added at the end of 2022.

In its press release for the code availability, the Brussels-based Llama Group SA, with roughly 100 employees, says that “Tens of millions of users still use Winamp for Windows every month.” It plans to release “two major official versions per year with new features,” as well as offering Winamp for Creators, intended for artists or labels to manage their music, licensing, distribution, and monetization on various platforms.

Winamp really whips open source coders into frenzy with its source release Read More »

behold,-diablo-is-fully-playable-in-your-browser

Behold, Diablo is fully playable in your browser

Blizzard, Diablo, gaming, GitHub / /

Stay a while and compile —

It controls and looks great, though the game was outshined by its sequels.

A browser window shows an old PC game

Enlarge / Diablo running in Firefox on macOS.

Samuel Axon

You can now play the original Diablo (and its expansion, Hellfire) in virtually any web browser on any computer with generally excellent performance and operating-as-expected controls. It’s all thanks to an open source project published on GitHub called Diabloweb that’s now being circulated by game developers on X.

In the README file in the project’s GitHub repository, the project’s developer (d07RiV) notes that it is based on DevilutionX, another open source project that did a lot of legwork to make Diablo run well on modern operating systems.

“I’ve modified the code to remove all dependencies and exposed the minimal required interface with JS, allowing the game to be compiled into WebAssembly,” writes d07RiV. “Event handling (especially in the menus) had to be modified significantly to fit the JS model.”

It’s pretty easy to set up; you just visit the website, upload a file, and get going.

You have to upload a file because the project doesn’t include the Diablo game files—you’ll have to provide those in the form of the DIABDAT.MPQ file in the Diablo install directory.

There are three above-board ways to source this MPQ file. First, you can, of course, own a physical copy of the original game. Alternatively, you can purchase the game on GOG and install it, then pull the file from the installation directory.

There’s also a shareware release of Diablo, and you can pull the SPAWN.MPQ file from that, and it works just fine. That’s not the full game, though, so that’s more for if you just want to try it.

  • This is the Diabloweb site, which offers brief instructions and prompts on how to get started.

    Samuel Axon

  • I downloaded the Diablo installer from GOG and ran it in a Windows VM on my Mac…

  • Here’s the file we’re looking for.

  • It was just a click on the website to upload that file and behold, Diablo in a browser.

    Samuel Axon

I played the game for about half an hour using the MPQ from the GOG version without any issues on Firefox on a Mac. (There’s no Mac version of the GOG installer, though, so I had to run the installer in a virtual Windows machine to get at the file.) The game is obviously primitive compared to more recent entries in the series (or even Diablo II), but it is an addictive blast to play regardless.

Behold, Diablo is fully playable in your browser Read More »

how-i-upgraded-my-water-heater-and-discovered-how-bad-smart-home-security-can-be

How I upgraded my water heater and discovered how bad smart home security can be

esp32, Features, GitHub, home assistant, home automation, iot, journalism, rinnai, Smart Home, tankless water heater, Tech, Zigbee / /
The bottom half of a tankless water heater, with lots of pipes connected, in a tight space

Enlarge / This is essentially the kind of water heater the author has hooked up, minus the Wi-Fi module that led him down a rabbit hole. Also, not 140-degrees F—yikes.

Getty Images

The hot water took too long to come out of the tap. That is what I was trying to solve. I did not intend to discover that, for a while there, water heaters like mine may have been open to anybody. That, with some API tinkering and an email address, a bad actor could possibly set its temperature or make it run constantly. That’s just how it happened.

Let’s take a step back. My wife and I moved into a new home last year. It had a Rinnai tankless water heater tucked into a utility closet in the garage. The builder and home inspector didn’t say much about it, just to run a yearly cleaning cycle on it.

Because it doesn’t keep a big tank of water heated and ready to be delivered to any house tap, tankless water heaters save energy—up to 34 percent, according to the Department of Energy. But they’re also, by default, slower. Opening a tap triggers the exchanger, heats up the water (with natural gas, in my case), and the device has to push it through the line to where it’s needed.

That led to me routinely holding my hand under cold water in the sink or shower, waiting longer than felt right for reasonably warm water to appear. I understood the water-for-energy trade-off I was making. But the setup wasted time, in addition to potable water, however plentiful and relatively cheap it was. It just irked me.

Little did I know the solution was just around the corner.

Hot water hotspot

  • Attention!

    Kevin Purdy

  • Nothing’ll happen. Just touch it. It’s what you wanna do. It’s there for you to touch.

    Kevin Purdy

  • The Rinnai Central app. It does this “Control failed” bit quite often.

    Rinnai

I mean that literally. When I went into the utility closet to shut off the hose bibbs for winter, I noticed a plastic bag magnetically stuck to the back side of the water heater. “Attention! The Control-R Wi-Fi Module must be installed for recirculation to operate,” read the intense yellow warning label. The water heater would not “recirculate” without it, it noted.

The Rinnai Control-R module, out of bag.

Enlarge / The Rinnai Control-R module, out of bag.

Rinnai

Recirculation means that the heater would start pulling water and heating it on demand, rather than waiting for enough negative pressure from the pipes. To trigger this, Rinnai offered smartphone apps that could connect through its servers to the module.

I found the manual, unplugged the water heater, and opened it up. The tone of the language inside (“DO NOT TOUCH,” unless you are “a properly trained technician”) did not match that of the can-do manual (“get the most from your new module”). But, having read the manual and slotted little beige nubs before, I felt trained and technical. I installed the device, went through the typical “Connect your phone to this weirdly named hotspot” process, and—it worked.

I now had an app that could start recirculation. I could get my shower hot while still in bed, or get started on the dinner dishes from the couch. And yet pulling out my phone whenever I wanted hot water felt like trading one inconvenience for another.

How I upgraded my water heater and discovered how bad smart home security can be Read More »

github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack

GitHub besieged by millions of malicious repositories in ongoing attack

Biz & IT, GitHub, repositories, Security, supply chain attack / /
GitHub besieged by millions of malicious repositories in ongoing attack

Getty Images

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

Whack-a-mole

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

Given the constant churn of new repos being uploaded and GitHub’s removal, it’s hard to estimate precisely how many of each there are. The researchers said the number of repos uploaded or forked before GitHub removes them is likely in the millions. They said the attack “impacts more than 100,000 GitHub repositories.”

GitHub officials didn’t dispute Apiiro’s estimates and didn’t answer other questions sent by email. Instead, they issued the following statement:

GitHub hosts over 100M developers building across over 420M repositories, and is committed to providing a safe and secure platform for developers. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve and adapt to adversarial tactics. We also encourage customers and community members to report abuse and spam.

Supply-chain attacks that target users of developer platforms have existed since at least 2016, when a college student uploaded custom scripts to RubyGems, PyPi, and NPM. The scripts bore names similar to widely used legitimate packages but otherwise had no connection to them. A phone-home feature in the student’s scripts showed that the imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script. This form of supply-chain attack is often referred to as typosquatting, because it relies on users making small errors when choosing the name of a package they want to use.

In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies. The technique—known as a dependency confusion or namespace confusion attack—started by placing malicious code packages in an official public repository and giving them the same name as dependency packages Apple and the other targeted companies use in their products. Automated scripts inside the package managers used by the companies then automatically downloaded and installed the counterfeit dependency code.

The technique observed by Apiiro is known as repo confusion.

“Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one,” Wednesday’s post explained. “But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.”

GitHub besieged by millions of malicious repositories in ongoing attack Read More »