Hot takes & Cold Storage, May 22, 2026
Ep. 09

Episode description

Welcome back to Hot Takes and Cold Storage! After a brief hiatus around Red Hat Summit season, Nate is back with a packed episode.

Hot Takes: Microsoft quietly added Copilot as a co-author to VS Code git commits — even with AI tools disabled. They reversed it after developer backlash, but it’s another reason to consider VSCodium. The Dutch government has launched its own self-hosted Forgejo instance as a digital sovereignty move, joining a growing trend of nations taking control of their code infrastructure. US states continue filling the federal privacy vacuum. California’s AB 2561 now prohibits apps and OSes from resetting your privacy settings, and Connecticut passed a law requiring data brokers to register with the state. MiciMike is producing a drop-in replacement PCB for the Google Home Mini Gen 1 that turns it into a Home Assistant Voice device — completely local, ESP-based, and available to back on Crowd Supply. And in a story that writes itself: a CISA contractor stored AWS GovCloud admin credentials, a Firefox password CSV, and deployment documentation in a public GitHub repo. For six months. With secret scanning disabled.

Cold Storage (Deep Dive): The TanStack Supply Chain Worm. On May 11, 2026, over 170 packages were compromised across npm and PyPI. 84 malicious versions across 42 TanStack packages were published in a six-minute window, also hitting Mistral AI, UiPath, and OpenSearch. This is the first documented supply chain worm to ship with valid SLSA provenance certificates. We break down the pull_request_target exploit pattern, how the attacker poisoned the GitHub Actions cache without touching any credentials, and how the worm propagated itself through every developer it infected — including a vindictive payload that wiped your home directory if you revoked your token. The community response was fast and transparent, and that’s the real win.

Links:

Microsoft Copilot co-author controversy: https://www.msn.com/en-us/news/technology/microsoft-secretly-made-copilot-co-author-your-code-until-developers-revolted/ar-AA22CHBL

Dutch government self-hosts Forgejo: https://www.opensourceforu.com/2026/04/dutch-government-backs-forgejo-for-sovereign-open-source-github-alternative/

California AB 2561 & state privacy law roundup: https://www.troutmanprivacy.com/2026/05/proposed-state-privacy-and-ai-law-update-may-18-2026/

Connecticut data broker registration: https://www.troutmanprivacy.com/2026/05/proposed-state-privacy-and-ai-law-update-may-11-2026/

MiciMike Google Home Mini replacement PCB: https://www.cnx-software.com/2026/04/29/micimike-open-source-drop-in-pcb-converts-google-home-mini-into-a-local-voice-assistant/

Back MiciMike on Crowd Supply: https://www.crowdsupply.com/micimike-rev-devices/micimike-home-mini-drop-in-pcb
