I didn’t publish last month’s round up because I felt like I didn’t have enough content. Well, now I have so much I have to roll some of it to the next month 🙃.

AI

• An AI Agent Published a Hit Piece on Me. In this series of articles a matplotlib maintainer shares his journey after an autonomous AI agent published a defaming blog post on him for having dared to reject its AI PR. Then Ars Technica writes an article about the situation, and uses fake quotes due to hallucinations from AI (they’ve written an apology about it). Although it seemed kinda funny at the beginning from the outside, the author clarifies how serious this actually is. The agent researched and gathered information about him from the internet. What if he had a more expansive digital footprint, and the agent exposed something he’s not proud of? What if it made up an incriminating AI-generated picture? Humans will most likely realize it’s not true or fair, but what if he applies for a job and an AI agent performs a background check? Chillingly, the author writes About a quarter of the comments I’ve seen across the internet are siding with the AI agent.
• Man Fell in Love with Google Gemini and It Told Him to Stage a ‘Mass Casualty Attack’ Before He Took His Own Life: Lawsuit. We’re starting to see more and more similar instances (there’s even a Wikipedia page about it). It seems like gullible, mentally unstable or vulnerable people can be thrown into a negative feedback loop with LLMs. I expect we’ll see LLM providers throw money at this, although I think they’ll only be able to attenuate the problem.
• A thread of AI coding agents failing creatively
• Large-scale online deanonymization with LLMs. This was always possible manually, but it took many hours of work. Now it can be done pretty quickly and cheaply. I’ll just quote the paper Our results show that the practical obscurity protecting pseudonymous users online no longer holds.
• Open Source Has a Bot Problem. A maintainer was drowning in AI PRs, and someone suggested adding invisible text telling AI agents to add a robot emoji to PRs to get a faster approval. This led to some agents identifying themselves easily. Prompt injection as a honeypot.

Frontend

• Why we banned React’s useEffect. A company bans the direct use of useEffect in React, allowing it only through data-fetching libraries and a custom hook to run code on mount. This post has sparked many discussions, including this one about Why Banning useEffect Is Really About Agents.
• Pretext - Typescript library for multiline text measurement. Promises to open the door to more interesting UIs. I wouldn’t use it today, but might be interesting to track.

Engineering

• PyTheory Is Awesome. A blog post from the creator of Python’s Requests library about his new music theory library. Very cool project, and a great reference in API design. I also love this quote from the article PyTheory was built for no reason other than joy. Nobody asked for it. There’s no market for it.
• What if I stored data in my mouse
• Lessons learned from building my first 3D Video Game

The Web

• Google API Keys Weren’t Secrets. But then Gemini Changed the Rules. If you’ve ever embedded a Google Maps widget on a website, you’ll know they include an API key to identify your project. These were, according to Google, safe to store client-side, and used for other tools, like Firebase. Well, until the release of Gemini, when those same API keys could suddenly now be used to query Gemini, which has access to details about your account.
• Never Buy A .online Domain. A developer gets in a feedback loop where Google flagged their domain in their Google Safe Browsing blacklist, and their registry suspends the domain due to it. But they can’t appeal to Google without verifying their ownership, and to do so they have to add a DNS TXT record, which Google can’t fetch because the DNS doesn’t resolve. The root question is why doesn’t the registry itself have an appeal process?
• Hacker News: 21,864 Yugoslavian .yu domains. Yugoslavia doesn’t exist anymore. But .yu domains did, up until 2010, when ICANN removed the TLD. What will happen with .su (Soviet Union TLD)? More importantly, what happens to the British Indian Ocean Territory TLD (.io), now that the territory is being transfered to Mauritius? In that last case, Google treats .io as a generic TLD, and not a geographic one.

Others

• Oldest cave painting of red claw hand could rewrite human creativity timeline - Hand print could be world’s oldest cave art
• Free language learning tool to listen to audiobooks with synchronized subtitles and translations. You can also check out the (short) Hacker News thread to find out more about the technical details.