Theo - t3.gg (33m)

Everything is pwn’d now

TL;DR

  • Theo says the old security model is dead — the assumptions that only elite researchers find exploits, 90-day disclosure is enough, and turning patches into exploits is hard have all collapsed under AI-assisted vulnerability discovery.

  • Copyfail is his emblem for the crisis — a Linux kernel bug affecting major distros enabled trivial root escalation via as little as 732 bytes of Python, and follow-on variants like Copyfail 2 and Dirty Frag showed how quickly one bug class spawns more.

  • Patch-to-exploit has become machine-speed — citing Jeff Kaufman’s writeup, Theo highlights that Gemini 3.1 Pro, GPT-5.5 Thinking, and Claude Opus 4.7 could infer security significance from the Copyfail fix, meaning bots can now watch public diffs and tee up attacks in hours.

  • Disclosure norms are failing both maintainers and users — in Linux, distro maintainers like Ubuntu or Mint often aren’t included in private disclosure, so they can learn about critical fixes effectively alongside attackers even though users depend on them for patches.

  • This is broader than Linux: supply-chain attacks are piling up — Theo points to Socket’s discovery that 84 TanStack npm packages were compromised, plus another 121 packages across 84 names, as evidence that CI, npm, and web app ecosystems are all under pressure.

  • His practical advice is brutally simple: assume compromise and optimize for recovery — he recommends treating systems as already breached, prioritizing offline and air-gapped backups, patching OSes quickly, being more cautious with package updates, and even setting family safe words against AI scams.

The Breakdown

Security Armageddon, Delivered Rapid-Fire

Theo opens with a wall of recent disasters — Copyfail, Dirty Frag, a curl bug, GitHub RCE via a single git push, and compromised TanStack packages — to make one point: this isn’t a normal bad week. He says he warned about a security “Armageddon,” but even he didn’t expect it to get this brutal this fast.

Copyfail and Why 732 Bytes Matters

He zooms in on Copyfail as the nightmare example: a broadly relevant Linux kernel bug that can lead to trivial root escalation, even from a tiny Python payload. The detail that sticks is his warning that “732 bytes” hidden in a popular Python library could have pwned huge numbers of machines, especially because distros often lag kernel updates.

The Three Security Truths That No Longer Hold

Theo lays out the old model software relied on: only well-paid experts could find exploits, 90-day disclosure gave enough time, and patch-to-exploit was hard. His core argument is that AI blows up all three, because anything that once required careful human attention can now be run “in a for loop” if you have enough tokens.

Jeff Kaufman’s Copyfail Story Changes the Stakes

Using Kaufman’s writeup, Theo explains how Copyfail 2 surfaced when someone noticed a fix and inferred its security impact, effectively ending the embargo. The part that freaks him out most: a second party independently reported the same major exploit just 9 hours later, which he treats as evidence that the timeline has collapsed from months to hours.

A Bot Can Read Your Commits Now

Then comes the footnote that really sets him off: Kaufman tested Gemini 3.1 Pro, GPT-5.5 Thinking, and Claude Opus 4.7 on the Copyfail fix, and all three recognized the full commit as security-relevant. Theo’s conclusion is blunt — if models can flag likely security patches from diffs, they can be wired into bots that monitor Linux commits and start generating exploit paths immediately.

Linux Distros, npm, and the Expanding Blast Radius

He argues distro maintainers are stuck in an absurd position because they’re responsible for shipping safety to users without necessarily being in the disclosure loop. Then he broadens out to JavaScript: Socket found 84 compromised TanStack packages, later expanding that to another 121 packages across 84 names, which Theo uses as proof that AI-fueled supply-chain automation is hitting every ecosystem at once.

His Big Fix: Trusted Actors and Semi-Private Open Source

Theo’s most controversial proposal is a new disclosure tier between maintainers and the general public: “trusted actors” who are verified and can get advance warning. From there he goes further, arguing open source may need staging branches, delayed code visibility, or private security rollouts — essentially a more granular GitHub where patches can ship before every exploit clue is public.

Negative-One Trust: How He’s Living Now

On the personal side, Theo says he’s moved past trying to prevent leaks and is now focused on surviving ransomware and destructive loss. That means assuming compromise, doing offline backups, considering extra Synology or air-gapped storage, being careful with tools like npx, helping family set up safe words and document backups, and patching core systems fast even while being wary of package-level supply-chain poison.
