Articles

Articles are single-page pieces that give a whirlwind tour of a specific topic.

They’re different from series, which go very in-depth, taking many detours.

September 2025

crates.io phishing attempt

Earlier this week, an npm supply chain attack.

Now it’s the turn of crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

A phishing e-mail: Important: Breach notification regarding crates.io. Hi, BurntSushi! We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture. We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in here to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you.
Andrew Gallant on BlueSky

And it leads to a GitHub login page that looks like this:

A fake GitHub sign-in page.
Barre on GitHub

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.

color npm package compromised

On September 8 2025, around 13:00 UTC, someone compromised Josh Junon’s npm account (qix) and started publishing backdoored versions of his package.

Someone noticed and let Josh know:

Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
Charlie Eriksen on BlueSky

Josh confirmed he’d gotten pwned by a fake 2FA (two-factor authentication) reset e-mail:

Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
Josh Junon on BlueSky

The phishing e-mail came from npmsj.help (registered 3 days prior) and claimed users had to reset their 2FA:

August 2025

The science of loudness

My watch has a “Noise” app: it shows dB, for decibels.

My amp has a volume knob, which also shows decibels, although.. negative ones, this time.

And finally, my video editing software has a ton of meters — which are all in decibel or decibel-adjacent units.

Summer fasterthanlime update

There is news!

Cool Bear's hot tip

TL;DR: If you’re a patron or sponsor, check your Profile page to get detailed explainers of every perk. You’ll need to log in. Duh.

Here are all the changes I’m implementing, summarized as a table:

| Before | After |
| --- | --- |
| 📚 Articles remain exclusive for 6 months | Early access (couple weeks) for Silver tier |
| 🎞️ No early access for video | |

June 2025

All color is best-effort

I do not come to you with answers today, but rather some observations and a lot of questions.

The weird glitch

Recently I was editing some video and I noticed this:

A screenshot of the video, there are visible circles at various places in the image. Some of them are black, some of them are white. The image itself shows some blue and white text composited on some blurry background, which doesn’t really matter for this, and there’s a red line horizontal up in the image. It’s very confusing.

Not what the finger is pointing at — the dots.

Here are the separate layers this image is made up of: the background is a stock image I’ve licensed from Envato Elements:

A picture of a canyon, darker than you’d expect.

Because I use it as a background image, I’ve cranked down the exposure in the Color tab:

Introducing facet: Reflection for Rust

I have long been at war against Rust compile times.

Part of the solution for me was to buy my way into Apple Silicon dreamland, where builds are, like… faster. I remember every time I SSH into an x86_64 server, even the nice 64-core ones.

And another part was, of course, to get dirty with Rust itself.

I wrote Why is my Rust build so slow?, which goes in-depth into Rust build performance, down to rustc self-profiling even!

May 2025

The virtue of unsynn

Addressing the rumors

There have been rumors going around, in the Reddit thread for facet, my take on reflection in Rust, which happened a bit too early, but here we are, cat’s out of the bag, let’s talk about it!

Rumors that I, podcaster/youtuber fasterthanlime, want to kill serde, serialization / deserialization framework loved by many and which contributed greatly to Rust’s success, and I just wanted to address those rumors and say that…

April 2025

Open sourcing the home CMS

I’ve been bragging about my website software for years! For… whew, it’s been 5 years!

A screenshot of github commits for the beginning of my website. It has commit messages like 'learning rusqlite', 'walk stuff', 'import input files', 'parse frontmatter and stuff', and 'do stuff in parallel'.

I didn't want to make a CMS! I did it out of spite!

I’ve been teasing folks about the cool things I did from the beginning — here are all the articles and series I’ve written that mention it: