Vite 8 shipped this week and it's the biggest architectural change since Vite 2. Rolldown replaces both esbuild and Rollup with a single Rust-based bundler. Linear went from 46-second builds to 6 seconds. That's not a benchmark — that's a real team's real CI pipeline.
Meanwhile, someone found malware hiding in invisible Unicode characters across 151 GitHub repositories. Not hidden in dependencies or obscure config files — hidden in characters your editor literally cannot display. The commits looked normal. The diffs looked clean. The payloads were stealing tokens and credentials. If you're reviewing PRs by skimming diffs, this is a good week to reconsider that habit.
And Gergely Orosz published a piece asking whether AI agents are actually slowing teams down. Amazon had a 13-hour outage because an AI agent decided to "delete and recreate the environment." Meta is tracking AI token usage in performance reviews. The pattern from last week's Scientific American study is getting sharper: more output, more complexity, more things breaking.
Here's what else is worth your time.
The Big 3
Vite's biggest release since v2 ships Rolldown as a single unified Rust-based bundler, replacing the dual esbuild/Rollup architecture. The result is 10-30x faster builds with full plugin compatibility. Linear reports build times dropping from 46s to 6s, and Beehiiv saw a 64% reduction. The release also includes built-in tsconfig path resolution, integrated devtools, console forwarding from browser to terminal, and @vitejs/plugin-react v6, which replaces Babel with Oxc. Node.js 20.19+ required.
Between March 3-9, attackers used invisible Private Use Area Unicode characters to hide malicious payloads across 151+ GitHub repositories, npm packages, and VS Code extensions. Every editor and terminal renders these characters as nothing — the code looks clean in diffs and reviews. Decoded payloads steal tokens, credentials, and secrets via Solana. Compromised repos include Wasmer and OpenCode. The commits were carefully crafted with realistic documentation tweaks and version bumps, suggesting AI-assisted social engineering.
Gergely Orosz documents real-world cases of AI agents degrading software quality. Amazon's retail org saw a spike in high-blast-radius incidents from AI-assisted changes — one agent "deleted and recreated" a production environment, causing a 13-hour outage. Meta now factors AI token usage into performance reviews. OpenCode's creator warns agents "lower the bar for what ships." The emerging consensus: AI makes individual tasks faster while making systems more fragile.
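For the invisible Unicode item above, a check that a reviewer or CI job could run instead of trusting a clean-looking diff: it reports every run of Private Use Area code points with its position and length. This is an added example, not code from this newsletter or from the linked reports; the function names, the constructed sample text and the minRun threshold are assumptions.

```javascript
// Added example: find runs of Private Use Area (PUA) code points in source text.
// \p{Co} covers U+E000-U+F8FF plus the two supplementary PUA planes.
const PUA_RUN = /\p{Co}+/gu;

const hex = (ch) =>
  "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

// One finding per run: 1-based line and column (counted in code points),
// run length in code points, and the first and last code point of the run.
function findPuaRuns(text) {
  const findings = [];
  text.split(/\r\n|\r|\n/).forEach((line, i) => {
    for (const m of line.matchAll(PUA_RUN)) {
      const cps = Array.from(m[0]);
      findings.push({
        line: i + 1,
        column: Array.from(line.slice(0, m.index)).length + 1,
        length: cps.length,
        first: hex(cps[0]),
        last: hex(cps[cps.length - 1]),
      });
    }
  });
  return findings;
}

// Assumption: a lone PUA code point may be an icon-font glyph, while a run of
// minRun or more is large enough to carry encoded data and should fail review.
function triage(text, minRun = 2) {
  return findPuaRuns(text).map((f) => ({ ...f, suspicious: f.length >= minRun }));
}

// Constructed sample: line 2 carries a five-code-point invisible run.
const hidden = String.fromCodePoint(0xe001, 0xe042, 0xf0010, 0x10fffd, 0xe003);
const SAMPLE = [
  "// bump version",
  'const note = "docs' + hidden + '";',
  'const icon = "\uE900";',
].join("\n");

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```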
Articles & Tutorials
The 49MB Web Page (8 min)
An audit of major news sites found the New York Times serving 422 network requests and 49MB of data — more than the entire Windows 95 install — to display four headlines. On mobile, actual article content occupies 11-15% of viewport space.
How Stripe's Minions Ship 1,300 PRs a Week (11 min)
Stripe merges 1,300+ pull requests weekly that contain zero human-written code. Their "Minions" system uses a five-layer pipeline from Slack message to merged PR, handling flaky tests, migrations, and well-specified features autonomously.
Moving From Moment.js to the JS Temporal API (14 min)
Temporal has landed in Chrome 144+, Firefox 139+, and Edge 144+. Smashing Magazine walks through migrating from Moment.js with practical code comparisons — immutable objects, strict ISO 8601 parsing, and timezone-aware date handling built into the language.
Why Node.js Needs a Virtual File System (6 min)
Matteo Collina explains the motivation behind node:vfs. Today you can't virtualize the filesystem or import a module that only exists in memory. The PR is open, and a userland polyfill is available now for Node.js 22+.
Native JSON Modules Are Finally Real (5 min)
You can now import data from "./data.json" with { type: "json" } natively in all modern browsers. No bundler, no fetch, no workaround — just standard ES module imports for JSON files.
How I Write Software with LLMs (24 min)
A practical walkthrough of one developer's LLM-assisted workflow that hit 500+ points on HN. Focuses on what actually works versus what's hype.
What's !important #7: random(), Folded Corners, Anchored Container Queries (3 min)
CSS Tricks rounds up the latest CSS features including random(), a pure CSS approach to folded corners, and anchored container queries.
Career & Takes
You Don't Want to Be a Manager (10 min)
Theo argues that senior engineers often pursue management for the wrong reasons and that the role is fundamentally different from what most developers expect.
Developers Are Quietly Grieving the Old Internet (2 min)
A Dev.to post with 100+ reactions that names the feeling many developers have right now — a grief for the internet that felt more human, more creative, and less optimized.
Stop Sloppypasta (1 min)
A manifesto against pasting raw LLM output at people. "Sloppypasta" — from slop + copypasta — is considered rude because it asks the recipient to do work the sender didn't bother doing. 650+ points on HN.
Tools & Releases
Mistral Small 4 — 119B MoE, Apache 2.0 (5 min)
A 119B-parameter MoE model with only 6B active per token, unifying instruct, reasoning, and multimodal capabilities. 40% lower latency than Small 3, configurable reasoning effort per request, 256k context window.
Java 26 Released (5 min)
Ten JEPs including hybrid public key encryption, post-quantum JAR signing, primitive types in pattern matching (fourth preview), and the removal of the Applet API.
FFmpeg 8.1 "Hoare" (5 min)
Vulkan compute-based codecs no longer need runtime GLSL compilation. The release also brings D3D12 H.264/AV1 encoding, initial JPEG-XS support, and ProRes encoding/decoding via Vulkan.
Leanstral: Formal Proof Agent for Lean 4 (5 min)
Mistral's open-source 119B MoE model trained specifically for formal verification in Lean 4. With 6B active parameters it outperforms models 100x its size on proof benchmarks. Apache 2.0.
Azure DevOps Remote MCP Server (3 min)
Microsoft ships a public preview of a remote MCP server for Azure DevOps, letting AI agents interact with work items, repos, and pipelines without local setup.
Watch
5 Claude Code Skills I Use Every Day (10 min)
Matt Pocock walks through the AI agent skills he uses daily to improve code quality and steer Claude Code more effectively.
NPM Is Dead (10 min)
Web Dev Simplified makes the case that npm's website has become a poor experience for finding package information, and explores the alternatives.
Open Source Is Dying (10 min)
Theo examines how AI has broken parts of the open source model — from AI-generated spam PRs to companies extracting value without contributing back.
Remote Coding Agents (10 min)
Scott and Wes from Syntax break down what remote coding agents are, why you'd want one running in the cloud, and how the major players compare.
Other Links
Karpathy's US Job Market Visualizer — 342 occupations scored for AI exposure
The Rise of Malicious Repositories on GitHub — fake stars, cloned repos, hidden malware
Why Event-Driven Systems Are Hard — practical challenges and tradeoffs
RSpotify Enters Maintenance Mode — Spotify now requires Premium to test their API
Abusing Customizable Selects — wild demos with the new <select> feature
Sweden's E-Government Source Code Leaked — compromised CGI Sverige infrastructure
Two React Design Choices Devs Don't Like But Can't Avoid — hooks and JSX frustrations examined
Run Claude Code with Docker — local models, MCP servers, and secure sandboxes
NVIDIA GTC 2026: Jensen's Keynote — OpenClaw, Vera CPU, $1T sales backlog
LLMs Can Be Exhausting — the cognitive load nobody talks about
The invisible code attacks and the AI quality concerns tell the same story this week: we're shipping faster than we can verify. Whether it's Unicode characters hiding in plain sight or AI agents deleting production environments, the theme is clear — speed without scrutiny is a liability. If you're rethinking your review process after any of this, I'd love to hear what you're changing. Hit reply.
Until next week,
Niall
