Your Vercel environment variables might have leaked this week. The entry point wasn't a zero-day. It was a Roblox cheat.
An employee at an AI tool provider that one Vercel employee trusted downloaded a bundled Roblox hack, which turned out to be malware. That malware pivoted through Google Workspace, used an OAuth grant to reach Vercel's internal systems, and exfiltrated a subset of customer environment variables. Vercel's public postmortem says the attack was "significantly accelerated by AI." Translation: this pattern is going to keep happening.
Meanwhile, TypeScript 7.0 entered beta — the first public build of the Go-powered compiler that Microsoft has been quietly rebuilding for two years. Early benchmarks are showing 10x compile speeds on real monorepos. And Anthropic had the kind of week that defines a quarter: Claude Opus 4.7 shipped, Claude Design launched, and by Wednesday developers were asking if Claude Code is about to jump to $100/month.
Three different kinds of seismic: your language is faster, your deployment platform is bleeding keys, and the AI tools half the industry now depends on just got significantly more powerful and significantly more expensive. Here's everything else worth your time.
The Big 3
Microsoft announced the public beta of TypeScript 7.0, the long-awaited native port of the compiler from JavaScript to Go. Early benchmarks on large codebases show roughly 10x faster type-checking and dramatically lower memory usage — the kind of gain that changes how you work, not just how long CI takes. The API surface is identical; migration is meant to be drop-in for most projects. The same team that spent 2023-2024 insisting "we're not rewriting TypeScript in another language" quietly did exactly that, and the beta is now the headline feature of every TS-heavy toolchain planning its 2026 upgrades. If you maintain a large TS monorepo, this is the release to start testing.
Vercel confirmed that attackers accessed a subset of customer environment variables after compromising an employee's account via a third-party AI tool. The initial vector, per Webmatrices' reporting, was a Roblox cheat bundled with malware installed by an employee at the AI vendor. From there, attackers pivoted through Google Workspace and an OAuth grant into Vercel's environment. Non-sensitive env vars were exposed for affected customers, and Vercel is notifying those impacted directly. Guillermo Rauch said the attack was "significantly accelerated by AI." The uncomfortable lesson: every OAuth grant you've made to an AI tool is now your supply chain, and supply chains fail at the weakest vendor's weakest employee.
Anthropic released Claude Opus 4.7 with stronger coding, better vision, and more reliable long-running tasks — then followed it with Claude Design, which generates full landing pages, prototypes, and slides from a prompt (Theo calls it a credible Figma killer). Then on Wednesday, Anthropic quietly — no announcement, no blog post — updated the Claude Code docs in a way that suggested a new $100/month tier. Simon Willison's breakdown is the clearest read on what's actually happening: Pro users aren't losing Claude Code, but usage is being metered more aggressively, and the confusion is very much Anthropic's doing. The broader signal: the honeymoon pricing on AI coding tools is ending, and the industry is about to find out how much it's actually worth to each of us.
Articles & Tutorials
The Vertical Codebase (8 min)
TkDodo (TanStack Query maintainer) makes the case for structuring apps by domain rather than by file type — arguing that components/, hooks/, and utils/ folders feel tidy at first but become unmaintainable at scale.
How I Resolved 15,000 Circular Dependencies (12 min)
A senior Microsoft engineer's retrospective on clearing ~15,000 project-level circular deps from a 7-million-line TypeScript monorepo. Reusable ideas for anyone wrangling a large TS workspace.
Bloom Filters: The Niche Trick Behind a 16× Faster API (7 min)
Incident.io walks through how they used a Bloom filter to cut API latency 16x on a hot path. A practical primer on a data structure most devs only see in interview prep.
Why I Don't Chain Everything in JavaScript Anymore (5 min)
Matt Smith argues that long .filter().map().reduce() chains look elegant but cost you debuggability and readability. A case for breaking them up.
PSA: Copying Your SQLite .db File Isn't a Valid Backup in WAL Mode (5 min)
If you're running SQLite in WAL mode (which is the default in most modern runtimes), a straight file copy will miss uncommitted data in the -wal file. This thread explains what to do instead.
A Well-Designed JavaScript Module System Is Your First Architecture Decision (13 min)
A deep walkthrough of what a disciplined module system actually buys you — and how ignoring it quietly locks in every other architectural choice downstream.
Moving Past Bots vs. Humans (19 min)
Cloudflare's deep dive on why the "block all bots" model breaks down when users run browser agents and AI assistants on their own behalf — and what detection looks like in an agentic web.
How We Made the Angular Compiler Faster Using AI (10 min)
VoidZero's OXC team used Claude Code and Codex to port and tune the Angular compiler at speed — and documented what kinds of tasks AI did well on versus where humans had to take over.
Career & Takes
AI Doesn't Fix Weak Engineering. It Just Speeds It Up. (5 min)
A sharp argument that AI multiplies whatever engineering practices you already have — good or bad — and that teams shipping AI-accelerated slop are just now realizing they always shipped slop.
Learnings From ~1,000 Amazon Interviews (30 min)
A former Amazon Principal Engineer distills a decade of interviewing into what actually predicts performance versus what just correlates with passing a bar-raiser.
Everyone Is Busy Using AI. Very Few Are Thinking. (2 min)
A short piece on the quiet cost of reaching for an LLM before you've framed the problem — and the muscles that are atrophying in the industry as a result.
$30/hr for "Highly Skilled" Devs — Am I Missing Something? (5 min)
A candid r/webdev discussion on the collapse of freelance rates, whether AI is the cause, and what's realistic to quote in 2026.
Tools & Releases
Git 2.54 (12 min)
Two headline features: git history — a cleaner way to edit or split commits interactively — and hooks defined in config files (repo, user, or system level) with support for running multiple hooks per event. Worth upgrading for both.
Bun 1.3.13 (5 min)
bun test gains --isolate, --parallel, --shard, and --changed flags for real test parallelization. The runtime also uses 5% less memory and installs ship faster via streaming.
Node.js 24.15.0 LTS (3 min)
require(esm) and the module compile cache are now stable, and --max-heap-size is a new flag. Separately, Node.js is set to ship the Temporal API by default in v26 next week.
pnpm 11 RC (4 min)
A new SQLite-backed store index, and supply-chain protection (install-time lockfile verification and trusted-publisher checks) is turned on by default. The one opinionated default this cycle that probably makes sense.
Rust 1.95.0 (5 min)
Stabilizes a clutch of long-awaited features and includes a new diagnostic for externally implementable items. Worth a read even if you only touch Rust occasionally.
Grafana 13 (6 min)
Announced at GrafanaCON Barcelona — suggested dashboards with compatibility scoring for Prometheus users, and a stack of Grafana AI features around auto-diagnosis of alerts.
Watch
Did Anthropic Just Kill Figma? (10 min)
Theo on Claude Design — what it actually does well, where it falls down, and why he thinks this one is genuinely a threat to incumbent design tools rather than another AI demo.
You Need to Use This TSConfig Setting (10 min)
Web Dev Simplified on a small TSConfig flag that changes how strict-mode TypeScript actually behaves — the kind of 30-second change that quietly fixes a category of bugs.
I 3D Coded a Car (10 min)
Ania Kubow builds a 3D car entirely in code with Three.js — a fun, practical intro to WebGL that doubles as a decent starting point for anyone who's been meaning to learn it.
How to Fix Vibe Coding (10 min)
Wes and Scott on Syntax discuss making AI-assisted coding more reliable by pairing it with deterministic tools — linters, type checkers, Knip, and friends.
Other Links
GitHub's Fake Star Economy — the industry no one talks about
SpaceX Says It Has Agreement to Acquire Cursor for $60B — $10B now, right to buy later
HyperFrames: Create Videos With HTML and JavaScript — open-source Remotion alternative
Changes to GitHub Copilot Individual Plans — new limits roll out next month
Crates.io Migrating From Ember to Svelte 5 — public testing is open
Salesforce Multi-Framework: Build With React, Run on Salesforce — walled garden opens up
OpenCode Desktop Migrated From Tauri to Electron — Rust-maxxers, deep breath
Meta Will Capture Employee Keystrokes and Mouse Movements for AI Training — internal, but a preview of what's coming
DigitalOcean → Hetzner, 84% Cheaper — detailed migration writeup
OWASP npm Security Cheat Sheet — recently updated, worth bookmarking
Animata: 100+ Animated React Components — animated beams, spread cards, Slack-style intros
Systemic Flaw in MCP Protocol Could Expose 150M Downloads — MCP's first real security audit
Three stories this week that don't fit together neatly: a language gets 10x faster, a platform gets breached through a bundled Roblox cheat, and the industry's most-used AI coding tool may be about to cost what a junior engineer's Netflix, Spotify, and gym memberships cost combined. All three are going to shape your 2026 whether you opt in or not. If you've already started testing the TypeScript 7.0 beta or you've been affected by the Vercel thing, hit reply — I'd like to hear what you're seeing.
Until next week,
Niall

