Plus Deno's desktop apps, the coming loop, and the libssh2 flaw in your toolchain.
A logging bug in OpenAI's Codex CLI was quietly writing terabytes to developers' SSDs. Also: Deno's new desktop apps, Armin Ronacher on the coming loop, npm malware hiding in blockchain transactions, and the critical libssh2 flaw inside curl and Git.

View in browser | Past Issue | Subscribe / Unsubscribe

SitePoint Source

Welcome, Developers! 👋

This week opens with a cautionary tale: OpenAI's Codex CLI was quietly writing terabytes to developers' SSDs, a reminder that an agent on your machine needs a budget for what it writes. Then Deno's new desktop apps, Armin Ronacher on the coming loop, npm malware hiding in blockchain transactions, and the libssh2 flaw buried in your toolchain. Let's get into it.

From our sponsor: ManageEngine

Prevent DBA burnout with database observability

Prevent DBA burnout with database observability

DBAs spend most of their work week troubleshooting database issues. Learn how to replace reactive firefighting with proactive observability that helps detect issues early, accelerate root-cause analysis, and optimize performance across hybrid environments. Join this free live webinar on July 15 and discover practical strategies, a live product demo, and expert insights to help your team spend less time troubleshooting and more time driving improvements.

Reserve your spot

🔖 The Reading Room

Articles we have hand-picked for you:

OpenAI's Codex CLI was quietly writing terabytes to developers' SSDs

A developer traced 37 terabytes of writes on his SSD in three weeks to one culprit: Codex CLI's debug logger, stuck at its most verbose setting, ignoring the usual controls, and running at a pace near 640 terabytes a year. That is enough to spend a 1TB drive's rated endurance in under a year, and because the log file prunes itself, no disk-usage tool shows a thing. The report walks through why it stays invisible and gives the one-line command to check whether your own drive is affected.

Via GitHub →

Deno 2.9 ships deno desktop: native apps from your web stack

Deno 2.9 adds deno desktop: point it at a Next.js, Astro, Vite, or SvelteKit project and it builds a single native binary for macOS, Windows, and Linux, no Electron required. The same release reads npm, pnpm, Yarn, and Bun lockfiles directly, starts up about twice as fast, and adds CSS module imports. It is still experimental, but it is the most interesting take on desktop-from-web in a long while.

Via the Deno Blog →

Armin Ronacher: the coming loop

The creator of Flask splits the coding agent into two loops: the one inside the tool, and the harness around it that queues work, decides when it is done, and keeps it running. He is candid that he has not made this work for code he cares about, because today's models write over-defensive code and looping only amplifies it, yet he argues you may not get to opt out anyway. Where he thinks loops genuinely belong, and where they quietly wreck a codebase, is the part worth reading.

By Armin Ronacher →

The npm packages hiding malware in blockchain transactions

Two malicious npm packages planted a hidden VS Code task that runs the moment you open the project folder, no build and no script. The payload masqueraded as an empty font file and pulled its next stage from data buried in blockchain transactions, so there is nothing to take down. Worth two minutes today: check the .vscode/tasks.json in any repo you open, especially anything set to run on folder open.

Via JFrog Security Research →

The libssh2 flaw hiding in curl, Git, and PHP

A critical libssh2 flaw (CVSS 9.2) flips the SSH threat model: a malicious server can corrupt memory on the connecting client and reach remote code execution, with no credentials and no interaction. It matters because libssh2 hides inside curl, Git clients, PHP, and backup tools, often statically linked, so a routine update may never touch the copy that bites you. A patch is merged but unreleased and a public proof-of-concept is already out, so the job this week is to inventory everything that links it.

Via Arctic Wolf →

⏳ Back in Time

Most clicks from last newsletter:

🔗 The Link Lounge 

Unordered finds from around the web:

Find something cool? You can send us links to feature here via email.

🧰 The Toolbox

Tools and products we're excited about today:

Oak

A version control system built for coding agents: a Rust core, the usual branch-and-merge model, and an oak mount that makes a repo usable without a full clone, since files hydrate on first read. Every task gets its own mount, and the team reports up to 95 percent lower latency and about half the version-control tokens versus git. Still early, with no Windows build yet.

Learn more →

PMB

Persistent memory for MCP-aware coding agents that survives restarts and model switches: decisions, lessons, and project facts live in one local SQLite file, with no cloud and no API keys. One connect wires up Claude Code, Cursor, Codex, Zed, and VS Code, and a local dashboard shows which lessons actually changed outcomes. Apache-2.0 and pip-installable.

Learn more →

fgj

What gh is for GitHub, fgj is for Forgejo and Codeberg: create and review pull requests, manage issues, and drive Actions without leaving the shell. It auto-detects the instance from your git remote and is built to play nicely with AI coding agents.

Learn more →

Forge

A Python framework for self-hosted LLM tool-calling that slots under a harness you already use, opencode, Continue, aider, Cline, or Claude Code, with no rewrite. It speaks both the OpenAI and Anthropic schemas and is deliberate about reasoning, keeping it out of backend history by default to save tokens.

Learn more →

Prevent DBA burnout with database observability

DBAs spend most of their work week troubleshooting database issues. Learn how to replace reactive firefighting with proactive observability that helps detect issues early, accelerate root-cause analysis, and optimize performance across hybrid environments. Join this free live webinar on July 15 and discover practical strategies, a live product demo, and expert insights to help your team spend less time troubleshooting and more time driving improvements.

Reserve your spot →

🎤 Your Voice

Your feedback shapes what comes next! We read every email, so simply hit reply and tell us what's on your mind.