Pi-Agent

Last week, Microsoft’s Defender research team published details of an attack campaign they’re calling Mini Shai Hulud. A threat actor compromised maintainer accounts for the @antv npm organisation - the team behind popular charting libraries like G2 and G6 - and published malicious versions containing a 499 KB obfuscated payload that ran automatically during npm install. The blast radius was significant: echarts-for-react, one of the downstream dependents, has over a million weekly downloads. GitHub pulled 640 package versions and invalidated 61,274 npm tokens before it was contained. ...

If like me, you’re spending an increasing amount of time learning Pi Agent - the minimal terminal coding harness - you’ll quickly hit the point where you want to bend it to your workflow. There are four different mechanisms for doing that: context files, prompt templates, skills, and TypeScript extensions. They look similar on the surface but they operate at completely different layers, and picking the wrong one means either burning context unnecessarily or writing TypeScript when a Markdown file would have done the job. ...