And even in the case those what ifs come true, it’s not spyware. It’s straight up malware.
Posts by Jonathan Garbee
It overstates the issue, not understates. It’s built up entirely on a bunch of “but what if the right series of events happens in the future and multiple parts of Anthropic are hacked.”
Is it not great in a few ways? Sure, Anthropic can do better. Is it spyware as defined? Not at all.
I did…
This article is specifically titled to get more clicks. From someone who claims to be a privacy and security focused person as this author, they should know better than to explicitly inflame a situation just for that purpose.
That have no local access. The hack scenario would also involve needing to infiltrate the desktop app and push a malicious deployment of that. A double whammy.
The threat isn’t what it is made out to be. Should better be done? Yes, especially with surfacing what is going on. Is it spyware? No.
If we are going to hold up the “what if the developer is attacked and a malicious extension is published” as valid, then take the entire extension ecosystem offline. That’s a problem for everything. And what this native extension does, while bad in that condition, is still not much worse than ones
By specifically crafting an extension with a colliding ID and getting users to install that. Which involves going into developer areas and passing a warning or two about it.
It’s a very difficult thing to do on the colliding identifier side. Unless there is a proof of concept on how to do that.
And every browser engine has this. This happens to all known browsers that are supported
Not “keys to the castle”. It literally does nothing but allow the defined extensions to communicate with the local app. If this were a huge issue, Chrome would not have the API to begin with.
Such a clickbait title. Along with someone semi uninformed on how these extension pieces work.
This isn’t “spyware”. It does literally nothing without the extensions installed to trigger it. So what is spying on people by just installing the desktop app?
Also, I’m pretty sure this is exactly how these are supposed to behave. Extension install can’t set this up. It has to be from the native app side. Claude is just setting it up automatically on install, just like 1Password does, instead of by making a person manually trigger it.
It is not an extension. It is a JSON file that facilitates one of 3 explicitly defined extensions in being able to communicate with the local desktop app. Far different story.
This photo is AI generated/manipulated. The real colors don’t look like that.
All I can say is… this kind of exploitative engineering is why NASA exists. You’re literally complaining about the people who have repeatedly done what has felt impossible being asked to do it yet again. First goal is a small reactor for it on the Moon to test, part of base power.
This doesn't explain where this image came from. It does not match with _any_ of the colors of the recent releases: www.flickr.com/photos/nasaw...
If it came from NASA, it can be traced to them. The point isn't how NASA does it. It is why this account is spamming fake photos with fake attribution.
I don't know. I just talked with people at the Kennedy Space Center the other week and got some highlight details. But the idea of Helium 3 for Fusion power is not new. Been around since at least 1988. Reference: ntrs.nasa.gov/api/citation...
Nuclear reactor fuel. But first we are sending more machines to scout Mars before humans. Since the return trip from Mars isn’t figured out yet either.
Yes. To get Helium 3 from the ice caps.
The plan is still a moon base. But that isn’t until Artemis 4 to start happening. They need to test things before Lunar Landings.
They are not exhausted. You can watch them work live most of the day on the NASA stream. When they were doing interviews yesterday for news channels, one I saw asked about sleep. Christina said they are getting plenty of deep sleep and in fact she prefers sleeping in space.
It is hard to just shift all that off given other work. For these two reasons, axios can still be heavily used. Ideally places should look to migrate off, especially since Node 24 Fetch has native proxy handling, finally. But, the argument of security tends to fall flat to shipping features. :(
Two big parts of the equation, Node support older than 18 and momentum internally with larger projects. Some places still need to support older Node and moving to fetch is a breaking change. Also, if a company has a system setup around axios wrapping their API calls that measures into thousands.
Sure go for it. Which ones do you need?
Exactly, but it’s the devil we have for now that works across engines. And it needs to run in-page. Not from an external system. So unless we get a full accessibility tree, that assistive technology uses too, exposed in page context… it is what can do the job.
“Shouldn’t be working based on the DOM”, then how do you accurately know what accessibility systems will see? The accessibility tree APIs aren’t yet comprehensive or available. So there isn’t any other real option currently that also covers everything fully. DOM is one of the biggest aspects.
Ah, yea page DOM would be needed for that. So it’s a dud in that use case if this is just about accessing a parallel clean environment.
This could help tools like Axe-core run in a worker instead of the main thread. Not entirely sure of all the intricacies and if we could do it without more surface area. That way we don’t run in the main thread to scan.
Seriously, on the Firefox AI commit controversy. I don’t see the point in complaining. Anyone threatening to move to another browser over it isn’t escaping anything. Every major company is using AI heavily. Even in ways you don’t see through code. It’s just something we need to accept. AI is a tool.
For search, @kagi.com is really good. I didn’t see any mention of this aspect in the post.