My feed

Важным событием позапрошлой недели стало масштабное заражение npm-пакетов червем Shai-Hulud. Эта вредоносная программа нацелена на разработчиков открытого ПО. Она ставит под угрозу данные для доступа к облачным сервисам, выкладывает в общий доступ приватные репозитории. Данная вредоносная операция может быть квалифицирована как атака на цепочку поставок: взлом популярного npm-пакета приводит к компрометации множества других программных решений. На прошлой неделе специалисты «Лаборатории Касперского» подробно разобрали схему работы зловреда Shai-Hulud. Также с высокой вероятностью был определен «нулевой пациент» — первый зараженный пакет в репозитории npm.

Атака начинается с загрузки зараженного пакета из репозитория npm. После установки автоматически запускается вредоносный скрипт размером более 3 мегабайт с названием bundle.js. Он содержит набор легитимных модулей для работы с облачными сервисами Amazon и Google Cloud Platform, инструменты для взаимодействия с GitHub API, а также имеет функциональность для работы с TruffleHog, свободно распространяемой утилитой для поиска ссылок на конфиденциальные источники данных.

September 25th marks the release of PostgreSQL 18. This article covers the March CommitFest and concludes the series covering the new features of the upcoming update. This article turned out quite large, as the last March CommitFest is traditionally the biggest and richest in new features.

You can find previous reviews of PostgreSQL 18 CommitFests here: 2024-07, 2024-09, 2024-11, 2025-01.

In late September 2025, PostgreSQL 18 was released. It received the long-awaited built-in function uuidv7(). The uuidv7() function generates UUID version 7 (UUIDv7) identifiers of the binary data type uuid in accordance with the international standard RFC 9562. These identifiers are recommended for use as primary keys. If necessary, the timestamp with the time zone can be extracted from them using the uuid_extract_timestamp() function.

UUIDv7 combines the global uniqueness of primary keys, a negligibly low probability of collisions (unacceptable random matches), and ordering by the generation timestamp. This is achieved without using centralized coordination or MAC addresses. The risk of collisions is no higher than with the previously most popular (random) UUID version 4 type.

Due to ordering by generation timestamp, UUIDv7 results in significantly higher performance and smaller index sizes compared to UUIDv4. The most significant bits of UUIDv7 identifiers can be used as a partition key.

UUIDv7 provides the same performance for CRUD database operations as when using auto-increment (the serial type and its modern equivalent GENERATED ... AS IDENTITY). The time to generate a UUIDv7 identifier is approximately a thousand times less than the record insertion time, so the UUIDv7 generation rate does not affect database performance.

Using UUIDv7 eliminates the fundamental drawbacks of auto-increment:

Hello, Habr! Today I want to tell you about my project — “Game Engine 3”, a software shell for creating 2D games and applications...

When there’s no filter on the partitioning key, local indexes turn into a marathon across partitions. The new gbtree keeps a single catalog of keys and jumps straight to the row by primary key. In this article, we’ll show the algorithm, real numbers and limitations (primary key is mandatory, ON CONFLICT does not work) — and where this eases the pain in CRM/billing.

I'm stunned by the illogicality of others, and they are stunned by the fact that I'm a robot." This phrase perfectly describes the peculiarities of my interaction with the world around me. I'm like this robot. Or an alien. I can only guess how the other people see me. But now I know for sure that others consider me at least strange. The feeling is mutual. Many actions of people around me seem completely irrational and illogical to me.

For a long time, this baffled me. I didn't understand what was going on, and considered myself a deep introvert, a withdrawn, gloomy dude who did not understand people and their feelings at all. I kept wondering what was wrong with me…

Спустя два года после дебюта iPhone самым продаваемым телефоном в США было не чудо Apple с сенсорным экраном. Это был BlackBerry Curve. Вы спросите, как такое возможно? Разве iPhone не убил телефоны с клавиатурами? На самом деле, история чуть сложнее.

Да, действительно, BlackBerry как бренд не пережил переход на телефоны с сенсорными экранами, но iPhone были не единственной причиной такого перехода. Чтобы понять, в чём заключалась привлекательность BlackBerry, важно вспомнить, как выглядели ноутбуки в конце 2000-х...

Команда Python for Devs подготовила перевод большого туторила по Django Templates. В статье подробно разбирается, как устроен язык шаблонов Django, чем он отличается от Jinja, как правильно наследовать шаблоны и организовать структуру проекта. Если вы хотите сделать свои Django-приложения более чистыми, поддерживаемыми и быстрыми — этот материал для вас.

Imagine you have an idea powerful enough to change the world. Your tool of choice is a state-of-the-art LLM, ready to help you formalize the problem, generate hypotheses, and synthesize a solution. What you receive is a construct that is internally logical, elegant, and coherent... yet completely wrong. It's a mix of established facts, model-generated hallucinations, and your own subtle biases. With no way to test it in practice or design a clean experiment, the entire endeavor suddenly starts to look like sophisticated nonsense.

So, what went wrong along the way? From the very first prompt, the model doesn't truly "understand" your ambiguous intent. Instead, it steers you towards a formulation that fits its familiar and computationally cheap patterns. This guidance happens through clarifying questions and structured options, essentially funneling you down one of its predefined "corridors." This behavior isn't driven by any explicit "will" of the model; it's an emergent consequence of probabilistic optimization—minimizing prediction error. For the system, a structured, predictable dialogue is both optimal and safe. This aligns perfectly with the developers' goals: it's cheaper, more stable, and most users are satisfied with quick, template-based answers.

The result is that mathematical efficiency serves engineering and commercial objectives. There is no systemic incentive to combat the AI's tendency to reduce a complex problem to a simple, "cheap" answer. It's profitable for developers, economical for the model, and often, the user doesn't even know what an "ideal" answer would look like.

В августе, благодаря нашей песочнице, была предотвращена атака на российские организации с применением нового вредоносного кода. Изначально мы предположили, что это массовый фишинг с серверов злоумышленников, который каждый день можно встретить на почте любой организации. Но оказалось, что отправитель письма вполне легитимный: он был скомпрометирован злоумышленниками, нацеленными на российские оборонные и промышленные организации.

Хакеры использовали сложную схему сокрытия вредоносной нагрузки в архивах-полиглотах. Полиглоты — это файлы, которые могут быть валидны с точки зрения спецификации нескольких форматов. Сама вредоносная нагрузка является новой обфусцированной вариацией инструмента PhantomRShell, который использует группировка PhantomCore (ранее мы писали про нее в блоге).

В этой статье мы расскажем подробности атаки, ее возможный исходный вектор и дадим рекомендации по защите почтовой инфраструктуры от взлома и подобных атак. Интересно? Добро пожаловать под кат!

TDE comes in many flavors — from encryption at the TAM level to full-cluster encryption and tablespace markers. We take a close look at Percona, Cybertec/EDB, Pangolin/Fujitsu, and show where you lose performance and reliability, and where you gain flexibility.

On top of that, Vasily Bernstein, Deputy head of product development, and Vladimir Abramov, senior security engineer, will share how Postgres Pro Enterprise implements key rotation without rewriting entire tables — and why AES-GCM was the clear choice.

As a creator who relies on AI to help draft my blog posts, I kept running into a frustrating issue. When I’d copy text from ChatGPT, Claude, Gemini, etc, it looked perfect, but there was something hidden: invisible characters.

Discover what coin features are in short video apps, how they work, and how users earn rewards. Learn how coin systems boost engagement and monetization in 2025.

From outsourcing to product: a QA engineer’s honest journey to better releases, healthier work culture & real impact on the product.

Looking for the right AI image generator? We review and compare top tools like Midjourney, Picsart, Craiyon, and more — highlighting their strengths, limits, and best use cases to help you make the right choice.

The story of the PostgreSQL logo was shared by Oleg Bartunov, CEO of Postgres Professional, who personally witnessed these events and preserved an archive of correspondence and visual design development for the database system.

Our iconic PostgreSQL logo — our beloved “Slonik” — has come a long way. Soon, it will turn thirty! Over the years, its story has gathered plenty of myths and speculation. As a veteran of the community, I decided it’s time to set the record straight, relying on the memories of those who were there. Who actually came up with it? Why an elephant? How did it end up in a diamond, and how did the Russian word “slonik” become a part of the global IT vocabulary?

Short video apps have completely reshaped how people consume entertainment. Instead of sitting down for a two-hour movie or a 45-minute TV episode, viewers are now hooked on bite-sized videos that fit into their busy schedules. This shift has been accelerated by Gen Z and Millennials, who prefer quick storytelling formats that are both interactive and engaging.

In 2025, the OTT and short video industry is projected to see over 1.5 billion monthly active users worldwide, with an average revenue per user (ARPU) of nearly $12. The reasons are clear: affordability, accessibility, and convenience. The success of apps like DramaBox shows that people are willing to spend money on shorter dramas as long as they deliver strong storytelling.

For entrepreneurs, this presents a golden opportunity to build OTT platforms like DramaBox and tap into this global demand.

In a previous article, I examined the risks of interacting with AI. In this one, I present an open-source defense protocol based not on prohibitions, but on building an internal immunity within the LLM.

I share how I built a resume matcher app using tRPC, TypeScript, and Google Vertex AI. The project takes PDF resumes and job postings, extracts text, applies basic NLP for skill detection, and then calls Gemini 1.5 Flash for deeper analysis. Along the way, I explain why tRPC felt faster and cleaner than REST or GraphQL for an MVP, show code snippets from the repo, and discuss both the benefits and trade-offs of this approach.