Kissaki

s&box, from the creator of the popular Source Engine sandbox Garry's Mod, released three days ago. s&box is based on the Source 2 engine, and not only a sandbox but a game development and publishing platform, including publishing on Steam.

The news post one day after release openly covers the mixed ratings, public finances, doubling their play fund that pays creators, and public roadmap.

I was surprised to see they openly and transparently publish day-by-day finances.

The public performance stats are interesting too.

Refreshing. I wish more publishers would do these kinds of things with deliberate open communication and transparency.

Their metrics pages:

• Startup Times
• Backend Services
• Game Performance
• Benchmarks
• Stability
• Finance
• Play Fund
• Skins

Syntax Highlighting

Edit v2 adds the Lightweight Syntax Highlighter. It has a ~40kB footprint for a dozen languages plus runtime, barely grows with each language added, and runs at >100MB/s.

The highlighter is based on a simple programming language that combines regular expressions with explicit control flow. It's designed such that the runtime can be easily ported to other languages, including JavaScript.

From 1.2.1 to 2.0.0, the edit binary size increased from 267 to 330 kB for win exe and 217 to 300 kB for linux binary.

What is edit? README intro:

A simple editor for simple needs.

This editor pays homage to the classic MS-DOS Editor, but with a modern interface and input controls similar to VS Code. The goal is to provide an accessible editor that even users largely unfamiliar with terminals can easily use.

• CorridorKey-Engine on GitHub
• EZ-CorridorKey on GitHub
• CorridorKey-Runtime on GitHub, DaVinci Resolve plugin

Corridor Digital released an open-source greenscreen keyer/extractor, powered by AI, usable on consumer GPUs.

The video covers what happened after their initial release, community and professional responses, interviews with professionals about what can be improved, and finally a practical test/example in Davinci (Video Editor).

The Ergonomic, Safe and Familiar Evolution of C

C3 is a programming language that builds on the syntax and semantics of the C language, with the goal of evolving it while still retaining familiarity for C programmers.

Thanks to full ABI compatibility with C, it's possible to mix C and C3 in the same project with no effort. As a demonstration, vkQuake was compiled with a small portion of the code converted to C3 and compiled with the c3c compiler.

A simple and straightforward module system that doesn't get in the way, with defaults that makes sense.

EYG's type system builds upon a proven mathematical foundation by using row typing.

EYG programs are all independent of the machine they run on. Any interaction with the world outside your program is accomplished via an effect.

Any effect can be intercepted using a handler. This allows the response from the outside world to be replaced.

Other languages have the possiblity of closure serialisation, but EYG's runtime is designed to make them efficient.

Hot code reloading – If you change the code the behaviour will update immediatly if safe.

EYG has a prototyped strongly typed shell environment.

EYG is built to support multiple runtimes. […] In the future EYG will be available in many more places, e.g. arduino, CLI's and IPaaS. EYG makes this easy by having a carefully designed minimal AST.

Code example (from landing page):

let initial = 10
let handle = (state, message) -> !int_add(state, 1)
let render = (count) -> {
  let count = !int_to_string(count)
  !string_append("the total is ", count)
}
{render: render, handle: handle, init: initial}

GitHub Repository, Apache 2.0

Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.

Recent updates from the Trivy maintainers confirm that this attack was enabled by a compromised credential with write access to the repository. The incident is a continuation of the earlier March breach, during which credentials were exfiltrated from Trivy’s CI environment. Although secrets and tokens were rotated in response, the rotation process was not fully atomic, and the attacker may have retained access to newly issued credentials. This allowed the threat actor to perform authenticated operations, including force-updating tags, without needing to exploit GitHub itself. While the exact credential used in this phase has not been publicly specified, the root cause is now understood to be residual access from the earlier credential compromise.

trivy.dev:

[Trivy –] The All-in-One Security Scanner

Use Trivy to find vulnerabilities (CVE) & misconfigurations (IaC) across code repositories, binary artifacts, container images, and Kubernetes clusters.

Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS. Stolen data is encrypted with AES-256-CBC and a hardcoded RSA-4096 public key before exfiltration. The RSA key and operational patterns are identical to the litellm PyPI compromise, attributing this attack to TeamPCP with high confidence.

No PyPI trusted publisher (OIDC) is configured. Trusted publishers bind PyPI uploads to a specific GitHub repository and workflow, making stolen tokens useless outside that context. Without this protection, anyone with the API token can upload any version from any machine.

The most likely scenario is that the PYPI_TOKEN was obtained through a prior credential harvesting operation.

About Deno:

Deno is an open-source JavaScript runtime for the modern web. Built on web standards with zero-config TypeScript, unmatched security, and a complete built-in toolchain.

Uiua () is a general-purpose array-oriented programming language with a focus on simplicity, beauty, and tacit code.

Uiua lets you write code that is as short as possible while remaining readable, so you can focus on problems rather than ceremony.

The language is not yet stable, as its design space is still being explored. However, it is already quite powerful and fun to use!

Uiua uses special characters for built-in functions that remind you what they do!

⚂ # Random number
⇡8 # Range up to
⇌ 1_2_3_4 # Reverse

cross-posted from: https://programming.dev/post/46403010

Sample with fibonacci:

Commenter maegul writes on the Programming community post:

I tried to go through the tutorial a year or so ago.

I can’t recall when, but there’s a point at which doing something normal/trivial in an imperative language requires all sorts of weirdness in Uiua. But they try to sell it as especially logical while to me they came off as completely in a cult.

It’s this section, IIRC: https://www.uiua.org/tutorial/More%20Argument%20Manipulation#-planet-notation-

When they declare

And there you have it! A readable syntax juggling lots of values without any names!

For

×⊃(+⊙⋅⋅∘|-⊃⋅⋅∘(×⋅⊙⋅∘)) 1 2 3 4

Which, if you can’t tell, is equivalent to

f(a,b,c,x) = (a+x)(bx-c)

With arguments 1, 2, 3, 4.

I wanted to like this, and have always wanted to learn APL or J (clear influences). But I couldn’t take them seriously after that.