r/programming

CVE-2026-33579 is actively exploitable and hits hard.

What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.

Why this matters right now:

• Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
• 135k+ OpenClaw instances are publicly exposed
• 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain

The attack is trivial:

1. Connect to an unauthenticated OpenClaw instance → get pairing access (no credentials needed)
2. Register a fake device asking for operator.admin scope
3. Approve your own request with /pair approve [request-id]
4. System grants admin because it never checks if you are authorized to grant admin
5. You now control the entire instance — all data, all connected services, all credentials

Takes maybe 30 seconds once you know the gap exists.

What you need to do:

1. Check your version: openclaw --version. If it's anything before 2026.3.28, stop what you're doing
2. Upgrade (one command: npm install openclaw@2026.3.28)
3. Run forensics if you've been running vulnerable versions:
   • List admin devices: openclaw devices list --format json and look for admins approved by pairing-only users
   • Check audit logs for /pair approve events in the last week
   • If registration and approval timestamps are seconds apart and approver isn't a known admin = you got hit

strapi-plugin-events dropped on npm today. Three files. Looks like a legitimate community Strapi plugin - version 3.6.8, named to blend in with real plugins like strapi-plugin-comments and strapi-plugin-upload.

On npm install it runs an 11-phase attack with zero user interaction:

• Steals all .env files, JWT secrets, database credentials
• Dumps Redis keys, Docker and Kubernetes secrets, private keys
• Opens a 5-minute live C2 session for arbitrary shell command execution

The publisher account kekylf12 on npm is actively pushing multiple malicious packages right now and all targeting the Strapi ecosystem.

Check the account: npmjs.com/~kekylf12

If you work with Strapi or have any community plugins installed that aren't scoped under strapi/ - audit your dependencies now. Legitimate Strapi plugins are always scoped. Anything unscoped claiming to be a Strapi plugin is a red flag.

Full technical breakdown with IoCs is in the blog.

Supply chain attacks often rely on speed that is publish a malicious version, let automated builds pull it before detection catches up.

One defense is a cooldown period : refuse any dependency published within the last N hours.

CEL (Common Expression Language) doesn't expose now() by default since it's designed to be hermetic. This article actually walks through registering a custom now() function binding that returns the current UTC timestamp, using duration arithmetic to compare against package_published_at, and using the has() macro to handle packages so new they haven't been indexed yet - which is the edge case that will bite you if you miss it.

From u/sooodooo's comment in a past post we did, we got the idea about adding native support for new Bun SQL, so you don't need to install any additional dependencies when using UQL on Bun.

What we shipped:

• One native Bun path across SQL engines: Bun SQL unifies PostgreSQL/MySQL/SQLite under one API
  • UQL makes it cleaner because we abstract the SQL dialects with our Universal API so your app code stays consistent as you switch engines (Bun SQL docs).
• Same entity-first API/migrations flow as the rest of UQL
• No extra pg / mysql2 / better-sqlite3 install for Bun SQL usage
• Operational simplicity: one runtime, one SQL client model, one ORM API means less cognitive load for full-stack teams.

The hard part wasn't "connecting"; it was making behavior consistent across drivers (JSON, arrays, result normalization, migration safety, etc.) so the apps code stays portable across all the drivers and DBs.

Bun SQL guide: uql-orm.dev/bun-sql
Changelog details: GitHub changelog

On Spring Middleware 1.4.0

I recently completed the labs from MIT 6.5840 Distributed Systems and implemented everything in Go, including:

• Raft consensus algorithm
• A replicated Key/Value store
• A sharded KV system with dynamic reconfiguration

The implementation focuses a lot on concurrency and failure handling:

• goroutines for RPC handling and background tasks
• channels for coordination between Raft and the state machine
• dealing with unreliable networks (dropped / delayed / out-of-order RPCs)

Some interesting challenges:

• ensuring commitIndex never goes backward under out-of-order RPC responses
• handling retries safely with client/request IDs (idempotency)
• keeping deduplication state consistent across snapshots and shard transfers

I wrote a detailed README explaining both the design and the tricky edge cases I encountered.

The Machine Payments Protocol (MPP) is an open standard that lets AI agents pay for API calls over HTTP, co-authored by Stripe and Tempo Labs and launched on March 18, 2026. It uses HTTP's 402 status code to enable challenge-response payments in stablecoins or cards, with a native session primitive for sub-cent streaming micropayments. Tempo's team describes sessions as "OAuth for money": authorize once, then let payments execute programmatically within defined limits.

AI agents are increasingly autonomous. They browse the web, call APIs, book services, and execute transactions on behalf of users. But until recently, there was no standard way for a machine to pay another machine over HTTP.

HTTP actually anticipated this problem decades ago. The 402 status code ("Payment Required") was reserved in the original HTTP/1.1 spec (RFC 9110) but never formally standardized. For 27 years, it sat unused.

The problem is not a lack of payment methods. As the MPP documentation puts it: there is no shortage of ways to pay for things on the internet. The real gap exists at the interface level. The things that make checkout flows fast and familiar for humans (optimized payment forms, visual CAPTCHAs, one-click buttons) are structural headwinds for agents. Browser automation pipelines are brittle, slow, and expensive to maintain.

MPP addresses this by defining a payment interface built for agents. It strips away the complexity of rich checkout flows while providing robust security and reliability. Three parties interact through the protocol: developers who build apps and agents that consume paid services, agents that autonomously call APIs and pay on behalf of users, and services that operate APIs charging for access.

Soy un programador principiante y oigo a muchos seniors hablar de Stack Overflow. Hoy probé a entrar y, sinceramente, la interfaz me parece horrenda. Yo sigo prefiriendo buscar las cosas en Google o consultar wikis oficiales. ¿Que opinais?