Microsoft-owned GitHub published a blog post asking "Does GitHub Copilot improve code quality? Here's what the data says."

Its first paragraph includes statistics from past studies — that GitHub Copilot has helped developers code up to 55% faster, leaving 88% of developers feeling more "in the flow" and 85% feeling more confident in their code.

But does it improve code quality? [W]e recruited 202 [Python] developers with at least five years of experience. Half were randomly assigned GitHub Copilot access and the other half were instructed not to use any AI tools... We then evaluated the code with unit tests and with an expert review conducted by developers.

Our findings overall show that code authored with GitHub Copilot has increased functionality and improved readability, is of better quality, and receives higher approval rates... Developers with GitHub Copilot access had a 56% greater likelihood of passing all 10 unit tests in the study, indicating that GitHub Copilot helps developers write more functional code by a wide margin. In blind reviews, code written with GitHub Copilot had significantly fewer code readability errors, allowing developers to write 13.6% more lines of code, on average, without encountering readability problems. Readability improved by 3.62%, reliability by 2.94%, maintainability by 2.47%, and conciseness by 4.16%. All numbers were statistically significant... Developers were 5% more likely to approve code written with GitHub Copilot, meaning that such code is ready to be merged sooner, speeding up the time to fix bugs or deploy new features.
"While GitHub's reports have been positive, a few others haven't," reports Visual Studio magazine: For example, a recent study from Uplevel Data Labs said, "Developers with Copilot access saw a significantly higher bug rate while their issue throughput remained consistent."

And earlier this year a "Coding on Copilot" whitepaper from GitClear said, "We find disconcerting trends for maintainability. Code churn — the percentage of lines that are reverted or updated less than two weeks after being authored — is projected to double in 2024 compared to its 2021, pre-AI baseline. We further find that the percentage of 'added code' and 'copy/pasted code' is increasing in proportion to 'updated,' 'deleted,' and 'moved 'code. In this regard, AI-generated code resembles an itinerant contributor, prone to violate the DRY-ness [don't repeat yourself] of the repos visited."

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input. The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.

The Tiobe index tries to track the popularity of programming languages by counting the number of search results for the language's name followed by the word "programming" (on 25 different search engines). And this month there were some surprises...

By TIOBE's reckoning, compared to a year ago PHP has now fallen from #7 to #12, while Delphi/Object Pascal shot up five spots from #16 to #11. In that same year, Fortran jumped from #12 to #8 — while both Visual Basic and SQL dropped down a single rank. Toward the top of the list, C actually fell from the #2 spot over the last 12 months to the #4 spot.

And Go just reached the #7 rank on the TIOBE's ranking of programming language popularity — "an all time high for Go," according to TIOBE CEO Paul Jansen. In this month's note, he explains what he thinks is unusual about this — starting by saying that Go programs are both fast, and easy in many ways — easy to deploy, easy to learn, and easy to understand. Python for instance is easy to learn but not fast, and deployment for larger Python programs is fragile due to dependencies on all kind of versioned libraries in the environment.

If compared to Rust for instance (another contender for a top position), Go is a tiny bit slower, but the Go programs are much easier to understand. The next hurdle for Go in the TIOBE index is JavaScript at position #6. That will be a tough one to pass. JavaScript is ubiquitous in software development, although for larger JavaScript systems we see a shift to TypeScript nowadays.
"If annual trends continue this way, Go will bypass JavaScript within 3 years," TIOBE's CEO predicts. (Adding "Let's see what the future has in store for Go...") Although the Go team actually has specific plans for the future, according to a blog post this week celebrating Go's 15th anniversary: We're working on making Go better for AI — and AI better for Go — by enhancing Go's capabilities in AI infrastructure, applications, and developer assistance. Go is a great language for building production systems, and we want it to be a great language for building production AI systems, too... For AI applications, we will continue building out first-class support for Go in popular AI SDKs, including LangChainGo and Genkit. And from its very beginning, Go aimed to improve the end-to-end software engineering process, so naturally we're looking at bringing the latest tools and techniques from AI to bear on reducing developer toil, leaving more time for the fun stuff — like actually programming!
TIOBE's top 10 programming language rankings for the month of November:

1. Python
2. C++
3. Java
4. C
5. C#
6. JavaScript
7. Go
8. Fortran
9. Visual Basic
10. SQL

Francois Chollet, an AI pioneer and creator of the Keras framework, announced that he's leaving Google to co-found a new company. Neowin reports: In his parting message, Chollet assured that he would still be active with Keras and participate in its development on GitHub. His successor, Jeff Carpenter, will now lead Keras at Google, and Chollet expressed his full confidence in the team's future direction.

Keras has come a long way since Chollet released it in 2015, initially as a high-level neural network API meant for simplicity and accessibility. Keras quickly gained traction in the AI community for its user-friendly Python interface and compatibility with frameworks like TensorFlow, simplifying machine learning model building for developers across various levels. Google published a blog post praising Chollet and reaffirming their commitment to Keras.

Last year, Google lost the "Godfather of AI," Geoffrey Hinton, who left the company after nearly a decade. He said he quit his job at Google so he can freely speak out about the risks of AI.

spatwei writes: Google has used a large language model (LLM) agent called "Big Sleep" to discover a previously unknown, exploitable memory flaw in a widely used software for the first time, the company announced Friday.

The stack buffer underflow vulnerability in a development version of the popular open-source database engine SQLite was found through variant analysis by Big Sleep, which is a collaboration between Google Project Zero and Google DeepMind.

Big Sleep is an evolution of Project Zero's Naptime project, which is a framework announced in June that enables LLMs to autonomously perform basic vulnerability research. The framework provides LLMs with tools to test software for potential flaws in a human-like workflow, including a code browser, debugger, reporter tool and sandbox environment for running Python scripts and recording outputs.

The researchers provided the Gemini 1.5 Pro-driven AI agent with the starting point of a previous SQLIte vulnerability, providing context for Big Sleep to search for potential similar vulnerabilities in newer versions of the software. The agent was presented with recent commit messages and diff changes and asked to review the SQLite repository for unresolved issues.

Google's Big Sleep ultimately identified a flaw involving the function "seriesBestIndex" mishandling the use of the special sentinel value -1 in the iColumn field. Since this field would typically be non-negative, all code that interacts with this field must be designed to handle this unique case properly, which seriesBestIndex fails to do, leading to a stack buffer underflow.

GitHub released its annual "State of the Octoverse" report this week. And while "Systems programming languages, like Rust, are also on the rise... Python, JavaScript, TypeScript, and Java remain the most widely used languages on GitHub."

In fact, "In 2024, Python overtook JavaScript as the most popular language on GitHub." They also report usage of Jupyter Notebooks "skyrocketed" with a 92% jump in usage, which along with Python's rise seems to underscore "the surge in data science and machine learning on GitHub..." We're also seeing increased interest in AI agents and smaller models that require less computational power, reflecting a shift across the industry as more people focus on new use cases for AI... While the United States leads in contributions to generative AI projects on GitHub, we see more absolute activity outside the United States. In 2024, there was a 59% surge in the number of contributions to generative AI projects on GitHub and a 98% increase in the number of projects overall — and many of those contributions came from places like India, Germany, Japan, and Singapore...

Notable growth is occurring in India, which is expected to have the world's largest developer population on GitHub by 2028, as well as across Africa and Latin America... [W]e have seen greater growth outside the United States every year since 2013 — and that trend has sped up over the past few years.
Last year they'd projected India would have the most developers on GitHub #1 by 2027, but now believe it will happen a year later. This year's top 10?

1. United States
2. India
3. China
4. Brazil
5. United Kingdom
6. Russia
7. Germany
8. Indonesia
9. Japan
10. Canada

Interestingly, the UK's population ranks #21 among countries of the world, while Germany ranks #19, and Canada ranks #36.)

GitHub's announcement argues the rise of non-English, high-population regions "is notable given that it is happening at the same time as the proliferation of generative AI tools, which are increasingly enabling developers to engage with code in their natural language." And they offer one more data point: GitHub's For Good First Issue is a curated list of Digital Public Goods that need contributors, connecting those projects with people who want to address a societal challenge and promote sustainable development...

Significantly, 34% of contributors to the top 10 For Good Issue projects... made their first contribution after signing up for GitHub Copilot.
There's now 518 million projects on GitHub — with a year-over-year growth of 25%...

An anonymous reader quotes a report from InfoWorld: Select developers now are getting free access to JetBrains' WebStorm and Rider IDEs. The company on October 24 announced it has launched non-commercial licenses for its WebStorm JavaScript and TypeScript IDE and the Rider cross-platform .NET and game development IDE. As of now, developers using these IDEs for non-commercial purposes, such as open source project development or content creation, can use them for free. JetBrains views the move as expanding the availability of these IDEs to a broader swath of developer roles. More than two-thirds of developers code outside of work as a hobby and nearly 40% code for educational and learning purposes outside of work, the company said."Previously this year, JetBrains released other products under the same terms for non-commercial use, including RustRover, an IDE for Rust development, and Aqua, an IDE designed for test automation," notes InfoWorld. "JetBrains also provides community editions of IntelliJ and PyCharm, IDEs for Java and Python, respectively, which can be used to build proprietary and commercial software."

JetBrains has an FAQ section with additional details about the change.

theodp writes: "Computer science education is a necessity for all students," argues tech-backed nonprofit Code.org in its newly-published 2024 State of Computer Science Education (Understanding Our National Imperative) report. "Students of all identities and chosen career paths need quality computer science education to become informed citizens and confident creators of content and digital tools."

In the 200-page report, Code.org pays special attention to participation in "foundational computer science courses" in high school. "Across the country, 60% of public high schools offer at least one foundational computer science course," laments Code.org (curiously promoting a metric that ignores school size which nonetheless was embraced by Education Week and others).

"A course that teaches foundational computer science includes a minimum amount of time applying learned concepts through programming (at least 20 hours of programming/coding for grades 9-12 high schools)," Code.org explains in a separate 13-page Defining Foundational Computer Science document. Interestingly, Code.org argues that Data and Informatics courses -- in which "students may use Oracle WebDB, SQL, PL/SQL, SPSS, and SAS" to learn "the K-12 CS Framework concepts about data and analytics" -- do not count, because "the course content focuses on querying using a scripting language rather than creating programs [the IEEE's Top Programming Languages 2024 begs to differ]." Code.org similarly dissed the use of the Wolfram Language for broad educational use back in 2016.

With its insistence on the importance of kids taking Code.org-defined 'programming' courses in K-12 to promote computational thinking, it's probably no surprise to see that the data behind the 2024 State of Computer Science Education report was prepared using Python (the IEEE's top programming language) and presented to the public in a Jupyter notebook. Just kidding. Ironically, the data behind the 2024 State of Computer Science Education analysis is prepared and presented by Code.org in a no-code Tableau workbook.

Though native Linux game servers have been scarce over the last two decades, "I've seen people using the Box64 emulator to play x86_64 games on ARM devices," writes Slashdot reader VennStone. "It got me thinking: why not apply this to game servers...?

"I thought it would be fun to see if I could build a super low-power Trackmania 2 server using a Raspberry Pi Zero 2 W."

They dubbed the experiment "Trackberry", and shared all the technical details in a blog post at Interfacing Linux (includinga video). For example, they installed PyEnv so it could create a virtual environment for the PyPlanet server controller. ("That's right, your little Pi Zero 2 W is about to compile some software, slowly....")

But ultimately "it turns out that the A53 can run not only the server but also the server controller, with minimal effort. Five players push one core to around 50% load, while the others handle the database and controller." WHY STOP THERE? There are a gang of x86 Linux servers that could potentially run with Box64. Imagine playing Pirraria, 7 Days to Pi, Counter-Pi 2, Pitorio, and countless others! Granted, you may need a more powerful device than a Raspberry Pi Zero 2 W. I'll leave that research up to you.

My main takeaway from this experiment? Box64 is straight-up Scandinavian witchcraft and is not to be trifled with. Not even a little bit.

That said, it introduces a compelling option for those of us looking to run dedicated game servers that don't require much in the way of system resources. Under load, TrackBerry averages 2.8 watts and, according to the scientific number digits below, ends up running just under $3.00 a year or $0.25 a month. I find the concept of having a stack of microSD cards, each holding a different game server, neat....

You can see TrackBerry in action every Tuesday and Friday on Twitch...

Last month C dropped from 3rd to 4th in TIOBE's ranking of programming language popularity (which tries to calculate each language's share of search engine results). Java moved up into the #3 position in September, reports TechRepublic, which notes that by comparison October "saw relatively little change" — though percentages of search results increased slightly. "At number one, Python jumped from 20.17% in September to 21.9% in October. In second place, C++ rose from 10.75% in September to 11.6%. In third, Java ascended from 9.45% to 10.51%..."

Is there a larger trend? TIOBE CEO Paul Jansen writes that the need to harvest more data increases demand for fast data manipulation languages. But they also need to be easy to learn ("because the resource pool of skilled software engineers is drying up") and secure ("because of continuous cyber threats.") King of all, Python, is easy to learn and secure, but not fast. Hence, engineers are frantically looking for fast alternatives for Python. C++ is an obvious candidate, but it is considered "not secure" because of its explicit memory management. Rust is another candidate, although not easy to learn. Rust is, thanks to its emphasis on security and speed, making its way to the TIOBE index top 10 now. [It's #13 — up from #20 a year ago]

The cry for fast, data crunching languages is also visible elsewhere in the TIOBE index. The language Mojo [a faster superset of Python designed for accelerated hardware like GPUs]... enters the top 50 for the first time. The fact that this language is only 1 year old and already showing up, makes it a very promising language.
In the last 12 months three languages also fell from the top ten:

• PHP (dropping from #8 to #15)

• SQL (dropping from #9 to #11)

• Assembly language (dropping from #10 to #16)

This week (MIT-licensed) WebAssembly runtime Wasmer announced "a major milestone in making any software run with WebAssembly."

The announcement's headline? Running Clang in the browser using WebAssembly... Thanks to the newest release of Wasmer (4.4) and the Wasmer JS SDK (0.8.0) you can now run [compiler front-end] clang anywhere Wasmer runs! This allows compiling C programs from virtually anywhere. Including Javascript and your preferred browser! (we tested Chrome, Safari and Firefox and everything is working like a charm)...

- You can compile C code to WebAssembly easily just using the Wasmer CLI: no toolchains or complex installations needed, install Wasmer and you are ready to go...!

- You can compile C projects directly from JavaScript...!

- We expect online IDEs to start adopting the SDK to allow their users compile and run C programs in the browser....

Do you want to use clang in your Javascript project? Thanks to our newly released Wasmer JS SDK you can do it easily, in both the browser and Node.js/Bun etc... Wasmer's clang can even optimize the file for you automatically using wasm-opt under the hood (Clang automatically detects if wasm-opt is used, and it will be automatically called when optimizing the file). Imagine using Emscripten without needing its toolchain installed — or even better, imagine running Emscripten in the browser.
The announcement looks to a future of compiling native Python libraries, when "any project depending on LLVM can now be easily compiled to WebAssembly..."

"This is the beginning of an awesome journey, we can't wait to see what you create next with this."

TechCrunch's Paul Sawers reports: Fledgling fintech startup OpenBB is revealing the next step in its plans to take on the heavyweights of the investment research world. The company is launching a new, free version of a product that will open its arsenal of data and financial tooling to more users. OpenBB is the handiwork of software engineer Didier Lopes, who launched the Python-based platform back in 2021 as a way for amateur investors and enthusiasts to do investment research using different datasets for free, via a command line interface (CLI). The company went on to raise $8.5 million in seed funding from OSS Capital and angel investors such as Ram Shriram, an early backer of Google. While the community-based, open source project has amassed some 50,000 users, OpenBB has also been building an enterprise incarnation called Terminal Pro. This paid version gives teams access to an interface, pre-built database integrations, an Excel add-in, and various security and support bolt-ons that would appeal to larger businesses. [...]

The all-new OpenBB Terminal -- not to be confused with the previous CLI-based OpenBB Terminal that the startup sunsetted in March -- is a full-fledged web app, though it strips out many of the premium features of Terminal Pro. It's fully customizable, can run on any operating system or platform, and provides access to an AI-enabled OpenBB copilot. Like the previous OpenBB Terminal, the all-new web app is also free to use. OpenBB Terminal is perhaps something of a middle ground between the CLI centricity of the open source project and the bells-and-whistles feature set of the enterprise product.

The OpenBB Terminal serves as a single end point for accessing financial information from some 100 data sources, spanning equity, options, forex, the macro economy, and more. Users can also throw all their new data into the mix -- the community has previously contributed financial datasets such as historical currency exchange rates and crypto pricing data. There are also a slew of extensions and toolkits to bring more functionality to OpenBB -- such as an AI stock analysis agent. Users are free to incorporate their own AI systems and large language models (LLMs), which might be particularly important for security and compliance use cases. But with the OpenBB Copilot, categorized as a "compound AI system," users can run natural-language queries about their data out of the box. While OpenBB has been likened to an "open-source Bloomberg," TechCrunch notes that it's not a direct competitor due to Bloomberg's massive data resources and built-in chat functionality. OpenBB, however, offers flexibility with its open-source platform and customization options.

OpenBB filed for a trademark, but Bloomberg has requested an extension to potentially oppose it, despite the company asserting there's no link between OpenBB and Bloomberg's abbreviation "BBG". Lopes says the name originates from BlackBerry stock, where the founders had lost money during the meme stock craze.

Long-time Slashdot reader Bismillah writes: Python New Zealand has gone through some rough times lately, with its then-treasurer stealing money from the society.. Things were looking really serious for a while, with Python NZ looking at being liquidated due to the theft of funds.

However, there is a silver lining to the story, as the free and open source movement rallied behind Python NZ and got them out of a serious pickle.
"Our friends at Linux Australia and at the Python Software Foundation went well above and beyond to support us, and save us," says Tom Eastman president of Python New Zealand, in an article from interest.co.nz.

He also says he hopes the treasure is ordered by the court to pay restitution. (In the article the treasurer confirms that he's pleaded guilty to the theft, which took place between February 2019 and October 2023 — leaving Python NZ owing conference supplies around $55,000.) "We had $26 in the bank accounts," Eastman tells the site.

The group now has new transparency and accountability measures...

The Register's Thomas Claburn reports: Buck Shlegeris, CEO at Redwood Research, a nonprofit that explores the risks posed by AI, recently learned an amusing but hard lesson in automation when he asked his LLM-powered agent to open a secure connection from his laptop to his desktop machine. "I expected the model would scan the network and find the desktop computer, then stop," Shlegeris explained to The Register via email. "I was surprised that after it found the computer, it decided to continue taking actions, first examining the system and then deciding to do a software update, which it then botched." Shlegeris documented the incident in a social media post.

He created his AI agent himself. It's a Python wrapper consisting of a few hundred lines of code that allows Anthropic's powerful large language model Claude to generate some commands to run in bash based on an input prompt, run those commands on Shlegeris' laptop, and then access, analyze, and act on the output with more commands. Shlegeris directed his AI agent to try to SSH from his laptop to his desktop Ubuntu Linux machine, without knowing the IP address [...]. As a log of the incident indicates, the agent tried to open an SSH connection, and failed. So Shlegeris tried to correct the bot. [...]

The AI agent responded it needed to know the IP address of the device, so it then turned to the network mapping tool nmap on the laptop to find the desktop box. Unable to identify devices running SSH servers on the network, the bot tried other commands such as "arp" and "ping" before finally establishing an SSH connection. No password was needed due to the use of SSH keys; the user buck was also a sudoer, granting the bot full access to the system. Shlegeris's AI agent, once it was able to establish a secure shell connection to the Linux desktop, then decided to play sysadmin and install a series of updates using the package manager Apt. Then things went off the rails.

"It looked around at the system info, decided to upgrade a bunch of stuff including the Linux kernel, got impatient with Apt and so investigated why it was taking so long, then eventually the update succeeded but the machine doesn't have the new kernel so edited my Grub [bootloader] config," Buck explained in his post. "At this point I was amused enough to just let it continue. Unfortunately, the computer no longer boots." Indeed, the bot got as far as messing up the boot configuration, so that following a reboot by the agent for updates and changes to take effect, the desktop machine wouldn't successfully start.

OpenAI has introduced "canvas," a new interface for ChatGPT that provides a separate workspace for writing and coding projects. "Canvas is rolling out in beta to ChatGPT Plus and Teams users on Thursday, and Enterprise and Edu users next week," reports TechCrunch. "Once canvas is out of beta, OpenAI says it plans to offer the feature to free users as well." From the report: In our demo, [OpenAI product manager Daniel Levine] had to select "GPT-4o with canvas" from ChatGPT's model picker drop down window. However, OpenAI says canvas windows will just pop out when ChatGPT detects a separate workspace could be helpful, say for longer outputs or complex coding tasks. You can also just write "use canvas" to automatically open a project window. Levine showed TechCrunch how ChatGPT's new features could help write an email. Users can prompt ChatGPT to generate an email, which will then pop out in the canvas window. Then users can toggle a slider to adjust the length of the writing to be shorter or longer. You can also highlight specific sentences, and ask ChatGPT to make changes such as "make this sound friendlier," or add emojis. Users can also ask ChatGPT to rewrite the whole email as-is in another language.

The features for the coding canvas are slightly different. Levine prompted ChatGPT to create an API web server in Python, which spawned in the canvas window. By pressing an "add comments" button, ChatGPT will add in-line documentation to explain the code in plain English. Further, if you highlight a section of code that ChatGPT created, you can ask the chatbot to explain it to you, or ask questions about it. ChatGPT is also getting a new "review code" button, which will suggest specific edits for the code in the window, whether generated or user-written, for them to approve, edit themselves, or decline. If they press approve, ChatGPT will take a stab at fixing the bugs itself.

Longtime Slashdot reader theodp writes: Python in Excel is now generally available for Windows users of Microsoft 365 Business and Enterprise," Microsoft announced in a Monday blog post. "Last August, in partnership with Anaconda, we introduced an exciting new addition to Excel by integrating Python, making it possible to seamlessly combine Python and Excel analytics within the same workbook, no setup required. Since then, we've brought the power of popular Python analytics libraries such as pandas, Matplotlib, and NLTK to countless Excel users." Microsoft also announced the public preview of Copilot in Excel with Python, which will take users' natural language requests for analysis and automatically generate, explain, and insert Python code into Excel spreadsheets.

While drawing criticism for limiting Python execution to locked-down Azure cloud containers, Python in Excel has also earned accolades from the likes of Python creator Guido van Rossum, now a Microsoft Distinguished Engineer, as well as Pandas creator Wes McKinney.

Left unmentioned in Monday's announcement is that Microsoft managed to convince the USPTO to issue it a patent in July 2024 on the Enhanced Integration of Spreadsheets With External Environments (alt. source), which Microsoft explains covers the "implementation of enhanced integrations of native spreadsheet environments with external resources such as-but not limited to-Python." All of which may come as a surprise to software vendors and individuals that were integrating Excel and external programming environments years before Microsoft filed its patent application in September 2022.

"New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware," reports SC magazine: Researchers at ReversingLabs explained in a September 10 blog post that the scheme was a follow-on to the VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.
More details from The Hacker News These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control. ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase... It's implemented in the form of a Base64-encoded string that obscures a downloader function, which establishes contact with a command-and-control server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes. This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."
Tom's Hardware reports that "The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS. This is a good time to refer to PEP 668 which enforces virtual environments for non-system wide Python installs."

More from The Hacker News Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation. It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

Redmonk's latest programming language ranking (attempting to gauge "potential future adoption trends") has found evidence of "a landscape resistant to change." Outside of CSS moving down a spot and C++ moving up one, the Top 10 was unchanged. And even in the back half of the rankings, where languages tend to be less entrenched and movement is more common, only three languages moved at all... There are a few signs of languages following in TypeScript's footsteps and working their way up the path, both in the Top 20 and at the back end of the Top 100 as we'll discuss shortly, but they're the exception that proves the rule.

It's possible that we'll see more fluid usage of languages, and increased usage of code assistants would theoretically make that much more likely, but at this point it's a fairly static status quo. With that, some results of note:

- TypeScript (#6): technically TypeScript didn't move, as it was ranked sixth in our last run, but this is the first quarter in which is has been the sole occupant of that spot. CSS, in this case, dropped one place to seven leaving TypeScript just outside the Top 5. It will be interesting to see whether or not it has more momentum to expend or whether it's topped out for the time being.

- Kotlin (#14) / Scala (#14): both of these JVM-based languages jumped up a couple of spots — two spots in Scala's case and three for Kotlin. Scala's rise is notable because it had been on something of a downward trajectory from a one time high of 12th, and Kotlin's placement is a mild surprise because it had spent three consecutive runs not budging from 17, only to make the jump now. The tie here, meanwhile, is interesting because Scala's long history gives it an accretive advantage over Kotlin's more recent development, but in any case the combination is evidence of the continued staying power of the JVM.

- Objective C (#17): speaking of downward trajectories and the 17th placement on this list, Objective C's slide that began in mid-2018 continued and left the language with its lowest placement in these rankings to date at #17. That's still an enormously impressive achievement, of course, and there are dozens of languages that would trade their usage for Objective C's, but the direction of travel seems clear.

- Dart (#19) / Rust (#19): while once grouped with Kotlin as up and coming languages driven by differing incentives and trends, Dart and Rust have not been able to match the ascent of their counterpart with five straight quarters of no movement. That's not necessarily a negative; as with Objective C, these are still highly popular languages and communities, but it's worth questioning whether new momentum will arrive and from where, particularly because the communities are experiencing some friction in growing their usage.
It's important to remember Redmonk's methodology. "We extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends."

Having said that, here's the current top ten in Redmonk's ranking:

1. JavaScript
2. Python
3. Java
4. PHP
5. C#
6. TypeScript
7. CSS
8. C++
9. Ruby
10. C

Their announcement also notes that at the other end of the list, the programming language Bicep "jumped eight spots to #78 and Zig 10 to #87. That progress pales next to Ballerina, however, which jumped from #80 to #61 this quarter. The general purpose language from WS02, thus, is added to the list of potential up and comers we're keeping an eye on."

Pundits aggregate results from multiple pollsters to minimize biases. So ZDNet tried the same approach, but aggregating rankings for the popularity of 19 top programming languages. Senior contributing editor David Gewirtz combined results from nine popularity rankings, including PYPL, the Tiobe index, GitHub's Usage 2023 summary report, and several rankings from Stack Overflow and from IEEE Spectrum.

The results? The top cluster contains Python, JavaScript, and Java. These are all very representative in the world of AI coding...

The next cluster contains the classic C-based languages [C++, C#, C], plus TypeScript (which is a more robust JavaScript variant) and SQL.

Below that are languages that were dominant a while ago, the web languages used to build and operate websites [HTML/CSS, PHP, Shell], followed by a range of other languages that are either growing in popularity (R, Dart) or dropping in popularity (Ruby). [Just above Ruby are Go, Rust, Kotlin, and Lua.]

Finally, at the bottom is Swift, Apple's language of choice. Objective-C, the previous language of Apple programming, has all but dropped off the list since Apple launched Swift. But while Apple boasts many developers, Swift is clearly not a standout in programmer interest... [T]here aren't a huge number of companies hiring Apple app developers, at least primarily. That's why Swift is relatively far down the chart. Objective-C is being replaced by Swift, and we can see it dropping right before our eyes.
"With the exception of Java, the C-family of languages still dominates," the article concludes, before adding that if you're only going to learn one language, "I'd recommend Python, Java, and JavaScript instead." But it also advises aspiring programmers to learn "multiple languages and multiple frameworks. Build things in the languages. Programming is not just an intellectual exercise. You have to actually make stuff....

"[L]earning how to learn languages is as important as learning a language — and the best way to do that is to learn more than one."

"Sometimes an artificial intelligence tool comes out of nowhere and dominates the conversation on social media," writes Tom's Guide.

"This week that app is Cursor, an AI coding tool that uses models like Claude 3.5 Sonnet and GPT-4o to make it easier than ever to build your own apps," with the ability to "write, predict and manipulate code using nothing but a text prompt." Cursor is part development environment, part AI chatbot and unlike tools like GitHub Copilot it can more or less do all of the work for you, transforming a simple idea into functional code in minutes... Built on the same system as the popular Microsoft Visual Studio Code, Cursor has already found a fanbase among novice coders and experienced engineers...

Cursor's simplicity, working from a chat window, means even someone completely new to code could get a functional app running in minutes and keep building on it to add new features... The startup has raised over $400 million since it was founded in 2022 and works with various models including those from Anthropic and OpenAI... In my view, its true power is in the democratization of coding. It would also allow someone without much coding experience to build the tools they need by typing a few lines of text.
More from ReadWrite: Cursor, an AI firm that is attempting to build a "magical tool that will one day write all the world's code," has announced it has raised $60 million in its Series A funding round... As of August 22, the company had a valuation of $400 million, according to sources cited by TechCrunch...

Anysphere is the two-year-old startup that developed the app. Its co-founders are Michael Truell, Sualeh Asif, Arvid Lunnemark and Aman Sanger, who started the company while they were students at MIT... Using advanced AI capabilities, it is said to be able to finish, correct, and change AI code through natural language commands. It currently works with JavaScript, Python, and TypeScript, and is free for most uses. The pro plan will set you back $20 per month.
But how well does it work? Tom's Guide notes that after requesting a test app, "It generated the necessary code in the sidebar chat window and all I had to do was click Apply and then Accept. This added the code to a new Python file including all the necessary imports. It also gave me instructions on how to add modules to my machine to make the code work.

"As the chat is powered by Claude 3.5 Sonnet, you can just have it explain in more detail any element of the code or any task required to make it run..."

Andreessen Horowitz explains why they invested in the company: It's very clear that LLMs are a powerful tool for programmers, and that their coding abilities will improve over time. But it's also clear that for most coding tasks, the problem to solve is not how to make LLMs perform well in isolation, but how to make them perform well alongside a human developer. We believe, therefore, the interface between programmers and AI models will soon become one of the most important pieces of the dev stack. And we're thrilled to announce our series A investment...

Cursor is a fork of VS Code that's heavily customized for AI-assisted programming. It works with all the latest LLMs and supports the full VS Code plugin ecosystem. What makes Cursor special are the features designed to integrate AI into developer workflows — including next action prediction, natural language edits, chatting with your codebase, and a bunch of new ones to come... Our belief is that Cursor, distinctly among AI coding tools, has simply gotten it right. That's why, in a little over a year, thousands of users have signed up for Cursor, including at companies like OpenAI, Midjourney, Perplexity, Replicate, Shopify, Instacart, and many others. Users give glowing reviews of the product, many of them have started to pay for it, and they rarely switch back to other IDEs. Most of the a16z Infra team have also become avid Cursor users!
One site even argues that Cursor's coding and AI capabilities "should be a wake up call for Microsoft to make VS Code integration with GitHub Copilot a lot easier."

Thanks to Slashdot reader joshuark for sharing the article.