👋 Introduction

Hello everyone. It seems that we cannot go one week without Cloudflare having an incident or a malicious actor adding a back door to a popular NPM package.

But first, a recent Stanford study has found that AI is already affecting jobs, especially for recent college graduates:

🔍 Deep Dive: Employment Effects of Artificial Intelligence

“Canaries in the Coal Mine? Six Facts about the Recent Employment Effects of Artificial Intelligence” study available here

Stanford researchers Erik Brynjolfsson, Bharat Chandar, and Ruyu Chen have released groundbreaking findings about artificial intelligence's impact on American employment, analyzing data from millions of workers through July 2025. Their research provides the first large-scale, real-time evidence of AI's employment effects using administrative payroll records from ADP, the largest payroll software provider in the United States.

Key Findings

The Stanford study focuses on changes in the labor market, particularly how widespread adoption of generative AI has affected jobs for early-career workers (ages 22 to 25). In the occupations most exposed to AI, this group saw a 13 percent relative decline in employment.

This contrasts sharply with more experienced workers in the same occupations, whose employment has remained stable or continued growing. Software developers aged 22-25 saw employment decline by nearly 20% from late 2022 to July 2025, while older workers in the same field experienced growth.

The research identifies a critical distinction between AI applications: employment declines occur primarily in occupations where AI automates tasks rather than augments human work. Using Anthropic's data on how its Claude model is actually used, the researchers found that occupations with high automation potential have shown significant job losses for young workers, while those where AI is mostly used to augment work actually experienced employment growth.

Methodology and Robustness

The researchers analyzed monthly payroll records for 3.5 to 5 million workers, linking employment data to established AI exposure measures from multiple sources. They employed sophisticated statistical controls to rule out alternative explanations such as industry-specific shocks or interest rate changes. The findings remained robust across various sample constructions, excluding technology firms, remote-work occupations, and different demographic groups.

Broader Implications

While overall employment continues growing robustly, the stagnation in young worker employment growth since late 2022 appears driven by declines in AI-exposed positions. The researchers observe that labor market adjustments occur primarily through employment changes rather than wage adjustments, suggesting potential wage stickiness in the short term.

The study's "canaries in the coal mine" metaphor suggests these early effects on specific occupations may herald broader labor market transformations. The researchers theorize that AI primarily replaces codified knowledge—the "book learning" central to formal education—while being less capable of replacing the tacit knowledge accumulated through experience. This explains why younger workers, who rely more heavily on recently acquired formal skills, face greater vulnerability to AI displacement.

🚀 New Developments: Javascript ecosystem supply chain attacks

Multiple attacks happened lately, thankfully with minimal impact.

The first attack happened on 8 September and compromised 18 npm packages with a combined 2 BILLION weekly downloads, including chalk, strip-ansi and debug. These are not random libraries; they sit in the dependency tree of pretty much every Node project.

The malware was a crypto clipper built to steal funds: it hijacked the destination addresses of transactions and replaced them with an attacker's wallet. Thankfully they "only" stole about $20 in crypto. The tiny haul raises the question of whether this was a serious theft attempt or a proof of concept.

As I highlighted in my X thread, the problem might not be the packages themselves, but the fact that Node apps have thousands of dependencies and no one knows what 80% of them do.

Then on 16 September, the @ctrl/tinycolor package was compromised to include trojan malware, which spread to 40+ other packages. A further wave of the attack then hit npm packages published by CrowdStrike.

What can you do to safeguard against these attacks?

  1. NEVER gitignore lock files. The lock file records the exact resolved version and integrity hash of every transitive dependency, so a freshly published malicious release cannot slip into a clean install. Commit one of:

    1. package-lock.json

    2. yarn.lock

    3. pnpm-lock.yaml

  2. Ban wildcard and open-ended versions in package.json. Each of these lets the resolver pull in releases you never reviewed, and they are not equivalent:

    "chalk": "*"          (any version at all)

    "lodash": "4.x"       (any 4.y.z)

    "chalk": "^4.1.2"     (anything from 4.1.2 up to, but not including, 5.0.0: minor and patch releases, not only patches)

    To accept only patch releases use a tilde range ("~4.1.2"); to pin outright, write the exact version ("4.1.2"). Even then, it is the committed lock file plus an install that honours it (npm ci rather than npm install) that actually freezes what lands in node_modules.

  3. Add npm audit to CI/CD. But your pipeline will fail immediately. You'll have 50+ vulnerabilities and half can't be fixed without breaking changes. This is the technical debt no one talks about. Start with a threshold the team can actually hold (npm audit --audit-level=high) and ratchet it down as the backlog shrinks.
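The first two safeguards above, turned into a script. This is an added example, not code from the newsletter, from npm or from any of the packages mentioned; the package.json, repository file list and .gitignore it runs on are constructed samples, and the package names in them are only placeholders. It classifies each declared range by what the resolver is allowed to install (the caret cases on 0.x versions are handled separately, because "^0.2.3" allows only patches and "^0.0.3" is effectively pinned), then checks that a lock file exists and is not listed in .gitignore:

```javascript
// Added example, not from the newsletter: a dependency-policy check for
// package.json ranges plus a lock-file check against .gitignore.
// SAMPLE_PACKAGE_JSON, SAMPLE_FILES and SAMPLE_GITIGNORE below are constructed
// inputs for the demo, not a real project.

const LOCKFILES = ['package-lock.json', 'yarn.lock', 'pnpm-lock.yaml'];

// Classify a version range by what the resolver is allowed to install from it.
// Prerelease tags and compound ranges fall through to 'other-range' / 'unknown'.
function classifyRange(range) {
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'X' || r === 'latest') return 'any';
  if (/^(npm:|git|github:|https?:|file:|link:|workspace:)/.test(r)) return 'non-registry';
  if (/^\d+\.\d+\.\d+$/.test(r)) return 'pinned';                     // 4.1.2
  if (/^\d+\.\d+(\.[xX*])?$/.test(r)) return 'patch-only';             // 4.1, 4.1.x   -> <4.2.0
  if (/^\d+(\.[xX*])?(\.[xX*])?$/.test(r)) return 'minor-and-patch';   // 4, 4.x, 4.x.x -> <5.0.0
  const caret = /^\^(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?$/.exec(r);
  if (caret) {
    const major = Number(caret[1]);
    const minorWild = caret[2] === undefined || /[xX*]/.test(caret[2]);
    if (major > 0 || minorWild) return 'minor-and-patch';              // ^4.1.2 -> <5.0.0
    const minor = Number(caret[2]);
    const patchWild = caret[3] === undefined || /[xX*]/.test(caret[3]);
    if (minor > 0 || patchWild) return 'patch-only';                   // ^0.2.3 -> <0.3.0
    return 'pinned';                                                   // ^0.0.3 -> <0.0.4
  }
  if (/^~\d+\.\d+(\.\d+)?$/.test(r)) return 'patch-only';             // ~4.1.2, ~4.1 -> <4.2.0
  if (/^~\d+$/.test(r)) return 'minor-and-patch';                     // ~4 -> <5.0.0
  if (/(^[<>]=?|\|\||\s-\s)/.test(r)) return 'other-range';           // >=4.0.0 <5, 1.2 - 2.3
  return 'unknown';
}

// Policy: wildcards are blocked outright; anything that admits unreviewed
// releases (or that npm audit cannot see, like git URLs) is a warning.
const SEVERITY = {
  any: 'block', 'other-range': 'warn', 'minor-and-patch': 'warn', unknown: 'warn',
  'non-registry': 'warn', 'patch-only': 'ok', pinned: 'ok',
};

// Walk the dependency sections of a parsed package.json and return findings.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const kind = classifyRange(range);
      findings.push({ field, name, range, kind, severity: SEVERITY[kind] });
    }
  }
  return findings;
}

// Minimal .gitignore matcher: a lock file counts as ignored if a line names it
// exactly (optionally with a leading '/') or uses a bare extension glob ('*.lock').
// Negation and directory globs are deliberately not handled.
function lockfileStatus(files, gitignoreLines) {
  const ignored = (name) => gitignoreLines.some((line) => {
    const l = line.trim();
    if (!l || l.startsWith('#')) return false;
    if (l === name || l === '/' + name) return true;
    if (l.startsWith('*.')) return name.endsWith(l.slice(1));
    return false;
  });
  const present = LOCKFILES.filter((f) => files.includes(f));
  return { present, ignored: present.filter(ignored), missing: present.length === 0 };
}

// CI verdict: pass only with no blocked ranges and a committed, un-ignored lock file.
function policyPasses(findings, lockStatus) {
  const blocked = findings.some((f) => f.severity === 'block');
  return !blocked && !lockStatus.missing && lockStatus.ignored.length === 0;
}

// Constructed sample inputs (placeholder package names, hypothetical project).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { chalk: '*', lodash: '4.x', debug: '^4.1.2', 'strip-ansi': '~7.1.0', express: '4.19.2' },
  devDependencies: { jest: '>=29.0.0 <30' },
};
const SAMPLE_FILES = ['package.json', 'package-lock.json', 'src/index.js'];
const SAMPLE_GITIGNORE = ['node_modules/', '# lock file', 'package-lock.json'];

const findings = auditDependencies(SAMPLE_PACKAGE_JSON);
const lock = lockfileStatus(SAMPLE_FILES, SAMPLE_GITIGNORE);
for (const f of findings) {
  console.log(`${f.severity.padEnd(5)} ${f.field}.${f.name} "${f.range}" -> ${f.kind}`);
}
console.log('lock files present:', lock.present, 'ignored by .gitignore:', lock.ignored);
console.log('policy passes:', policyPasses(findings, lock));
```

To run it against a real project, replace SAMPLE_PACKAGE_JSON with JSON.parse(fs.readFileSync('package.json', 'utf8')) and feed lockfileStatus the repository's file list and .gitignore lines; calling process.exit(1) when policyPasses returns false turns it into a CI gate. The range classifier is intentionally strict: anything it does not recognise is a warning rather than a pass.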

🔥 Hot Topics: Cloudflare on fire, literally

Tough couple of weeks for the infrastructure giant, plus mishaps at other companies.

First, there was an unauthorized issuance of TLS certificates for 1.1.1.1, the IP address of Cloudflare's public DNS resolver. Mis-issued certificates are exactly what Certificate Transparency logs exist to surface, so monitoring CT for your own names and addresses is worth the effort.

Then they effectively DDoSed themselves: a React useEffect hook bug in their dashboard caused it to re-issue the same API calls on every render, flooding their own backend.

Hopefully they will sort this out soon, since people are starting to have doubts about the ecosystem. It also doesn't help that so much of the web depends on them: over 16% of all websites use the service, and they hold a staggering 82.16% share of the DDoS and bot protection market, which turns every Cloudflare incident into a single point of failure for a large part of the internet.

BONUS: Ubuntu Rust reimplementation goes poorly

Ubuntu, one of the most popular Linux distros, is replacing parts of its C code base with Rust reimplementations. Turns out some of that code does not yet work as expected.

The Rust version of cksum is up to 17x slower than the GNU version on some large files, and the sort utility does not finish on large single-line files. Turns out a rewrite does not automatically inherit the decades of optimization in the code it replaces.

BONUS 2: Claude was indeed getting dumber

Anthropic has identified three issues, between August and early September, that degraded the quality of its models' responses. Turns out AI can get dumb.

Luckily, a Redditor created an open-source AI benchmark tool that scans models every hour to check whether they are getting "dumber".

📈 Recent Trend: MCP servers getting traction

Nuxt UI 4, the intuitive Vue UI library, recently added an MCP server that helps AI tools like Cursor and Claude Code understand the library and build user interfaces with it more easily.

Laravel, the popular PHP framework, also introduced Laravel Boost, an MCP server that runs inside your project and gives AI agents Laravel-specific tools, documentation and guidelines, so they behave like experienced Laravel developers rather than generic search engines.

Not to be left behind, Symfony also released an MCP SDK in collaboration with the PHP Foundation and Anthropic. They had previously released the AI Bundle, which integrates the various Symfony AI components, such as the Symfony AI Platform component.

🔄 Tech Updates

🗝 Legacy Revival

  • IANA's pool of IPv4 addresses ran out nearly 15 years ago, yet IPv6 adoption is still far from universal

  • PHP 8.5.0 Beta 3 was released, while 83% of PHP websites still run legacy versions

  • Django released version 6.0 alpha 1, the first preview of the next major version

  • Expo released SDK version 54 of its full-stack React Native framework

  • Slack usage keeps declining, yet it is removing its free nonprofit plans

🐦‍⬛ X Hits

  1. Do you find this self-driving action “safe”?

  2. An AI Agent that speaks to car engines

  3. Hyperliquid is the most profitable company per employee, surpassing Tether and OnlyFans

Till next time,
Rares.
