EPISODE · Mar 27, 2026 · 10 MIN

Astral has been acquired by OpenAI (News)

from Changelog Master Feed

Astral is joining OpenAI, which says a lot about where the center of gravity is moving for developer tools, LiteLLM got hit by a nasty supply-chain attack, and OpenCode blew up as the latest serious open source swing at the coding-agent stack. We've also got Rust doing a very public reality check on its own pain points, WorkOS pushing AuthKit into CLI auth, Ryan Lizza using AI to build an open source TurboTax alternative, and a fresh httpx fork that turns open source maintenance drama into a real dependency story. If nothing else, this week was a good reminder that tools, trust, and control all move together.


TRANSCRIPT · AUTO-GENERATED

What's up, friends? Adam here. This is Changelog News for the week of March 23rd, 2026. Friends, I'm hot off an epic spring break. You know, I've never taken a true spring break vacation.

Sure, I've done some things, but never an epic trip to South Florida that we did this year. It was much needed time away: family, friends, and good sleep. Sadly, while away, Chuck Norris passed away. He was a high-achieving person in life and someone worth emulating. He has 10 principles to live by.

Here are two of my favorites. Number one, I will forget the mistakes of the past and press on to greater achievements. And number two, I will always remain loyal to my God, my family, and friends, and my country. Okay.

Let's get into the news. Astral has been acquired by OpenAI. This is a big one, y'all. Astral, the company behind uv, Ruff, and ty, says it has entered into an agreement to join OpenAI as part of the Codex team.

Another reason why this hits so hard for me is that Astral is not some random AI startup getting acqui-hired. These are already some of the most important tools in modern Python development. So the obvious first question is, what happens to the tools? Astral says the open source work continues after the deal closes, and that matters a lot because uv and Ruff, in particular, are not side-products anymore.

These are foundational pieces of a lot of Python workflows right now. If you zoom out, the bigger revelation is the center of gravity for developer tools keeps moving toward the coding agent stack. Astral started out making Python development dramatically faster, and now the same team is heading into Codex. That tells you where they think the highest leverage work is next.

And if you're a Python developer, or honestly, any developer paying attention to tools, this is one of those moments worth clocking because it suggests the future is not just better linters, better package managers, better type checkers, as separate things. The future is those tools getting pulled closer and closer into the agent itself. LiteLLM compromised by a supply chain attack. LiteLLM 1.82.8 was reported to include a malicious .pth file that could execute on Python startup and potentially steal secrets from machines that installed it.

Attackers published a fake LiteLLM 1.82.8 release directly to PyPI, outside LiteLLM's normal GitHub release flow. The current explanation for how it got there is the real story. LiteLLM says a publishing token was exposed through an unpinned Trivy security scan in CI. This was not just one bad package upload, it was a supply chain chain reaction: compromised security tooling, stolen publishing credentials, then poisoned releases pushed straight to PyPI.

LiteLLM is not some random edge dependency though. For a lot of teams, it sits right in the middle of their AI stack, routing model calls, living right next to API keys, cloud credentials, and internal config. And the .pth file is a nasty delivery mechanism because it can execute when Python starts, before anybody even imports the library. So if you're out there and you installed the affected versions, treat this as an incident, not an upgrade bug.

Check where it ran, rotate anything exposed, and look at CI and developer machines first. The takeaway is the AI middleware layer now belongs inside your real supply chain threat model. OpenCode tops Hacker News. OpenCode blew up this week as the highest traction new coding agent launch on Hacker News.

OpenCode is an open source attempt to build the full coding agent surface area: terminal, IDE, desktop, multi-session workflows, LSP support, with bring-your-own-model flexibility. The uncomfortable signal is in the timing. Right before OpenCode hit number one on Hacker News, the project had to strip out Anthropic OAuth and Anthropic references after legal pressure. And if you've been on X lately, you've likely heard about the Claude OpenCode drama.

This should tell us the open agent race is real, but it's still happening inside ecosystems controlled by model vendors. So my read on this is that OpenCode matters less because it's definitively the best agent today and more because it shows where this market is going next. The next fight is not just over model quality. It is over who owns the interface, the workflow, and the default home for coding with agents.

Rust has challenges, but here's how we can address them. The Rust project published a reality check. This is not a "Rust is doomed" post. It is not a victory lap either. More like, we talked to a bunch of people and yes, the problems you already think Rust has are in fact the problems people keep running into.

The interesting part is the shape of those problems. Compile times are still a thing, but they're not really blockers for most people. The borrow checker is still brutal for beginners, but it bothers experts a lot less, which tells you some of that pain is onboarding pain, not necessarily evidence the language is broken. Async is still messy in the way Rust async has been messy for a while, except in this post, they're pretty explicit.

There are actual next steps they think can help. And then you get to the ecosystem story, which is maybe the most important one. A healthy crate ecosystem is Rust's largest strength, but people do not always know which crates to trust, which ones are effectively standard, or whether the thing that they need exists yet in their domain. In worlds like embedded, GUI, and safety-critical work, the maturity gap gets a lot more obvious.

I applaud this post because the intent behind it is awesome. I use Rust daily. I feel this pain every single day. Sure, Rust can be improved, but this shows the project is listening and it shows they have clear pain points to smooth out where there's friction.

And now time for some sponsor news. Well friends, I'm here with Michael Grinich, founder and CEO of WorkOS. Michael, if you didn't know, CLIs are back, they're all the rage, and a major problem I personally have with my CLIs is authorization, authentication. What do you say about WorkOS and auth for CLI?

Long live the CLI. We've had a resurgence of it, which I'm so thrilled about. We actually have supported CLI auth for many years at WorkOS. This is something called the device grant flow.

It lets you have that really smooth experience where, from the CLI app you're building, you can link out to the browser and have the user authenticate through whatever system they have in your app and then bounce back into the browser. So nobody is pasting their credentials or their secrets into the shell itself. Kind of zero knowledge, zero trust way of building a lot of authorization. It works great for existing CLIs.

It also works super great if you're building a CLI specifically for agents, which is kind of all the rage now as people are expanding upon that. So WorkOS, we think, is the fastest way to do it. And you can actually do it without migrating your entire user base. You can just layer on the CLI auth because WorkOS is modular.

You can just add that in front. We have people doing this for MCP as well, where they just use WorkOS for the MCP authentication gateway and not for the primary identity stack. So it's totally possible today. And I think WorkOS is the fastest way to ship auth in the CLI app you're building.

Well, friends, go to WorkOS.com, try it today. Again, WorkOS.com. Learning to code by building TurboTax. Ryan Lizza got fed up enough with TurboTax and the larger tax filing mess that he used AI coding tools to build a free, open source alternative and then put it in the public so tech professionals and, quote, actual programmers, end quote, can inspect it.

The question is not whether AI can spit out code anymore. We are past that. The better question is whether these tools are good enough to help somebody take a real run at expensive, boring, and common software that normal people actually depend on.

Tax software is a great test because it is high stakes, full of edge cases, and usually not something you could fake your way through with a polished demo. Ryan is not asking for your trust. He's doing the exact opposite. He's saying, Hey, here's the app I made.

It is open source, vet it. If you're a pro, if you're a programmer, vet it, please. This isn't about a journalist suddenly becoming a 10x software tax engineer; it is whether or not AI lowers the cost enough for we the people to build credible public interest software in markets that used to belong entirely to incumbents. Why I forked HTTPX.

This is one of those open source stories that sounds niche until you realize how much code quietly depends on it. HTTPX is a very popular HTTP client and Michael Bayon has now forked it into HTTPXYZ. And the reason is there hasn't been a release of HTTPX since November, 24 fixes were sitting around unreleased and upstream trust has been eroding. The real story is not just that somebody got frustrated and made a fork.

The issue is project maintenance risk eventually turns into dependency risk. In this case, the fork author points to hidden issues, discussions being turned off, years of talk about a future 1.0, and a growing sense that a widely used package did not have a stable maintenance path anymore. HTTPX is not some obscure utility. It sits underneath a lot of Python software, and even high profile packages like OpenAI's and Anthropic's Python SDKs have already begun guarding against a future 1.0 release.

The fork's pitch is the interesting part. It is not a rewrite. It is not a revolution. Just a stable fork with a motto, quote, move a little faster and not break things, end quote.

That is a pretty good summary of what a lot of developers actually want from infrastructure dependencies. Not novelty, just a maintainer story they can trust.

