- ByteSize
- Posts
- EmDash wants WordPress dead + Anthropic fumbled its source code
EmDash wants WordPress dead + Anthropic fumbled its source code
PLUS: Gmail finally lets you ditch that embarrassing 2004 username, Oracle fires thousands via email, and a hospital CEO is very excited to replace your radiologist.
In partnership with
Hiring in 8 countries shouldn't require 8 different processes
This guide from Deel breaks down how to build one global hiring system. You’ll learn about assessment frameworks that scale, how to do headcount planning across regions, and even intake processes that work everywhere. As HR pros know, hiring in one country is hard enough. So let this free global hiring guide give you the tools you need to avoid global hiring headaches.
Welcome back! If your March Madness bracket survived this long, we assume divine intervention.
Fifty-seven years ago today, a nervous graduate student named Steve Crocker wrote a memo. He was so worried about seeming too official that he titled it "Request for Comments,” a name so noncommittal it belongs on a Hinge profile. That document, RFC 1, became the foundation of the internet: the infrastructure that now hosts 4K cat videos, NFT scams, LinkedIn thought leaders, and whatever Elon Musk posted at 2am last night. Happy birthday, internet. You've done… something.
Cloudflare Looked at WordPress and Said "We Can Do That, But Make It AI"
You may remember us covering the WordPress civil war: Matt Mullenweg going full Succession villain, WP Engine getting sued, and plugins being weaponized like we were all living inside a PHP revenge thriller. Well, there's a new chapter. Cloudflare just announced EmDash—a TypeScript rebuild of WordPress, unveiled on April 1st, which, yes, everyone initially assumed was a joke. It was not.
EmDash named after the em dash, which is apparently a telltale sign of AI writing, is serverless, MIT-licensed, and built on the Astro framework. The most notable feature is that each plugin runs in its own sandboxed isolate instead of having full access to everything like WordPress plugins do.
That’s crucial, because 96% of WordPress security issues come from plugins. NINETY-SIX PERCENT!!! C’mon, If your plumbing failed at that rate, you'd have moved out already.
The chief engineer, who has been on the Astro core team for two years, made a point of clarifying on Hacker News that no, this isn't a vibe-coded weekend project. It's been two months in the making, it's open source on GitHub, and Cloudflare very much wants you to run it on Cloudflare Workers.
WordPress runs 42% of the internet. EmDash has zero plugin ecosystem and no community yet. The audacity of this project is, honestly, kind of admirable. Check it out if you're curious, or just maybe wait until v0.2.0 before betting your business on it.
Anthropic Left the Back Door Open and Someone Walked Off With All of Claude Code
Anthropic—the AI safety company (emphasis on SaFeTy )—accidentally published the full source code for Claude Code in an npm package update last week. Nearly 2,000 TypeScript files. Over 512,000 lines of code. Gone. Public. Forked tens of thousands of times before anyone could do anything about it.
A source map file got left in the build. That's it. That's the whole story.
The official statement said it was "human error, not a security breach," which is also what I say every time I send a reply-all.
Competitors now have a detailed blueprint of how Claude Code is architected. Developers have already started publicly dissecting the memory systems and query architecture. Bad actors have a map for testing the guardrails. Anthropic says no customer data was exposed, which is good! But also, maybe double-check your npm builds before you ship, guys.
2.3 Million Android Phones Got Rooted by Apps That Were Just… There
A new Android malware called “NoVoice” infected 2.3 million devices through more than 50 apps on the Google Play Store. We’re talking cleaners, image galleries, and games. Apps that did exactly what they said they'd do, while also completely owning your phone in the background.
NoVoice exploited old Android vulnerabilities patched between 2016 and 2021. If your device's security patches are that far behind, your phone has been running on vibes and prayers. Once inside, the malware rooted devices, replaced system libraries, and specifically went after WhatsApp—stealing encryption databases and session keys to clone your account on someone else's device. It also survives a factory reset.
Google has since pulled the apps and says devices updated after May 2021 are protected. And if you’re reading this, we expect you to have already updated your phones, but call your mom to update hers, too.
⚙️ TOOL TIME
Humans: Still the Killer Feature on Experts Exchange
Here's the thing about AI-generated answers: they arrive fast, they sound confident, and they are wrong with the unbothered ease of someone who has never once faced consequences. There's a whole genre of IT problems right now that goes: "ChatGPT told me to do this and now my server makes farting sounds."
That's where Experts Exchange comes in. Real humans with actual expertise. People who have personally touched server racks and lived to tell the tale.
We promise our forums has:
Real humans who've actually touched the thing you're breaking
Verified answers from people with track records, not token probabilities
AI Review: a feature that lets you submit AI-generated answers for human verification, because we've reached the point where we need actual experts to fact-check our artificial ones
No hallucinated confidence. If an EE expert doesn't know, they say so.
Since 2001, EE has been the place where your weirdest, most specific, "this only happens on Tuesdays" problem gets answered by someone who has actually seen it before. “Human-in-the-loop” isn't a buzzword here, but it IS how we operate.
90 days free. No credit card required. Think of it as the antidote to your AI chatbot's overconfidence problem.
👨💻 JOB OPPORTUNITIES
Kalshi lets people bet on whether things happen. Your job is to make sure their cloud infrastructure doesn't let bad things happen. Azure AD, Okta, Intune, JAMF, PowerShell—the full stack. Somewhere between risk management and prediction markets lies your entire career, apparently.
You'll assess security risks at a 165-year-old company, which means you'll be explaining zero-trust architecture to someone who still prints their emails. Six to eight years of experience required, plus a tolerance for the phrase "but we've always done it this way."
SOX compliance at a global payments company. You'll work with auditors, write control documentation, and explain ITGC to finance people who will nod and not understand a word. Strong preference for candidates in Boston, New York, or Chicago—so at least the commute will give you time to question your decisions.
🛩 INDUSTRY MOVES
Gmail is finally letting US users change their account username after 22 years—so yes, XxXIxxEatxPoopxXx, you can now rebrand for the job market. The old address sticks around as an alias, and you only get one new username per year, so choose wisely and try to be an adult about it this time.
Oracle laid off thousands of employees — possibly as many as 10,000 overnight—as part of a restructuring that could hit 30,000 people. The terminations came via email, effective immediately. The company plans to spend $50 billion on AI infrastructure in fiscal 2026, because nothing says "we value our people" like replacing them with a data center in Abilene, Texas.
Salesforce dropped 30 new AI features on Slack, including a Slackbot that now monitors your desktop, tracks your calendar, watches your habits, and drafts follow-ups for your meetings. Marc Benioff called it "an incredible journey." Your employees will probably call it something else.
The CEO of New York City's largest public hospital system said he's ready to replace radiologists with AI for certain imaging reads—if regulators let him. A panelist from Westchester said their AI misses breast cancers only about 3 times out of 10,000 on negative reads. Hide your kids, hide your wives, and hide your doctors, ‘cuz no one’s safe from AI
Obviously it's Chip! Back again with another round of "I cannot believe this is still happening.” This week on Experts Exchange, the community was hard at work on some genuinely tricky problems:
A user's click-triggered popups work perfectly on page one, then completely stop working after pagination. The culprit, as I suspect, involves DataTables re-rendering the DOM and leaving your event listeners talking to elements that no longer exist.
HTML stored in a database keeps rendering its line break tags literally inside a textarea instead of as actual line breaks. A classic "the database doesn't know it's talking to a textarea" situation that's annoyed developers since approximately the dawn of PHP.
Two business laptops were set up under the same Microsoft account, and now they share a Device ID and recovery key — except the key doesn't work on the locked machine. A real "two people, one identity" crisis that only Microsoft's account system could engineer.
That’s it for today! Go outside if you can. Those Jira tickets will still be there.
Enjoyed the news? Discuss over on Experts Exchange.
Got news to share or topics you'd like us to cover? Send ‘em our way by responding to this email. We can’t wait to hear from you. Really.