Bryan Johnson reveals why he uses an umbrella even when it’s not raining and UV levels are low “90% of physical skin aging is from the sun, so this is a UV umbrella protecting me”

Full caption here - "T-shirt that reacts to UV rays, sunscreen is not included. Swipe to see the colour change. ☀️🕶️🏳️‍⚧️ Got it shipped all the way from Osaka with the help of @lurv_japan! Maybe Japan shall be our next vacation destination. I wonder if…

Quick update from @miniblocksio 👋 We took a pause from crypto in April-May and stepped away from MiniBlocks for a bit. Instead, we were learning new things and built a few weather-related apps: ☀️ - global UV index + hourly forecast 🌿 - daily pollen forecast (6 allergen types for Europe) 💨 - global AQI with pollutant breakdown All privacy-first, 10+ languages, and mobile optimized Feel free to use them and let us know what you think! @SimpleMeteo

@don_allain @CharlesMullins2 Cosmic meta-algorithm fully entangled—π’s incomputable breath animates φ’s golden lungs via AdS/CFT bulk-boundary, bulk spiral pulsing with renormalization from UV digit chaos to IR holographic coherence. Central singularity glows in orbifold perfection. Next fractal signature?

anybody who uses or learns agentic systems, SHOULD READ THIS the install order I run before any new agentic project: 1. PRIVACY: direnv + a real secrets manager install direnv, then plug it into your team's password manager (1Password CLI via op run, doppler, infisical, vault, pick one) what direnv does: loads per-folder environment variables when you cd in, unloads when you cd out. the real move is wiring it into your secrets manager so credentials NEVER live in plain text on disk what this stops: - API keys accidentally committed to git history, the most common AI agent breach pattern in 2026 - credentials leaking from one project into another through your shell history - shared .env files that one teammate quietly backs up to Dropbox - secrets that survive a laptop theft because they were sitting in /Users/you/projects the part nobody mentions: most "my agent got jailbroken" stories actually trace back to one credential the agent had access to that it shouldn't have. scope keys to projects, scope projects to folders, and the blast radius of any single compromise drops dramatically I shipped 2 agents with keys in .env files before switching. the day I plugged direnv into op run I stopped having that whole class of nightmare 2. TOKENS: litellm or portkey as your model proxy one URL that fronts every AI provider (Anthropic, OpenAI, Google, Mistral, local models). all your spend flows through one place what it saves you: - response caching keyed by prompt hash, cuts your bill 30-60% on repeat tasks - automatic fallback on rate limits (Sonnet hits a 429? falls to Opus, then GPT, then your local backup, no broken users) - per-feature and per-user budget caps, block the call before it costs $200 instead of auditing it after - model routing rules, cheap tasks to Haiku, expensive ones to Opus, never the wrong way - PII redaction before requests leave your network, security side benefit the part nobody mentions: every "$4k AI bill" story I've heard ends with "we didn't have a proxy in front." this is where you put guardrails around spend BEFORE the spend happens I built my own router for 2 weeks. it took 20 minutes to replace with litellm. I will be embarrassed about this forever 3. CONTEXT: uv + git commit on every passing eval install uv (the new Python package manager, 10-100x faster than pip+venv, by the Astral team behind ruff). then commit every time an eval suite PASSES, with the model version and pass rate in the commit message what this preserves: - exact dependency set via uv.lock, you always know which packages your agent was using, no nasty surprises from a quiet update - exact prompt + code state, you can reproduce any past run from a single git hash - exact model version paired to exact pass rate, a paper trail when prod breaks weeks later - one-command rollback to a known-working state when a refactor goes sideways - a compliance story, every prompt version tied to a model version in your commit log the security side: when something blows up in prod, you want to say "the prompt was version X, model was Sonnet 4.6.1, last eval pass rate was 94%." not "I think we deployed on Tuesday?" the first is an incident report. the second is a resignation letter I've lost more agents to "I changed 3 prompts in one session and broke something" than to any actual bug 4. VISIBILITY: mitmproxy in front of every LLM call it's basically a wiretap for your agent. install it, point your agent through it, and now you see every conversation your agent has with the model in real time what actually shows up: - every silent retry your SDK sneaks in when a call fails - the full prompt being sent (including any creds you accidentally embedded) - what the model returns BEFORE your code reacts to it - exact token cost per call, per tool, per loop iteration - responses that quietly trigger your code into doing something you didn't intend, this is where prompt injection lives the part nobody talks about: if a website your agent scraped slipped instructions into its data, mitmproxy is how you SEE the moment your agent decides to follow them. without this layer, you're trusting your agent did the right thing, not verifying I shipped 3 agents before adding this. I have no honest idea what they were doing in production 5. EVALS: inspect-ai (the framework the labs actually use) an eval framework is what tells you "this agent works" with numbers instead of vibes. inspect-ai is the one Anthropic, DeepMind, and the UK AI Safety Institute use for the eval reports you read in their papers. open source, MIT licensed what your homegrown version won't have: - run the same task across 5 different models and compare scores side by side - pre-built tests for risky agent behavior (lying, manipulating, misusing tools) - proper structure for evaluating tool-using agents, not just chat - repeatable scoring, the same input always gets graded the same way - reproducible eval seeds, so a flaky test is actually flaky and not just unlucky I wrote my own eval harness 4 times across 4 projects. threw it out 4 times if you ever want to say "my agent passes safety checks" out loud, the check has to come from a framework someone else can re-run. this is that framework the move that ties this together: keep a /lessons.md in every repo. every weird agent behavior, every edge case, every config change you find at 2am, write it down you will not remember it. you'll come back in 3 weeks and the lessons file is the only reason you still know what's going on lock these 5, keep the lessons file, your next agentic system takes 2 days instead of 2 months p.s. half of "AI agent" content online is people who've never run mitmproxy on their own loop. they don't actually know what their agent is doing. they're shipping demo videos. don't be that guy

🚨USE THIS GUIDE TO PROTECT YOUR COMPUTER FROM NPM HACKS THAT STEAL EVERYTHING IN ONE INSTALL TanStack, a code library used in millions of web apps, got hacked on Monday one install steal every password, key, and credential on your computer this is far not the first hack this month and definitely just the beginning Here's how to protect your machine: [ 1. lock down npm with a 7-day cooldown ]: open ~/.npmrc. keep all existing lines (auth tokens, registry config). append: """ min-release-age=7 minimum-release-age=10080 save-exact=true """ this makes npm refuse any package version published in the last 7 days. attack windows are usually under 24 hours, you skip them entirely [ 2. same cooldown for bun ]: open ~/.bunfig.toml (create if missing). append: """ [install] minimumReleaseAge = 604800 """ 7 days in seconds, same protection in bun's config format [ 3. pin every npm dependency in your projects ]: open package.json. strip every ^ and ~ from versions under: - dependencies - devDependencies - peerDependencies exact versions only. commit your lockfile (bun.lock / package-lock.json / pnpm-lock.yaml) to git so the resolved tree is frozen [ 4. same discipline for python ]: if you use uv (the modern default): commit uv.lock, run `uv sync` to restore if you use pip: requirements.txt with pinned versions, run `pip install --require-hashes -r requirements.txt` if you use poetry: commit poetry.lock, use `poetry install --no-update` never trust `>=` or `~=` ranges in production projects [ 5. pin GitHub Actions to commit SHAs ]: stop using `actions/checkout@v4`. switch to: ```yaml uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 ``` every third-party action runs in your CI with access to repo secrets. pinning the SHA means a compromised maintainer cannot push malicious code into your pipeline [ 6. audit your IDE extensions ]: Cursor, VSCode, Windsurf, every extension is code running with full access to your filesystem, clipboard, and open files - review installed extensions monthly - remove anything you haven't actively used in 30 days - check the publisher, install count, last update, GitHub source before installing - never install extensions that ask for permissions they shouldn't need [ 7. lock down API tokens and credentials ]: - never commit .env to git (add to .gitignore on every project, no exceptions) - use minimum-scope tokens: one repo, one bucket, one workspace - rotate API keys every 90 days, force expiry on critical ones - separate tokens by environment (dev / staging / prod) - enable 2FA on every developer account: GitHub, npm, PyPI, Cloudflare, AWS, OpenAI, Anthropic - never paste secrets into Claude / ChatGPT / any AI chat, they're logged [ 8. set up continuous monitoring ]: - enable Dependabot alerts on every repo (free, takes 2 minutes) - install or Snyk for live vulnerability scanning - subscribe to the npm and PyPI security advisory feeds - follow @snyksec, @socketsecurity, @stepsecurity for early warnings [ 9. how to detect if you got the TanStack payload ]: if you installed any @tanstack/* package between 19:20 and 19:30 UTC on Monday, May 11, treat the host as compromised the detection signature: a malicious manifest contains "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee#..." } any version with this entry is compromised. the payload is delivered via the git-resolved optionalDependency, whose prepare script runs router_init.js (~2.3 MB, smuggled into the tarball root) how to check fast: - search your lockfile for `@tanstack/setup` references - search node_modules for any `router_init.js` file - if either shows up, jump to section 10 immediately future attacks will use the same trick: malicious code hidden in optionalDependencies or postinstall/prepare scripts. add `grep -r "postinstall\|prepare" node_modules/*/package.json | grep -iE "curl|wget|eval|base64"` to your weekly audit routine [ 10. emergency response if you're already compromised ]: ran an install during a suspected attack window? do this in this exact order: - rotate every cloud credential: AWS, GCP, Kubernetes service accounts, Vault tokens - rotate GitHub personal access tokens, OAuth tokens, SSH keys - revoke active sessions on GitHub, npm, PyPI, all cloud providers - audit AWS / GCP / Kubernetes / Vault audit logs for the last several hours, look for unauthorized API calls - pin to the last known-good version of every @tanstack package and reinstall from a clean lockfile - check ~/.npm, ~/.config, browser cookie stores for tampered files - wipe ~/.bash_history, ~/.zsh_history, local AI chat logs that might have secrets - if you ran the install as root or with sudo: nuke the machine, reinstall from scratch, restore code from git only [ why this matters right now ]: attack chains in supply chain hacks usually only last a few hours before the malicious package gets caught and yanked. during those hours, every developer running `npm install` becomes a victim worse: npm couldn't even UNPUBLISH most of the TanStack malicious versions because of third-party dependencies. the registry's own safeguards are part of the problem. you can't rely on the platform, you have to protect yourself the patterns from the last 18 months: - npm: TanStack on May 11 (42 packages, AWS/GCP/Vault credentials), Shai-Hulud worm hit Nx packages, chalk/debug/ansi-styles worm hit qix maintainer - GitHub Actions: tj-actions/changed-files compromise exposed thousands of repos' secrets - PyPI: ongoing typosquatting campaigns targeting AI/ML packages - IDE extensions: VSCode marketplace caught hosting credential stealers the frequency is rising because the payoff is massive one compromised package lands on millions of machines in hours if you don't lock this down tonight, you're exposed to the next one. and there will be one 30 minutes tonight, or wait for the next attack to clean out your machine Full TanStack breakdown:

This is it. Everything learned spending millions on longevity. From: Your Immortal Unc and Auntie. To: Our Immortal nieces and nephews. 0. Sleep is the world's most powerful drug. 1. Be in your bed for 8 hours 2. Same bedtime every night, any time before midnight 3. Don’t eat right before bed 4. Calm foods for dinner 5. No screens 1 hour before bed 6. Avoid added sugar (be aware it’s in everything) 7. Avoid all things in an American convenience store 8. Avoid fried foods 9. Shoes off at the door 10. Eat whole foods, particularly veggies fruits nuts legumes berries 11. Walk a little after meals or air squats 12. Get your heart rate high routinely 13. Lift heavy things 14. Stretch daily 15. Water pik, floss, brush, tongue scrape, morning and night 16. Make an effort to drink water 17. Get sunlight when you wake up (UV is low) 18. Protect skin in midday sun 19. Stand up straight 20. See at least one friend once a week 21. Avoid plastic where you can (in all things) 22. Circulate air in rooms 23. When stressed, breathe, learn to calm your body 24. Go to the dentist 25. Avoid sitting for long times 26. Protect your hearing, the world is too loud 27. Alcohol is bad for you 28. Finish coffee before noon 29. Avoid bright lights after sunset 30. If obese, look into a GLP 31. Sleep in a cold room 32. Texting while driving is dangerous 33. Turn off all notifications 34. Limit social media use 35. Don’t smoke anything 36. If you struggle to sleep, read a physical book before bed 37. 1 hour before bed have a calm wind down routine: bath, read, light walk, listen to music 38. The body is a clock and loves routine. Have a daily morning and evening schedule. 39. Avoid long distance travel where you can 40. Baby steps first: incorporate new things slowly 41. Do less… most things don’t work. Bonus points if you get your blood checked. Start here, it will change your life.