Developer Convicted for “Kill Switch,” GitHub Security Alert, & More
⚔️ From “Hired” to Infinite Loops & “Kill Switch”!
Welcome to HackerPulse Dispatch! We've got a jam-packed update for you, delving into the latest tech headlines—from the GitHub Action tj-actions/changed-files breach to TypeScript's impressive 10x performance boost.
Plus, we'll explore why asking “stupid” questions is actually a superpower, the rising trend of companies forcing AI on devs, and a shocking case of a dev facing up to 10 years in prison for deploying malicious code that sabotaged his former employer's network.
Here’s what’s new:
🚀 A 10X Faster TypeScript: TypeScript is getting a native compiler, delivering a 10x speed boost, faster editor performance, and reduced memory usage, with a full rollout expected by the end of 2025.
⚖️ Developer Convicted for “Kill Switch” Code Activated Upon His Termination: A former software developer was convicted of sabotaging his employer’s network with malicious code, including a “kill switch” that triggered upon his termination, and now faces up to 10 years in prison.
⚡ As an Engineer, I’d Rather Be Called Stupid Than Stay Silent: Did you know that embracing vulnerability and asking stupid questions fosters learning, strengthens collaboration, and accelerates career growth?
⛔ Forcing AI on Developers Is a Bad Idea That Is Going to Happen: JetBrains’ decision to embed a non-removable AI Assistant in its IDEs highlights the dangers of forced feature adoption, sparking concerns over developer autonomy, security, and compliance.
👾 Popular GitHub Action tj-actions/changed-files Is Compromised: The popular GitHub Action tj-actions/changed-files has been compromised, exposing secrets in CI pipelines.
A 10X Faster TypeScript (🔗 Read Paper)
The core value of TypeScript has always been an excellent developer experience, but as projects grow, performance bottlenecks emerge.
Large codebases face long load and check times, forcing developers to compromise between fast editor startup and a full project view. AI-powered features also require faster access to semantic data, while command-line builds need to validate entire projects efficiently.
To solve these challenges, TypeScript is going native—bringing a drastic boost in speed, memory usage, and responsiveness.
Key Points
Native compiler rewrite: TypeScript is getting a native implementation, expected to cut most build times by 10x, improve editor startup speeds, and reduce memory usage significantly. A preview for command-line typechecking is targeted for mid-2025, with full project builds and language service support by the end of the year.
Blazing-fast editor experience: With the new native implementation, loading the Visual Studio Code codebase in an editor drops from 9.6 seconds to just 1.2 seconds—an 8x improvement. This means faster navigation, instant error listings, and near-instant refactorings, all while cutting memory usage in half.
Roadmap to TypeScript 7: The current JS-based codebase will continue development into TypeScript 6.x, with TypeScript 7.0 marking the switch to the native compiler. While some projects may migrate immediately, TypeScript 6 will be maintained until TypeScript 7 reaches full maturity.
Developer Convicted for “Kill Switch” Code Activated Upon His Termination (🔗 Read Paper)
A former software developer faces up to 10 years in prison after deploying malicious code that sabotaged his employer’s systems, causing global disruptions and financial losses.
Davis Lu, 55, was convicted by a jury for intentionally damaging protected computers at Eaton Corp., where he had worked for 11 years. Prosecutors revealed that Lu embedded destructive scripts to crash systems, delete user profiles, and prevent logins—culminating in a “kill switch” that shut down operations on the day of his termination.
Key Points
Sabotage uncovered: Eaton Corp. identified the malicious code while investigating system crashes, tracing it back to Lu’s user ID and a restricted server only he could access.
Deliberate obstruction: Evidence from Lu’s search history revealed he had researched ways to escalate privileges, hide processes, and delete files, suggesting an intent to prevent colleagues from restoring the network.
Legal battle ahead: Lu admitted to writing some of the code but maintains his innocence. His attorney announced plans to appeal, while the DOJ has yet to set a sentencing date.
As an Engineer, I’d Rather Be Called Stupid Than Stay Silent (🔗Read Paper)
Asking ‘stupid’ questions isn’t a weakness—it’s a superpower. In high-pressure situations, like responding to incidents or troubleshooting complex systems, it’s easy to hesitate before asking for clarification.
What if everyone else understands, and you’re the only one left in the dark? That fear keeps many from speaking up, but the truth is: embracing vulnerability accelerates learning.
By daring to ask, you not only grow your own knowledge but also contribute to a culture where curiosity and collaboration thrive.
Key Points
Fear of looking clueless: Many professionals hesitate to ask questions, fearing they’ll seem incompetent. But staying silent can lead to bigger mistakes, delays, and missed opportunities for growth.
The power of vulnerability: By admitting what they don’t know, teams foster a culture of trust and shared learning. A blameless environment encourages open discussions, making problem-solving more efficient.
Curiosity fuels career growth: Embracing the ‘stupidity’ mindset helps individuals gain deeper knowledge and transition into more technical roles. Asking questions isn’t just about understanding—it’s a stepping stone to expertise.
Forcing AI on Developers Is a Bad Idea That Is Going to Happen (🔗 Read Paper)
Companies have a long history of introducing new features that users never asked for, often making their experience worse.
This phenomenon is so common that it deserves a name—perhaps JetBrains Syndrome, in honor of the latest example. JetBrains has integrated a non-removable AI Assistant into its IDEs, creating an immediate headache for developers who work under strict no-AI policies.
The problem isn’t the AI itself but the lack of choice: when software dictates how and when users interact with new tools, frustration is inevitable.
Key Points
Feature creep turns toxic: The introduction of unremovable AI in JetBrains IDEs disrupts workflows, forcing developers to engage with a tool they might not want or be allowed to use. Worse, it puts professionals in an awkward position, having to justify its presence to management.
The real risk isn’t just AI, it’s control: Whether the AI assistant is helpful or not is irrelevant—what matters is that developers should have the choice to enable or disable it. Making it mandatory ignores the security, compliance, and productivity concerns that many dev teams face.
AI isn’t going away, but how we handle it matters: Instead of forcing adoption, companies should focus on transparency, clear policies, and user-driven implementation. If AI assistance is truly valuable, developers will embrace it—on their own terms.
Popular GitHub Action tj-actions/changed-files Is Compromised (🔗 Read Paper)
A widely used GitHub Action, tj-actions/changed-files, has been compromised, potentially exposing secrets in thousands of CI pipelines.
The malicious payload attempted to dump credentials, but the compromised gist used in the attack has since been removed.
GitHub has released an advisory, and the maintainers have reverted affected tags and published a fixed version (v46.0.1). Developers must take immediate action to assess exposure and mitigate risks.
Key Points
Identify affected repositories: Search for tj-actions in your codebase using GitHub's search query or a Semgrep rule to locate impacted workflows. Any usage of the compromised commit (0e58ed8...) or affected tags should be reviewed and removed.
Mitigate the risk: Rotate any exposed secrets, update CI pipelines to use the latest safe commit (2f7c5bf...), and consider using immutable commit SHAs instead of version tags to prevent future incidents.
Audit past workflow runs: Review logs for suspicious activity, especially outbound network requests, and prioritize repositories where CI logs are public. Organizations should also configure GitHub settings to prevent unauthorized GitHub Actions from executing.
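As an added illustration of the "identify" and "pin to a commit SHA" steps above (this is not code from the advisory or from the action's maintainers), the sketch below scans workflow text for `uses:` references and classifies each one. The sample workflow, the `example-org/example-action` name and the zero-padded hash are constructed; only the `0e58ed8` prefix comes from this page.

```python
import re

ACTION = "tj-actions/changed-files"
COMPROMISED_PREFIX = "0e58ed8"  # truncated on the page; matched as a prefix only
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s'\"#]+)", re.IGNORECASE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, name="workflow.yml"):
    """Return (file, line_no, action, ref, verdict) for each `uses:` step."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # ignore commented-out steps
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        is_target = action.lower() == ACTION
        if is_target and ref.lower().startswith(COMPROMISED_PREFIX):
            verdict = "compromised-commit"           # remove, rotate secrets
        elif FULL_SHA_RE.match(ref.lower()):
            verdict = "pinned"                       # immutable commit SHA
        elif is_target:
            verdict = "affected-action-mutable-tag"  # tag could be re-pointed
        else:
            verdict = "mutable-ref"                  # tag or branch, not a SHA
        findings.append((name, no, action, ref, verdict))
    return findings

# Constructed placeholder: page prefix padded with zeros, NOT the real hash.
PLACEHOLDER_BAD = COMPROMISED_PREFIX + "0" * 33
# Constructed sample workflow for demonstration.
SAMPLE = "\n".join([
    "jobs:",
    "  build:",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      # - uses: tj-actions/changed-files@v44",
    "      - uses: tj-actions/changed-files@v45",
    "      - uses: tj-actions/changed-files@" + PLACEHOLDER_BAD,
    "      - uses: example-org/example-action@" + "a" * 40,
])

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A `pinned` verdict only means the reference is immutable; for tj-actions/changed-files the SHA should still be compared against the safe commit named in the advisory.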
🎬 And that's a wrap. Stay tuned for the latest tech news and updates!

It is becoming a huge problem. Companies like Microsoft and Apple were also affected. What's crazy is this puts almost 15k repos and about 1000 organizations at risk. I just read this piece on it, it provides a comprehensive overview: https://www.garnet.ai/blog/github-action-tj-changed-files-breach-2025