Web Development
HTML in Canvas
Missing some fun? Try the new HTML in Canvas.
The HTML-in-Canvas proposal introduces an API for rendering and interacting with HTML/SVG elements directly inside a canvas, bridging the gap between high-performance canvas rendering and rich HTML styling and accessibility. Key features include native support for text, complex layouts, user interactivity like scrolling, and improved accessibility, with core mechanisms including the layoutsubtree attribute and drawElementImage() method. For more details, visit WICG/html-in-canvas - GitHub.
New baseline web features from April 2026
According to MDN, Math.sumPrecise() is a static method that takes an iterable of numbers and returns their sum.
Custom highlights style arbitrary text ranges, without adding extra elements to the DOM. Read MDN documentation on CSS Custom Highlights API.
Azure MCP now built into VSCode, no more extension
Visual Studio 2022 now features native, built-in Azure Model Context Protocol (MCP) tools, eliminating the need for extensions to manage Azure resources. This integration enables AI agents to utilize over 230 tools across 45 services directly within the IDE for tasks like querying AKS, managing Cosmos DB, and deploying applications. Read the full story at Visual Studio Blog.
Astral to join OpenAI
Astral is joining OpenAI to integrate its high-performance Python toolchain, including Ruff and uv, into AI-driven development workflows. OpenAI has committed to supporting and maintaining these open-source tools within the existing developer community. Read the full announcement at Astral.
Security
Supply Chain Alert: Bitwarden and Checkmarx Tooling Compromised
On April 22, 2026, a coordinated supply chain attack hijacked the Bitwarden CLI npm package and several Checkmarx developer tools, which are reported to harvest sensitive credentials. Attackers compromised Bitwarden's GitHub Actions to distribute a malicious version of @bitwarden/[email protected], while Checkmarx’s KICS scanner and VS Code extensions were poisoned with secret-stealing payloads. The malware, linked to a broader campaign by the group TeamPCP, specifically targeted GitHub/npm tokens, SSH keys, and cloud provider credentials for exfiltration to attacker-controlled infrastructure.
Lessons from Meta's post-quantum migration
Meta’s post-quantum migration framework outlines a phased transition using a five-level maturity model to move systems from "PQ-unaware" to quantum-resistant. The strategy prioritizes a "hybrid-first" approach, combining classical X25519 with NIST-standardized ML-KEM to maintain security while mitigating the risks of unproven new algorithms. To counter "Store Now, Decrypt Later" threats, Meta focused first on internal service-to-service traffic where they maintain full control over both network endpoints.
GitHub is hardening GitHub Actions
GitHub is ramping up its fight against supply chain attacks on CI/CD pipelines and advises developers to take action. Read the full article here.
AI & Security
Vercel security incident
In April 2026, Vercel confirmed a security incident initiated through a compromised third-party AI tool, allowing unauthorized access to internal environments and certain unencrypted environment variables. While sensitive data and the open-source supply chain remained secure, the breach impacted a limited subset of customers. Affected users were advised to rotate all credentials immediately. For full details, read the official incident report from Vercel.
Mythos Leak Exposes Security Gaps
A group of Discord users gained unauthorized access to Anthropic’s unreleased, high-security AI model, Claude Mythos, by guessing its URL and leveraging insider access. The incident highlights significant security gaps in vendor management, allowing unauthorized parties to access a tool designed to identify and exploit software vulnerabilities. Read the full story at WIRED.
Faked GitHub popularity & downloads - influence trust
An investigation by Awesome Agents reveals a "Reputation-as-a-Service" economy using over six million fake stars to manipulate GitHub's discovery algorithms, with AI/LLM projects frequently involved. Researchers found 16% of popular repositories participated in these campaigns by mid-2024 to artificially inflate metrics. Startups often buy these stars for as little as $0.06 to meet traction benchmarks for venture capital funding. Read the full investigation at Awesome Agents.
This week’s stories make one thing clear: the modern software supply chain is only as strong as its weakest vendor, package, or workflow. As AI tools and developer platforms become more deeply embedded in engineering teams, security hygiene, credential protection, and vendor scrutiny are no longer optional; they are core to shipping safely.

