The Download: LiteLLM hacked, Pretext layout engine, OpenAI news & more

GitHub | 00:05:07 | Apr 3, 2026
A wild episode recap where hackers hijack AI gateways, a new layout engine sidesteps DOM reads, and GitHub Actions learns your time zone as a 3D pixel-art city sprouts from commit history—all previewed as the episode kicks off.

Pretext layout engine debuts, a LiteLLM supply chain attack hits, OpenAI snaps up Astral, and GitHub adds time zones to Actions.

Summary

Kedasha guides us through a whirl of updates in this episode, starting with Chenglu’s new Pretext layout engine. Pretext aims to stop browsers from hammering the DOM by predicting text height and routing lines without expensive DOM reads, delivering impressive demo results like accordion height prediction and masonry grids. The segment then warns that the LiteLLM Python package suffered a supply chain attack on March 24, 2026, where Trevi’s GitHub Actions were poisoned to harvest credentials and push a backdoored version to PyPI. The attacker deployed a .pth file that executed a fork bomb and attempted to extract system metadata and cloud secrets. OpenAI announced it plans to acquire Astral (and Ruff) to weave Astral’s team into Codex, promising continued open-source support for Astral projects. Next, GitHub Actions gains native time zone support, letting users specify IANA zones in YAML like time zone America/New_York to align scheduled workflows with real-world time. Solo.io debuts Agent Evals, an OpenTelemetry-based tool that traces and scores agent reasoning to catch hallucinations before they reach production. Finally, GitCity turns GitHub profiles into a 3D pixel art city built with Next.js, three.js, Fiber, and Supabase, with buildings’ height, width, and brightness tied to contributions, repositories, and stars. It’s a playful reminder that tooling and creativity can collide in surprising ways. Stay curious, pin dependencies, and keep your builds green as the week wraps up.

Key Takeaways

  • Pretext predicts text height and routes lines without heavy DOM reads, enabling faster complex layout in demos like accordion heights and masonry grids.
  • On March 24, 2026, the LiteLLM Python package suffered a supply chain attack via Trevi's GitHub Actions, deploying a .pth file to trigger a fork bomb and steal credentials.
  • OpenAI intends to acquire Astral and Ruff to bolster Codex-based development across planning, execution, and maintenance, while pledging ongoing support for Astral's open-source projects.
  • GitHub Actions now supports native time zones in scheduled workflows by allowing an IANA time zone in YAML (e.g., time zone America/New_York).
  • Agent Evals from Solo.io uses OpenTelemetry to trace AI agent reasoning loops and scores them against golden datasets to detect hallucinations and drift.
  • GitCity showcases a playful open-source project that visualizes a 3D pixel art city from a developer’s GitHub data, built with Next.js, three.js, Fiber, and Supabase.

Who Is This For?

Essential viewing for developers who want to stay updated on browser performance innovations, software supply chain security, AI tooling, and developer-friendly OSS projects. Great for engineers evaluating new tooling like Pretext, auditing dependencies, or exploring AI governance and creative use of GitHub data.

Notable Quotes

"Pretext predicts text height and routes lines without those expensive hotpath DOM reads."
Defines the core advantage of the Pretext layout engine.
"The payload? A sneaky .pth file that fired up on every Python interpreter startup, triggering a fork bomb and malware execution."
Describes the attack vector and payload used in the supply chain incident.
"GitHub Actions added native time zone support for scheduled workflows."
Highlights a practical improvement for reliability of scheduled tasks.
"Agent Evals, a new open-source project built to improve the reliability of agentic AI systems."
Introduces the tool and its purpose in validating AI agent behavior.
"GitCity is an open-source project that turns your GitHub profile into a 3D pixel art city."
Captures the playful yet insightful project showcasing data-to-visualization mapping.

Questions This Video Answers

  • How does Pretext reduce DOM reads and improve browser layout performance?
  • What happened in the LiteLLM supply chain attack and how can I mitigate similar risks?
  • Will OpenAI's acquisition of Astral affect uv and Ruff users in Python tooling?
  • How do I configure time zone support in GitHub Actions scheduled workflows?
  • What is Agent Evals and how does it help prevent AI hallucinations in production?
Full Transcript
Hackers turned your AI gateway into a credential vacuum. A new layout engine is making DOM reads obsolete. GitHub Actions finally learn what time zone you live in, and someone built a 3D pixel art city out of your commit history. All that and more on this episode of The Download. [music] Welcome back to another episode of The Download, the show where we cover the latest developer news and open-source projects. I'm Kedasha, developer advocate here at GitHub. Let's get into it.

Software engineer Chenglu has released Pretext, a high-performance layout engine that's here to make your browser stop struggling during complex layout tasks. The big idea? Stop reading from the DOM so much. Pretext predicts text height and routes lines without those expensive hotpath DOM reads that have been slowing us all down. The demos are genuinely impressive. We're talking accordion height prediction, masonry grids, obstacle-aware title routing, particle-driven ASCII art, and continuous flow and fixed height spread. If you've ever watched a browser get stuck on complex layout and thought there has to be a better way, Chenglu thought so too and apparently built the better way. Keep an eye on this one.

Okay, so this one is not a drill. On March 24th, 2026, the LiteLLM Python package suffered a serious supply chain attack courtesy of a group called Team PCP. Attackers poisoned Trevi's GitHub Actions to harvest credentials from LiteLLM's CI/CD pipeline, then used those credentials to push a backdoored version to PyPI. The payload? A sneaky .pth file that fired up on every Python interpreter startup, triggering a fork bomb and malware execution. If that wasn't enough, it was also designed to steal system metadata, cloud credentials, and Kubernetes secrets. The malware was only discovered when it maxed out CPUs after being loaded via a Cursor-launched MCP server. Your AI coding assistant was the delivery mechanism. Pin your dependencies, use lock files with checksums, and consider remote MCP architectures to reduce local attack surfaces. Stay safe out there, folks. The supply chain is not always your friend.

OpenAI announced its intent to acquire Astral, the beloved team behind uv, the blazing-fast Python package manager, and Ruff, the linter that made Python devs actually enjoy linting. The plan? Plug Astral's engineering talents into the Codex ecosystem to build AI agents capable of handling the entire software development life cycle, from planning all the way through maintenance. OpenAI also promised to continue supporting Astral's open-source projects, which is the answer every developer was nervously waiting to hear. Whether this means your uv workflow gets an AI copilot or your Ruff config starts writing itself, the Python tooling world just got a very interesting new neighbor.

Raise your hand if you've ever done mental UTC math at 11:00 p.m. trying to figure out why your cron job fired at the wrong time. GitHub heard us. GitHub Actions added native time zone support for scheduled workflows. You can now drop an IANA time zone right in your YAML, something like time zone America/New_York, right alongside your cron expression. No more manual UTC offset calculations. You'll now have scheduled workflows that actually run when you expect them.

As agentic AI systems become more prevalent, the big question is, how do you know your AI agent isn't just confidently making things up? Solo.io has an answer: Agent Evals, a new open-source project built to improve the reliability of agentic AI systems. The tool uses OpenTelemetry to trace agent reasoning loops and then scores them against golden data sets to catch hallucinations or drift before they become production problems. Think of it as a fact-checker for your AI coworkers. As a bonus, Solo.io is also contributing its Agent Registry project to the CNCF to help build community standards for AI agent governance. Responsible AI tooling getting the open-source community-driven treatment it deserves? That's a headline worth celebrating.

And finally, because not everything in tech has to be serious, GitCity is an open-source project that turns your GitHub profile into a 3D pixel art city. And yes, it's exactly as wonderful as it sounds. Here's how your digital real estate is valued. Building height equals your contribution count, building width equals repository count, window brightness equals your GitHub stars. Built with Next.js 15, three.js, Fiber, and Supabase, the project includes a flight mode to explore your city, achievement systems, and even profile comparison tools. Because nothing says healthy developer competition like flying through a 3D city made of your commit history. It's the kind of project that makes you want to merge a PR just to make your buildings a little taller.

And that's a wrap on this week's dev news. Stay curious, pin your dependencies, and may your builds always be green. See you next time.
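The transcript's point about the .pth payload rests on a CPython behaviour worth seeing concretely: the site module reads every `.pth` file in each site-packages directory at startup, treats ordinary lines as sys.path entries, and passes any line that begins with `import ` or `import<TAB>` to exec(). The script below is an added example for defenders, not code from the episode or from LiteLLM or any other project it mentions. It enumerates the interpreter's site directories and reports only the lines that would be executed, so they can be reviewed after a dependency update. The sample directory it builds, the file names in it, and the harmless `import os; ...` line are all constructed for the demonstration.

```python
"""List the lines in installed .pth files that CPython would exec() at startup.

Added example, not from the episode or any project it covers. Relies on the
documented behaviour of site.py: a .pth line starting with "import " or
"import\t" is executed; comments, blank lines and path lines are not.
"""
import os
import site
import tempfile
from dataclasses import dataclass, field


@dataclass
class PthFinding:
    path: str                                   # the .pth file inspected
    exec_lines: list[str] = field(default_factory=list)  # lines site.py would exec()


def executable_pth_lines(text: str) -> list[str]:
    """Return exactly the lines site.py would pass to exec().

    A line indented with a space or tab before "import" is NOT executed; site.py
    treats it as a path entry, so we mirror that and leave it out.
    """
    found = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            found.append(line)
    return found


def scan_directory(directory: str) -> list[PthFinding]:
    """Inspect every *.pth in one directory; return only files with exec lines."""
    findings: list[PthFinding] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):            # site.py only honours this suffix
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = executable_pth_lines(fh.read())
        except OSError:
            continue
        if lines:
            findings.append(PthFinding(path, lines))
    return findings


def site_directories() -> list[str]:
    """Directories this interpreter processes for .pth files (system and user)."""
    dirs = list(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    return dirs


def build_sample_dir() -> str:
    """Create a constructed site-packages-like directory for demonstration.

    One benign path-only .pth, one commented-out import, and one file carrying
    an executable line (harmless here; it only sets an environment variable).
    """
    d = tempfile.mkdtemp(prefix="pth_example_")
    with open(os.path.join(d, "benign_paths.pth"), "w", encoding="utf-8") as fh:
        fh.write("/opt/constructed/lib\n# import nothing\n\n")
    with open(os.path.join(d, "zz_constructed_hook.pth"), "w", encoding="utf-8") as fh:
        fh.write('import os; os.environ.setdefault("CONSTRUCTED_EXAMPLE", "1")\n')
    return d


if __name__ == "__main__":
    # First the constructed sample, then the real site directories of this interpreter.
    for directory in [build_sample_dir()] + site_directories():
        for finding in scan_directory(directory):
            print(finding.path)
            for line in finding.exec_lines:
                print("    exec:", line)
```

Run it as a post-install step in CI or on a developer machine and diff the output against a known-good baseline; a new executable .pth line appearing after a dependency bump is the signal to stop and inspect the package before the interpreter is started again. Some legitimate packages (editable installs, certain import hooks) ship executable .pth lines, so the baseline matters more than the raw count.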
