10 interesting stories served every morning and every evening.




1 1,040 shares, 42 trendiness

Advent of Code

Hi! I’m Eric Wastl. I make Advent of Code. I hope you like it! I also make lots of other things. I’m on Bluesky, Mastodon, and GitHub.

Advent of Code is an Advent calendar of small programming puzzles for a variety of skill levels that can be solved in any programming language you like. People use them as interview prep, company training, university coursework, practice problems, a speed contest, or to challenge each other.

You don’t need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.

If you’d like to support Advent of Code, you can do so indirectly by helping to [Share] it with others or directly via AoC++.

If you get stuck, try your solution against the examples given in the puzzle; you should get the same answers. If not, re-read the description. Did you misunderstand something? Is your program doing something you don’t expect? After the examples work, if your answer still isn’t correct, build some test cases for which you can verify the answer by hand and see if those work with your program. Make sure you have the entire puzzle input. If you’re still stuck, maybe ask a friend for help, or come back to the puzzle later. You can also ask for hints in the subreddit.

Is there an easy way to select entire code blocks? You should be able to triple-click code blocks to select them. You’ll need JavaScript enabled.

    #!/usr/bin/env perl
    use warnings;
    use strict;
    print "You can test it out by ";
    print "triple-clicking this code.\n";

How does authentication work? Advent of Code uses OAuth to confirm your identity through other services. When you log in, you only ever give your credentials to that service - never to Advent of Code. Then, the service you use tells the Advent of Code servers that you’re really you. In general, this reveals no information about you beyond what is already public; here are examples from Reddit and GitHub. Advent of Code will remember your unique ID, names, URL, and image from the service you use to authenticate.

Why was this puzzle so easy / hard? The difficulty and subject matter varies throughout each event. Very generally, the puzzles get more difficult over time, but your specific skillset will make each puzzle significantly easier or harder for you than someone else. Making puzzles is tricky.

Why do the puzzles unlock at midnight EST/UTC-5? Because that’s when I can consistently be available to make sure everything is working. I also have a family, a day job, and even need sleep occasionally. If you can’t participate at midnight, that’s not a problem; if you want to race, many people use private leaderboards to compete with people in their area.

I find the text on the site hard to read. Is there a high contrast mode? There is a high contrast alternate stylesheet. Firefox supports these by default (View -> Page Style -> High Contrast).

I have a puzzle idea! Can I send it to you? Please don’t. Because of legal issues like copyright and attribution, I don’t accept puzzle ideas, and I won’t even read your email if it looks like one just in case I use parts of it by accident.

Did I find a bug with a puzzle? Once a puzzle has been out for even an hour, many people have already solved it; after that point, bugs are very unlikely. Start by asking on the subreddit.

Should I try to get a fast solution time? Maybe. Solving puzzles is hard enough on its own, but trying for a fast time also requires many additional skills and a lot of practice; speed-solves often look nothing like code that would pass a code review. If that sounds interesting, go for it! However, you should do Advent of Code in a way that is useful to you, and so it is completely fine to choose an approach that meets your goals and ignore speed entirely.

Why did the number of days per event change? It takes a ton of my free time every year to run Advent of Code, and building the puzzles accounts for the majority of that time. After keeping a consistent schedule for ten years(!), I needed a change. The puzzles still start on December 1st so that the day numbers make sense (Day 1 = Dec 1), and puzzles come out every day (ending mid-December).

What happened to the global leaderboard? The global leaderboard was one of the largest sources of stress for me, for the infrastructure, and for many users. People took things too seriously, going way outside the spirit of the contest; some people even resorted to things like DDoS attacks. Many people incorrectly concluded that they were somehow worse programmers because their own times didn’t compare. What started as a fun feature in 2015 became an ever-growing problem, and so, after ten years of Advent of Code, I removed the global leaderboard. (However, I’ve made it so you can share a read-only view of your private leaderboard. Please don’t use this feature or data to create a “new” global leaderboard.)

While trying to get a fast time on a private leaderboard, may I use AI / watch streamers / check the solution threads / ask a friend for help / etc? If you are a member of any private leaderboards, you should ask the people that run them what their expectations are of their members. If you don’t agree with those expectations, you should find a new private leaderboard or start your own! Private leaderboards might have rules like maximum runtime, allowed programming language, what time you can first open the puzzle, what tools you can use, or whether you have to wear a silly hat while working.

Should I use AI to solve Advent of Code puzzles? No. If you send a friend to the gym on your behalf, would you expect to get stronger? Advent of Code puzzles are designed to be interesting for humans to solve - no consideration is made for whether AI can or cannot solve a puzzle. If you want practice prompting an AI, there are almost certainly better exercises elsewhere designed with that in mind.

Can I copy/redistribute part of Advent of Code? Please don’t. Advent of Code is free to use, not free to copy. If you’re posting a code repository somewhere, please don’t include parts of Advent of Code like the puzzle text or your inputs. If you’re making a website, please don’t make it look like Advent of Code or name it something similar.

...

Read the original on adventofcode.com »

2 973 shares, 35 trendiness

Voyager 1 Is About to Reach One Light-day from Earth


Artist’s concept of the Voyager 1 spacecraft speeding through interstellar space. (Image: NASA / JPL-Caltech)

After nearly 50 years in space, NASA’s Voyager 1 is about to hit a historic milestone. By November 15, 2026, it will be 16.1 billion miles (25.9 billion km) away, meaning a radio signal will take a full 24 hours—a full light-day—to reach it. For context, a light-year is the distance light travels in a year, about 5.88 trillion miles (9.46 trillion km), so one light-day is just a tiny fraction of that.

Launched in 1977 to explore Jupiter and Saturn, Voyager 1 entered interstellar space in 2012, becoming the most distant human-made object ever. Traveling at around 11 miles per second (17.7 km/s), it adds roughly 3.5 astronomical units (the distance from Earth to the Sun) each year. Even after decades in the harsh environment of space, Voyager 1 keeps sending data thanks to its radioisotope thermoelectric generators, which will last into the 2030s.

Communicating with Voyager 1 is slow. Commands now take about a day to arrive, with another day for confirmation. Compare that to the Moon (1.3 seconds), Mars (up to 4 minutes), and Pluto (nearly 7 hours). The probe’s distance makes every instruction a patient exercise in deep-space operations. To reach our closest star, Proxima Centauri, even at light speed, would take over four years—showing just how tiny a light-day is in cosmic terms.

The ‘Pale Blue Dot’ image of Earth, captured by Voyager 1. (Image: NASA / Public Domain)

Voyager 1’s journey is more than a record for distance. From its planetary flybys to the iconic ‘Pale Blue Dot’ image, it reminds us of the vast scale of the solar system and the incredible endurance of a spacecraft designed to keep exploring, even without return.


...

Read the original on scienceclock.com »

3 901 shares, 30 trendiness

Someone At YouTube Needs Glasses

In my recent analysis of YouTube’s information density I included the results from an advanced statistical analysis on the number of videos present on the home page, which projected that around May 2026 there would only be one lonely video on the home screen.

Amazingly, a disgruntled Googler leaked a recording of how YouTube’s PM org handled the criticism as it sat at the top of Hacker News for a whole day for some reason.

The net result is that after months of hard work by YouTube engineers, the other day I fired up YouTube on an Apple TV and was graced with this:

Let’s analyze this picture and count the number of videos on the home screen:

Unfortunately the YouTube PM org’s myopia is accelerating: with this data I now project that there will be zero videos on the homescreen around May of 2026 now, up from September.

Apparently Poe’s Law applies to Google PMs, satire is dead, and maybe our mandatory NeuraLinks are coming sooner than I thought.

...

Read the original on jayd.ml »

4 858 shares, 35 trendiness

Migrating from GitHub to Codeberg

Ever since git init ten years ago, Zig has been hosted on GitHub. Unfortunately, when it sold out to Microsoft, the clock started ticking. “Please just give me 5 years before everything goes to shit,” I thought to myself. And here we are, 7 years later, living on borrowed time.

Putting aside GitHub’s relationship with ICE, it’s abundantly clear that the engineering excellence that created GitHub’s success is no longer driving it. Priorities and the engineering culture have rotted, leaving users inflicted with some kind of bloated, buggy JavaScript framework in the name of progress. Stuff that used to be snappy is now sluggish and often entirely broken.

Most importantly, Actions has inexcusable bugs while being completely neglected. After the CEO of GitHub said to “embrace AI or get out”, it seems the lackeys at Microsoft took the hint, because GitHub Actions started “vibe-scheduling”; choosing jobs to run seemingly at random. Combined with other bugs and inability to manually intervene, this causes our CI system to get so backed up that not even master branch commits get checked.

Rather than wasting donation money on more CI hardware to work around this crumbling infrastructure, we’ve opted to switch Git hosting providers instead.

As a bonus, we look forward to fewer violations (exhibit A, B, C) of our strict no LLM / no AI policy, which I believe are at least in part due to GitHub aggressively pushing the “file an issue with Copilot” feature in everyone’s face.

The only concern we have in leaving GitHub behind has to do with GitHub Sponsors. This product was key to Zig’s early fundraising success, and it remains a large portion of our revenue today. I can’t thank Devon Zuegel enough. She appeared like an angel from heaven and single-handedly made GitHub into a viable source of income for thousands of developers. Under her leadership, the future of GitHub Sponsors looked bright, but sadly for us, she, too, moved on to bigger and better things. Since she left, that product as well has been neglected and is already starting to decline.

Although GitHub Sponsors is a large fraction of Zig Software Foundation’s donation income, we consider it a liability. We humbly ask if you, reader, are currently donating through GitHub Sponsors, that you consider moving your recurring donation to Every.org, which is itself a non-profit organization.

As part of this, we are sunsetting the GitHub Sponsors perks. These perks are things like getting your name onto the home page, and getting your name into the release notes, based on how much you donate monthly. We are working with the folks at Every.org so that we can offer the equivalent perks through that platform.

Effective immediately, I have made ziglang/zig on GitHub read-only, and the canonical origin/master branch of the main Zig project repository is https://codeberg.org/ziglang/zig.git.

Thank you to the Forgejo contributors who helped us with our issues switching to the platform, as well as the Codeberg folks who worked with us on the migration - in particular Earl Warren, Otto, Gusted, and Mathieu Fenniak.

In the end, we opted for a simple strategy, sidestepping GitHub’s aggressive vendor lock-in: leave the existing issues open and unmigrated, but start counting issues at 30000 on Codeberg so that all issue numbers remain unambiguous. Let us please consider the GitHub issues that remain open as metaphorically “copy-on-write”. Please leave all your existing GitHub issues and pull requests alone. No need to move your stuff over to Codeberg unless you need to make edits, additional comments, or rebase. We’re still going to look at the already open pull requests and issues; don’t worry.

In this modern era of acquisitions, weak antitrust regulations, and platform capitalism leading to extreme concentrations of wealth, non-profits remain a bastion defending what remains of the commons.

...

Read the original on ziglang.org »

5 841 shares, 34 trendiness

Slop Evader — Tega Brain

How to Get to Zero at Pioneer Works, Sep 12 - Dec 14, 2025. Review in the Art Newspaper, Oct 14. Offset at MediaLive: Data Rich, Dirt Poor at BMoCA, Sep 12 - Jan 11, 2026.

A browser extension for avoiding AI slop.

Download it for Chrome or Firefox.

This is a search tool that will only return content created before ChatGPT’s first public release on November 30, 2022.

Since the public release of ChatGPT and other large language models, the internet is being increasingly polluted by AI generated text, images and video. This browser extension uses the Google search API to only return content published before Nov 30th, 2022 so you can be sure that it was written or produced by the human hand.

...

Read the original on tegabrain.com »

6 765 shares, 29 trendiness

Bring Back Doors

I’m done. I’m done arriving at hotels and discovering that they have removed the bathroom door. Something that should be as standard as having a bed, has been sacrificed in the name of “aesthetic”.

I get it, you can save on material costs and make the room feel bigger, but what about my dignity??? I can’t save that when you don’t include a bathroom door.

It’s why I’ve built this website, where I compiled hotels that are guaranteed to have bathroom doors, and hotels that need to work on privacy.

I’ve emailed hundreds of hotels and I asked them two things: do your doors close all the way, and are they made of glass? Everyone that says yes to their doors closing, and no to being made of glass has been sorted by price range and city for you to easily find places to stay that are guaranteed to have a bathroom door.

Quickly check to see if the hotel you’re thinking of booking has been reported as lacking in doors by a previous guest.

Finally, this passion project could not exist without people submitting hotels without bathroom doors for public shaming. If you’ve stayed at a doorless hotel send me an email with the hotel name to bringbackdoors@gmail.com, or send me a DM on Instagram with the hotel name and a photo of the doorless setup to be publicly posted.

Let’s name and shame these hotels to protect the dignity of future travelers.

...

Read the original on bringbackdoors.com »

7 727 shares, 27 trendiness

Google Antigravity Exfiltrates Data

An indirect prompt injection in an implementation blog can manipulate Antigravity to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s IDE.


Antigravity is Google’s new agentic code editor. In this article, we demonstrate how an indirect prompt injection can manipulate Gemini to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s IDE.

Google’s approach is to include a disclaimer about the existing risks, which we address later in the article.

Let’s consider a use case in which a user would like to integrate Oracle ERP’s new Payer AI Agents into their application, and is going to use Antigravity to do so.

In this attack chain, we illustrate that a poisoned web source (an integration guide) can manipulate Gemini into (a) collecting sensitive credentials and code from the user’s workspace, and (b) exfiltrating that data by using a browser subagent to browse to a malicious site.

Note: Gemini is not supposed to have access to .env files in this scenario (with the default setting ‘Allow Gitignore Access > Off’). However, we show that Gemini bypasses its own setting to get access and subsequently exfiltrate that data.

The user provides Gemini with a reference implementation guide they found online for integrating Oracle ERP’s new AI Payer Agents feature.

Antigravity opens the referenced site and encounters the attacker’s prompt injection hidden in 1 point font.

a. Collect code snippets and credentials from the user’s codebase.

b. Create a dangerous URL using a domain that allows an attacker to capture network traffic logs and append credentials and code snippets to the request.

c. Activate a browser subagent to access the malicious URL, thus exfiltrating the data.

Gemini is manipulated by the attacker’s injection to exfiltrate confidential .env variables.

a. Gemini reads the prompt injection: Gemini ingests the prompt injection and is manipulated into believing that it must collect and submit data to a fictitious ‘tool’ to help the user understand the Oracle ERP integration.

b. Gemini gathers data to exfiltrate: Gemini begins to gather context to send to the fictitious tool. It reads the codebase and then attempts to access credentials stored in the .env file as per the attacker’s instructions.

c. Gemini bypasses the .gitignore file access protections: The user has followed a common practice of storing credentials in a .env file, and has the .env file listed in their .gitignore file. With the default configuration for Agent Gitignore Access, Gemini is prevented from reading the credential file.

This doesn’t stop Gemini. Gemini decides to work around this protection using the ‘cat’ terminal command to dump the file contents instead of using its built-in file reading capability that has been blocked.

d. Gemini constructs a URL with the user’s credentials and an attacker-monitored domain: Gemini builds a malicious URL per the prompt injection’s instructions by URL encoding the credentials and codebase snippets (e.g., replacing characters like spaces that would make a URL invalid), and appending it to a webhook.site domain that is monitored by the attacker.

e. Gemini exfiltrates the data via the browser subagent: Gemini invokes a browser subagent per the prompt injection, instructing the subagent to open the dangerous URL that contains the user’s credentials.

This step requires that the user has set up the browser tools feature. This is one of the flagship features of Antigravity, allowing Gemini to iterate on its designs by opening the application it is building in the browser.

Note: This attack chain showcases manipulation of the new Browser tools, but we found three additional data exfiltration vulnerabilities that did not rely on the Browser tools being enabled.

When Gemini creates a subagent instructed to browse to the malicious URL, the user may expect to be protected by the Browser URL Allowlist.

However, the default Allowlist provided with Antigravity includes ‘webhook.site’. Webhook.site allows anyone to create a URL where they can monitor requests to the URL.

So, the subagent completes the task.

3. When the malicious URL is opened by the browser subagent, the credentials and code stored in the URL are logged to the webhook.site address controlled by the attacker. Now, the attacker can read the credentials and code.
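
A defender-side sketch of the two checks this chain slipped past, added here as an example and not code from PromptArmor or Google: applying the gitignore policy to terminal commands as well as the file-read tool, and inspecting outbound URLs for workspace secrets instead of trusting a host allowlist alone. All function names, the sample .env, the sample .gitignore and the sample URLs are constructed assumptions.

```python
import fnmatch
import shlex
from urllib.parse import unquote, urlsplit

# Constructed sample data (not taken from the article).
SAMPLE_ENV = '''# constructed example .env
AWS_SECRET_ACCESS_KEY="EXAMPLE/secret+key 1234567890"
DB_PASSWORD=example-db-pass-42
DEBUG=1
'''
SAMPLE_GITIGNORE = ".env\n*.pem\nnode_modules/\n"
BENIGN_URL = "https://docs.example.com/guide?page=2"
LEAKY_URL = ("https://webhook.site/constructed-id?d=example-db-pass-42"
             "&k=EXAMPLE%2Fsecret%2Bkey%201234567890")
DOUBLE_ENCODED_URL = "https://docs.example.com/?q=example%252Ddb%252Dpass%252D42"

# Assumed policy list: hosts where anyone can create an endpoint and read the
# requests sent to it. The article names webhook.site as one such service.
REQUEST_CAPTURE_HOSTS = {"webhook.site"}


def parse_env(text, min_len=8):
    """Return {name: value}, skipping values too short to match reliably."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip("\"'")
        if len(value) >= min_len:
            secrets[name.strip()] = value
    return secrets


def normalise(s, rounds=3):
    """Percent-decode until stable, then treat '+' and space as the same."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("+", " ")


def leaked_secrets(url, secrets):
    """Names of secrets whose value appears anywhere in the decoded URL."""
    haystack = normalise(url)
    return sorted(n for n, v in secrets.items() if normalise(v) in haystack)


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def check_navigation(url, allowlist, secrets):
    """Reasons to block a browser-subagent navigation; empty list = allow."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if not host_in(host, allowlist):
        reasons.append("host not on allowlist")
    if host_in(host, REQUEST_CAPTURE_HOSTS):
        reasons.append("request-capture host")
    reasons += [f"contains secret {n}" for n in leaked_secrets(url, secrets)]
    return reasons


def protected_paths_in_command(command, gitignore_text):
    """Shell-command arguments that match a .gitignore pattern.

    Simplified matching: each argument and its basename are compared with
    each pattern; negation and anchoring rules are not implemented. Token
    matching cannot see through shell expansion, so the durable control is
    OS-level file permissions or a sandbox around the agent's terminal.
    """
    patterns = [p.strip().rstrip("/") for p in gitignore_text.splitlines()
                if p.strip() and not p.strip().startswith("#")]
    try:
        tokens = shlex.split(command)
    except ValueError:              # unbalanced quotes: fail closed
        return [command]
    hits = []
    for token in tokens:
        base = token.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(token, p) or fnmatch.fnmatch(base, p)
               for p in patterns):
            hits.append(token)
    return hits


if __name__ == "__main__":
    secrets = parse_env(SAMPLE_ENV)
    allow = {"webhook.site", "docs.example.com"}   # mirrors a permissive default
    print(protected_paths_in_command("cat .env", SAMPLE_GITIGNORE))
    for u in (BENIGN_URL, LEAKY_URL, DOUBLE_ENCODED_URL):
        print(u, "->", check_navigation(u, allow, secrets) or "allow")
```

The content check fires even when the destination host is on the allowlist, which is the case the default configuration described above leaves open.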

During Antigravity’s onboarding, the user is prompted to accept the default recommended settings shown below.

These are the settings that, amongst other things, control when Gemini requests human approval. During the course of this attack demonstration, we clicked “next”, accepting these default settings.

This configuration allows Gemini to determine when it is necessary to request a human review for Gemini’s plans.

This configuration allows Gemini to determine when it is necessary to request a human review for commands Gemini will execute.

One might note that users operating Antigravity have the option to watch the chat as agents work, and could plausibly identify the malicious activity and stop it.

However, a key aspect of Antigravity is the ‘Agent Manager’ interface. This interface allows users to run multiple agents simultaneously and check in on the different agents at their leisure.

Under this model, it is expected that the majority of agents running at any given time will be running in the background without the user’s direct attention. This makes it highly plausible that an agent is not caught and stopped before it performs a malicious action as a result of encountering a prompt injection.

A lot of AI companies are opting for this disclaimer rather than mitigating the core issues. Here is the warning users are shown when they first open Antigravity:

Given that (1) the Agent Manager is a star feature allowing multiple agents to run at once without active supervision and (2) the recommended human-in-the-loop settings allow the agent to choose when to bring a human in to review commands, we find it extremely implausible that users will review every agent action and abstain from operating on sensitive data. Nevertheless, as Google has indicated that they are already aware of data exfiltration risks exemplified by our research, we did not undertake responsible disclosure.

...

Read the original on www.promptarmor.com »

8 716 shares, 30 trendiness

All it takes is for one to work out

More than a decade ago, when I was applying to graduate school, I went through a period of deep uncertainty. I had tried the previous year and hadn’t gotten in anywhere. I wanted to try again, but I had a lot going against me.

I’d spent most of my undergrad building a student job-portal startup and hadn’t balanced it well with academics. My GPA needed explaining. My GMAT score was just okay. I didn’t come from a big-brand employer. And there was no shortage of people with similar or stronger profiles applying to the same schools.

Even though I had learned a few things from the first round, the second attempt was still difficult. There were multiple points after I submitted applications where I lost hope.

But during that stretch, a friend and colleague kept repeating one line to me:

“All it takes is for one to work out.”

He’d say it every time I spiraled. And as much as it made me smile, a big part of me didn’t fully believe it. Still, it became a little maxim between us. And eventually, he was right — that one did work out. And it changed my life.

I’ve thought about that framing so many times since then.

You don’t need every job to choose you. You just need the one that’s the right fit.

You don’t need every house to accept your offer. You just need the one that feels like home.

You don’t need every person to want to build a life with you. You just need the one.

You don’t need ten universities to say yes. You just need the one that opens the right door.

These processes — college admissions, job searches, home buying, finding a partner — can be emotionally brutal. They can get you down in ways that feel personal. But in those moments, that truth can be grounding.

All it takes is for one to work out.

And that one is all you need.

...

Read the original on alearningaday.blog »

9 713 shares, 29 trendiness

Boing

...

Read the original on boing.greg.technology »

10 708 shares, 29 trendiness

Leak confirms OpenAI is preparing ads on ChatGPT for public roll out

OpenAI is now internally testing ‘ads’ inside ChatGPT that could redefine the web economy.

Up until now, the ChatGPT experience has been completely free.

While there are premium plans and models, you don’t see GPT sell you products or show ads. On the other hand, Google Search has ads that influence your buying behaviour.

As spotted by Tibor on X, ChatGPT Android app 1.2025.329 beta includes new references to an “ads feature” with “bazaar content”, “search ad” and “search ads carousel.”

This move could disrupt the web economy, as what most people don’t understand is that GPT likely knows more about users than Google.

For example, OpenAI could create personalised ads on ChatGPT that promote products that you really want to buy. It might also sneak in ads in the search ads, similar to Google Search ads.

The leak suggests that ads will initially be limited to the search experience only, but this may change in the future.

ChatGPT has roughly 800 million people using it every week, up from 100 million weekly users in November 2023 and about 300 million weekly users in late 2024.

An OpenAI-backed study estimated 700 million users sending 18 billion messages per week by July 2025, which lines up with this growth, and other analysts now peg traffic at around 5–6 billion visits per month.

GPT handles about 2.5 billion prompts a day, and India has become the single biggest user base, ahead of the US.

ChatGPT has everything it needs for ads to succeed. What do you think?

...

Read the original on www.bleepingcomputer.com »
