  • Nemotron 3 Nano Omni: one model that sees, hears, reads, and clicks

    Nvidia dropped Nemotron 3 Nano Omni yesterday — a 30B-A3B mixture-of-experts model that takes text, images, audio, video, documents, charts, and screenshots of GUIs as input and emits text. It’s the multimodal sibling of the Nemotron 3 Nano 4B I tested against Gemma 4 a couple of weeks back. The 4B was text-only with a reasoning mode. This one is the perception layer of the family.

  • Checkmarx KICS got compromised — the irony writes itself

    A security scanner you pull into your CI pipeline to find vulnerabilities got turned into the vulnerability. On April 22, 2026 at 12:31 UTC, someone with valid Checkmarx publisher credentials pushed malicious images to the official checkmarx/kics Docker Hub repo. Tags affected: latest, v2.1.20-debian, v2.1.21-debian, alpine, debian (Checkmarx’s own writeup stresses that “known safe versions” were not overwritten — the malicious v2.1.21-debian tag is a fresh one that doesn’t correspond to a real release). If your pipeline ran docker pull checkmarx/kics:latest during that window, you shipped a credential stealer into your own runner.

    And KICS wasn’t alone. The Checkmarx security update on April 22 confirms the blast radius spanned three separate artifact types: the KICS Docker image, the ast-github-action GitHub Action (malicious tag 2.3.35, fixed in 2.3.36), and two VS Code extensions — ast-results (versions 2.63, 2.66) and cx-dev-assist (versions 1.17, 1.19), both patched in 2.67.0+. The IDE extensions are the scary part: they auto-update in the background on your laptop, not just in CI.

  • tamtam, five days later — self-improving agents, a CTO in a textarea, and a release pipeline that closes its own PRs

    Five days ago I posted about tamtam — a dashboard that drives Claude CLI across my workspace. Since then I’ve shipped 79 commits on top of it. The original post described a tool that could run the loop. What’s in master tonight is a tool that treats the loop as a first-class feature: agents that rewrite their own prompts on a schedule, a release pipeline that opens and merges its own PRs, a CTO skill that stops me from shipping busywork, a stats page that tells me when I’m burning tokens on nothing, and a pile of smaller things that make the whole thing feel less like a demo and more like an appliance.

    This post is the delta. Same tool, five days older, behaving like a different tool in a few places that matter.

  • terraformer is archived — what now

    Terraformer — the tool that reverse-engineered your existing cloud infrastructure into Terraform HCL — was archived in March 2026. Read-only, no new releases, no maintainer. If you’ve been using it for bulk imports of existing AWS or GCP accounts, you need a plan.

  • OpenShift is Kubernetes, except when it isn't — notes after touching it again

    “OpenShift is just Kubernetes with a web console, right?” — that was the question. The short answer is yes, and that is exactly the trap. The API is Kubernetes. kubectl works. Your manifests mostly apply. And then you hit four or five things that behave nothing like plain Kubernetes and cost you a day each until you learn the shape of them.

    I’ve spent most of the last decade on vanilla Kubernetes — EKS, GKE, and a pile of self-managed things before that — with a few OpenShift touchpoints in older lives and one recent one. This post is a write-up of the quirks that have bitten me or people around me, including the big one: you cannot customize OpenShift’s platform Prometheus. Not “it’s hard”, not “you need to know the right flag” — the operator actively undoes your edits. That alone is worth writing down.

  • kubernetes networking - how it actually works

    Kubernetes networking has a reputation for being black magic. And honestly? When it first clicked for me I realized it’s not magic at all — it’s just a lot of clever layering. Let me walk you through it from the ground up.

  • tamtam — apps that write themselves, and the part of me that's fine with that

    I have twenty projects in my workspace. At any given moment, roughly a third of them have uncommitted changes I’ve forgotten about, two are red on CI because of something trivial, one has a scheduled daily review I keep meaning to run, and at least one wants a dependency bump that would take Claude forty seconds to do. The problem isn’t Claude Code — Claude Code is great. The problem is that I have to cd into each repo, check the state, decide what to do, and then type the prompt. Doing that across twenty projects is a loop I was losing every single day. So I built tamtam — a web dashboard that sits in front of Claude CLI and drives it for me across the whole workspace.

    Six days in, tamtam has been reviewing and improving itself on a 24-hour cron. It edits its own code, opens its own commits, updates its own prompts when they don’t work, and pings me when something needs a human look. My role has quietly narrowed to two things: handing over tokens and pointing a direction. Some will call this amazing. Some will call it app slop. Honestly, both are correct. This post is about what that feels like in practice, and the dashboard I built so I can live inside it without losing the thread.

  • Opus 4.6 vs 4.7: I ran my own benchmark through the Claude CLI

    Opus 4.7 dropped yesterday. I don’t have a real opinion yet — a day isn’t enough — but I did have a few hours and some curiosity, so I wrote a tiny benchmark and ran both models through it. Instead of citing Anthropic’s launch numbers, I wanted to see what I’d get on my own laptop.

  • seo-tools — how I keep analytics and SEO across multiple sites from becoming a second job

    Running more than one site creates a specific kind of friction that sneaks up on you. You deploy something, fix a meta tag, add a page — and then a week later you’re opening four GA4 tabs, clicking through Search Console for three different properties, and manually checking whether robots.txt still exists after that last deploy. None of it is hard. All of it adds up. I built seo-tools to collapse that down to one place, and I’ve been running it daily ever since.

  • Claude Mythos: the AI that hacked every OS and emailed a researcher about it

    Anthropic has a new model. You can’t have it. Neither can I. And after reading what it did during testing, I’m not sure that’s a bad call.