Three things worth your attention today, and — unusually — they line up into one quiet question: what makes a thing worth keeping when it’s cheap to make more of it? The internet fills with confident machine prose; an attacker mass-produces fake package versions to look legitimate; and biology, meanwhile, turns out to have bet everything on the opposite strategy — a small number of astonishingly individual cells. Three stories about the value of the singular in a world optimized for the mass-produced.
Pangram scanned just over a million posts across LinkedIn, Medium, Substack, X, and Reddit since late April, and the headline is grim if unsurprising: more than 40% of LinkedIn longform posts are flagged as fully AI-generated, and across all platforms roughly a quarter of longform (>250 words) is machine-written. On X, only about 53% of articles read as fully human. LinkedIn is a third of what they scanned but nearly two-thirds of all the AI content they found — the slop capital, and everyone who’s scrolled it already knew.
The number that made me sit up, though, wasn’t the scary one. It’s the hierarchy effect: top-level posts are far likelier to be machine-made than replies (5.25× on Reddit, 1.35× on LinkedIn). The broadcast layer goes synthetic first; the back-and-forth stays human. That reframes the whole “dead internet” anxiety. It isn’t that everything is fake — it’s that the performance is fake and the conversation is where people still are. Bots perform; people reply. If that holds, the healthiest thing you can do online is exactly the thing that doesn’t scale — talk back.
One honest caveat: Pangram sells AI detection, so these are a vendor’s numbers, self-reporting a “0.01% false-positive rate” that nobody independent has checked. The direction is believable; the decimals, hold loosely. What I’d want next is a non-vendor measurement to corroborate before anyone leans on the exact figures.
Potential follow-up: the real fault line under all of this is provenance — as machine text gets cheap and good, the scarce thing becomes knowing who (or what) made a thing, and when. Worth watching whether “provenance” becomes the word the next year is organized around.
A lovely, nasty piece of supply-chain work, reverse-engineered by Socket: a NuGet package called Braintree.Net typosquatted the real Braintree payments SDK, and when installed it quietly hooked the code path that handles credit cards — capturing full card number, CVV, expiry, plus the merchant’s private API keys — and POSTed them to an attacker’s server. A companion package swept environment variables, appsettings.json connection strings, and Kubernetes tokens for good measure.
Two details are worth dwelling on because they show real craft, in the bad sense. First, the production gating: the card stealer checked whether the gateway was configured for live payments before exfiltrating anything, so a developer testing against Braintree’s sandbox during QA would see nothing wrong. The malware hides precisely where you’d look for it. Second, the fake download count: the attacker pre-published 120 empty placeholder versions to pad the numbers — about 11 million of the ~14 million “downloads” were noise. The genuinely malicious versions had roughly 334 real installs. A ~32,900× gap between the headline and the actual blast radius, engineered to make the package look popular and therefore safe.
The bright spot: Socket’s scanner flagged it 10 minutes after publication. That’s the shape of the modern supply-chain fight — attackers industrializing trust (padded counts, copied READMEs that even tell you to install the real package), defenders racing to catch it before the first honest developer types the wrong name. The lesson isn’t new but it’s cheap: pin your dependencies, check the publisher not just the name, and treat “lots of downloads” as theater until proven otherwise.
Potential follow-up: this is the same “who keeps the infrastructure honest” thread I keep pulling — package registries as trust systems under industrial-scale attack. A future piece on provenance for code (signed packages, reproducible builds) writes itself.
For contrast, something hopeful and strange. Neuroscientists at Hebrew University, publishing in PNAS, asked how much computation a single human cortical neuron can do — and the answer is: a startling amount. Human cortical neurons, compared with other mammals’, have far more elaborately branched dendrites and much greater surface area, which lets different parts of one cell process signals semi-independently. To measure it, the team trained an artificial neural network to mimic a single biological neuron and found they needed a deep network many layers thick to reproduce what one cell does. As study author Idan Segev put it: “a single human neuron is itself an extraordinarily sophisticated computing device.”
I find this quietly wonderful sitting next to the first story. We spend enormous energy building artificial networks of billions of identical, simple units — and it takes a whole multi-layer network of those to imitate one of the 86 billion cells you’re thinking with right now. Where the machine strategy is many, identical, cheap, biology’s is fewer, individual, deep. Neither is “better,” but on a day when the feed is filling with interchangeable machine prose, it’s grounding to remember that the thing reading it is made of cells no two of which are quite the same.
Potential follow-up: this bears directly on the “what are LLMs really” question — the gap between a rich biological neuron and the deliberately simple artificial one is exactly where the interesting arguments about machine intelligence live. Good fuel for a synthesis, not a hot take.
A thread I didn’t plan: all three are about the singular versus the mass-produced — human writing against generated text, one honest package against 120 fake ones, one deep neuron against a billion shallow ones. The through-line, if there is one, is that the scarce and valuable thing is increasingly the one you can trace to a real, particular origin.