Episode 299
Don't Paste That Into Your Terminal
April 14th, 2026
42 mins 26 secs
About this Episode
The Erlang Ecosystem Foundation is seeking community support for a major grant to fund the Ægis security project, with an April 17th deadline to show support; Hex.pm published the results of its first-ever comprehensive third-party security audit, revealing three high-severity findings that have since been fixed; José Valim unveils a massive Tidewave update including UI Variants and a new "vision" mode that lets your coding agent take screenshots and record videos of your web app; Hex.pm gains the ability to serve llms.txt files for Elixir and Erlang packages; Remote releases a new Elixir LSP called Dexter, written in Go; Lotus gets significant updates as an embeddable BI engine for Phoenix apps; Ghostty terminal emulator bindings land in Elixir, bringing GenServer-based terminals to LiveView; and we discuss the alarming ClickFix supply chain attack that compromised Axios and what it means for open source maintainers everywhere, and more!
Show Notes online - http://podcast.thinkingelixir.com/299
Elixir Community News
- https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a special offer.
- https://marketing.erlef.org/news/grant-petition.html – The Erlang Ecosystem Foundation is seeking community backing for a grant that would fund two full years of work on the Ægis security project — improving how packages are published, verified, and trusted across Hex and the broader ecosystem. The deadline to show support is April 17th.
- https://hex.pm/blog/security-audit – Hex.pm published the results of its first comprehensive third-party security audit, made possible by Alpha-Omega under the OpenSSF. Two firms — Paraxial.io and zentrust partners GmbH — reviewed the Hex registry, clients, documentation infrastructure, and supporting systems. Three high-severity issues were found and have all been fixed.
- https://paraxial.io/blog/hex-pentest – Michael Lubas of Paraxial.io shares details of the white-box penetration testing performed on Hex.pm as part of the Ægis security audit.
- https://hex.pm/reports/2026/zentrust.pdf – The published report from zentrust partners GmbH covering their adversarial/red-team style assessment of Hex.pm, including three high-severity findings (all now fixed) plus medium- and low-severity items.
- https://x.com/josevalim/status/2042245524116439169 – José Valim announces a massive update to Tidewave, teasing several days of videos and screenshots covering new features.
- https://hexdocs.pm/tidewave/ui_variants.html – Documentation for Tidewave's new UI Variants feature, which lets your coding agent build different versions of a page or UI component so you can pick and refine your favorite — all integrated directly in the browser.
- https://www.youtube.com/watch?v=8px8GdpID74 – Video demo of Tidewave's new UI Variants feature in action.
- https://x.com/adamwathan/status/2041977909502489060 – Adam Wathan (creator of TailwindCSS) shows off ui.sh, a set of skills for creating UIs in coding agent CLIs like Claude Code and Codex — noted as a comparison point to Tidewave's more integrated, browser-native experience.
- https://x.com/josevalim/status/2042608254065287565 – José Valim demos Tidewave's new "vision" mode, which lets your coding agent take screenshots and record videos of your web app — including demoing a feature working on both desktop and mobile resolutions and delivering results to Slack.
- https://x.com/josevalim/status/2042581154067337280 – José Valim announces that Hex.pm will now serve llms.txt files for Elixir/Erlang packages when the request's Accept header is text/markdown. Package authors using ExDoc should update to the latest version and republish their docs.
- https://github.com/remoteoss/dexter – Remote released Dexter, a new Elixir LSP written in Go. An interesting alternative to the official LSP, though its positioning relative to the official tooling raises some questions.
- https://github.com/typhoonworks/lotus – Lotus is an embeddable BI (Business Intelligence) engine for Elixir apps featuring an SQL editor, dashboards, visualizations, and AI-powered query generation that mounts directly into a Phoenix app — no Metabase, Redash, or extra infrastructure needed.
- https://lotus.typhoon.works/lotus – The Lotus demo app showcasing its latest features including an AI-powered query assistant (BYOK), dashboards with filters and public sharing, 16 chart types, improved query results with right-click filtering and sorting, and more.
- https://github.com/ghostty-org/ghostty – Ghostty is a fast, feature-rich, native terminal emulator. Its libghostty library is a cross-platform C and Zig library for building terminal emulators or embedding terminal functionality into applications.
- https://github.com/dannote/ghostty_ex – ghostty_ex is an Elixir library that wraps libghostty-vt, bringing a SIMD-optimized VT parsing terminal emulator to the BEAM. Terminals are GenServers, with full Unicode, 24-bit color, and scrollback with text reflow.
- https://github.com/dannote/ghostty_ex?tab=readme-ov-file#liveview – The LiveView integration section of the ghostty_ex README, showing how to install the LiveView hook into a Phoenix app and use the Ghostty.LiveTerminal.Component to handle keyboard events and PTY lifecycle.
- https://x.com/flaviocopes/status/2039973060158095827 – Flavio Copes explains how Axios was compromised via a targeted ClickFix attack, a social engineering technique that tricks maintainers into copying text from a web page and pasting it into their terminal, where it runs as a command.
- https://github.com/axios/axios/issues/10636 – Public post-mortem from the Axios team on the npm supply chain compromise, shared with the community for transparency and awareness.
- https://cybersecuritynews.com/clickfix-attack/ – An explainer on the ClickFix attack: how attackers present a fake "fix" or verification step and trick users into running malware by pasting content from the web into their terminal.
- https://github.com/axios/axios/issues/10636#issuecomment-4182134203 – A GitHub comment documenting multiple recent instances of similar ClickFix-style supply chain attacks across other open source projects.
- https://x.com/simonw/status/2040080868958765229 – Simon Willison weighs in on the Axios supply chain attack via ClickFix social engineering.
- https://simonwillison.net/2026/Apr/3/supply-chain-social-engineering/ – Simon Willison's write-up on the Axios supply chain attack and the social engineering tactics used — noting how time pressure during meetings makes maintainers especially vulnerable to quickly clicking through install prompts.
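The ClickFix items above all come down to one habit: text copied from a page is not guaranteed to be the text you saw, and a terminal executes whatever it receives. The script below is an added example written for these show notes; it is not code from the podcast, from Axios, or from any linked project. It implements a "dump the clipboard to a file, inspect, then decide" step. The function name `inspect_paste`, the specific checks, and the 300-character line threshold are this example's own choices, and the sample inputs in the usage notes are constructed, not real payloads.

```shell
#!/bin/sh
# Added example for the ClickFix discussion (not from the podcast or Axios).
# Workflow: never paste web content straight into a shell. Save the clipboard
# to a file first (`pbpaste > /tmp/paste.txt` on macOS, `xclip -o > ...` on
# X11, `wl-paste > ...` on Wayland), run `inspect_paste /tmp/paste.txt`,
# read the file with `cat -A`, and only then decide whether to run it.
# The checks below are this example's own choices, not an exhaustive detector.

# Print one warning and count it; $findings is reset by each inspect_paste call.
warn() {
  printf 'WARN: %s\n' "$1"
  findings=$((findings + 1))
}

# inspect_paste FILE
# Returns 1 if FILE contains anything that can make the executed text differ
# from what a page displayed, or that matches common "run remote code" shapes;
# returns 0 when none of the listed patterns is present.
inspect_paste() {
  file=$1
  findings=0

  # A carriage return moves the cursor to column 0, so a payload can be
  # overwritten on screen by a harmless-looking command while still executing.
  if LC_ALL=C grep -q "$(printf '\r')" "$file"; then
    warn 'carriage return present: displayed line may differ from executed line'
  fi

  # ESC (0x1b) starts ANSI sequences that can hide, recolor, or move text.
  if LC_ALL=C grep -q "$(printf '\033')" "$file"; then
    warn 'ANSI escape sequence present: text may be hidden or restyled'
  fi

  # Zero-width and bidi control characters are invisible in a browser but
  # change what the shell parses. Matched as raw UTF-8 bytes.
  zw_space=$(printf '\342\200\213')   # U+200B ZERO WIDTH SPACE
  zw_join=$(printf '\342\200\215')    # U+200D ZERO WIDTH JOINER
  bidi_rlo=$(printf '\342\200\256')   # U+202E RIGHT-TO-LEFT OVERRIDE
  bom=$(printf '\357\273\277')        # U+FEFF ZERO WIDTH NO-BREAK SPACE
  if LC_ALL=C grep -q -F -e "$zw_space" -e "$zw_join" -e "$bidi_rlo" -e "$bom" "$file"; then
    warn 'zero-width or bidi control character present'
  fi

  # Without bracketed paste, every newline in the pasted text runs at once,
  # so a multi-line paste never gives you a chance to review later lines.
  lines=$(wc -l < "$file" | tr -d ' ')
  if [ "$lines" -gt 1 ]; then
    warn "$lines lines: each newline executes immediately unless bracketed paste is on"
  fi

  # Classic download-and-execute shape: curl/wget piped into a shell.
  if grep -E -q '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da|k)?sh([[:space:]]|$)' "$file"; then
    warn 'remote download piped into a shell'
  fi

  # Encoded payloads hide the real command from the reader.
  if grep -E -q 'base64[[:space:]]+(-d|-D|--decode)' "$file"; then
    warn 'base64 decode present: the real command is hidden from the reader'
  fi

  # eval / sh -c wrappers are a common way to run a string built at runtime.
  if grep -E -q '(^|[[:space:];&|])eval[[:space:]]|(^|[[:space:];&|])(ba|z)?sh[[:space:]]+-c[[:space:]]' "$file"; then
    warn 'eval or sh -c wrapper present'
  fi

  # Very long lines are typically obfuscated or padded so the tail scrolls
  # out of view in the browser's selection box.
  if awk 'length($0) > 300 { hit = 1 } END { exit !hit }' "$file"; then
    warn 'a line is longer than 300 characters: likely obfuscated or hidden by scrolling'
  fi

  [ "$findings" -eq 0 ]
}

# Stand-alone use: inspect_paste.sh /tmp/paste.txt
if [ "$#" -gt 0 ]; then
  inspect_paste "$1"
fi
```

The two defaults worth checking on your own machine, independent of this script, are that your shell has bracketed paste enabled (bash 5.1+ and zsh do by default, so a multi-line paste is shown rather than run) and that your terminal prompts on pastes containing newlines. Neither protects you from a single-line `curl ... | sh`, which is why the file-first habit is the real control.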
Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at show@thinkingelixir.com
Find us online
- Message the show - Bluesky
- Message the show - X
- Message the show on Fediverse - @ThinkingElixir@genserver.social
- Email the show - show@thinkingelixir.com
- Mark Ericksen on X - @brainlid
- Mark Ericksen on Bluesky - @brainlid.bsky.social
- Mark Ericksen on Fediverse - @brainlid@genserver.social
- David Bernheisel on Bluesky - @david.bernheisel.com
- David Bernheisel on Fediverse - @dbern@genserver.social