<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Orchid Files</title>
    <description>The latest articles on DEV Community by Orchid Files (@orchidfiles).</description>
    <link>https://dev.to/orchidfiles</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3625701%2F579307cf-8816-4794-bbdf-95beb86470bf.png</url>
      <title>DEV Community: Orchid Files</title>
      <link>https://dev.to/orchidfiles</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/orchidfiles"/>
    <language>en</language>
    <item>
      <title>I discovered a large-scale malware distribution campaign on GitHub</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Thu, 18 Jun 2026 17:44:00 +0000</pubDate>
      <link>https://dev.to/orchidfiles/i-discovered-a-large-scale-malware-distribution-campaign-on-github-4m6o</link>
      <guid>https://dev.to/orchidfiles/i-discovered-a-large-scale-malware-distribution-campaign-on-github-4m6o</guid>
      <description>&lt;p&gt;This is the story of how I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories.&lt;/p&gt;

&lt;h3&gt;
  
  
  Introduction
&lt;/h3&gt;

&lt;p&gt;I have a project on GitHub, and I wanted to check whether search engines had indexed it. I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results, with the exact same name and description. It was a copy of my repository with all the commits, and I was listed as a contributor. But an hour ago, another commit was pushed with a change to the readme. A link to a zip archive has been added to it.&lt;/p&gt;

&lt;p&gt;I was choosing appropriate tags for another one of my projects on GitHub. I clicked through those tags to look at similar projects. In the list, I found a repository whose name and description matched exactly those of another repository on that list. It turned out that it also contained copies of all the commits from that repository, and two hours ago, a link to a zip archive has been added to the readme.&lt;/p&gt;

&lt;p&gt;After monitoring these two repositories, I discovered that every few hours they delete the previous commit and push the exact same commit again. This commit contains only one change: adding a link to the archive in the readme file.&lt;/p&gt;

&lt;p&gt;I submitted a request to GitHub support asking them to delete these repositories. Two weeks passed and nothing has changed; GitHub support hasn’t responded. I discussed with an AI what else could be done about this, but it didn’t offer any useful advice. I opened a thread on GitHub, and three people replied with the same AI slop that was of no use at all.&lt;/p&gt;

&lt;p&gt;Another month later, GitHub support sent me an email saying that they had removed these repositories.&lt;/p&gt;

&lt;p&gt;You can open other similar repositories, look at the latest commit, and see that a link to a zip archive was added to the readme a few hours ago:&lt;br&gt;
&lt;a href="https://github.com/lucasheriq4374/welink" rel="noopener noreferrer"&gt;https://github.com/lucasheriq4374/welink&lt;/a&gt;&lt;br&gt;
&lt;a href="https://github.com/lucioloprey/OcyShield-Framework" rel="noopener noreferrer"&gt;https://github.com/lucioloprey/OcyShield-Framework&lt;/a&gt;&lt;br&gt;
&lt;a href="https://github.com/luigi1973/AssetRipper-CLI" rel="noopener noreferrer"&gt;https://github.com/luigi1973/AssetRipper-CLI&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The zip archive contains 4 files:&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Application.cmd or Launcher.cmd
&lt;/li&gt;
&lt;li&gt;loader.exe or luajit.exe or another_name.exe
&lt;/li&gt;
&lt;li&gt;random_name.cso or random_name.txt
&lt;/li&gt;
&lt;li&gt;lua51.dll&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you submit a link to the archive to VirusTotal, it will find 0 viruses.&lt;br&gt;
If you submit the zip file itself, it will detect a Trojan inside it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Continued
&lt;/h3&gt;

&lt;p&gt;It seemed like I had already forgotten about this event, but my subconscious hadn’t. And my subconscious often throws interesting ideas at me when I’m sleeping or waking up. Recently, I woke up and in the very same second realized what I needed to do. I need to come up with a general pattern and then write a script that will analyze all GitHub repositories and find the ones that match that pattern.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Search pattern:&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Every few hours the previous commit is deleted and a new one is pushed
&lt;/li&gt;
&lt;li&gt;Only the readme file is updated in the commit
&lt;/li&gt;
&lt;li&gt;The readme file contains a link to a zip archive
&lt;/li&gt;
&lt;li&gt;The commits are copied from another repository
&lt;/li&gt;
&lt;li&gt;This is a new repository, not a fork
&lt;/li&gt;
&lt;li&gt;All repositories have different contributors and different names&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it. But there are 500 million repositories on GitHub. How can we analyze all of them? GitHub allows 5,000 requests per hour with a single token. For each repository, we need to make several requests to get the list of commits, modified files, and the content of the readme file. I didn’t want to wait a year for the script to analyze all the repositories.&lt;/p&gt;

&lt;p&gt;But we don’t need all the repositories, we only need the ones that are updated every few hours. I found a service called &lt;a href="https://www.gharchive.org/?ref=orchidfiles.com" rel="noopener noreferrer"&gt;gharchive&lt;/a&gt;, which lets you download all GitHub events for any given day. So we need to download the event archives for the last few days, filter them to include only commit push events, and identify the repositories that are updated between 2 and 10 times every 10 hours.&lt;/p&gt;

&lt;p&gt;Over the past 5 days, there have been 16 million commit pushes. Of these, only 3,000 are repositories that are updated every few hours.&lt;/p&gt;

&lt;p&gt;However, the events do not include information about which specific files were modified. This means that for each relevant repository, we need to make additional requests to the GitHub API.&lt;/p&gt;

&lt;p&gt;After running the script, it returned a large number of repositories. I added several parameters to the filters:  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The commit must be from a user, not a bot
&lt;/li&gt;
&lt;li&gt;More than a month has passed between the last commit and the one before that
&lt;/li&gt;
&lt;li&gt;The repositories have more than one contributor&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;After that, only 14 repositories were found that fully matched the pattern. And I couldn’t stop wondering: why were there so few repositories? What are the odds that I stumbled upon these repositories two months ago and there are only 14 of them on the entire GitHub? There should be many more. Imagine what the headline of this article would have been if I’d found a million such repositories or even just a thousand.&lt;/p&gt;

&lt;p&gt;But I accepted the fact that there were only 14 of them and started writing this article. I decided to double-check them one more time so I wouldn’t accidentally include any unnecessary repositories in the article. Imagine my surprise when I saw that they had all been updated 20 hours ago. So the “updated every few hours” parameter was completely wrong. The filter had discarded all repositories that are updated infrequently.&lt;/p&gt;

&lt;p&gt;During my manual check, I also noticed repositories that contained a link to a zip archive and had a recent commit, but that commit had zero changes. The filter, however, only considered repositories where a single readme file had been modified in the latest commit.&lt;/p&gt;

&lt;p&gt;I also noticed that the last commit in all of these repositories had the same name: “Update README.md”.&lt;/p&gt;

&lt;p&gt;I changed the filter. Now the script searched for repositories that were updated between 1 and 24 times every 24 hours. It found 40,000 such repositories.&lt;/p&gt;

&lt;p&gt;There were 10,000 repositories that exactly matched the pattern. That’s 25% of the total.&lt;/p&gt;

&lt;p&gt;Each of these repositories contains a zip archive with a Trojan.&lt;/p&gt;

&lt;p&gt;These repositories have been around for many months, some even for over a year, and GitHub does not automatically detect and delete them.&lt;/p&gt;

&lt;p&gt;I’ve published a complete list of these repositories &lt;a href="https://github.com/orchidfiles/git-malware-finder/blob/main/full-list.txt?ref=orchidfiles.com" rel="noopener noreferrer"&gt;on GitHub&lt;/a&gt;.&lt;br&gt;
A script for finding such repositories: &lt;a href="https://github.com/orchidfiles/git-malware-finder/?ref=orchidfiles.com" rel="noopener noreferrer"&gt;Git Malware Finder&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Open Questions
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Why do they only clone new repositories, rather than popular ones?&lt;/li&gt;
&lt;li&gt;Why do they delete a commit and push a new one every few hours?&lt;/li&gt;
&lt;li&gt;Why doesn’t GitHub automatically detect such repositories?&lt;/li&gt;
&lt;li&gt;What exactly does the executable exe file from the archive do?&lt;/li&gt;
&lt;li&gt;What is the actual scale of this campaign?&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  My Hypotheses
&lt;/h3&gt;

&lt;p&gt;The hackers’ goal is to understand how the system works, find its limitations and vulnerabilities, and exploit that information. If overwriting commits helps bypass GitHub’s security algorithms, then that’s what they did. Perhaps that’s also why every commit is named “Update README.md”.&lt;/p&gt;

&lt;p&gt;The second goal is to spread the virus. How do they get people to find and download it? I think they do this by cloning only new repositories, which immediately appear at the top of search engine results for low-volume search terms. They also add these repositories to popular GitHub tags to increase the chances of indexing and to help people find them through those tags.&lt;/p&gt;

&lt;p&gt;But why do they copy all the commits and contributors? After all, they could have just copied the entire source code. This is likely done to build trust. When someone visits a repository, they see the contributors, can click through to their profiles, and see that these aren’t one-day accounts. And the commit history is preserved so it’s clear that the repository didn’t just appear yesterday. But perhaps this is also done to bypass GitHub’s algorithms.&lt;/p&gt;

&lt;p&gt;These are just my assumptions, but the reality may be completely different.&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;I was subject to GitHub’s API limit of 5,000 requests per hour. I optimized the script to search only for relevant repositories, and I think that because of the filter, the script found only a small percentage of repositories. The GitHub team does not have such limitations. They can analyze all 500 million repositories, find any archives or executable files within them, and scan them for viruses.&lt;/p&gt;

&lt;p&gt;This time, I won’t be sending a request to GitHub. There are simply too many repositories. If any of you have direct contact with GitHub’s security team, please send them a link to this article.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Update&lt;/strong&gt;&lt;br&gt;
I found this article from April 18: &lt;a href="https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/?ref=orchidfiles.com" rel="noopener noreferrer"&gt;How 109 Fake GitHub Repositories Delivered SmartLoader and StealC&lt;/a&gt;&lt;br&gt;
It explains in detail how this Trojan malware works. At that time, the author had found 109 such repositories.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;* Update 2&lt;/strong&gt;&lt;br&gt;
GitHub has started deleting all the repositories that the script found. Most of these repositories have already been deleted.&lt;/p&gt;

</description>
      <category>github</category>
      <category>malware</category>
      <category>trojan</category>
      <category>security</category>
    </item>
    <item>
      <title>More bad advice from AI</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Tue, 09 Jun 2026 18:10:51 +0000</pubDate>
      <link>https://dev.to/orchidfiles/more-bad-advice-from-ai-5b3h</link>
      <guid>https://dev.to/orchidfiles/more-bad-advice-from-ai-5b3h</guid>
      <description>&lt;p&gt;If you ask AI whether you should post the full text of an article on platforms like Medium or Reddit, it will almost always say you should post a preview of 1-2 paragraphs, a hook, and include a link to your website with the full version of the article at the end. Because if you post the entire text, you’ll be giving away seo traffic to that platform. AI doesn’t give a damn that this is a complete lack of respect for the audience, if there’s just one paragraph and “read more on my blog” at the end. We’re not in 2017 anymore, are we?&lt;/p&gt;

&lt;p&gt;It might also suggest not posting a copy of the text, but creating an adapted version for each platform. That’s nonsense. You’d have to spend time adapting the text to turn one article into several different ones, and what’s the point if you’re just going to give seo value of the adapted version to that platform anyway?&lt;/p&gt;

&lt;p&gt;If you tell AI that this doesn’t suit you, it’ll say that you shouldn't post your content on other platforms at all, you should only keep an archive of your texts on your own site. It doesn’t care that seo traffic won’t come for several years, until search engines start trusting the site.&lt;/p&gt;

&lt;p&gt;This is yet another example of how asking AI for advice, let alone following it, can be harmful. When it comes to marketing, advertising, and user acquisition, AI is almost useless.&lt;/p&gt;

&lt;p&gt;It’s much more effective in the early stages to publish your content wherever possible. The full text, not a teaser or an adapted version. And add a link to your blog at the end.&lt;/p&gt;

</description>
      <category>ai</category>
    </item>
    <item>
      <title>What city do you live in?</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Sat, 30 May 2026 15:44:07 +0000</pubDate>
      <link>https://dev.to/orchidfiles/what-city-do-you-live-in-3bj</link>
      <guid>https://dev.to/orchidfiles/what-city-do-you-live-in-3bj</guid>
      <description>&lt;p&gt;Recruiters often ask this question when they want to check whether a candidate’s time zone matches the team’s working hours. Suppose it’s -5 in their city, while your team is at +3. That’s an eight-hour difference. But why does it matter what city they live in?&lt;/p&gt;

&lt;p&gt;What if the candidate named a city but is planning to move away from it? Or they constantly travel and live in different time zones. And what if their life isn’t tied to a time zone at all?&lt;/p&gt;

&lt;p&gt;The mistake is asking the candidate for their time zone instead of stating yours. It doesn’t matter what city they live in today or where they’ll live in a month. If you need them to work at specific times of day, just ask whether they’re willing to work those hours.&lt;/p&gt;

</description>
      <category>note</category>
      <category>recruiting</category>
    </item>
    <item>
      <title>I build projects and manage teams without a single call</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Sun, 24 May 2026 08:00:00 +0000</pubDate>
      <link>https://dev.to/orchidfiles/i-build-projects-and-manage-teams-without-a-single-call-439d</link>
      <guid>https://dev.to/orchidfiles/i-build-projects-and-manage-teams-without-a-single-call-439d</guid>
      <description>&lt;p&gt;What I dislike most is short calls. When someone tells me, “I have a slot tomorrow at 11:30, let’s do a 10-minute call”. That’s the worst thing possible. For the other person, it’s just another call, one of dozens they have that day. But for me, it becomes the event my whole day starts to revolve around. I have to break out of my flow, put my tasks on hold, take the call, and then get back into context. In the end, a 10-minute call can cost me several hours of focus. And I might spend the entire day thinking about it.&lt;/p&gt;

&lt;p&gt;And it’s especially unpleasant if I end up not liking the person on that short call. Their tone, manner of speaking, their emotions. That can ruin my whole day. Even though the exact same thing could have been discussed over text.&lt;/p&gt;

&lt;p&gt;Often the reason for a call is that someone doesn’t want to formulate their thoughts in text. It’s easier to start talking and think out loud than to structure the thought first. A call lets you improvise, fill things in as you go, and jump from one idea to another. Text requires you to think first and takes time.&lt;/p&gt;

&lt;p&gt;Imagine the year 1500. A war is going on, you’re an army general, and you need to assign tasks to officers who are thousands of miles away from you. You can’t call them and verbally explain the importance of the tasks, the values of the military campaign, and your vision for conquering the world. All you can do is write out the assignment, put your seal on it, and dispatch a messenger who will reach the recipient after several weeks. If the recipient has questions after reading the letter, he won’t be able to get an answer right away. That is why you have to think through the contents of the letter, the list of tasks, and the depth of explanation. To make it brief and at the same time include all the details. Because once the messenger disappears over the horizon, you will no longer be able to change the contents or get the letter back.&lt;/p&gt;

&lt;p&gt;Today we don’t have those constraints. We can write an underdefined task and fill in the details on a call. We can call an employee and pull them out of their flow because we’re “managers” and can afford to do it. It is easier for us to record a voice message than to spend time typing.&lt;/p&gt;

&lt;p&gt;I think I was very lucky that I became a programmer first, and only later a manager and founder. When I was a programmer, I immediately came to hate calls. And when I became a team lead, I always tried to structure the team in a way that minimized them. If I had the choice between calling someone and writing to them, I always chose text.&lt;/p&gt;

&lt;p&gt;Over time this turned into a full-fledged approach. Now I build entire projects and manage teams without a single call. I only need to think through the task, write it out in text, discuss the details over text, and get a completion report over text. And in that report, just the word “Done” would be enough for me, rather than a two-page write-up of how it was done.&lt;/p&gt;

&lt;p&gt;There was a time when I worked in companies where everything was built around Scrum. Dailies, retrospectives, syncs, planning. I even remember the days when dailies were actually held standing up in the office. Back then it seemed to me that this was the right management style. I built my first projects the same way.&lt;/p&gt;

&lt;p&gt;But many years ago I gave up Scrum completely in my teams. What’s more, over time I almost stopped coming across startups where Scrum is used in its classic form at all. Many distributed teams are gradually moving toward an async approach with a minimum number of calls. I gave up calls altogether. If someone has a problem, they write to me right away. If they want to discuss something with the team, they write in the team chat. I can’t even imagine a task or question that can’t be discussed over text.&lt;/p&gt;

&lt;p&gt;When I join a new startup, I have to spend a lot of time convincing the owners that the team can work without calls. No matter how many reasons I give, the calls are almost always kept. Usually, if the founder lives on calls themselves, they want everyone else to live on them too. But in the rare cases when I’m allowed to manage a team without them, everyone responds positively to it. In all that time, I’ve never met a single person who sincerely wanted more dailies, syncs, and meetings.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram&lt;/a&gt;&lt;/p&gt;

</description>
      <category>management</category>
      <category>leadership</category>
      <category>productivity</category>
      <category>remotework</category>
    </item>
    <item>
      <title>I'm tired of AI-generated answers</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Fri, 22 May 2026 15:46:00 +0000</pubDate>
      <link>https://dev.to/orchidfiles/im-tired-of-ai-generated-answers-36ae</link>
      <guid>https://dev.to/orchidfiles/im-tired-of-ai-generated-answers-36ae</guid>
      <description>&lt;p&gt;I found GitHub repositories that were spreading malware. I asked AI what to do about it, but it gave me nothing useful. So I opened a discussion on GitHub. Someone replied. It was the exact same text the AI had given me. I called it out and the comment was deleted. Then another person replied. It was the same AI answer again.&lt;/p&gt;

&lt;p&gt;I worked as a developer at a company. I asked the business owner a question about a business task. He sent me a ChatGPT screenshot with the answer. I replied that it had nothing to do with my question and everything there was wrong. A minute later he sent me another ChatGPT screenshot. He didn’t even read the AI’s answer. He just took a screenshot and forwarded it to me.&lt;/p&gt;

&lt;p&gt;Recently someone messaged me on Reddit about my post. I replied. They wrote again, I replied again. After a few messages I realized I was talking to an AI agent.&lt;/p&gt;

&lt;p&gt;I’m tired of talking to AI.&lt;br&gt;
I want to talk to real people.&lt;br&gt;
But even when I talk to people, they forward my questions to AI and send me the AI’s answer.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>note</category>
    </item>
    <item>
      <title>Saved by chance</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Wed, 20 May 2026 19:12:09 +0000</pubDate>
      <link>https://dev.to/orchidfiles/saved-by-chance-1g98</link>
      <guid>https://dev.to/orchidfiles/saved-by-chance-1g98</guid>
      <description>&lt;p&gt;If you’ve lived long enough, you’ve had that moment when you almost lost everything, but somehow didn’t. You accidentally deleted your customer database, but a backup you’d only just set up saved your business. You sold an asset the day before it surged in value, but the exchange canceled the trade because of an error. You could have lost your life, but an incredible confluence of circumstances saved you. None of us would have trouble recalling a moment like that.&lt;/p&gt;

&lt;p&gt;What changes a person more: losing something important or keeping it by sheer luck?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>note</category>
    </item>
    <item>
      <title>Multilingualism in startups</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Mon, 18 May 2026 12:19:58 +0000</pubDate>
      <link>https://dev.to/orchidfiles/multilingualism-in-startups-dno</link>
      <guid>https://dev.to/orchidfiles/multilingualism-in-startups-dno</guid>
      <description>&lt;p&gt;When launching a startup, don’t make it multilingual until you have stable revenue and a team to support it. You can’t know whether the startup will become profitable, so early on, your time is better spent finding PMF and acquiring users. AI can write scripts to manage translation files and help with text translation, but the quality will still be poor. Users might as well use the browser’s built-in translator.  &lt;/p&gt;

&lt;p&gt;If you build the service in 10 languages right away, you’ll struggle to maintain it. Every interface change means updating translation files across all languages, even though most of your users will likely understand an English interface anyway. But if you’re building for a specific country, build it in that country’s language and don’t add English. Even two languages at the start are worse than one. With a single language, you can keep text directly in the code instead of splitting it into separate translation files.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>note</category>
    </item>
    <item>
      <title>Typical AI conversation</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Fri, 15 May 2026 14:45:17 +0000</pubDate>
      <link>https://dev.to/orchidfiles/typical-ai-conversation-5bg</link>
      <guid>https://dev.to/orchidfiles/typical-ai-conversation-5bg</guid>
      <description>&lt;p&gt;— Why did my last post on X get 0 impressions? Is it a shadowban?&lt;br&gt;
— It’s not necessarily a shadowban. First, X shows the post to a small group of followers, and if there are no reactions, it doesn’t push it any further.&lt;br&gt;
— So it showed the post to 0 people, got 0 reactions, and didn’t show it to anyone else?&lt;br&gt;
— Yes.&lt;br&gt;
— But if there were 0 impressions, how could there be reactions?&lt;br&gt;
— Maybe the stats just haven’t updated. Try posting this from another account.&lt;br&gt;
— The stats haven’t updated in 2 days? Why would I post it from another account?&lt;br&gt;
— You’re right. I got sidetracked. Going back to your original question. First, X shows the post to a small group...&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>note</category>
    </item>
    <item>
      <title>Millionaire</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Thu, 14 May 2026 18:27:43 +0000</pubDate>
      <link>https://dev.to/orchidfiles/millionaire-102g</link>
      <guid>https://dev.to/orchidfiles/millionaire-102g</guid>
      <description>&lt;p&gt;You start out wanting to become a millionaire. Then you become one and realize you’re just one of a million people just like you. You’re not special, you’re no better than anyone else, you’re not even one in a thousand. You’re one in a million.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>note</category>
    </item>
    <item>
      <title>Urgent advice from AI</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Wed, 13 May 2026 09:59:20 +0000</pubDate>
      <link>https://dev.to/orchidfiles/urgent-advice-from-ai-5d3l</link>
      <guid>https://dev.to/orchidfiles/urgent-advice-from-ai-5d3l</guid>
      <description>&lt;p&gt;I once asked Composer 2 to add support for a third-party API in the code. I was so lazy that I just dropped the token into the chat and gave it the task. It replied in bold “This is urgent. You sent the token in the chat. Revoke it right now”. At least it wasn’t in all caps. It didn’t even try to do the task. No other model has ever talked to me in that urgent tone, like some cheap marketing gimmick. Of course, I didn’t bother changing the token.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>note</category>
    </item>
    <item>
      <title>Apostrophe and quotes</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Wed, 13 May 2026 07:10:00 +0000</pubDate>
      <link>https://dev.to/orchidfiles/apostrophe-and-quotes-10o4</link>
      <guid>https://dev.to/orchidfiles/apostrophe-and-quotes-10o4</guid>
      <description>&lt;p&gt;American style uses double typographic quotes “ ”, British style uses single typographic quotes ‘ ’, and technical documentation uses straight quotes " ". In American style, punctuation goes inside the quotation marks; in British style, placement follows meaning. But even in American blogs and technical books, punctuation is often placed by meaning rather than inside.&lt;/p&gt;

&lt;p&gt;The apostrophe is either straight ' or typographic ’. For articles and posts, the typographic apostrophe is recommended. But if you look at popular news outlets or blogs from large tech companies, you’ll often find straight and typographic apostrophes and quotation marks mixed even within the same article. Some AI agents can’t use typographic symbols and replace them with straight ones.&lt;/p&gt;

&lt;p&gt;Straight quotes are always easier to type than holding 3 keys for typographic ones. On top of that, with straight quotes the opening and closing mark is the same character, while typographic quotes use different ones. Smart auto-replacement to typographic symbols can be set up on a laptop, but most apps ignore that setting. If you write in different languages or for different styles, smart replacement will not help. You can set up a script to replace them before publishing articles, but if the article contains code examples, you can’t replace them there. You can also replace them manually before publishing, but when replying to comments you end up with straight ones again. Some fonts render the straight apostrophe beautifully, but you control the font only on your own site. Some websites automatically convert typed text into typographic marks, but if you paste text, they leave the straight ones in.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>note</category>
    </item>
    <item>
      <title>Startup success probability</title>
      <dc:creator>Orchid Files</dc:creator>
      <pubDate>Tue, 12 May 2026 16:47:00 +0000</pubDate>
      <link>https://dev.to/orchidfiles/startup-success-probability-45p2</link>
      <guid>https://dev.to/orchidfiles/startup-success-probability-45p2</guid>
      <description>&lt;p&gt;Statistics say that 90% of startups shut down in the first few years. But this only applies to venture-backed startups. Startups with other kinds of funding may have a 50% chance of success, and your own odds may be even higher.  &lt;/p&gt;

&lt;p&gt;If you’ve already launched 5 startups, even if all of them shut down, your next startup will have better odds of success than someone on their first startup. And if some of your startups became profitable, your next startup will have better odds than someone whose 5 startups all lost money. With each new attempt, you improve your odds of success.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://orchidfiles.com/" rel="noopener noreferrer"&gt;Blog&lt;/a&gt; • &lt;a href="https://t.me/orchidfiles" rel="noopener noreferrer"&gt;Telegram channel&lt;/a&gt;&lt;/p&gt;

</description>
      <category>note</category>
    </item>
  </channel>
</rss>
