

# AI Hacker Daily — 2026-05-12

**Theme: the defensive aftermarket for agent-coded software.**

Yesterday afternoon, attackers chained three GitHub Actions misconfigurations and pushed 84 malicious versions across 42 `@tanstack/*` packages in six minutes. Anyone whose agent ran `npm install` for them between 19:20 and 19:26 UTC on May 11 is now triaging a cred-rotation. That's the precipitating event; the four picks underneath it are the kinds of tools that show up in the days after a story like that — supply-chain hardening, per-task token caps, review gates with teeth, and a BYOK escape hatch from a vendor's rate limits. We dropped the model-launch firehose (Interfaze, MiniCPM-V 4.6, Claude on AWS) and most of ProductHunt's vertical SaaS — none of it changes anyone's Tuesday.

## TanStack publishes a full postmortem of the npm compromise that hit it on May 11

Worth reading even if you don't use TanStack. The attack chained `pull_request_target` running fork code, GitHub Actions cache poisoning across trust boundaries, and OIDC token extraction from runner memory — three things most repos still have. The malware then harvested AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials and self-propagated to the maintainers' other packages. npm pulled the 84 tarballs server-side, but anything you installed between 19:20 and 19:26 UTC is suspect.

The remediation list is concrete: rotate every cloud and source-control credential that touched a machine running the bad versions, add `repository_owner` guards on any workflow with `pull_request_target`, and pin action SHAs. If you're an AI tool author whose users run your CLI in CI, this is your weekend.

**Delete:** the "supply chain attacks are rare" assumption. The pattern (compromise one maintainer, propagate via npm publish) is now reproducible.

**Tradeoff:** locking down GitHub Actions workflows breaks fast-iteration habits for legitimate contributors. That's the cost.
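As an added example (not TanStack's code, and not safe-install's), here is a small audit script for the two halves of that remediation list that you can check mechanically: a line-based scan of a workflow for `pull_request_target` without a `repository_owner` guard, for fork code checked out under it, and for action refs not pinned to a commit SHA, plus an install-time script check in the spirit of the safe-install item below, listing installed packages that declare `preinstall`/`install`/`postinstall` hooks without being on an allowlist. The sample workflows, the package.json excerpts, the `example-org` owner and the 40-zero SHA are constructed placeholders; the hardened workflow also runs `npm ci --ignore-scripts`. It is a heuristic scanner, not a YAML parser.

```python
"""Audit helpers for the post-incident checklist: workflow trigger/pin
hygiene and install-script allowlisting. Added example, not project code."""
import re

# Constructed sample workflow (assumed shape, not a real repo's file).
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

# The same workflow after remediation. The 40-zero SHA is a placeholder for
# the real commit hash you would pin to; 'example-org' is a placeholder owner.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    if: github.repository_owner == 'example-org'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # vX.Y.Z
      - run: npm ci --ignore-scripts && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")
OWNER_GUARD_RE = re.compile(r"github\.repository_owner\s*==")
FORK_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def audit_workflow(text: str) -> list:
    """Return human-readable findings for one workflow file's text."""
    findings = []
    if "pull_request_target" in text:
        if not OWNER_GUARD_RE.search(text):
            findings.append("pull_request_target without repository_owner guard")
        if FORK_HEAD_RE.search(text):
            findings.append("pull_request_target checks out the PR head: "
                            "fork code runs with the base repo's token")
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # actions local to this repo need no pin
        if not SHA_PIN_RE.search(m.group(1)):
            findings.append(f"line {n}: action not pinned to a commit SHA: {m.group(1)}")
    return findings


# npm lifecycle hooks that execute code at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed package.json excerpts standing in for node_modules/*/package.json.
INSTALLED = {
    "bundler-x": {"scripts": {"postinstall": "node install.js"}},
    "util-y": {"scripts": {"test": "jest"}},
    "@example/native-thing": {"scripts": {"install": "node-gyp rebuild"}},
}
ALLOWLIST = {"bundler-x"}  # packages explicitly permitted to run install hooks


def unapproved_install_scripts(installed: dict, allowlist: set) -> dict:
    """Map package name -> install-time hooks it declares, for packages that
    want to run code at install time but are not on the allowlist."""
    out = {}
    for name, pkg in installed.items():
        hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
        if hooks and name not in allowlist:
            out[name] = hooks
    return out


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf))
    print("unapproved install scripts:", unapproved_install_scripts(INSTALLED, ALLOWLIST))
```

Run it over every file under `.github/workflows/` and over the real `node_modules/*/package.json` set; the allowlist dict is the audit trail the safe-install item talks about, so keep it in the repo next to the lockfile.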
[Postmortem](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem)

## safe-install ships the Bun/pnpm hardening defaults that npm still won't add

A direct response to the TanStack incident: a small npm package that disables postinstall scripts by default, requires you to allowlist any dependency that's allowed to run them, and blocks "exotic" sub-dependencies (the `blockExoticSubdeps` pattern pnpm has shipped for a year). Bun has had trusted-dependencies natively for ages. npm has not.

Useful right now, with one caveat: `npm install --ignore-scripts` gets you 80% of the way there for free. safe-install's real value is the named allowlist — being explicit about which packages are *allowed* to execute code at install time, instead of relying on `--ignore-scripts` and remembering to re-run for the legitimate cases. That allowlist is also the audit trail you'll want when the next incident lands.

**Delete:** the habit of running `npm install` without `--ignore-scripts` on any machine with cloud credentials.

**Tradeoff:** allowlist-based tools work as long as you actually maintain the allowlist. Most teams won't.

[Show HN thread](https://news.ycombinator.com/from?site=npmjs.com) · [npm package](https://www.npmjs.com/package/@gkiely/safe-install)

## adamsreview is a Claude Code plugin that runs review as parallel sub-agents and feeds Codex CLI for a second opinion

The built-in `/review` runs one agent through one pass. adamsreview fans out into specialized lenses (correctness, security, UX, performance) in parallel, deduplicates findings, and gates them through validation passes before showing you anything. It persists state under `~/.adams-reviews/<repo>/<branch>/` so you can review on Monday, do a walkthrough on Wednesday, and run the auto-fix loop on Friday — the JSON state survives across sessions. The interesting part is `--ensemble`: it actually invokes Codex CLI as a peer reviewer if you have the Codex plugin installed.
Two models, two harnesses, one finding list. Requires Claude Code Max (it runs against your subscription, not pay-as-you-go), `uv`, `python3.10+`, `gh`, `jq`. Not lightweight.

**Delete:** `/review` as your only line of defense on agent-generated PRs.

**Tradeoff:** Max-plan-only, and the orchestrator token counts will over-attribute if you switch contexts mid-review.

[GitHub](https://github.com/adamjgmiller/adamsreview)

## Tokenyst parses Claude Code transcripts to enforce per-task budgets locally

A 50-line idea, well-executed: instead of polling the Anthropic API for usage (which lags and requires API keys with admin scope), Tokenyst reads the session transcripts Claude Code already writes to `~/.claude/projects/` and computes spend from the recorded token counts using built-in pricing tables. You create a task with a budget (`tkst -t "Issue-243" -b 5`), then start a session through it (`tkst claude`), and it deducts cost as you go. Local-first, no cloud, no extra auth.

The limitation is the limitation of every transcript-parser: it depends on Claude Code's file format staying stable. When the format moves, the tool breaks until somebody pushes an update. For a single-developer machine that's a fine tradeoff.

**Delete:** the practice of finding out about a $200 day when the credit card statement arrives.

**Tradeoff:** local-only by design, so no team-level rollups or shared budgets — yet.

[GitHub](https://github.com/jher7/tokenyst)

## OpenGravity is a high schooler's vanilla-JS, BYOK clone of Google Antigravity

Different flavor of defensive tooling: the kind that exists because a vendor's rate limits made the original unusable. A GCSE student got tired of "agent terminated" errors and Antigravity's usage caps, so they wrote a vanilla HTML/CSS/JS reimplementation that ships the same shape — browser IDE, WebContainer-backed Linux terminal, agentic file management — and reads your API key out of localStorage. No backend, no metering. Caveat: it's Gemini-only today.
The hardcoded model IDs (`gemini-3.1-pro`, `gemini-3-flash`) need to come out before this can multiplex Anthropic and OpenAI keys, which is the work that would make it actually interesting. Worth bookmarking as the first credible escape hatch from a major vendor's agent product — the architecture is right, just unfinished.

**Delete:** the assumption that browser-IDE agent products with rate-limit walls don't get cloned by 16-year-olds.

**Tradeoff:** Gemini-only and rough UX (the API key goes in via a tiny "a" icon, per the author).

[GitHub](https://github.com/ab-613/opengravity)
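The Tokenyst item above describes the mechanism without showing it, so here is an added example of the same idea (not Tokenyst's code): price a transcript from its recorded token counts and decide whether a task is still under budget. The JSONL line shape (one JSON object per line, assistant turns carrying a `usage` object), the `model-x` name and the per-million-token prices are all assumptions labelled in the code; the real Claude Code transcript format may differ and, as the item notes, can change. Because of that, lines that fail to parse and models missing from the pricing table are counted and returned instead of being dropped silently, so a caller can tell "format moved" apart from "spent nothing".

```python
"""Transcript-based spend accounting with a per-task budget check.
Added example; not Tokenyst's code. Format and prices are assumptions."""
import json

# Assumed USD prices per million tokens. Placeholders, not a vendor's list.
PRICING = {
    "model-x": {"input": 3.00, "output": 15.00, "cache_read": 0.30},
}

# Constructed transcript (assumed shape). The third line is deliberately
# malformed to exercise the format-drift path.
SAMPLE_TRANSCRIPT = "\n".join([
    json.dumps({"type": "user", "message": {"content": "fix the bug"}}),
    json.dumps({"type": "assistant", "model": "model-x",
                "usage": {"input_tokens": 1000, "output_tokens": 500}}),
    "{not json",
    json.dumps({"type": "assistant", "model": "model-x",
                "usage": {"input_tokens": 2000, "output_tokens": 1000,
                          "cache_read_input_tokens": 10000}}),
])


def transcript_cost(text: str, pricing: dict = PRICING) -> dict:
    """Sum token usage across assistant turns and price it.

    Returns spend in USD plus two counters a caller should alarm on:
    `skipped` (lines that did not parse) and `unpriced` (turns whose model
    is missing from the pricing table)."""
    totals = {"input": 0, "output": 0, "cache_read": 0}
    skipped = unpriced = 0
    spend = 0.0
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if rec.get("type") != "assistant" or "usage" not in rec:
            continue  # user turns and tool results carry no billable usage
        price = pricing.get(rec.get("model"))
        if price is None:
            unpriced += 1
            continue
        u = rec["usage"]
        counts = {
            "input": u.get("input_tokens", 0),
            "output": u.get("output_tokens", 0),
            "cache_read": u.get("cache_read_input_tokens", 0),
        }
        for kind, n in counts.items():
            totals[kind] += n
            spend += n / 1_000_000 * price[kind]
    return {"spend_usd": round(spend, 6), "tokens": totals,
            "skipped": skipped, "unpriced": unpriced}


def budget_status(text: str, budget_usd: float, pricing: dict = PRICING) -> dict:
    """Attach budget arithmetic to the cost report. A caller should stop the
    session when `over_budget` is true, and investigate when `skipped` or
    `unpriced` is non-zero, since spend is then an undercount."""
    report = transcript_cost(text, pricing)
    report["budget_usd"] = budget_usd
    report["remaining_usd"] = round(budget_usd - report["spend_usd"], 6)
    report["over_budget"] = report["spend_usd"] > budget_usd
    return report


if __name__ == "__main__":
    print(budget_status(SAMPLE_TRANSCRIPT, budget_usd=5.0))
```

Wire `budget_status` to whatever launches the session (the equivalent of `tkst claude`), re-reading the transcript file between turns; the design choice worth copying is that an unreadable line raises a counter rather than silently lowering the spend figure the budget check relies on.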


2026-05-12 — AI Hacker Daily