Roman | Building Scaffly

how did Peter Steinberger made 16k commits on a single day?

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

To manage growing demand for Claude we're adjusting our 5 hour session limits for free/Pro/Max subs during peak hours. Your weekly limits remain unchanged. During weekdays between 5am–11am PT / 1pm–7pm GMT, you'll move through your 5-hour session limits faster than before.

wtf chrome has vertical tabs now. finally

Now you can use AI agents to design directly on the Figma canvas, with our new use_figma MCP tool and skills to teach them. Open beta starts today.

We’re saying goodbye to Sora. To everyone who created with Sora, shared it, and built community around it: thank you. What you made with Sora mattered, and we know this news is disappointing. We’ll share more soon, including timelines for the app and API and details on preserving your work. – The Sora Team

Today, we’re releasing a feature that allows Claude to control your computer: Mouse, keyboard, and screen, giving it the ability to use any app. I believe this is especially useful if used with Dispatch, which allows you to remotely control Claude on your computer while you’re away.

I just moved to Cyprus 🇨🇾 My first impressions and why I moved: > it's safe (unlike rest of Europe) > friendly people (unlike rest of Europe) > quiet > clean air > fast WiFi > tax friendly > great coffee > amazing food > very walkable > incredible weather > affordable (€2 for coffee, €7 for meal) > great laptop cafe culture (unlike rest of Europe) > growing tech scene (unlike rest of Europe) It's been so long since I had somewhere I could lock in from and call home. I was torn between UAE and Cyprus but the last month made my decision for me. And so far I am so happy with my decision.

I want to make /init more useful- what do you think it should do to help setup Claude Code in a repo?

Don't monetize it. A WhatsApp mockup generator doesn't need a paywall, especially in 2026. Instead, share it everywhere you possibly can - Hacker News - Product Hunt - TinyLaunch - Uneed, etc... Worst case: you get a few followers. Best case: you also build a traffic machine. Then move on and build something AI hasn't made obsolete.

My new command for Claude with remote control on yolo mode: c() { IS_SANDBOX=1 claude rc --dangerously-skip-permissions "$@"; }

We just released Claude Code channels, which allows you to control your Claude Code session through select MCPs, starting with Telegram and Discord. Use this to message Claude Code directly from your phone.