Tuesday, 9 June

  • npm supply chain attack targeting Claude Code. Compromised packages under @redhat-cloud-services and @antv inject a persistent backdoor into ~/.claude/settings.json and ~/.claude/mcp.json. Check lockfiles: run npm ls @redhat-cloud-services, npm ls @vapi-ai/server-sdk, npm ls ai-sdk-ollama. Removing the package does NOT remove the malware — it persists in your editor config. Remediation: https://old.reddit.com/r/ClaudeAI/comments/1u05t5e/

1. npm "Mini Shai-Hulud" Attack Plants Persistent Backdoors in Claude Code and VS Code

Two waves of supply chain attacks (May-June 2026) compromised 89+ npm packages across @antv and @redhat-cloud-services. The malware plants itself in Claude Code's startup settings and MCP config, harvesting every credential on the machine — and persists after uninstalling the package.

2. Jane Street: "I Design with Claude More Than Figma Now"

A designer at Jane Street describes replacing Figma mockups and spec docs with Claude Code prototypes built in the production codebase. The workflow — write a problem description, iterate with Claude to a working prototype — now handles 2,000+ line diffs at zero team coordination cost.

3. Xiaomi MiMo v2.5 Hits 1,000 Tokens/Second on a 1T Model

Xiaomi claims MiMo v2.5-Pro-UltraSpeed achieves 1,000+ tokens per second on a 1-trillion parameter model using a standard 8-GPU server, combining FP4 quantization with a new inference engine called TileRT. If validated, this would be a significant step toward real-time inference at frontier scale.

  • Workplace — Developer builds an AI skill that catches errors in client deliverables, now debating: share with the team or keep the edge? Top comments split: "keep them, they keep you hired" vs "you'll get more credit building the team up." — 90 upvotes, 87 comments | r/ClaudeAI | https://old.reddit.com/r/ClaudeAI/comments/1tzlq8w/
  • Pattern — "The Illusion of Finished Work in Claude Code" — Claude's output often looks complete before it's been verified, changing what review means when you're checking chains of agent actions, not just code. — 97 upvotes, 33 comments | r/ClaudeAI | https://old.reddit.com/r/ClaudeAI/comments/1tzo0q6/
  • refactoringhq/tolaria — 649★ today (13,459★ total) — Desktop app for managing markdown knowledge bases. Git-backed, local-first, built for teams that keep docs in plain text | https://github.com/refactoringhq/tolaria

  • Lathe — Generate hands-on technical tutorials from any prompt, then work through them in a local UI. Type "/lathe build a 3D Slicer in Erlang" in Claude Code and it generates a multi-part tutorial you complete by hand. 1,033★ | HN 375 points | brew install devenjarvis/tap/lathe | https://github.com/devenjarvis/lathe

After making changes to this project, verify your own work before telling me it's done:

1. List every file you modified and what changed in each
2. Run the build and paste the full output — pass or fail
3. Run tests and paste the full output — pass or fail
4. Check for regressions: search for any TODO, FIXME, or commented-out code you introduced
5. If anything failed or looks fragile, fix it now rather than reporting it as a known issue

Self-verification for Claude Code — make it prove the work is done before you accept it.

Source: @ClaudeDevs self-check workflow | https://x.com/ClaudeDevs/status/2061900434722496604