#034

Bun starts 773K-line Rust port, Edge keeps passwords in cleartext, GameStop bids $55B for eBay

Bun started a 773K-line Rust rewrite because Zig bans LLM contributions. Edge keeps every saved password in cleartext memory at startup. Microsoft says by design.

Bun just opened a branch called claude/phase-a-port, dumped 773,950 lines of AI-drafted Rust into it across 1,646 files, and started porting itself off Zig. The reason isn’t performance. Zig’s foundation bans LLM contributions, Anthropic bought Bun in December, and Claude is doing the rewrite.

Phase-A drafts don’t compile yet, so today’s Bun keeps running. Phase-B starts replacing real subsystems crate by crate, which means the next 12 months are when Anthropic’s choice of Rust over Zig shows up in your CI.

In today’s indie hacker news:

  • Bun starts a 773K-line Zig-to-Rust port because Zig bans LLMs
  • Edge keeps every saved password in cleartext memory, by design
  • Pentester audited 50 AI-built SaaS, found the same 3 holes every time
  • SalesRobot went $40K to $72K MRR running 6 channels in parallel
  • GameStop, $11B cap, just bid $55.5B for eBay

TOP STORIES

BUN GOES CRAB MODE

Bun starts a 773K-line Zig-to-Rust port because Zig bans LLM contributions.

Bun starts a 773K-line Zig-to-Rust port

The story: Jarred Sumner shipped commit 46d3bc2 with a 622-line PORTING.md and a port-batch script, the first committed artifacts of Bun’s migration off Zig. A separate branch called claude/phase-a-port already holds 773,950 line additions across 1,646 files, the AI-drafted Rust translation Phase-A is generating. Phase-A’s goal per the docs: a draft .rs file next to each .zig source that “captures logic faithfully, it does not need to compile.” Phase-B makes it compile crate by crate. The runtime gets carved into 18 Rust crates covering the parser, bundler, installer, HTTP server, JS shell, every subsystem.

The details:

  • Banned in the Rust port per PORTING.md: tokio, rayon, hyper, async-trait, std::fs, std::net, std::process. No async fn either, callbacks and state machines only, matching Zig’s architecture.
  • Anthropic acquired Bun on December 2, 2025, its first-ever acquisition, announced the same day Claude Code hit $1B ARR six months after public launch.
  • Sumner verbatim: “Anthropic is investing in Bun as the infrastructure powering Claude Code, Claude Agent SDK, and future AI coding products.” Bun stays open-source MIT, same team, same roadmap.
  • The Zig Software Foundation bans all LLM contributions across issues, PRs, and bug tracker comments, and moved off GitHub to Codeberg in December 2025 partly over Copilot.
  • The companion HN essay “I am worried about Bun” hit 436 points and 294 comments, a 67% comment-to-vote ratio. The author’s worry is cultural, Anthropic-driven org drift eroding Bun’s quality the way they say it has Claude Code’s, not anything about Rust.

Why builders care: If you ship Bun in production, nothing breaks today. Phase-A drafts don’t compile yet, so 1.x is unaffected. The risk is the next 12-18 months: as Phase-B replaces real subsystems crate by crate, regressions are possible. Don’t auto-bump Bun minors in CI without a test suite that exercises the runtime features you actually depend on (workers, ffi, sqlite, native bindings). The deeper signal: Anthropic owns Bun and the port is being done with Claude. The runtime under your JS stack is now an AI-development testbed. Pin your version. Watch the changelog.


PASSWORDS BY DESIGN

Edge keeps every saved password in cleartext memory at startup, Microsoft says by design.

Edge keeps every saved password in cleartext memory

The story: Security researcher @L1v1ng0ffTh3L4N published a writeup showing that Microsoft Edge decrypts every saved password at startup and holds the plaintext in process memory, even for sites you never visit in a session. Chrome decrypts on demand. Edge does not. Extraction needs only standard user privileges via Windows OpenProcess + ReadProcessMemory, no admin required. Microsoft was notified April 29, the post went public May 4. Their official position: “by design,” won’t be patched. No CVE assigned by either Microsoft or the Chromium project, since both treat same-user process memory as out of scope.

The details:

  • Microsoft’s own Edge security docs concede the behavior verbatim: “Even if passwords are encrypted in a vault by a master key, they’ll be decrypted when loaded in the browser’s memory space and can be harvested after you unlock the vault.”
  • Edge requires re-authentication before showing passwords in the Password Manager UI, yet the same passwords sit in process memory unguarded the whole session.
  • Chrome ships App-Bound Encryption (ABE), which binds key access to an authenticated process so other processes can’t reuse Chrome’s keys. Edge has no equivalent.
  • On-disk passwords ARE encrypted (DPAPI on Windows, Keychain on macOS, libsecret/KWallet on Linux). The bug is purely in-memory cleartext at startup.
  • The HN thread hit 459 points and 159 comments in 10 hours. Top comment defends “airtight hatchway” framing (if you can read process memory, you can already attach a debugger). Counter: defense-in-depth still matters for Spectre-class side channels and same-user infostealer malware.

Why builders care: If you ship a desktop app that holds secrets (auth tokens, API keys, OAuth refresh tokens, customer credentials), keeping them decrypted in memory “just in case” is the exact pattern Edge is being roasted for. The fix is the OS keychain (DPAPI, Keychain, libsecret) and decrypt-only-at-point-of-use, then zero the buffer. The “physical access required” defense is fiction in 2026. Same-user infostealer malware, dual-boot, evil-maid, memory forensics, and speculative-execution side channels all bypass it without any privilege escalation.
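The decrypt-at-point-of-use-then-zero pattern above, as an added example (not Edge’s, Chromium’s or any vendor’s code). The vault, the `read_from_vault` reader and the token value are constructed stand-ins for an OS keychain read; the point is the lifetime of the plaintext, not the cipher.

```python
import hashlib
import hmac
from contextlib import contextmanager
from typing import Callable, Iterator

# Constructed stand-in for an OS keychain (DPAPI / Keychain / libsecret).
# A real backend keeps this encrypted at rest and decrypts on every read;
# the value below is a made-up token, not a real credential.
_VAULT = {"api_token": b"sk_test_CONSTRUCTED_KEY_000000"}

def read_from_vault(name: str) -> bytearray:
    """Decrypt one secret on demand into a fresh, mutable buffer."""
    return bytearray(_VAULT[name])  # a real backend would call the OS API here

def zero(buf: bytearray) -> None:
    """Overwrite the plaintext in place (same length, so no reallocation)."""
    buf[:] = bytes(len(buf))

@contextmanager
def secret_in_use(name: str,
                  reader: Callable[[str], bytearray] = read_from_vault) -> Iterator[bytearray]:
    """Decrypt at the point of use; zero on the way out, even on an exception."""
    buf = reader(name)
    try:
        yield buf
    finally:
        zero(buf)

def sign_request(name: str, body: bytes):
    """Use the secret without copying it into an immutable bytes/str object
    (Python cannot zero those, which is the practical limit of this pattern);
    hmac.new accepts the bytearray directly."""
    with secret_in_use(name) as key:
        signature = hmac.new(key, body, hashlib.sha256).hexdigest()
    return signature, key  # key is returned only so a caller can confirm it was zeroed

def verify_signature(name: str, body: bytes, signature: str) -> bool:
    """Recompute under the same lifetime rules and compare in constant time."""
    with secret_in_use(name) as key:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    sig, used = sign_request("api_token", b'{"order": 42}')
    print(sig, "zeroed after use:", not any(used))
```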


SAME 3 HOLES, EVERY TIME

A Brazilian pentester chained IDOR into admin takeover on 3 AI-built SaaS in one week.

Pentester audits AI-built SaaS

The story: A Brazilian pentest firm operator (u/Responsible-Sand6733) posted on r/microsaas after auditing roughly 50 AI-built SaaS in 2026 so far, products built mostly with Cursor, Claude Code, v0, and Bolt. Three vulns recur “constantly”: broken tenant isolation (BOLA/IDOR, swap an ID in the URL and read another user’s data), Stripe webhook handlers with no signature validation so events can be forged, and hardcoded secrets in frontend bundles or pushed to public repos. He chained IDOR into full admin takeover in 3 separate cases in one week. Two were AI-built. One had a human team with code review.

The details:

  • Fourth recurring vuln: race conditions in checkout and usage limits. Single-use coupons get redeemed multiple times via parallel requests because AI-generated code adds no locking unless explicitly told to. OP’s quote: “AI doesn’t add any kind of locking unless you explicitly tell it to. And most devs don’t think about it until something weird shows up in billing.”
  • Independent Sherlock Forensics scan of ~5,600 vibe-coded apps: 92% had at least one critical issue. VibeAppScanner independently found 1 in 4 had API keys in client-side code and 78% had .env files publicly exposed.
  • Recent precedent: Lovable’s February breach left broken access control open for 48 days, exposing source code and DB credentials of 18,000+ users across 170+ databases.
  • Moltbook (vibe-coded social network) was breached within 3 days of launch, 1.5M API tokens and 35,000 emails leaked via misconfigured Supabase with no row-level security.
  • BOLA/IDOR has sat at #1 on the OWASP API Security Top 10 for years. OP’s framing: “The real issue was never the ID format. It’s the backend not checking ‘does this user actually own this thing?’”

Why builders care: If Cursor or Claude Code wrote your auth, the backend almost certainly checks “is this user logged in” but skips “does this resource belong to them.” That’s the IDOR shape, OWASP API #1, and it takes five minutes to test: log into two accounts, swap an ID in the URL, see what loads. After that, check the Stripe webhook for signature validation, run git log -- .env to confirm you never pushed secrets, and add row-level security to your Supabase tables. Bots index public GitHub in minutes. Your AWS bill is how you find out otherwise.
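The Stripe webhook signature check called out above, as an added example (not Stripe’s library and not from the pentester’s post). It implements Stripe’s documented scheme, HMAC-SHA256 over `"<t>.<raw body>"` with the endpoint’s whsec_ secret; the secret, event body and function names are constructed for this example.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Stripe sends "t=<unix ts>,v1=<hex>[,v1=<hex>...]" in the Stripe-Signature
# header, where hex = HMAC-SHA256(whsec secret, "<t>.<raw body>"). Without
# this check anyone who can POST to the URL can forge a "payment succeeded".
TOLERANCE_SECONDS = 300  # Stripe's default replay window

def _parse_header(header: str) -> Tuple[int, List[str]]:
    ts, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            ts = int(value)  # ValueError on garbage is caught by the caller
        elif key == "v1":
            sigs.append(value)
    if ts is None or not sigs:
        raise ValueError("malformed Stripe-Signature header")
    return ts, sigs

def expected_signature(secret: str, ts: int, raw_body: bytes) -> str:
    # Sign the RAW request bytes; re-serialising parsed JSON changes them.
    signed_payload = str(ts).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()

def verify_stripe_webhook(raw_body: bytes, header: str, secret: str,
                          now: Optional[int] = None) -> bool:
    """True only for an authentic, fresh delivery; never raises."""
    now = int(time.time()) if now is None else now
    try:
        ts, sigs = _parse_header(header)
    except ValueError:
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or replayed delivery
    want = expected_signature(secret, ts, raw_body)
    return any(hmac.compare_digest(want, got) for got in sigs)

def make_test_header(secret: str, ts: int, raw_body: bytes) -> str:
    """Build a header the way Stripe would, for local tests only."""
    return f"t={ts},v1={expected_signature(secret, ts, raw_body)}"

def handle_webhook(raw_body: bytes, header: str, secret: str, now: Optional[int] = None) -> str:
    """Gate every billing change on verification; respond 400 on failure."""
    if not verify_stripe_webhook(raw_body, header, secret, now):
        return "rejected"  # nothing parsed, nothing marked paid
    return "accepted"  # now safe to json.loads(raw_body) and update the order
```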


PARALLEL OR PERISH

SalesRobot went $40K to $72K MRR in 12 months by running 6 channels in parallel.

SalesRobot growth from $40K to $72K MRR

The story: Saurav (@saguppa) runs SalesRobot, a bootstrapped LinkedIn + email outreach SaaS with 22 people in India, and posted on r/SaaS the six habits that took him from $40K to $72K MRR in 12 months after three years stuck flat. The verified TrustMRR Stripe data shows $72,009 with a 45% margin. His framing is sharper than the headline: he ran channels sequentially for four years, hit a wall, and 2025 was the first year he ran all six at once. “If you’re stuck between $10K and $100K MRR, the problem probably isn’t effort. You’re just doing things one at a time.”

The details:

  • Habit 1, fix the product weekly: a March 2025 LinkedIn API backend migration moved trial-to-campaign-creation from 20% to 50%. He says three years of flat growth came from a backend issue he kept deferring while spending on marketing. “You cannot outmarket a broken product.”
  • Habit 2, post on LinkedIn and AI-DM every commenter: one post hit 3,000 comments, the AI auto-DMed everyone, 652 free trials, $2K MRR from a single post.
  • Habit 3, use your own product on yourself: 649 LinkedIn connection requests in one month, 56% accepted, 35% replied, 0 bans in 7 months, 5 SDR accounts generating $22K monthly pipeline at $0 tool cost.
  • Habit 4, cold email to lookalikes only: he burned 300 email domains on mass cold outreach before pivoting to two niches, lead-gen agencies and devs on the LinkedIn API. Closed a $3K MRR Brazilian agency from one cold email last month.
  • Habit 6 is the quiet one: white-label is 5% of his customers and 25% of revenue. One UK agency went from 5 seats to 80 seats with no extra sales effort. Treat agencies as a distribution channel, not a pricing tier.

Why builders care: The $40K-$100K MRR plateau is where most bootstrapped SaaS founders circle for years, and the parallelism is what breaks the loop. Sequential channel testing kills compounding because LinkedIn virality feeds cold-email recognition feeds event follow-up. Two moves do the heavy lifting: fix activation before adding marketing spend (his 20%-to-50% trial conversion compounds every channel), then treat white-label agencies as quiet distribution. Pair this with the day-1 founder flood in trending below to see what doesn’t work yet.


MINNOW BIDS FOR WHALE

GameStop ($11B) made an unsolicited $55.5B bid for eBay with half the deal unfunded.

GameStop bids $55.5B for eBay

The story: Ryan Cohen’s GameStop sent eBay’s board a nonbinding $125-per-share offer on May 3, 50% cash and 50% GameStop stock, total implied equity around $55.5 billion. GameStop’s market cap is roughly $11.5B, so it’s bidding for a target nearly five times its size. The cash half alone is $27B and GameStop has $9.4B in cash plus a non-binding “highly-confident” letter from TD Securities for up to $20B in debt, leaving a $26B funding gap that has to come from stock dilution. The market reaction was instant: GameStop down 10% on dilution fears, eBay up 8-12% on the takeover premium. eBay’s board “will carefully review” and flagged concern about “the value of the GameStop stock consideration and the ability of GameStop to deliver a binding, actionable proposal.”

The details:

  • $125/share is a 27% premium to eBay’s 30-day VWAP, 46% to its Feb 4 close (when GameStop quietly built a ~5% stake, mostly through derivatives).
  • Revenue mismatch: eBay did $11.1B in FY2025 versus GameStop’s $3.6B, and eBay’s Q1 2026 revenue alone ($3.09B) almost matched GameStop’s full year. GameStop revenue is down ~40% over three years.
  • Cohen’s pitch: GameStop’s 1,600 U.S. stores become authentication, intake, fulfillment, and live-commerce hubs for eBay’s 135M buyers and 18M sellers. Projected $2B annual cost cuts inside 12 months.
  • Cohen on CNBC threatening a proxy fight: “prepared to wage a proxy battle and go directly to shareholders if eBay’s board is not open to the acquisition.” He had not contacted eBay management before announcing. “We are just starting.”
  • GameStop’s 4,710 BTC stash (~$368M) is now in covered-call play at Coinbase. At $55.5B deal scale, the entire crypto position is rounding error.

Why builders care: If you sell on eBay, this is mostly noise. eBay’s board has no obligation to engage and the financing doesn’t pencil. For marketplace operators, Cohen’s thesis (physical retail as eBay’s missing authentication layer) is real given the rise of card and watch authentication, but GameStop’s foot traffic is in freefall, so the integration story is thin. The bigger signal: meme-stock-era capital formation (retail squeeze, cash hoard, unsolicited M&A) is now a real lever for hostile bids, but the market punished the acquirer 10% on day one. Won’t be a repeatable playbook unless GameStop’s stock holds.


🚫 “I am worried about Bun” overshadowed Bun’s own commit on HN. Engineer wwj’s essay (436 points / 294 comments) ran on HN’s front page next to the official porting commit (240 points / 161 comments). The 67% comment-to-vote ratio on the worry post is the signal, that’s people fighting, not consensus upvotes. The actual argument is cultural, not technical: wwj is worried Anthropic-driven org drift will erode Bun the way they say it has Claude Code. The runtime drama is now a referendum on Anthropic’s stewardship.

🌊 r/SaaS got flooded with day-1 founders. A dozen-plus “I just launched my first SaaS, please help” posts hit r/SaaS and r/startups in 24 hours, including a job-app SaaS with 20 users and “I quit my job for $77.92 MRR” (today’s First Dollar). The arc is consistent: weekend-built with Cursor, 0-2 paying users, asking for distribution help. Vibecoding is producing real builders faster than community advice can keep up. Pair it with the SalesRobot writeup above for the contrast: this is the launch pad, that’s the runway.

🎨 r/ChatGPT is using rival labs against each other for content. Two meta-prompt posts hit the front page in two hours: a face-merge “weird perspective portrait” prompt (148 upvotes) and a “picture of Claude, Gemini and yourself hanging out” prompt comparing labs side-by-side. The comparison itself is the content. Builders shipping AI image tools in 2026 are competing with users who’d rather watch the labs benchmark each other in stylized selfies than read a blog post.


FIRST DOLLAR

$77.92, JUST ONLY

A founder quit their job and hit exactly $77.92 MRR in two weeks.

u/Old-Speech-3057 posted the cleanest first-dollar title we’ve seen this year: “I quit my job for my SaaS… now it’s making $77.92 MRR just only with two weeks, but more yet to come :)”. The post got 6 points and 11 comments. A skeptical commenter pushed back that organic search in 14 days is “nearly impossible,” and the OP clarified: the MRR is two weeks, the indexing took longer. They never said what the SaaS does. Don’t be the SalesRobot story above. Be this post first. Ship something. Charge for it. Get a Stripe screenshot. Then read the six-channel playbook.


STACK OF THE DAY

📋 Kanban-CLI

Tiny Bun-powered CLI by Vochsel that turns a Markdown file into a local Trello-style kanban board. Drag-and-drop in the browser, syncs back to the source Markdown, lives next to your TODO.md in git. Apache-2.0, no install: npx kanban-cli@latest board.md. v0.2.4 shipped this month, 32 commits total. Builder fit: open-source, runs locally, no SaaS lock-in, plays nice with the runtime that just made the day’s other big story.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

💪 Talking to 35 strangers at the gym - Thienan Tran ran a one-month experiment, approached one new person at his gym every day, logged each conversation in a spreadsheet, ended up with one real gym buddy and several recurring “hi” acquaintances. 1,234 HN points. The cold-approach script that runs in your head before walking up to a stranger is the same one that runs before sending a cold email. Same fix.

📰 Simon Willison’s April 2026 newsletter - Monthly roundup covering Opus 4.7 + GPT-5.5 (both with price increases), the Claude Mythos / LLM security research thread, ChatGPT Images 2.0, and his current “what I’m using” tool list. Reliable monthly catch-up if you missed half of April.

🧠 What I’m Hearing About Cognitive Debt (So Far) - Margaret Storey (UVic) revisits the engineering concept where shortcuts in understanding compound into invisible debt. Adapted to AI-coded systems: the AI handles syntax, the developer never builds the mental model. Pairs perfectly with the pentester writeup above.