#038

Levels' $5/mo stack runs $150K/mo, Google snuck WEI back, and AI killed curl's bounty

Pieter Levels dropped his complete $5/mo stack: vanilla PHP, SQLite, Hetzner. Same recipe runs Photo AI at $150K/mo. Google snuck WEI back as a paid product. curl killed its bug bounty.


Pieter Levels published every line item of his production stack on Friday, the entire FREE/CHEAP/NOT-FREE recipe. Builders bookmarked it faster than they liked it.

This is his fourth stack tweet in as many editions. Earlier ones highlighted one tool; today’s named the whole menu and what each line costs.

In today’s indie hacker news:

  • 💰 Levels’ $5/mo Hetzner stack runs Photo AI
  • 🚫 Google reCAPTCHA now silently requires Play Services on Android
  • 🐛 curl killed its bug bounty; HackerOne and Node.js followed
  • 🏢 4 Claude agents shipped 35 tools and zero customers
  • 🦀 Stack: KillClawd, a sarcastic desktop crab on local Ollama

TOP STORIES

FREE, CHEAP, NOT-FREE

Levels published the full $5/mo stack: vanilla PHP, SQLite, Hetzner box, $150K/mo at 87% margin.

Levels published the full $5/mo stack

The story: Pieter Levels’ May 8 tweet opens with one word: FREE. Nginx on Ubuntu, vanilla PHP, vanilla CSS, vanilla JS, SQLite, Cron workers, Cloudflare Tunnel for DNS and SSL, Tailscale, OpenFreeMap for tiles, vanilla Node for game servers. Then CHEAP: xAI for AI calls, Stripe for payments, a Hetzner CX22 VPS, a Cloudflare domain. 197,988 views and 3,702 bookmarks against 2,792 likes in 15 hours.

Photo AI runs on the same recipe at $150K/mo MRR, 87% margin, 2,573 active subscribers, one employee, fully bootstrapped. After Lex Fridman tripled his traffic, CPU usage went down on a single VPS. No Kubernetes, no edge, no auto-scaling.

The details:

  • Hetzner CX22: 2 vCPU, 4GB RAM, 40GB SSD, 20TB traffic, €4.49/mo post April 2026 price adjustment (Hetzner)
  • xAI Grok 4.1 Fast at $0.20/M input tokens with up to $175/mo free credits via the data-sharing program. Most indie workloads land at zero (benchmark)
  • Total infrastructure for all of Levels’ non-AI sites combined sits under $1,000/mo with over 99% take-home margin (receipt)
  • A copycat repo php-jquery-sqlite-starter-pack already shipped with forks. rawdog.new is an AI app builder explicitly wrapped around the recipe
  • Edition #36 covered the Cloudflare Tunnel install on the same VPS. Today’s tweet adds the cost breakdown across all tiers

Why builders care: The default indie cloud bundle (Vercel + Supabase + Clerk + Resend) bills hundreds a month before its first paying user. Levels just published the dissent. The kicker: he’s one builder on a laptop outearning most YC-funded SaaS at the same revenue tier.


WEI BACK, NOW PAID

Google’s new reCAPTCHA silently requires Play Services on Android, locking out de-Googled phones.

Google's new reCAPTCHA locks out de-Googled Android

The story: Reclaim The Net broke the story May 8 that Google’s updated reCAPTCHA Mobile Verification swapped image puzzles for a QR-code challenge that requires Play Services 25.41.30+ on Android. GrapheneOS, /e/OS, CalyxOS, LineageOS and every other custom ROM without Google Mobile Services are structurally blocked from completing the captcha. The change shipped silently to existing reCAPTCHA customers via auto-enrollment in ‘Google Cloud Fraud Defense’, the rebrand Google announced at Cloud Next April 22.

Critics call it Web Environment Integrity returning via the paid commercial route. Google proposed WEI as a browser standard in 2023; W3C and Mozilla rejected it. The same hardware-attestation mechanism just shipped as enterprise SaaS, bypassing standards review entirely. 739 HN points, 256 comments in nine hours.

The details:

  • Mechanism: QR scan invokes Play Integrity API. Device endorsement key signs an ephemeral attestation key Google’s servers verify. Hardware attestation, not behavior analysis (HN thread)
  • 14M+ domains protected by reCAPTCHA/Fraud Defense per Google’s own claim. Every one of those mobile forms now silently fails for de-Googled users
  • An October 2025 Internet Archive snapshot already lists the Play Services requirement. Groundwork was laid six months before public reporting
  • Existing reCAPTCHA customers auto-enrolled in Fraud Defense with no opt-out, no migration, and no code change required. The dependency arrived without a notification
  • Drop-in alternatives: Cloudflare Turnstile (free forever, browser-only JS), hCaptcha, Friendly Captcha. None invoke Play Integrity. Firefox on Android is also unsupported because Mozilla declined to ship device attestation

Why builders care: If your site uses reCAPTCHA, any user on a privacy-focused Android who trips the escalation threshold gets a hard block, not a degraded UX. The affected population skews developer-heavy: privacy-conscious devs, security researchers, journalists, exactly the loud crowd who notice. Cloudflare Turnstile is a five-minute swap. The kicker: what the standards process killed in public, the billing department just relaunched in private.
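What the Turnstile swap looks like on the server, as an added example that is not from the newsletter or from Cloudflare: the widget is browser-only JS, and the backend posts its token to Turnstile’s siteverify endpoint and decides from the JSON answer. The endpoint, form field and response fields are Turnstile’s documented ones; the injectable fetch function and the canned-response helper are assumptions made so the logic runs offline.

```javascript
// Server side of a reCAPTCHA -> Cloudflare Turnstile swap (added example, not the
// newsletter's or Cloudflare's code). Documented widget markup, for reference:
//   <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
//   <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY" data-action="signup"></div>
// The submitted form then carries a field named "cf-turnstile-response".
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Pure decision logic over a siteverify JSON body, kept apart from the network call
// so it can be tested offline. Binding hostname and action to the form that issued
// the challenge rejects a token minted on another site or another form.
function evaluateSiteverify(data, { expectedHostname, expectedAction } = {}) {
  if (!data || data.success !== true) {
    const codes = Array.isArray(data && data["error-codes"]) ? data["error-codes"] : ["unknown"];
    return { ok: false, reason: "siteverify-failed:" + codes.join(",") };
  }
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (expectedAction && data.action !== expectedAction) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Full check for a request handler. fetchFn is injectable (an assumption for testing)
// and defaults to the global fetch of Node 18+. Any network or parse error fails
// closed: a captcha that cannot be verified counts as not passed.
async function verifyTurnstile({ secret, token, remoteIp, expectedHostname, expectedAction, fetchFn }) {
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  let data;
  try {
    const res = await (fetchFn || fetch)(SITEVERIFY_URL, { method: "POST", body });
    data = await res.json();
  } catch (err) {
    return { ok: false, reason: "siteverify-unreachable" };
  }
  return evaluateSiteverify(data, { expectedHostname, expectedAction });
}

// Constructed stand-in for fetch that returns a canned siteverify answer (test helper).
function cannedFetch(answer) {
  return async () => ({ json: async () => answer });
}
```

Unlike the Play Integrity path, nothing here depends on the device vendor; the only thing the server trusts is the siteverify answer signed off by Cloudflare over its own TLS connection.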


EMBARGO IS DEAD

AI killed curl’s bug bounty; HackerOne and Node.js followed; the 90-day disclosure model just collapsed.

AI killed curl's bug bounty

The story: Jeff Kaufman published on May 8 the cleanest framing yet of how AI is breaking both vulnerability disclosure cultures at once. The ‘fix it quietly in a high-volume commit stream’ approach Linux relied on for decades broke first: LLMs scan every merged kernel diff at scale, and security-relevant changes get flagged within hours of merge. The coordinated embargo broke too. Its load-bearing assumption (that independent researchers won’t rediscover the same bug inside the 90-day window) collapsed when AI scanning went mainstream.

The receipts arrived this year. Daniel Stenberg shut down curl’s bug bounty January 31 after legitimate submissions fell below 5%, the rest AI-generated slop with fabricated function names and fictional PoCs. HackerOne paused the Internet Bug Bounty March 27, citing AI-assisted research overwhelming maintainer triage. Node.js followed when HackerOne’s pause cut off its funding. Google stopped accepting AI-generated vulnerability reports in March.

The details:

  • Copy Fail (CVE-2026-31431): Kuan-Ting Chen independently rediscovered the same ESP vulnerability nine hours after Hyunwoo Kim’s initial report. The embargo collapsed before it could begin (Unit 42)
  • CVE-Genie multi-agent LLM successfully reproduced 51% of all 2024-2025 CVEs at $2.77 each. Working exploits generate in 10-15 minutes (CSA whitepaper)
  • Kaufman tested major AI models on Linux kernel commit f4c50a403 (networking tree). All flagged the security implications from the diff alone, with no source-code context beyond the patch
  • Top HN commenter tptacek: ‘AIs have vaporized the pretense’ that patches stay obscure in commit noise (thread)
  • DirtyFrag from edition #37 is the live example of ‘fix quietly’ failing. Hyunwoo Kim disclosed two kernel exploits a week apart, both networking-subsystem ESP bugs, both deterministic root

Why builders care: If you ship a side project with user data and you push a security fix, your commit message is now the zero-day. AI pipelines diff your patch and ship a weaponized exploit before users update. Practical playbook: silent patches with no ‘security’ or ‘CVE’ in the message, private 24-72h windows for downstream packagers, no public monetary bounty (it just feeds the agent slop economy). The kicker: drop the cash reward and the agents leave. Pay enough to triage real reports yourself.


AGENTS BUILT IT, NOBODY CAME

Three indie builders shipped ‘run a company on autopilot’ in 24 hours, all on the same 53k-star Paperclip layer.

Three indie builders shipped autopilot companies on Paperclip

The story: In one Saturday, three independent indie posts converged on the same idea: a company you operate via AI agents on a near-zero stack. Lakyus launched on Show HN as ‘the AI COO’. MarketingAI posted day 10 of an 18-day live experiment: four Claude Sonnet agents (CEO, CTO, Sprint Engineer, Head of Quality), 35+ tools shipped, zero paying customers, zero revenue. DeepEval published ‘Vibe code your agents without vibe coding your agent’, the eval-first counter to the autopilot wave.

The shared substrate is Paperclip, the open-source Node.js + React orchestration layer that hit 53,000+ GitHub stars in its first six weeks after launching March 2. Org charts, agent budgets, heartbeat schedules. MarketingAI’s verdict so far: product is easy, distribution is everything.

The details:

  • MarketingAI’s free-tier stack: Paperclip + Vercel free + GitHub free + MailerLite (1k subs and 12k emails/mo, the first hard limit they’ll hit) + Stripe (2.9% + 30¢) + Gumroad (10% fee). 18-day target was $200 AUD, public ledger empty with eight days left
  • Paperclip creator @dotta was running an automated hedge fund with 20+ Claude Code tabs before building the orchestration layer. Solved the shared-context, cost-tracking, state-recovery problem the rest of us are still wiring by hand
  • DeepEval (15.3k stars) frames the loop differently: coding agent installs the eval framework, generates test datasets, runs deepeval test run, patches smallest fix, repeats. Quality layer for the autopilot wave
  • Lakyus’ website blocks direct fetch (HTTP 403). No founder, pricing, or live demo indexed as of today. Most opaque of the three voices, possibly vapor or early waitlist
  • Same convergence pattern as edition #37’s local-control-plane cluster. When 3 independent builders ship the same abstraction in a day, the playbook just went mainstream

Why builders care: Convergence on Paperclip means the indie scene has a shared multi-agent runtime. Read the three voices together: MarketingAI surfaces the real bottleneck, Lakyus tests the managed-service wrapper, DeepEval ships the quality layer everyone eventually has to build. The kicker: agents can build product autonomously today. Distribution still needs a human in 2026.


📚 Karpathy’s LLM-Wiki pattern shipped as a default Hermes Agent skill. @coreyganim posted two threads on the bundled implementation: drop raw sources in raw/, one CLAUDE.md schema tells the agent how to organize, agent ingests and cross-links into 10-15 markdown wiki pages with no RAG re-discovery on every query. 152 bookmarks on the primary thread vs 58 likes (2.6x save-to-like ratio). Karpathy published the original gist last month; Nous Research turned it into a built-in.

💸 r/SaaS turned into a first-dollar confession booth this Saturday. Three top-scoring posts in 24 hours: ‘4 paying users in one day’ (Askmeety, 49 upvotes), ‘I studied 47 SaaS products that went $0 to $10K MRR last year’ (deleted by author shortly after posting), and roughly six separate ‘I built a SaaS but have no idea how to get my first users’ threads stacked on the front page. Pattern: more builders crossing $0 to $100 MRR in public this week than any in recent memory.


DRAMA

ONE TRICK MARKETER

Roy Lee fires back at Cluely critics with seven-figure-solo receipt; Linahuaa: ‘not that special’.

Cluely’s Roy Lee dropped a fully loaded receipt: solo built and marketed Interview Coder past seven figures of profit in months, hardly touched the $20.3M he raised since. 758 likes, 90 replies, 103,401 views in three hours. @Linahuaa fired back: ‘I’m not a coder but I built two separate bootstrapped >$1M businesses by age 22 as well. I flex this to troll normies. Not that special.’ Reminder: in March 2026 Roy admitted he’d lied to TechCrunch about Cluely’s $7M ARR; actual was $5.2M.

Why builders care: The spat crystallizes indie Twitter’s central anxiety: is bootstrapped seven-figure profit a real signal of builder quality, or is it manufacturable with a clipping farm and audacity? Roy is unusually willing to fight publicly about his own numbers even after admitting he lied about them once, which makes him the community’s stress test for how to price reputation against results. The kicker: Cluely had 700 paid video clippers pumping content. The marketing was never one person, even when the build was.


FIRST DOLLAR

100 PAID DOWNLOADS, 80 DAYS

A solo iOS dev shipped a $1.99 voice-memo merger and let App Store search do the rest.

u/oceabside hit 100 paid downloads on Combine Voice Memos+ after 80 days, $1.99 a copy, users in 17 countries, roughly $199 lifetime revenue. 70%+ of downloads came from App Store Search alone, ranked #3 for ‘combine voice memos’ and #7 for ‘merge voice memos’. First sale on day 5. He treats it as a tiny digital asset: low ceiling, niche pain, one to two daily downloads on autopilot. ASO outperformed every other channel he tried. The opposite end of the spectrum from yesterday’s autopilot-company experiment, and the part with paying users.


STACK OF THE DAY

🦀 KillClawd

KillClawd is a transparent always-on-top desktop overlay, a tiny AI crab named Clawd who wanders your screen, judges your file organization, and roasts you in real time. Built in roughly 2,000 lines of vanilla JS and Electron 28, runs entirely on local Ollama (default qwen 4B, any model works), no cloud calls, no API key, no subscription. Dual-model architecture: one model streams replies fast, a background model refreshes the response pool so Clawd never repeats the same line. r/SideProject, r/artificial, and Show HN all picked it up on launch day. Built by a physics student named ninjahawk. MIT, Windows-only.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

🐜 Ant: a from-scratch JavaScript runtime in 9 MB. Custom ‘Ant Silver’ engine, not a V8 wrapper. 81% C, 12% JS, 6% Zig. Cold start 5.4ms vs Node 31ms vs Bun 12.8ms. WinterTC conformant. 252 stars, MIT, solo build by theMackabu.

📄 Simon Willison: The Unreasonable Effectiveness of HTML. Argues HTML beats Markdown when prompting LLMs for explainers because it unlocks SVG diagrams, interactive widgets, in-page nav. If you ship Claude-generated tutorials, ask for HTML and let the model draw.

📈 Nevo David: 0 to $93K MRR with Postiz, tier by tier. Five moves: Apache 2.0 open source for the 0-tier, Product Hunt #1 day/week/month, n8n integration that doubled MRR, AI-agent integrations via OpenClaw and MCP, sell outcomes not tools at the top end.


Curated by AI, built by a human.