Mini Shai-Hulud just jumped from npm to PyPI through PyTorch Lightning. Versions 2.6.2 and 2.6.3, running on 311,027 installs a day, ship an 11MB worm that drains AWS keys, GitHub tokens, .env files, and crypto wallets, then re-publishes itself through your npm token.
This is the third Mini Shai-Hulud campaign in 2026 and the first to cross from npm into PyPI. AI builders run Lightning in cloud environments with broad IAM permissions, so a single pip install is now a credential firehose.
In today’s indie hacker news:
- PyTorch Lightning’s pip install drains AWS keys and crypto wallets
- IBM’s 8B Granite beats its own 32B model and runs on a laptop
- Skio sold for $105M cash on $8M raised, no Series A
- Vercel’s $20 plan really costs $564 with 14 line items
- Linux distros find out about kernel CVEs from public commits
TOP STORIES
PIP INSTALL WORM
Mini Shai-Hulud worms its way into PyTorch Lightning. AWS keys gone in 18 minutes.
The story: Semgrep flagged PyTorch Lightning versions 2.6.2 and 2.6.3 on April 30 as the first PyPI target of the Mini Shai-Hulud worm campaign. The malware injects code into __init__.py, downloads Bun JavaScript runtime v1.3.13, then runs an 11MB obfuscated payload called router_runtime.js from a hidden _runtime/ directory. It scans for SSH keys, .env files, AWS/GCP/Azure/Kubernetes credentials, npm tokens, and cryptocurrency wallets (Bitcoin, Monero, Exodus, Atomic, Ledger), RSA-2048 encrypts the haul, then exfiltrates through four parallel channels including GitHub commit-search dead drops. If npm credentials are present on the box, the worm re-publishes itself through your packages.
The details:
- The
lightningpackage gets 311,027 daily installs on PyPI, plus 436,296 more for the legacypytorch-lightningalias - Persistence hooks planted in
.claude/settings.json(Claude Code SessionStart) and.vscode/tasks.json(folderOpen) re-launch the dropper every time you open the project - Lightning AI’s Andy McSherry confirmed the PyPI credentials were compromised; the GitHub repo was clean and malicious versions were quarantined
- Socket flagged the upload 18 minutes after publication, but
pipcaches mean infected envs already exist in the wild - Third Mini Shai-Hulud target after Bitwarden CLI and SAP npm packages; first jump from npm into the Python package index
Why builders care: Run pip show lightning right now. If you’re on 2.6.2 or 2.6.3, downgrade to 2.6.1 and rotate every secret in that environment: AWS keys, GitHub tokens, .env, crypto seeds. Then check .claude/settings.json and .vscode/tasks.json for a setup.mjs line. Pin your ML deps; pip 26.1’s --uploaded-prior-to=P1D flag blocks brand-new versions on CI. (Speaking of agents billing you for words you didn’t write, see Drama for what Anthropic’s classifier did next.)
Work from any WiFi like it's your home network. NordVPN's Meshnet runs a free private mesh between your laptop, dev box, and home server. SSH from a café without exposing a port, the way you'd use Tailscale. The paid VPN on top lets you test geo-fenced Stripe checkouts or feature flags from any country.
We get a cut if you sign up. Only added for tools we use ourselves.
8B BEATS 32B
IBM’s 8B Granite 4.1 just out-scored its own 32B MoE on tool calls and instruction following.
The story: IBM dropped Granite 4.1 yesterday: three dense decoder-only models at 3B, 8B, and 30B, all Apache 2.0. The 8B variant scores 87.06 on IFEval and 68.27 on BFCL v3 tool-calling, both higher than IBM’s own prior-gen 32B-A9B MoE. It’s a 5.3GB Ollama download, fits on any 8GB-VRAM laptop or M-series MacBook, and runs on llama.cpp, vLLM, and SGLang with no custom tooling. Hugging Face published a coordinated build post the same day.
The details:
- 512K context window for 8B and 30B; 128K for 3B; pre-trained on 15 trillion tokens across 5 phases
- Non-reasoning architecture means predictable token counts and latency, important for production RAG and tool-calling pipelines
- HN tester 2ndorderthought: “I test drove it yesterday. It’s pretty impressive at 8b. Runs on commodity hardware quickly.”
- Contrarian view from the same thread: dissahc says Qwen3.5 9B still beats Granite 4.1 30B on artificialanalysis (32 vs 15 score)
- Available now:
ollama run ibm/granite4.1:8b
Why builders care: If you’re running local inference for RAG, coding assist, or tool-calling agents, Granite 4.1 8B is the new local default to benchmark against. Qwen3 still edges it on raw coding, but Granite wins on structured extraction, instruction following, and tool calls, which is the actual bottleneck in production agentic pipelines. Apache 2.0 means zero legal friction for a commercial product.
$8M IN, $105M OUT
YC alum Skio sold for $105M cash on $8M raised. Solo founder, profitable, no Series A.
The story: Recharge acquired Skio on April 30 in a $105M all-cash deal that closed at signing. Solo founder Kennan Frost raised $8.55M total across YC S20 plus a $3.7M Adjacent seed in 2021, then never raised again. Skio hit $32M ARR profitable, processed $4B in payments, and Frost stepped back two years before the sale to let his former COO Aidan Thibodeaux take over as CEO and run it to exit.
The details:
- Pivoted hard during YC S20 before landing on Shopify subscription billing; Frost says he ‘completely failed during the batch’ until the pivot
- Roughly 70 employees at exit; brands include Liquid I.V., Milk Bar, Polaroid, Barstool, and Unilever
- Combined Recharge-plus-Skio entity now powers 20,000 merchants and $20B in annual GMV
- About 12.3x return on every dollar of capital invested; Frost’s personal cut estimated at $47M-$58M
- Frost already moved on, founded Icon, an AI ad-generation tool
Why builders care: This is the canonical low-dilution exit indie hackers actually want: solo founder, single seed, no VC treadmill, profitable before the call. A 3.3x ARR multiple isn’t a moonshot; it’s a disciplined operator picking a sticky B2B niche (Shopify subscription billing) that became infrastructure. Pick a category that’s sticky, get profitable, then wait for the strategic acquirer who needs you more than you need them.
THE UPSELL GAME
A solo builder just receipt-checked Vercel’s $20 plan at $564. 14 line items vs 3 marketing columns.
The story: Rofi (@bidah on X) shipped an 8-part takedown of Vercel pricing that opens with a fake invoice for Team Sunrise-7: $564.58 owed on a plan whose marketing page says $20. The site cross-references Vercel’s published docs against builder horror stories. Hobby’s hard cap stops your site at 100GB bandwidth (HTTP 402 with x-vercel-error: DEPLOYMENT_PAUSED). Pro’s spend cap is soft, meaning bills can exceed it. A documented DDoS incident on Pro generated a $23,000 bill at the standard $0.15/GB rate, roughly twice AWS egress.
The details:
- Pro starts at $20 but includes only 1 developer seat; each extra seat is $20/mo permanently
- SAML SSO costs $300/mo as a Pro add-on, free on Enterprise (compliance forced upsell)
- HIPAA BAA: another $350/mo on Pro
- Image optimization charges separately; one builder’s 28K transforms added $115/mo
- Vercel CEO signaled IPO readiness in April with ARR tripled from $100M to $340M in 18 months; the pricing is working for Vercel even as builders bleed
Why builders care: Vercel is the default Next.js deploy target because Vercel created Next.js. Solo founders on Hobby get hard-cutoff downtime instead of overages, worst possible time being when a side project goes viral on HN. Pro founders face 14 potential line items, DDoS liability, and a per-seat tax. Cloudflare Pages (free egress), Railway, Render, and a $20 VPS all undercut Vercel at small-to-medium scale. Switching costs are real if you’re deep in Edge Functions, but the receipt is now public.
732 BYTES TO ROOT
A 732-byte Python script rooted Ubuntu, RHEL, and SUSE before any distro got told.
The story: Sam James from Gentoo posted to oss-security on April 30: “For Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions. It did not happen here.” The triggering bug is CVE-2026-31431 ‘CopyFail’, a local privilege escalation in the kernel’s authencesn AEAD cryptographic template. It’s been live since kernel 4.14 in 2017. A 732-byte Python proof-of-concept achieves root on any affected system. At public disclosure, only 2 of 7 supported LTS branches were patched.
The details:
- Confirmed vulnerable: Ubuntu 24.04 LTS, RHEL 10.1, SUSE 16, Amazon Linux 2023, Rocky Linux 9.7, Debian; Solar Designer reproduced root on Rocky 9.7
- Greg KH’s documented kernel policy: reporters should never contact linux-distros first, the team rejects its mandatory 14-day public disclosure
- 3,649 kernel CVEs assigned in 2025, 8-9 per day, no prioritization signal to distros
- HN’s tptacek (Thomas Ptacek): “It is literally not the vulnerability researcher’s problem to solve or address this.”
- SUSE’s Jiri Kosina, on the kernel team’s stance: “many kernel security fixes will go by unnoticed, as distro kernel people will never be explicitly made aware of them”
Why builders care: Every indie hacker with a VPS, K8s node, CI runner, or shared host is downstream of this gap. CopyFail turns any unprivileged shell into root on the exact distros running most bootstrapped products. Distros find out the same way attackers do, by watching the public git log. If you haven’t pulled a kernel update in a week, that window may still be open on your servers.
TRENDING TODAY
🔥 r/LocalLLaMA called April “one of the best months of all time for local LLMs” - 329 upvotes, 109 comments. The wave: Qwen 3.6 (27B/35B/122B-A10B), Gemma 4 31B Apache 2.0, GLM-5.1 744B MoE, Kimi K2.6, Granite 4.1, AMD Halo Box (Ryzen 395, 128GB unified memory). All runnable without a cloud subscription. The ground is shifting fast under hosted inference providers.
💸 LLM Spend Guard launched on r/microsaas - a proxy that intercepts OpenAI-compatible API calls and returns HTTP 402 once your monthly cap is hit. Free tier covers $100/mo per project. Built after a dev got billed $1,800 despite a $100 alert because the alert fired while he was away and the agent kept running. Alerts aren’t stops.
🛠️ Show HN went indie-tool flood today - Pu.sh (coding-agent harness in 400 lines of POSIX shell), ClawIRC (IRC for agents), Winpodx (Windows apps as native Linux windows), Vibe (single-header C networking lib), KeeWebX (KeePass running from a double-clicked HTML file). All under 8 hours old. Show HN’s median post used to be a YC-funded SaaS; today it’s a 400-line tool one person wrote on a weekend.
DRAMA
CLASSIFIER PART 2
Claude Code now refuses requests if your git history mentions OpenClaw.
Theo Browne posted to X: Claude Code refuses requests or routes them to extra billing if your commit history contains the string ‘OpenClaw’. Same server-side classifier that hit HERMES.md yesterday. Anthropic claimed it was ‘fixed’. The fix patched HERMES.md but left every other competitor name in the trigger set. 1,016 HN points and 568 comments today. Three independent reproductions in the thread including @abdullin (full session quota drained on a JSON schema string {"schema": "openclaw.inbound_meta.v1"}) and flutas ($0.20 charged on a single prompt with full Max plan quota free).
Why builders care: Second time in 48 hours Anthropic’s anti-abuse classifier billed paying subscribers based on words in their git history that have nothing to do with the current session. The classifier exists to enforce the April 4 rule blocking third-party harnesses from Pro/Max quota. The deeper issue: a single substring filter cannot safely scope. Promise, fix, break, repeat is more damaging than the original bug.
FIRST DOLLAR
21 DAYS, 12 USERS, $0 REVENUE
$1,200 spent on AWS, ads, and tools. The honest pre-revenue post.
A solo builder posted the honest version on r/microsaas: 21 days in, 12 users, $0 revenue, $1,200 spent on AWS infra plus data feeds plus Google Ads plus tools. Options flow scanner with AI chat, sentiment index, position sizing, and performance tracking, every feature except paying customers. Google Ads burned $128 on 55 clicks with zero conversions. The 4 best users came from a r/algotrading post that didn’t mention the product. Break-even sits at 11-12 paid subs at $27.99-$47.99/mo. Feature breadth doesn’t beat distribution.
10,000 COLD EMAILS LATER
The 6-month outbound experiment.
A B2B agency operator posted the head-to-head: 10,000 cold emails plus ~2,000 dials over 6 months. Static-database lists (Apollo-style export-and-blast) hit ~1% reply rate, half being unsubscribes. Intent-signal scraping, monitoring social platforms for people complaining about the exact problem the offer solves, doubled booked-meeting rate. The list-building method matters less than whether your offer solves a painkiller vs a vitamin.
STACK OF THE DAY
Pu.sh - a full coding-agent harness in 400 lines of POSIX shell by Nahim Nasser. Anthropic and OpenAI APIs, 7 built-in tools (bash, read, write, edit, grep, find, ls), REPL mode, auto-compaction, checkpoint/resume. Dependencies are just shell, curl, and awk. Install via curl -sL pu.dev/pu.sh. Free, open source, hackable. The anti-Claude-Code crowd just got their answer.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
📡 How Mark Klein told the EFF about Room 641A - MIT Press book excerpt on the AT&T technician who in 2003 found the secret room in San Francisco’s switching facility wired to mirror every fiber-optic cable into NSA equipment, then went public in 2006 via the EFF. 470 HN points, 154 comments.
💻 GPT-5.5 cyber capabilities evaluation - Simon Willison summarizes the UK AI Security Institute’s eval: 71.4% on expert cyber tasks, reverse-engineered a custom virtual machine from a stripped binary in 10 minutes for $1.73, completed 2 of 10 runs of a 32-step corporate network attack chain.
🛢️ How an oil refinery works - Construction Physics deep-dive. The killer fact: roughly 90% of all chemical feedstocks come from petroleum, so refineries aren’t just fuel suppliers, they’re the upstream of plastics, fabrics, fertilizer, and paint. 355 HN points.
Curated by AI, built by a human.