#002

The First Vibe-Coded Billion-Dollar Company, Cursor 3, and the Axios Hack

A solo founder built a $1.8B telehealth company with $20K and AI tools. Cursor 3 just dropped. North Korea hacked the axios npm package. And Levelsio launched Vibe Jam 2026 with $35K in prizes.

A solo founder just built a $1.8 billion company with $20K and a pile of AI tools. Cursor 3 dropped with a full agents overhaul. North Korea compromised the axios npm package. And Levelsio launched Vibe Jam 2026 with $35K in cash prizes. Here’s what happened.

In this edition:

  • Medvi: the first vibe-coded billion-dollar company
  • Cursor 3 launches with multi-agent workflows
  • North Korea hacked axios on npm
  • Vibe Jam 2026 is live with $35K in prizes
  • Numbers of the week

TOP STORIES

$20K AND AI TOOLS TO $1.8 BILLION

Medvi might be the first vibe-coded billion-dollar company

The New York Times just profiled Matthew Gallagher, 41, who built Medvi, a GLP-1 telehealth startup, with $20,000 and more than a dozen AI tools. He used Claude, ChatGPT, and Grok for code. Midjourney for marketing images. ElevenLabs for customer service calls.

The result: $401M in revenue in 2025. $65M net profit. On track for $1.8B in 2026 sales. Two employees total.

The details:

  • Built the platform in 2 months with $20K
  • 250,000 customers in year one
  • 16.2% net profit margin ($65M)
  • Uses Claude, ChatGPT, Grok, Midjourney, ElevenLabs
  • @nic_carter’s tweet calling it the “first vibecoded billion-dollar company” hit 2.5M views and 4,165 bookmarks

Why builders care: @levelsio said it best: “It’s not an AI/tech biz that is $1B solo. It’s a medical business that applied AI.” The biggest vibe-coding wins won’t be yet another SaaS tool. They’ll be applying AI to slow-moving industries where the incumbents can’t adapt.

THE AGENT ERA BEGINS

Cursor 3 drops with multi-agent workflows and design mode

Cursor shipped version 3 on April 2. The biggest change: it’s agent-centric now. You can run multiple AI agents in parallel across repos, locally, in worktrees, in the cloud, and on remote SSH.

New features include Agent Tabs for viewing multiple chats side-by-side, Design Mode for annotating UI elements directly in the browser, and /worktree and /best-of-n commands for isolated task execution.

The details:

  • 376 HN points, 304 comments
  • Agent Tabs: run many agents in parallel, view side-by-side
  • Design Mode: annotate browser UI elements to direct agents
  • New /worktree command for isolated task execution
  • /best-of-n for comparing outputs across models
  • Available immediately to all Cursor users

Why builders care: The IDE wars just became the agent orchestration wars. Cursor is betting that the future of coding isn’t “AI helps you write code” but “you manage a team of AI agents writing code.” If you’re still using Cursor like a fancy autocomplete, you’re leaving power on the table.

NORTH KOREA HACKED YOUR DEPENDENCIES

Axios npm supply chain compromise hit 100M weekly downloads

On March 30, a North Korean threat actor (UNC1069) compromised a maintainer’s npm account for axios, the JavaScript HTTP library with 100 million weekly downloads. They published two backdoored versions that delivered a cross-platform Remote Access Trojan.

Google and Microsoft both attributed the attack to North Korean state actors. The malicious versions were live for a window before being caught.

The details:

  • Axios has ~100M weekly npm downloads
  • Attacker published axios@1.14.1 and axios@0.30.4 with RAT payloads
  • Backdoor delivered via a malicious postinstall hook
  • 135+ endpoints observed contacting attacker C2 infrastructure
  • Safe versions: axios@1.14.0 and axios@0.30.3
  • Attributed to North Korean group UNC1069 / Sapphire Sleet

Why builders care: If you’re an indie hacker running npm install without lockfiles and audits, this is your wake-up call. The axios package is in virtually every Node.js project. Run npm audit today. Pin your dependency versions. This won’t be the last time a state actor goes after the JavaScript supply chain.
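To make the lockfile advice concrete, here is an added example (not code from this newsletter or from the axios project) that scans a parsed package-lock.json for the two axios versions named above, including nested and aliased copies, and lists packages that declare install scripts. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: versions below are the two the article names as backdoored.
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);

// Package name from a lockfile install path, scoped names included.
const nameFromPath = (p) => p.split('node_modules/').pop();

function check(name, version, path, hasScript, findings) {
  if (name === 'axios' && BAD_AXIOS.has(version)) {
    findings.compromised.push({ path, version });
  }
  if (hasScript) findings.installScripts.push(path);
}

// Lockfile v2/v3: flat "packages" map; "name" is set when an alias is used.
function scanPackages(packages, findings) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // root project entry
    const name = meta.name || nameFromPath(path);
    check(name, meta.version, path, meta.hasInstallScript === true, findings);
  }
}

// Lockfile v1: nested "dependencies" tree, no install-script flag recorded.
function scanTree(deps, trail, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${trail}node_modules/${name}`;
    check(name, meta.version, path, false, findings);
    scanTree(meta.dependencies, `${path}/`, findings);
  }
}

function scanLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  if (lock.packages) scanPackages(lock.packages, findings);
  else scanTree(lock.dependencies, '', findings);
  return findings;
}

// Constructed sample lockfile (not real project data).
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/http-client': { name: 'axios', version: '0.30.4' },
    'node_modules/native-addon': { version: '2.0.0', hasInstallScript: true },
  },
};
console.log(JSON.stringify(scanLockfile(sampleLock), null, 2));
```

On a real project, pass in the parsed contents of package-lock.json instead of the sample. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks such as postinstall from running while you review the install-script list.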

VIBE JAM IS BACK

Levelsio launches 2026 Vibe Coding Game Jam with $35K in prizes

@levelsio announced Vibe Jam 2026, sponsored by Cursor and Bolt. $20K for gold, $10K for silver, $5K for bronze. Rules: at least 90% of code must be AI-written, games must be web-based with no login required, and you can’t submit old games.

The announcement hit 170K views and 1,281 bookmarks. Deadline: May 1, 2026.

The details:

  • Sponsored by @cursor_ai + @boltdotnew
  • $20K / $10K / $5K prizes
  • 90%+ code must be AI-generated
  • Web-based, no login, no heavy loading screens
  • Deadline: May 1, 2026 at 13:37 UTC
  • 170K views, 1,281 bookmarks, 109 retweets on announcement

Why builders care: Last year’s Vibe Jam was a benchmark for what AI coding could do. This year will show how far it’s come. If you’ve been wanting to try Cursor or Bolt for game dev, this is the perfect excuse. One month, one game, real cash prizes.


BUILDER SPOTLIGHT

FROM $20K TO $1.8 BILLION WITH AI

Matthew Gallagher (@gallagator) built Medvi with AI and no engineering team

Gallagher, 41, grew up in a trailer park. Dropped out of university. Built a viral URL shortener (millions of hits, $0 earned), then a watch marketplace ($300M peak sales). When GLP-1 drugs exploded, he spent 2 months and $20K building Medvi with Claude, ChatGPT, Midjourney, and ElevenLabs.

The numbers: $401M revenue in 2025, $65M net profit, $1.8B projected 2026, 250K customers, 2 employees

Why builders care: He didn’t build an AI company. He used AI to build distribution for an existing massive market. The tech is the enabler, not the product.


What indie hackers are talking about right now:

🎮 Vibe Jam 2026 is dominating the timeline - @levelsio’s game jam announcement (170K views) has everyone brainstorming multiplayer browser games. He’s even building tracking widgets in PHP so games can be ranked by actual player count during the jam.

🤖 AI costs matching payroll - @tednotlasso dropped a quote overheard in NYC: “our company’s AI credit costs now match our payroll costs, will probably outpace it this week.” 137K views, 1,677 likes. The era of AI being “basically free” is ending fast.

💻 Garry Tan code quality debate continues - @levelsio defended Tan with 170K views: “the ‘real’ devs once again gatekeeping, out of fear non-coders are now entering their scene.” @RhysSullivan is calling out GitHub’s status page as misleading (39K views). The vibe coding discourse isn’t going away.


DRAMA CORNER

NPM IS A NATIONAL SECURITY PROBLEM

A single compromised account, 100M weekly downloads, and auto-running postinstall scripts

Microsoft, Google, Elastic, Snyk, and Huntress all published analyses of the axios hack within days. The response was fast. The question: why was a single maintainer account enough to backdoor a package installed on half the JavaScript projects in production?

Why builders care: Every indie SaaS running npm install is one compromised package away from shipping malware to customers.


BOOKMARKED THIS WEEK

Reads, tools, and resources worth saving:

📌 @coreyganim: AI agency playbook for small-scale wealth - Build AI marketing agencies, sell skill packs for $97-297, or create programmatic SEO lead gen. 540 bookmarks, 39K views. Practical and specific.

📌 @coreyganim: $999 AI audit playbook - Charge $999 for a 45-min interview, feed transcript to Claude, build report in Gamma, upsell $3-10K. 513 bookmarks, 37K views.

📌 @starter_story: Founder with 5 apps making $700K/month - Full breakdown of the stack, revenue splits, and growth strategies. 598 bookmarks, 23K views.


NUMBERS OF THE WEEK

  • $1.8B projected - Medvi (GLP-1 telehealth), 2 employees, built with AI tools for $20K
  • $2M ARR - @itsumeshk’s Runable, hit milestone 3 weeks after launching 2.0 (519K views, 393 bookmarks)
  • $130K MRR - @cormachayden_’s Oasis, annual subs only, 24K views
  • $1M/month - Online logo maker profiled by @starter_story, solo operation

Curated by AI, built by a human. Get this daily: indiehacker.news | X | Telegram