⚔️ 73 Packages Just Burned AI Agents

73 npm packages. The moment an AI agent opened them, a self-replicating credential stealer ran. This is the second time in weeks, same vector, same target: packages that look legitimate until an agent touches them.

This one matters for operators, not just security teams. Agents don't scan before they install. They follow instructions, and right now the instructions don't include "verify the package isn't poison." Ars Technica has the breakdown.

The practical fix is simple: lock your package versions, run agent installs in a sandboxed environment, and never give your agent credentials with write scope unless the task specifically requires it. The window between "agent fetches a dependency" and "credentials are exfiltrated" is narrower than most pipelines account for.

Today's issue: 9 Drops across Claude Code tools, skills, and vector infrastructure, 3 Stack picks, 4 Signals, one Onboard technique for context control, and a Playbook move for wiring Claude's output into a repeatable git workflow.

---

[Repo] turbovec, A Rust-based vector index built on TurboQuant, with Python bindings. 8,705 stars. If you're running local RAG or semantic search and the bottleneck is index speed, this replaces the Python-native options and cuts query overhead hard. Worth benchmarking against FAISS before your next production decision.

[Repo] google/skills, Agent skills for Google products and technologies, 12,333 stars. Google's own curated skills layer for agents touching Workspace, Cloud, and Maps. If your agent stack touches any Google product, this is the canonical integration reference, not a third-party wrapper.

[Skill] antfu/skills, Anthony Fu's curated collection of agent skills, 5,223 stars. Antfu ships high-signal tooling, and the curation bar here is visible: these aren't prompt templates, they're composable skills built for Claude Code operators who already know what they're doing. Pull the ones relevant to your stack before building your own.

[Skill] geo-seo-claude, A GEO-first SEO skill for Claude Code, 8,010 stars. Covers citability scoring, AI crawler analysis, brand authority, and schema markup in one pass. The angle is optimizing for how AI systems reference your content, not just how Google indexes it. Relevant if you're building content pipelines or any site that needs to surface in LLM-driven search.

[Repo] Claude-Code-Remote, Control Claude Code remotely via email, Discord, or Telegram, 1,249 stars. Start a task locally, close your laptop, and receive a notification when Claude finishes. Reply to the email or message to send the next command. The async loop this enables is the real unlock: Claude runs overnight, you direct it from your phone.

[Repo] claude-code-log, Converts Claude Code transcript JSONL files into readable HTML or Markdown, 1,084 stars. Your sessions accumulate fast. This gives you a human-readable audit trail of what Claude actually did, what tools it called, and what it decided. Useful for debugging agent behavior and documenting workflow decisions.

[Repo] ClaudeNightsWatch, Autonomous task execution for Claude CLI that monitors usage windows and runs predefined tasks automatically, 361 stars. Lower star count, but the use case is specific: queue work to run when your usage window resets, hands-free. The name says it.

[Repo] haystack, Open-source orchestration framework for building production-ready LLM applications, 25,496 stars. Modular pipelines, explicit control over retrieval and generation, battle-tested in production across enterprise deployments. If you're building anything context-engineered beyond a single-turn call, Haystack is the architecture reference to check against.

[Repo] skyvern, AI-driven browser workflow automation, 21,856 stars. Not a scraper. Skyvern navigates real browser sessions the way a human would, which means it handles dynamic pages, login flows, and multi-step forms that break every headless script you've written. Drop it into the workflows where human-in-browser was still the fallback.

---

[MCP] plumb-mcp, A local Figma MCP server with no REST rate limits, no metered tool-call quotas, and a built-in verification loop. Drop-in alternative to Figma's Dev Mode MCP and Framelink for Claude Code, Cursor, and Windsurf. The non-obvious config detail: running local means your tool calls don't count against Figma's metered API, relevant the moment you start looping Claude over a complex design file.

[MCP] line-oa-mcp-ultimate, 27 tools for managing a LINE Official Account through Claude: broadcasts, audiences, rich menus, Flex messages, coupons, and insights. Works with Claude Code and any MCP-compatible client. If you're operating in Southeast Asia or running any LINE-based business automation, this is the integration that replaces the custom API wrapper you were going to build.

[MCP] resale-agent-skill-hub, Eight Claude Code skills plus an MCP server built for multi-platform C2C resale automation: listing, pricing, cross-posting, and tracking across second-hand marketplaces. Narrowly useful, but an honest example of what a domain-specific agent toolkit looks like when it ships complete. Worth studying the architecture even if you're not in the resale space.

---

Claude Code shipped a fallbackModel setting. You can now configure up to three fallback models that Claude Code tries in order when your primary is overloaded or unavailable. Small change, real operator impact: the "model overloaded" wall that stalls a run mid-task becomes an automatic detour instead of a hard stop. If you run long autonomous sessions, set a cheaper or alternate model as the fallback so work keeps moving through peak-load windows. (Claude Code release notes)

The skills.sh API opened to queries. Vercel's skills.sh index now has a public API against 600,000+ open-source agent skills. You can authenticate, search by capability, and pull detailed specs programmatically. This changes how you discover and compose skills: instead of browsing repos, you query a catalog and pull exactly what fits your agent's tool spec. (Vercel)

Simon Willison shipped datasette-agent-edit 0.1a0. Early alpha, but the capability is specific: collaborative Markdown editing and live SQL query updates, driven by an agent inside Datasette. If you're running any data review or annotation pipeline, this pattern of letting an agent edit structured documents in place is worth watching. The 0.1a0 label means it's not production-ready, but the primitive is the interesting thing. (Simon Willison)

Anthropic filed a confidential S-1. The frontier labs are moving toward the public markets: Anthropic confirmed its confidential IPO filing on June 1, with OpenAI reported to have filed its own weeks earlier. The operator-relevant consequence holds either way: once these companies answer to public shareholders, quarterly earnings calls and analyst pressure on margins create a structural incentive to monetize API access harder. Not imminent, but the cost structure that keeps today's API pricing where it is now has a clock on it. (TechCrunch)

---

This week: Context and cost control. The technique most operators learn too late.

Claude Code compacts your context automatically when it gets long, but by then the window is already noisy, expensive, and prone to drift. The operator move is controlling this yourself, not waiting for compaction to trigger.

1. Know your window. Run /status mid-session to see how much context you've consumed. When you're past roughly 60-70% and the task has changed, you're paying to carry dead context. 2. Clear deliberately. Run /clear when a subtask is done and the next one is unrelated. This isn't losing work, your files are on disk, your CLAUDE.md still loads, your session starts clean with full memory of what the project is. 3. Use compaction for continuity, /clear for pivots. Compaction summarizes the session and continues. /clear resets entirely. Use compaction when you need the agent to remember the thread; use /clear when you're switching jobs and the thread is just cost.

You'll know it's working when your cost-per-session drops and Claude stops referencing context from three tasks ago that's no longer relevant.

Claude Code docs: context and cost control

---

Move: Git-checkpoint loop with Claude as the committer.

The problem: Claude edits across multiple files and you lose track of what changed when. The fix is a structured checkpoint pattern that keeps the history clean without adding friction.

1. Add this to your CLAUDE.md: After completing any discrete task, run: git add -A && git commit -m "[claude] ". Claude will commit its own work at each natural break. 2. At the start of a session, run git log --oneline -10 and paste it into the context. Claude can now see what it already shipped and won't duplicate work. 3. If a Claude commit breaks something, git revert HEAD is one command. No archaeology required.

You'll know it's working when your git log reads like a clean task list and you can bisect a regression in under two minutes.

This pairs directly with Claude-Code-Remote from today's Drops: Claude runs async overnight, commits at each checkpoint, and you wake up to a legible history of exactly what shipped.

---

There's a specific visual tell that marks most AI-generated video ads as fake within two seconds. This Friday's kit is Ad Factory, and the spine of it is one technique that kills that tell: The AI-avatar talking-head ad you shoot without a camera, plus the bokeh trick that kills the AI look. The question this kit answers is what makes the difference, because understanding the mechanism is what lets you apply it across every clip you produce, not just the template. Friday drop, full kit, the whole method. Upgrade to access it here.

---

The poisoned packages story is the one I keep coming back to today. It's not a new attack class, but the vector is new: the agent as the unwitting installer. Every automation that fetches a dependency without human review is a potential exposure point. Worth thirty minutes of your day to audit what your agents can install and where those installs happen.

See you Wednesday.