WEBVTT
NOTE The Rundown — nextbig.dev daily audio edition, 2026-05-20

1
00:00:00.000 --> 00:00:06.384
<v Alex>Hey everyone, welcome to the Builder's Briefing for May 20th, 2026. I'm Alex, here with Sam, and we've got a packed show today — a major hire shaking up the AI ecosystem, some gnarly supply chain attacks, and the AI coding stack is consolidating fast.

2
00:00:06.384 --> 00:00:10.530
<v Sam>Yeah, there's a lot happening. And honestly, the lead story today might be one of the most significant talent moves we've seen in AI in a while. Let's get into it.

3
00:00:10.530 --> 00:00:18.821
<v Alex>So, the big one — Andrej Karpathy has announced he's joining Anthropic. This is arguably the highest-profile AI researcher move since he left Tesla. And the reason this matters for builders specifically is that Karpathy has always been the person who bridges hardcore ML research with what developers actually need day to day.

4
00:00:18.821 --> 00:00:28.079
<v Sam>Right, and what's wild is — this isn't just a prestige hire. Think about his track record. minGPT, his Stanford courses, the YouTube deep dives. Everything he touches becomes more accessible to the developer community. So having him inside Anthropic, advocating for better developer experience at the research level? That's a big deal if you're shipping on Claude.

5
00:00:28.079 --> 00:00:36.294
<v Alex>Exactly. And if you've been hedging between OpenAI and Anthropic for your stack, this is a pretty strong signal that Claude's developer ergonomics are about to get meaningfully better over the next six to twelve months. More transparent model behavior, more predictable outputs in production — that's Karpathy's wheelhouse.

6
00:00:36.294 --> 00:00:42.297
<v Sam>The timing is interesting too, because this lands right alongside ECC trending on GitHub — that's the agent harness optimization system — and Cursor shipping Composer 2.5. The whole AI coding layer is professionalizing at the same time.

7
00:00:42.297 --> 00:00:50.512
<v Alex>Speaking of ECC, let's dig into that. It's an open-source project that adds skills, instincts, memory, and security layers on top of AI coding agents — Claude Code, Codex, Cursor, you name it. If your agent outputs have been unpredictable, this is basically a performance optimization layer that makes them more consistent.

8
00:00:50.512 --> 00:00:58.752
<v Sam>That's interesting because it's solving the problem everybody complains about but nobody had a clean answer for — agents that work great sometimes and then just go off the rails. Having a harness that adds consistency is a real production need. It's got forty-five hundred plus engagements on GitHub, so clearly people agree.

9
00:00:58.752 --> 00:01:06.637
<v Alex>Also worth flagging — Simon Willison dropped a five-minute LLM recap covering everything that changed in the last six months. If you've been heads-down building and missed the macro shifts, treat it as mandatory reading, especially if you're making model selection decisions this quarter. Link in the briefing.

10
00:01:06.637 --> 00:01:14.648
<v Sam>Simon's recaps are always gold. Five minutes well spent. There's also a cool piece on using LLMs to write TLA+ formal verification specs instead of learning the syntax from scratch. If you're doing distributed systems work, apparently LLMs are surprisingly good at formal spec generation when you prompt them right.

11
00:01:14.648 --> 00:01:21.032
<v Alex>Alright, dev tools. Cursor shipped Composer 2.5 with improved multi-file editing. The diff quality and context handling are reportedly better. If you're on Cursor, update and test. If you're building competing AI code tools, this is the bar right now.

12
00:01:21.032 --> 00:01:28.434
<v Sam>And there's a neat little tool called fff — fastest file search — it's a Rust-based file search toolkit purpose-built for AI agents. Bindings for Node, C, and Neovim. If your agents are slow at navigating codebases, it's a drop-in improvement over grep or ripgrep for structured code search.

13
00:01:28.434 --> 00:01:34.843
<v Alex>Also, n8n continues to trend as the self-hostable AI workflow platform. It's basically the open-source Zapier with native AI capabilities. Over four hundred integrations, no vendor lock-in. If you're stitching together LLM calls and APIs, worth a look.

14
00:01:34.843 --> 00:01:40.794
<v Sam>And a quick shout-out to nektos slash act — it lets you run GitHub Actions locally before you push. Still one of the most underused dev tools out there. If you're burning CI minutes debugging YAML, this saves real time and real money.

15
00:01:40.794 --> 00:01:47.738
<v Alex>Okay, security. And this one's rough. Three hundred and fourteen npm packages were compromised in a supply chain attack called Mini Shai-Hulud. Run npm audit today, review your lockfiles, and seriously consider a private registry or tools like Socket if you aren't already.

16
00:01:47.738 --> 00:01:52.825
<v Sam>Three hundred and fourteen packages — that's not a small incident. And the attack surface in the npm ecosystem is just not getting smaller. This feels like it's becoming a monthly event at this point.

17
00:01:52.825 --> 00:02:00.963
<v Alex>And then there's this — a CISA administrator accidentally pushed AWS GovCloud credentials to a public GitHub repo. If you needed a reminder to set up git-secrets or truffleHog or GitHub's secret scanning on every repo in your org, here it is. Government infrastructure is not immune to basic credential hygiene failures.

18
00:02:00.963 --> 00:02:08.899
<v Sam>Yikes. Also, there's a smart doorbell vulnerability where a researcher found unauthenticated API endpoints that let anyone on the internet ring your bell remotely. It sounds funny, but the lesson is real — if you're building IoT products, auth on every endpoint is not optional, even the ones that seem harmless.

19
00:02:08.899 --> 00:02:16.682
<v Alex>Quick hits before we wrap up. There's a gorgeous Gaussian splat of a strawberry making the rounds — beautiful demo of 3D reconstruction tech. Someone built a chess engine entirely from eighty-four thousand six hundred and eighty-eight regular expressions, which is just — chef's kiss in terms of absurdity.

20
00:02:16.682 --> 00:02:24.719
<v Sam>Ha! I love the regex chess engine. Also, there's a virtual OS museum where you can run nearly every operating system in your browser, which is a fantastic rabbit hole. And on a more somber note, Peter Neumann and Peter Salus, pioneers in Unix and computer security, have passed away. Huge contributions to the field.

21
00:02:24.719 --> 00:02:31.891
<v Alex>Yeah, rest in peace to both of them. And quick mention — Google I/O 2026 is live right now. Watch for Gemini API updates, Android AI announcements, and Firebase changes. If you're on Google's stack, the next forty-eight hours will shape your roadmap for the second half of the year.

22
00:02:31.891 --> 00:02:40.869
<v Alex>So here's the takeaway. The AI coding stack is consolidating fast. Karpathy at Anthropic strengthens Claude's developer story, ECC gives you a harness layer across all the major agents, Cursor raises the bar with Composer 2.5. If you're building AI-assisted dev workflows, bet on Claude getting better and invest in agent harness tooling now, not later.

23
00:02:40.869 --> 00:02:45.854
<v Sam>And on the security side — if you haven't adopted lockfile pinning and dependency scanning, today's three-hundred-fourteen-package compromise is your forcing function. Don't wait for the next one.

24
00:02:45.854 --> 00:02:48.906
<v Alex>That's the briefing for May 20th. All the links are in the show notes. Thanks for listening, and we'll see you tomorrow.

25
00:02:48.906 --> 00:02:50.000
<v Sam>See you tomorrow. Go update your lockfiles.
