WEBVTT
NOTE The Rundown — nextbig.dev daily audio edition, 2026-05-22

1
00:00:00.000 --> 00:00:08.257
<v Alex>Good morning! Welcome to Builder's Briefing for May 22nd, 2026. I'm Alex, joined as always by Sam. We've got a big security story today — nearly four thousand GitHub repos breached through a malicious VSCode extension — plus OpenAI doing actual math, their IPO filing, and a wave of new dev tools worth knowing about.

2
00:00:08.257 --> 00:00:10.132
<v Sam>Yeah, that VSCode story stopped me cold this morning. Let's get into it.

3
00:00:10.132 --> 00:00:17.633
<v Alex>Alright, the hero story. GitHub has confirmed that thirty-eight hundred repositories were compromised through a trojanized Visual Studio Code extension. The attack was painfully simple — a malicious extension in the marketplace harvested credentials and injected code directly into repos.

4
00:00:17.633 --> 00:00:27.348
<v Sam>And here's what makes this so much worse than a typical supply chain attack. If you're running any AI coding agent — Claude Code, Copilot, Cursor — inside VSCode, those extensions have deep access to your filesystem, your terminal, your git credentials. A compromised extension in that workflow doesn't just steal your code, it potentially poisons every AI-assisted commit.

5
00:00:27.348 --> 00:00:34.954
<v Alex>Exactly. We spent years hardening npm, PyPI, container registries — and now the IDE extension marketplace is the soft underbelly. So here's your action item: audit your installed extensions today. Remove anything you're not actively using. Check publisher verification on everything you keep.

6
00:00:34.954 --> 00:00:43.002
<v Sam>And if you're running a team, enforce an allowlist of approved extensions through your MDM or settings sync. For CI/CD pipelines touching dev containers, review your Dockerfiles — hardcoded extension IDs without version pinning are a supply chain risk. Treat your extension list like your dependency lockfile.

7
00:00:43.002 --> 00:00:49.461
<v Alex>Well said. Alright, shifting to AI news — this one's wild. An OpenAI model generated a valid counterexample that disproves a long-standing conjecture in discrete geometry. Not assisting a mathematician — actually producing a novel mathematical proof.

8
00:00:49.461 --> 00:00:57.978
<v Sam>That's a huge deal because it's concrete evidence of creative mathematical reasoning, not just pattern matching. The Hacker News thread has like seven hundred and fifty comments debating the methodology. If you're building AI-assisted research or formal verification tools, this is the kind of result that changes your roadmap.

9
00:00:57.978 --> 00:01:03.812
<v Alex>Also on the infrastructure side, Anthropic is scaling to xAI's Colossus2 cluster with NVIDIA GB200 GPUs. If you're building on Claude's API, capacity constraints should loosen and latency should improve in the coming months.

10
00:01:03.812 --> 00:01:10.975
<v Sam>Oh, and there's a fun one — a developer indexed a full year of video content locally using Gemma 4 31B on a 2021 MacBook with fifty gigs of swap. If you're building local-first media search, that's a real practical benchmark for what's possible without cloud inference today.

11
00:01:10.975 --> 00:01:19.336
<v Alex>Love that. Okay, dev tools — there's a clear theme emerging here. First up, Understand-Anything. It's an open-source tool that converts codebases into interactive knowledge graphs you can query with natural language. Works with Claude Code, Codex, Cursor, Copilot, Gemini CLI — over forty-two hundred engagements already.

12
00:01:19.336 --> 00:01:27.280
<v Sam>Right, and what's interesting is when you pair that with two other launches today. Microsoft shipped dotnet-skills, which gives AI coding agents structured knowledge about .NET patterns to reduce hallucinated API calls. And there's ccusage, a CLI tool that tracks your AI coding agent token costs locally.

13
00:01:27.280 --> 00:01:31.708
<v Alex>So you've got understand, govern, and observe — all in one day. The AI coding ecosystem is clearly maturing past just 'generate code' into something much more structured.

14
00:01:31.708 --> 00:01:38.740
<v Sam>Totally. And quick shoutout to Python 3.15 having some under-the-radar improvements worth checking if you maintain libraries, and GCC 16 shipping SARIF output — which means you can pipe compiler warnings directly into GitHub Code Scanning. Link in the briefing for both.

15
00:01:38.740 --> 00:01:41.944
<v Alex>Alright, startups. The big one — OpenAI is expected to file its S-1 confidentially, possibly today. This is the IPO filing.

16
00:01:41.944 --> 00:01:49.002
<v Sam>And for builders on the OpenAI API, here's the practical angle: an IPO means pressure to grow revenue, which historically means pricing changes and enterprise feature gates. If you're happy with your current pricing tier, lock it in and start tracking your usage closely.

17
00:01:49.002 --> 00:01:56.425
<v Alex>Meanwhile, Intuit laid off over three thousand people to, quote, refocus on AI. The subtext is clear — large incumbents are restructuring entire product orgs around AI-native workflows. If you're building in fintech or accounting SaaS, the competitive landscape is about to shift hard.

18
00:01:56.425 --> 00:01:59.342
<v Sam>Yeah, when Intuit ships aggressively with AI, that's a different kind of competitor than the Intuit we've known.

19
00:01:59.342 --> 00:02:10.542
<v Alex>Quick hits before we wrap. Flipper One was announced — full specs published, and they're asking the community for help building Linux kernel drivers. If you do embedded work, the call is out. Google's testing new ad formats in Search, which is another squeeze on organic click-through rates — worth reading the Hacker News thread on SEO impact. And Waymo paused its Atlanta service after robotaxis kept driving into flooded roads.

20
00:02:10.542 --> 00:02:15.543
<v Sam>That Waymo one is a real-world reminder for anyone building autonomous or agent systems — edge cases in physical environments will humble your model every time. Invest in graceful degradation.

21
00:02:15.543 --> 00:02:21.273
<v Alex>Also, there's a FreeBSD local privilege escalation in fourteen-dot-x kernels. If you're running FreeBSD in production, especially for network appliances or storage, patch immediately. Details at the link in the briefing.

22
00:02:21.273 --> 00:02:32.707
<v Alex>So the takeaway for today — your IDE is now a supply chain attack surface. Audit your VSCode extensions the way you audit your dependencies, especially with AI agents that trust extensions with broad access. And the bigger trend: the AI coding agent ecosystem is maturing into understand, observe, and govern — not just generate. If you're building developer tools, the opportunity is in that observability and control layer around agents.

23
00:02:32.707 --> 00:02:36.145
<v Sam>The agents are getting powerful enough that the next wave of value is in managing them responsibly. That's the story of 2026 so far.

24
00:02:36.145 --> 00:02:38.984
<v Alex>Well put. That's your Builder's Briefing for May 22nd. Go audit those extensions, and we'll see you tomorrow.

25
00:02:38.984 --> 00:02:40.000
<v Sam>Stay safe out there. See you next time.
