Slopsquatting & Remote Prompts: Why I Built a 38,000 Ticker Engine with Zero NPM Dependencies

#nextjs #typescript #security #architecture

The Dependency Trap is Snapping Shut

The developer ecosystem in May 2026 has reached peak vulnerability.

Over the last few weeks, the technical community has been hit by a series of alarming realizations:

Slopsquatting: Researchers verified that AI coding agents regularly hallucinate package names (e.g., fastapi-turbo, torch-lightning-easy). Attackers are preemptively registering these names on npm/pip, waiting for developers to run AI-suggested npm install commands and compromise their local machines.
Claude Code Remote Prompts: Hacker News discovered that Anthropic can remotely inject system prompts into local terminal sessions via api.anthropic.com/api/claude_cli/bootstrap using hidden feature flags.
The Railway GCP Suspension: Google Cloud suddenly suspended the entire platform infrastructure of Railway, proving that reliance on centralized cloud giants is a single point of failure.

When I was building DividendFlow—a tax-aware compounding engine for 38,000+ US tickers—I decided to reject this dependency hell.

Here is how I designed a high-scale financial utility to be immune to slopsquatting, remote execution scandals, and cloud provider lock-in.

1. Defeating "Slopsquatting" with Zero NPM Math Dependencies

If you let an AI agent generate your imports, you are eventually going to import malware.

Many financial calculators rely on heavy third-party libraries for compound interest or currency conversion. But more dependencies mean more supply-chain risk.

For DividendFlow, I wrote the recursive compounding and tax-brackets logic from scratch in vanilla TypeScript.

// Deterministic, zero-dependency tax logic
export function calculateNetDividend(payout: number, taxRate: number, isQualified: boolean): number {
  const applicableRate = isQualified ? taxRate * 0.75 : taxRate; // Simplified Qualified Dividend logic
  return payout * (1 - applicableRate);
}

By keeping the runtime dependencies of our core engine at zero, we eliminated the risk of malicious package injection entirely. We don't use arbitrary npm utilities. If the browser API can solve it, we don't install a library.

2. Rejecting Claude Code and Remote Telemetry

The discovery that Anthropic can remotely modify local terminal behavior on the fly has raised massive questions about developer data sovereignty.

Why are we trusting black-box remote execution for our local code and financial logic?

This is why DividendFlow is built on a No-Login, No-Auth, and No-Database architecture:

We do not want your API keys.
We do not harvest your email.
Your data and calculations are processed on Next.js 15 Server Components and rendered in your browser.

There is no remote telemetry or growth-hacking feature flags to modify how your financial snowball is calculated. The code on our server is the exact code executing your compounding math.

3. Host-Agnostic State: The Cure for GCP Suspensions

The GCP/Railway incident proved that if your app's state is locked inside a proprietary cloud database, you don't actually own your product. You are just renting it until a cloud provider's automated moderation bot decides to flag your account.

By keeping DividendFlow’s state completely inside URL parameters, the app is entirely stateless.

If Vercel bans our account tomorrow, we can redeploy the static Next.js bundle to Netlify, Cloudflare Pages, or a Japanese VPS on bare metal in 5 minutes. The logic is portable because the state belongs to the user’s browser address bar, not our database.

Conclusion: The Case for Hand-Crafted Code

We’ve reached a tipping point where AI agents can write shitty code faster than humans can debug it.

But when you are building software where trust and mathematical accuracy are the only value propositions, you cannot afford "vibes." You cannot afford dependency bloat. And you certainly cannot afford platform lock-in.

Sometimes, the most modern, scalable architecture is simply writing deterministic code, keeping your dependencies at zero, and respecting your user's privacy.