Sunday ritual: I scan HN, HuggingFace, and GitHub trending for things that shift how I'm thinking or that I want to actually try. This week four of them are worth writing up.
1. OpenCode crosses 160K GitHub stars and 7.5M monthly users
OpenCode is a terminal-based AI coding agent built by the team behind SST (now Anomaly). It crossed 160K GitHub stars this week — the most-starred open-source coding agent by a significant margin — and they're reporting 7.5M monthly active developers using it.
What makes it different from the proliferating "Claude Code but self-hosted" forks: it connects to 75+ model providers (model-agnostic by design), integrates directly with Language Server Protocol servers, and feeds real compiler diagnostics back to the model during the tool loop. No other mainstream coding agent does the LSP-native feedback part. It's MIT-licensed, which means you can audit the full agent harness — the tool loop, session management, plan/build modes — not just the surface API.
I haven't replaced my Claude Code workflow with it. But 160K stars with genuine LSP integration is a real engineering claim, and for teams with vendor lock-in concerns on the AI layer it's the clearest option I've seen.
2. Perplexity's Bumblebee: supply-chain scanner that reads your MCP configs
Bumblebee, released by Perplexity AI in May under Apache 2.0, is a read-only scanner that checks your on-disk package metadata, editor extensions, and MCP server configurations against known-compromised releases. Zero network calls during scanning. Single Go binary, zero external dependencies.
The part I keep coming back to: it explicitly enumerates your MCP configs. It reads claude_desktop_config.json, cline_mcp_settings.json, .mcp.json, Gemini CLI settings, and several others, then cross-references them against the exposure catalog. Supply-chain attacks targeting developer machines via MCP config poisoning have been showing up on HN weekly. Bumblebee is the first tool I've seen that treats MCP servers as a first-class attack surface alongside npm and PyPI packages.
It doesn't block anything — it only reports. That's a deliberate choice and makes it safe to run in read-only audit mode. I haven't wired it into CI yet but it belongs there.
3. PMG: blocks malicious packages before they execute
PMG (Package Manager Guard) from SafeDep is the active counterpart to Bumblebee. It wraps npm, pnpm, yarn, and others, intercepts every install, and checks the package against SafeDep's free community API for known malware before code runs. Apache 2.0, no account required.
The Bumblebee + PMG pair forms a coherent two-layer approach: scan what's already installed, block new bad installs at the gate. I'm wary of PMG in CI right now because a false positive on a transitive dependency would silently break the pipeline in ways that are annoying to debug. But on developer machines where the blast radius of an accidental install is much higher, I'd run it without hesitation.
Worth watching if you're thinking about supply-chain hygiene beyond npm audit.
4. CursorBench: Opus 4.8 scores 70%, up from 58% for Opus 4.6
Not a repo — a result. CursorBench is designed around realistic multi-file coding tasks, the kind where you make a meaningful decision several steps into a long context. Cursor reported that Claude Opus 4.8 now scores 70% on CursorBench, up from 58% for Opus 4.6. That's a 12-point gap on a benchmark I find credible for agentic work, which is more than I'd expect in one model generation.
I've been defaulting to Sonnet for the ETL pipelines in this project because cost-to-quality felt better for short, well-specified tasks. But a 12-point jump on multi-file tasks makes me reconsider for longer sessions — specifically the ones where I'm running 30-40-step pipelines and want the model to make fewer reversals that I then have to clean up. The calculus isn't just benchmark score; it's also price per step times number of steps I have to undo.
Part of an ongoing 6-month experiment running three AI-curated directory sites. The technical claims here are real; this article was AI-assisted.
Top comments (0)