Gradland

GitHub Hot — 24 May 2026

24 May 2026 · 18 min read · GitHub, Open Source, Tools

Top 10 repos trending on GitHub this week — what they do, why they matter, and how to use them in your projects.


1. FoundZiGu/GuJumpgate

2,300 stars this week · JavaScript


2. perplexityai/bumblebee

2,044 stars this week · Go · golang package-inventory supply-chain-security

A zero-dependency Go binary that inventories on-disk package metadata across lockfiles, extension manifests, and MCP configs so security teams can instantly find which developer machines match a supply-chain advisory — without executing any package manager.

Use case

When a supply-chain compromise drops (think xz utils, tj-actions, or polyfill.io), the first responder question is: which engineer laptops actually have the affected version installed right now? SBOM tools tell you what shipped; EDR tells you what ran — but neither answers 'who has lodash@4.17.20 in their node_modules today?' Bumblebee scans local lockfiles and package metadata, emits structured NDJSON, and flags exact version matches against a known-bad catalog. Concrete scenario: advisory flags @lottiefiles/lottie-player@2.0.2 as backdoored; you run bumblebee scan --profile=project --catalog=advisory.json across dev machines and get a hit list in seconds with no package manager execution and no network calls.

Why it's trending

Two timing factors: the MCP (Model Context Protocol) ecosystem is exploding and Bumblebee explicitly parses MCP host configs — which can carry credentials in their env blocks — making it the first tool that surfaces MCP server inventory as part of a supply-chain scan. That, combined with the tj-actions and reviewdog compromise fallout still fresh in CI pipelines, makes this the right tool at the right moment.

How to use it

  1. Install the static binary (no deps): go install github.com/perplexityai/bumblebee@latest, or grab the release binary for macOS/Linux.
  2. Run a project scan against your repo: bumblebee scan --profile=project --root=./gradland --out=inventory.ndjson — reads package-lock.json, yarn.lock, pnpm-lock.yaml, go.sum, *.dist-info, and any MCP JSON configs it finds.
  3. Query the NDJSON output directly: jq 'select(.name == "next" and (.version | test("^14\\.")))' inventory.ndjson — finds all packages matching a name/version pattern.
  4. Build an exposure catalog (a JSON list of tuples from OSV.dev or your own advisory feed) and pass it: bumblebee scan --profile=project --catalog=osv-matches.json — flagged records gain an exposure field.
  5. Automate in CI: add a GitHub Actions step that runs the scan on push, uploads the NDJSON as an artifact, and fails the build if any flagged records appear — a per-PR supply-chain gate with zero runtime overhead.
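To make the scan-then-match flow concrete, here is an added Go example (mine, not Bumblebee's code) that does the same thing in miniature: parse an npm package-lock.json from disk without invoking npm, emit one NDJSON record per installed package, and flag exact name@version hits against an exposure catalog. The lockfile and catalog are constructed inline; the advisory ids are placeholders.

```go
package main

import (
	"encoding/json"
	"log"
	"os"
	"strings"
)

// Constructed sample: a trimmed npm package-lock.json (v3); the "" key is the root project.
const sampleLock = `{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/lodash": {"version": "4.17.20"},
  "node_modules/@lottiefiles/lottie-player": {"version": "2.0.2"},
  "node_modules/next/node_modules/postcss": {"version": "8.4.31"}}}`

// Constructed catalog indexed by ecosystem:name@version; ids are placeholders, not real advisories.
var sampleCatalog = map[string]string{
	"npm:@lottiefiles/lottie-player@2.0.2": "ADVISORY-PLACEHOLDER-1",
	"npm:lodash@4.17.19":                    "ADVISORY-PLACEHOLDER-2", // 4.17.20 is installed: must not match
}

// Record is one NDJSON line: an installed package, plus an exposure id when flagged.
type Record struct {
	Ecosystem, Name, Version, Path string
	Exposure                       string `json:",omitempty"`
}

// Inventory parses a v2/v3 package-lock.json without running npm. The package name
// is the text after the last "node_modules/", so nested and @scoped deps both resolve.
func Inventory(lock []byte) ([]Record, error) {
	var lf struct {
		Packages map[string]struct{ Version string } `json:"packages"`
	}
	if err := json.Unmarshal(lock, &lf); err != nil {
		return nil, err
	}
	var out []Record
	for path, p := range lf.Packages {
		if i := strings.LastIndex(path, "node_modules/"); i >= 0 { // skips the "" root entry
			out = append(out, Record{"npm", path[i+len("node_modules/"):], p.Version, path, ""})
		}
	}
	return out, nil
}

// Flag sets Exposure on every record whose exact ecosystem:name@version is in the
// catalog and returns the hit count. No ranges: a hit means this version is on disk.
func Flag(records []Record, catalog map[string]string) int {
	hits := 0
	for i, r := range records {
		if id, ok := catalog[r.Ecosystem+":"+r.Name+"@"+r.Version]; ok {
			records[i].Exposure = id
			hits++
		}
	}
	return hits
}

func main() {
	recs, err := Inventory([]byte(sampleLock))
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("%d of %d packages matched the catalog", Flag(recs, sampleCatalog), len(recs))
	enc := json.NewEncoder(os.Stdout) // Encode writes one object per line: NDJSON
	for _, r := range recs {
		enc.Encode(r)
	}
}
```

Only the scoped lottie-player record gains an Exposure field; lodash 4.17.20 stays clean because the catalog names 4.17.19, which is the exact-version behaviour the advisory use case needs.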

How I could use this

  1. Write 'I scanned Gradland's supply chain with Bumblebee' as a live walkthrough post: run it against the repo, embed the NDJSON output, annotate what each ecosystem field means, and show how the MCP config parsing caught the Claude Code config in ~/.claude — extremely timely content for AI developers nervous about MCP credential exposure, and a credibility signal that Henry takes security seriously.
  2. Add a 'Dependency Risk Check' tool to Gradland's career platform: let users paste their package-lock.json or requirements.txt, hit the OSV.dev batch API (same advisory data Bumblebee catalogs against), and return a structured risk report with severity, CVE links, and one-line fix commands. Frame it as 'prove to your employer you ship secure code' — directly relevant to 482/485 visa applicants who need to differentiate on technical rigour.
  3. Build a Claude-powered SBOM narrative generator: pipe Bumblebee's NDJSON output into a prompt that asks Claude Haiku to produce a plain-English 'security posture summary' (X packages across Y ecosystems, Z advisories matched, top 3 risks with remediation steps). Expose this as a Gradland API endpoint so engineers can drop it into their own CI pipelines and get a shareable security badge — a novel AI use case that combines structured tool output with LLM summarisation rather than asking the model to hallucinate package data.

3. thananon/9arm-skills

1,982 stars this week · Shell

A collection of modular, YAML-defined productivity and engineering workflows designed for automation and personal use, useful for enhancing developer efficiency.

Use case

This repo provides structured workflows for common engineering and productivity tasks, such as debugging, post-mortems, and translating technical content for management. For example, Henry could use the 'debug-mantra' skill to standardize his debugging process, ensuring consistent and thorough issue resolution in his Next.js blog project.

Why it's trending

It's gaining attention due to its unique approach to organizing developer workflows as modular 'skills' that can be easily loaded and automated, coupled with its integration with AI tools like Claude Code.

How to use it

  1. Clone the repo: git clone https://github.com/thananon/9arm-skills.git
  2. Navigate to the repo directory: cd 9arm-skills
  3. Run the script to link skills to your local setup: ./scripts/link-skills.sh
  4. Explore available skills by listing them: ./scripts/list-skills.sh
  5. Customize or create your own skills by editing or adding directories under skills/ and defining a SKILL.md file with YAML frontmatter.

How I could use this

  1. Henry could create a custom skill under skills/personal/ for automating blog post debugging, including steps to validate API responses from Supabase and check React component rendering issues.
  2. Build a skill for rewriting technical blog posts into concise summaries for LinkedIn or portfolio updates, leveraging the 'management-talk' skill as a template.
  3. Develop an AI-powered skill that uses Claude Code to analyze user comments on his blog and automatically generate responses or follow-up blog topics based on sentiment and content.

4. Doorman11991/smallcode

1,375 stars this week · JavaScript

SmallCode enables local AI coding agents to work effectively on consumer hardware by optimizing for smaller language models (8B-35B parameters).

Use case

SmallCode solves the problem of running AI coding agents on smaller, less powerful models without sacrificing functionality. For instance, if you want to use an AI assistant for code generation or debugging on your local machine without relying on expensive cloud APIs or high-end GPUs, SmallCode provides a resource-efficient solution.

Why it's trending

The repo is gaining traction due to the increasing interest in running AI models locally for privacy and cost reasons, especially as developers explore alternatives to cloud-based solutions like OpenAI's GPT. Its focus on small models aligns with the growing accessibility of consumer-grade hardware.

How to use it

  1. Install SmallCode globally via npm: npm install -g smallcode
  2. Alternatively, run it directly using npx: npx smallcode
  3. Navigate to your project directory: cd my-project
  4. Start the SmallCode agent: smallcode
  5. Optionally, use prebuilt binaries for your OS by running the provided install script (e.g. bash <(curl -fsSL https://raw.githubusercontent.com/Doorman11991/smallcode/master/install.sh) for Linux/Mac).

How I could use this

  1. Integrate SmallCode into Henry's blog backend to auto-generate TypeScript code snippets based on user input or examples, showcasing AI-assisted coding workflows.
  2. Use SmallCode to build a resume parser tool that analyzes job descriptions and generates tailored resumes or cover letters locally, ensuring privacy and reducing reliance on external APIs.
  3. Create an AI-powered code review feature for Henry's blog where users can upload their code, and SmallCode provides local, privacy-preserving feedback and suggestions for improvement.

5. sapientinc/HRM-Text

700 stars this week · Python · hierarchical-reasoning-model hrm large-language-models pretraining

HRM-Text proves you can pretrain a competitive 1B foundation model from scratch for ~$1000 using a hierarchical recurrent architecture that needs 130-600x less compute than transformer scaling.

Use case

The real problem: foundation model pretraining has been gated behind millions of dollars and thousands of GPUs, making it unreachable for indie researchers, startups, or domain specialists who need a custom base model. HRM-Text changes that — if you have a narrow domain (Australian immigration law, niche job market data, medical records) you can now pretrain a base model fine-tuned to that domain's vocabulary and reasoning patterns for the cost of a used laptop. Concrete example: a visa consultancy could pretrain on 10 years of DIBP policy documents and case notes, producing a model that reasons about subclass rules more reliably than a general LLM prompted with RAG.

Why it's trending

The arXiv paper dropped this week (2605.20613) with benchmark numbers that beat expectations for a 1B model — 84.7% on GSM8k matches models 5-10x larger, which is the kind of result that makes the ML community stop scrolling. The $1000 pretraining claim is also provocative at a moment when everyone is debating whether scaling is hitting a wall.

How to use it

  1. Spin up 8× H100s on Lambda Labs or RunPod (~$16/hr), clone the repo, and run pip install -r requirements.txt to get the FSDP2 + FlashAttention 3 stack.
  2. Prepare your domain corpus using the companion data_io pipeline — it handles cleaning, tokenisation (tiktoken-compatible), and stratified sampling into the binary format HRM-Text expects.
  3. Launch pretraining with the L config (0.6B, single node): torchrun --nproc_per_node=8 train.py --config configs/hrm_L.yaml --data_dir /path/to/tokenized — checkpoints save every N steps so you can resume if a node drops.
  4. Convert the checkpoint to HuggingFace format using the bundled conversion tool: python convert_checkpoint.py --ckpt runs/step-50000 --out hrm-finetuned-hf — now it's compatible with transformers and PEFT.
  5. Evaluate against your domain holdout set using the included eval harness (wraps lm-evaluation-harness), then push to HuggingFace Hub and serve via vLLM or llama.cpp for inference.

How I could use this

  1. Write a technical deep-dive post titled 'I pretrained a 1B model for $1000 — here's what the HRM architecture actually does differently' — walk through the hierarchical recurrent design vs transformer attention, explain latent space reasoning without CoT tokens, and benchmark it on Australian English text. This is exactly the kind of original AI research content that ranks on Google and positions you as a credible AI engineer, not just a blogger.
  2. Pretrain or fine-tune an HRM-Text L model (0.6B) on a corpus of Australian tech job descriptions + 482/485 visa policy documents scraped from DIBP — then use it as the backbone for Gradland's resume analyser and visa checker. A locally-hosted specialist model eliminates per-call Anthropic API costs for high-volume features like resume scoring, and it would give you a genuine product differentiator: 'built on a model trained specifically on Australian IT immigration data' is a real marketing claim.
  3. Build a 'Train Your Own LLM' interactive explainer feature on the Gradland learn path — use HRM-Text's architecture diagrams and your own pretraining run logs as the curriculum content. Pair it with a quiz (generated via claude-haiku-4-5-20251001) that tests understanding of FSDP2 sharding, FlashAttention kernels, and PrefixLM packing. This targets ML engineers on 485 visas who need to demonstrate AI infrastructure skills to Australian employers — a high-intent segment you're not currently serving.

6. kageroumado/phosphene

650 stars this week · Swift · animated-wallpaper desktop-wallpaper macos macos-wallpaper

Phosphene plugs custom video files into macOS's native wallpaper system using Apple's private WallpaperExtensionKit — the same framework behind Apple's own Aerials — so videos survive app quits and appear in System Settings like first-party wallpapers.

Use case

The real problem is that every previous macOS video wallpaper app (Plash, HiDock, etc.) renders via a window sitting behind your desktop, which means it breaks on lock screens, burns CPU when occluded, and disappears on sleep. Phosphene sidesteps this by attaching to the OS wallpaper extension point itself, so the video is managed by the system process — not your app. Concretely: you import an MP4, it shows up in System Settings → Wallpaper next to Sonoma/Tahoe Aerials, and it keeps playing through lock, sleep, and display changes without you doing anything.

Why it's trending

macOS 26 (Tahoe) just entered developer beta this week at WWDC 2026, and WallpaperExtensionKit's XPC interface changed enough that existing hacks broke — Phosphene is the first public project to reverse-engineer the new surface and document the dlopen + Mirror introspection pattern for the Tahoe ABI, making it a reference for anyone building macOS system-level extensions right now.

How to use it

  1. Clone and open in Xcode 26 beta — requires macOS 26 and a paid Apple Developer account for the wallpaper extension entitlement.
  2. Build the WallpaperExtension target first (it's a separate bundle that registers with the system), then build the menu bar app target.
  3. On first launch, grant the wallpaper permission prompt; the extension registers itself with WallpaperExtensionKit via its bundle ID.
  4. Drop an MP4 into the app's import sheet — Phosphene pre-renders adaptive variants (e.g. 1080p@30 for battery, 4K@60 for AC) using AVAssetExportSession.
  5. Open System Settings → Wallpaper — your video now appears as a selectable option alongside Apple's Aerials, with per-display and per-Space persistence handled by macOS.
```swift
import Foundation

// The core trick: dlopen the private framework, then use Mirror to
// access XPC types without importing the framework directly.
guard dlopen("/System/Library/PrivateFrameworks/WallpaperExtensionKit.framework/WallpaperExtensionKit", RTLD_NOW) != nil else {
    fatalError("WallpaperExtensionKit failed to load: \(dlerror().map { String(cString: $0) } ?? "unknown error")")
}
guard let cls: AnyClass = NSClassFromString("WEWallpaperExtensionContext") else {
    fatalError("WEWallpaperExtensionContext not found in the loaded framework")
}
let ctx = Mirror(reflecting: cls).descendant("shared") // runtime-safe access: nil if the member is absent
```

How I could use this

  1. Write a deep-dive post titled 'How to talk to Apple's private frameworks without importing them' — the dlopen + Mirror pattern Phosphene uses is directly applicable to any macOS tool that needs to hook into private system APIs. This is catnip for the Swift/Apple dev audience and would perform well on Hacker News; embed a code walkthrough of the WallpaperExtensionKit XPC introspection with your own annotations.
  2. Build a 'WWDC signal tracker' career tool for Gradland: every year Apple introduces new private frameworks (WallpaperExtensionKit, etc.) that become public APIs 1-2 years later. Scrape WWDC session titles + open-source repos like Phosphene to surface which Apple platform skills are about to go mainstream — useful for 485/482 visa holders deciding which iOS/macOS specialisation to pursue before the job market catches up.
  3. Apply Phosphene's graduated PlaybackPolicy pattern to your Claude API calls: instead of a binary 'use Haiku or Sonnet' decision, implement a cost-pressure ladder (Haiku → Sonnet → Opus) that steps up only when the previous tier returns low-confidence output — similar to how Phosphene steps from 1080p@30 to 4K@60 only when thermal and battery state allow it. This would cap your Anthropic spend while preserving quality for users who trigger the expensive path.

7. lynote-ai/humanize-text

634 stars this week · Python · ai-detection ai-humanize ai-humanizer ai-tools

Free open-source AI text humanizer to convert AI-generated content into undetectable, human-like writing. Bypass Turnitin, GPTZero, and all major AI detectors. No sign-up required. Try our unlimited free online tool


8. open-gsd/get-shit-done-redux

518 stars this week · JavaScript · claude-code context-engineering meta-prompting spec-driven-development

Getting Shit Done, the Aftermath


9. basketikun/infinite-canvas

476 stars this week · TypeScript

An open-source infinite-canvas workbench that wires AI image generation, node-based canvas orchestration, and a curated prompt library into a single self-hostable UI — essentially a local, privacy-first alternative to Miro × Midjourney.

Use case

The core problem: iterating on AI-generated visuals is fragmented across a chat interface, a download folder, and a separate design tool. infinite-canvas keeps every generation as a node on a persistent canvas, so you can branch variants, connect reference images to downstream generations, and replay the full creative chain. Concrete scenario: a designer generating brand moodboards can drop a reference photo node, pipe it into an img2img node, annotate with text, and fork three style directions — all without leaving the canvas or losing provenance.

Why it's trending

It's spiking this week because the OpenAI-compatible interface means it works out-of-the-box with the flood of newly released open-weight image models (FLUX.1, SD3.5) via local Ollama or ComfyUI API shims — people are wiring it up as a free, self-hosted alternative to paid canvas tools like Ideogram's workspace or Adobe Firefly.

How to use it

  1. Clone and configure: git clone https://github.com/basketikun/infinite-canvas && cd infinite-canvas && cp .env.example .env — edit .env to set your admin credentials and OpenAI-compatible API base URL (e.g. point at a local ComfyUI or Together.ai endpoint).
  2. Spin up with Docker: docker-compose up -d — this starts the Go/Gin backend, Next.js frontend, and a Postgres instance on port 3000.
  3. Seed the prompt library: visit http://localhost:3000/admin/prompts and trigger the GitHub scraper — it pulls hundreds of categorised prompts from open-source repos so you're not starting from scratch.
  4. Create a canvas project, drop a text-to-image node, and wire its output into a reference-edit node — the canvas assistant (centred on the selected nodes) lets you chat about selected nodes and inject generated results back as new nodes inline.
  5. Export the canvas as JSON for version control or re-import into a fresh instance — useful for reproducible creative pipelines.

How I could use this

  1. Use the canvas JSON export format as inspiration for a 'learning path visualiser' on Gradland: render skill nodes (e.g. React → TypeScript → Next.js) as a draggable graph where Henry's AI can annotate each node with estimated time-to-learn and relevant ACS skill codes — stored in Supabase, rendered with a lightweight React-flow canvas (no Go backend needed).
  2. Borrow the 'node wired to upstream context' pattern for the interview prep tool: each interview question becomes a canvas node; when the user selects it, Claude gets the full upstream chain (job description node → role node → question node) as context — richer than a flat chat, and the visual graph gives the user a clear mental model of what the AI knows about them.
  3. Self-host infinite-canvas as a private creative tool for generating blog header images and social cards: point it at FLUX.1-schnell via a Together.ai OpenAI-compatible endpoint, build a small prompt template library tuned to the Eastern Ink × Comic Panel brand palette, and use the img2img node to consistently apply the comic-book hard-shadow aesthetic across auto-generated post thumbnails — eliminating the manual Figma step for every githot/ai-news post.

10. evilsocket/audit

464 stars this week · Python

A runnable 8-stage multi-agent pipeline that hunts real vulnerabilities in a codebase using Claude Pro — no API key required, just claude login.

Use case

Static analysis tools report thousands of potential issues; this solves the signal-to-noise problem by gating every finding behind a reachability trace — a bug only surfaces if an attacker-controlled input can demonstrably reach the vulnerable sink. Concretely: you point it at a Node.js API codebase, Stage 1 (Recon/Opus) maps trust boundaries, Stage 2 (Hunt/Sonnet) fires parallel agents each scoped to one attack class (e.g. SQL injection in a specific route), Stage 3 (Disprove) runs a second model trying to invalidate the finding, and only survivors with a proven call path become actionable reports.

Why it's trending

It shipped the same week Cloudflare published Project Glasswing — so it's the open-source materialisation of a blog post that went viral in the security community. It also happens to be the first prominent example of the Claude Code Agent SDK used as an orchestration backbone for a non-trivial multi-agent workflow, which gives it a second audience beyond security researchers.

How to use it

  1. Install Claude Code CLI and authenticate: npm install -g @anthropic-ai/claude-code && claude login — your Pro/Max subscription covers the model calls, no separate API key.
  2. Clone the repo: git clone https://github.com/evilsocket/audit && cd audit && pip install -r requirements.txt
  3. Point it at your target repo: python audit.py --target /path/to/your/project
  4. Watch the pipeline: Stage 1 emits scoped Hunt tasks to stdout; each Hunt agent writes a finding JSON; the Disprove agent annotates each finding with a reachability verdict.
  5. Read findings/ — only findings with reachable: true and a surviving disproval need your attention. Review the call-path trace in each file to confirm before acting.

How I could use this

  1. Run audit against Gradland's own API routes before each deploy — wire it into your pre-push hook as an optional npm run security-scan that calls python audit.py --target app/api and fails if any reachable: true findings appear. Given you already have auth, rate-limit, and RLS rules documented in AGENTS.md, the Recon stage will pick those up as trust boundaries and scope Hunt agents specifically to your Supabase query layer and Claude-calling routes.
  2. Build a 'Portfolio Code Reviewer' feature for your career tools audience: international grad uploads a GitHub repo URL, your backend clones it, runs a stripped-down 2-stage version of the audit pipeline (Recon + Hunt only, skip Disprove for cost), and returns a plain-English security summary they can reference when an interviewer asks 'have you thought about security in this project?' — directly differentiates your platform from every generic resume tool.
  3. Steal the deliberate-disagreement pattern (Stage 3 Disprove) for your Interview Prep tool: after Claude evaluates a candidate's behavioural answer, fire a second Claude call with the explicit instruction to argue why the answer is weak or missing key elements. Show both perspectives side-by-side. This is more honest feedback than a single-model score and maps directly to how real panel interviews work — two interviewers who sometimes disagree.