Top 10 repos trending on GitHub this week — what they do, why they matter, and how to use them in your projects.
1. perplexityai/bumblebee
2,524 stars this week · Go · golang package-inventory supply-chain-security
A zero-dependency static binary that inventories every installed package, extension, and dev-tool on a developer machine and flags matches against a known-compromise catalog — without running any package managers.
Use case
When a supply-chain advisory drops (e.g., a malicious npm package, a backdoored VS Code extension), security teams need to answer 'which of our 200 dev laptops has version X installed?' in minutes, not hours. Bumblebee reads raw lockfiles and package-manager metadata on disk — no npm ls, no pip show — and emits structured NDJSON you can grep or pipe into a SIEM. Concrete scenario: the xz-utils backdoor (CVE-2024-3094) broke in March 2024; a tool like this would let a platform team run a fleet scan and get a match list before developers even heard about it.
Why it's trending
CISA and GitHub's 2025 SBOM mandates have pushed supply-chain tooling into the mainstream, and the MCP ecosystem explosion (bumblebee explicitly inventories MCP host configs) means there's a new attack surface most teams haven't audited yet. A single static Go binary with no runtime dependencies is exactly what security-conscious teams want to push via MDM without touching package managers.
How to use it
- Download the latest static binary for your platform from the GitHub releases page (no install, no dependencies).
- Run a baseline scan: ./bumblebee scan --profile baseline --output inventory.ndjson (this reads lockfiles and package metadata under your home directory).
- Optionally point it at a specific project: ./bumblebee scan --profile project --root ./my-app --output project.ndjson
- To check against a compromise catalog, pass an exposure file: ./bumblebee check --inventory inventory.ndjson --catalog exposures.json (flagged matches are emitted as NDJSON with matched: true).
- Pipe into jq for quick triage: cat inventory.ndjson | jq 'select(.matched == true) | {name, version, ecosystem, path}'
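The inventory-then-check flow above, as an added Python example that is not bumblebee's own code: parse a package-lock.json and a requirements.txt straight off disk (no npm, no pip), emit one NDJSON record per package, and flag records that match a compromise catalog. The lockfile, requirements and catalog are constructed samples, and the catalog layout (ecosystem, name, exact bad versions) is an assumption.

```python
"""Added example, not bumblebee's own code: build a package inventory from a
package-lock.json and a requirements.txt read straight off disk (no npm, no
pip), emit NDJSON records, and flag any that match a compromise catalog.
The lockfile, requirements and catalog below are constructed samples, and the
catalog layout (ecosystem, name, exact bad versions) is an assumption."""
import json
import re
from typing import Iterator

# Constructed sample inputs; a real run would read these files from disk.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@scope/widget": {"version": "2.0.1"},
        # nested copy pulled in by @scope/widget: this is the bad one
        "node_modules/@scope/widget/node_modules/left-pad": {"version": "1.2.0"},
    },
})
SAMPLE_REQUIREMENTS = "flask==3.0.0\n# pinned for repro\nrequests==2.31.0\nnumpy>=1.26\n"
SAMPLE_CATALOG = [
    {"ecosystem": "npm", "name": "left-pad", "versions": ["1.2.0"]},
    {"ecosystem": "pypi", "name": "requests", "versions": ["2.31.0"]},
]


def inventory_package_lock(text: str, path: str) -> Iterator[dict]:
    """lockfileVersion 2/3 keys 'packages' by install path, so the package
    name is whatever follows the last 'node_modules/' segment."""
    for key, entry in json.loads(text).get("packages", {}).items():
        if key == "" or "version" not in entry:
            continue  # root project entry, or a link without a version
        name = key.rsplit("node_modules/", 1)[-1]
        yield {"ecosystem": "npm", "name": name, "version": entry["version"], "path": path}


def inventory_requirements(text: str, path: str) -> Iterator[dict]:
    """Only exact '==' pins give a checkable version; range specifiers are
    still inventoried, with version None, so they are not silently dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[<>=!~;\[ ]", line, maxsplit=1)[0].lower()
        version = line.split("==", 1)[1].strip() if "==" in line else None
        yield {"ecosystem": "pypi", "name": name, "version": version, "path": path}


def check(records: list, catalog: list) -> list:
    """Return each record with matched: true/false against the catalog."""
    bad = {(c["ecosystem"], c["name"].lower()): set(c["versions"]) for c in catalog}
    return [
        {**rec, "matched": rec["version"] in bad.get((rec["ecosystem"], rec["name"].lower()), set())}
        for rec in records
    ]


def scan_and_check() -> list:
    """Scan the constructed samples and check them against the catalog."""
    records = list(inventory_package_lock(SAMPLE_PACKAGE_LOCK, "./my-app/package-lock.json"))
    records += inventory_requirements(SAMPLE_REQUIREMENTS, "./my-app/requirements.txt")
    return check(records, SAMPLE_CATALOG)


if __name__ == "__main__":
    for rec in scan_and_check():
        print(json.dumps(rec))  # NDJSON: one object per line, grep/jq friendly
```

Note that the nested left-pad copy is reported under its own install path, which is exactly the case a top-level-only listing would miss.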
How I could use this
- Write a 'Career Edge' post titled 'Supply Chain Attacks: What Every Aussie Dev Needs to Audit Before Their Next Job' — use bumblebee as the hands-on demo, walk through scanning a Node/Python project, and tie it to Australian Government IRAP and ASD Essential Eight compliance requirements that 482/485 visa holders working in government contracts will encounter.
- Add a 'Dev Security Posture' section to the resume analyser tool: when a user uploads their resume and lists packages or frameworks, cross-reference against a curated list of recently-compromised packages (maintained as a static JSON file updated by a daily GitHub Action) and surface a callout like 'Your resume mentions [package] — there was a supply-chain advisory in [month]. Worth auditing your projects before interviews with security-conscious employers.'
- Build a lightweight API endpoint at /api/tools/sbom-check that accepts a pasted package-lock.json or requirements.txt, parses it server-side with a Claude Haiku call, extracts name/version pairs, and checks them against the OSV.dev vulnerability API — returning a structured risk summary the user can reference in job applications or include in their GitHub README as a badge.
2. FoundZiGu/GuJumpgate
2,522 stars this week · JavaScript
3. thananon/9arm-skills
2,125 stars this week · Shell
A structured, installable library of Claude Code slash-command skills covering debugging discipline, post-mortems, code scrutiny, and management comms — ready to symlink into ~/.claude/skills/ in one command.
Use case
Claude Code supports custom /skills that act as reusable, opinionated prompt templates with bundled scripts. Without a shared library, every developer rebuilds the same 'how do I debug this systematically' or 'write me a post-mortem' prompts from scratch, losing consistency across sessions. This repo gives you drop-in skills like /debug-mantra (four-step reproduce→trace→falsify→cross-reference loop that runs before any fix), /scrutinize (outsider-perspective plan review that questions intent before touching code), and /management-talk (rewrites eng-to-eng content for JIRA, Slack, async standups) — all with a clean directory taxonomy so you can fork and extend without tangling your personal skills with shared ones.
Why it's trending
Claude Code's custom skill ecosystem hit critical mass in mid-2026 as the CLI moved from power-user toy to daily driver, and this is one of the first public repos with a real install script, directory taxonomy, and lifecycle stages (in-progress / deprecated) — it's circulating as the reference structure for 'how to ship Claude Code skills as a repo.'
How to use it
- Clone the repo: git clone https://github.com/thananon/9arm-skills && cd 9arm-skills
- Symlink all shippable skills: ./scripts/link-skills.sh (this drops symlinks into ~/.claude/skills/)
- Open any Claude Code session and invoke a skill: /debug-mantra starts the four-mantra debugging loop, /scrutinize kicks off an outsider plan review
- Fork and add your own: create skills/engineering/my-skill/SKILL.md with name: and description: YAML frontmatter plus any bundled scripts in the same directory
- Run ./scripts/list-skills.sh to audit everything in the repo (useful before symlinking a fork you're inheriting)
How I could use this
- Build a githot-write skill that encodes the exact JSON schema and senior-developer voice Henry uses for these repo analyses — so the daily githot GitHub Action can invoke /githot-write with raw trending data and get a consistent, on-brand digest entry without re-specifying the prompt each time.
- Create a visa-plain-english skill under skills/career/ that takes a raw DIBP/Home Affairs policy excerpt and rewrites it into the plain-language format used on Gradland's visa-news pages — invoke it from scripts/fetch-visa-news.ts so the Haiku-powered pipeline has an opinionated rewrite stage baked in rather than relying on a raw system prompt.
- Add a pr-review-international skill that scrutinizes code changes with an extra lens on auth flows, RLS policies, and rate-limiting — matching the security rules in AGENTS.md §5 — so the autonomous developer GitHub Actions workflow can self-review PRs touching lib/auth-server.ts or lib/subscription.ts before flagging them for human review.
4. open-gsd/get-shit-done-redux
803 stars this week · JavaScript · claude-code context-engineering meta-prompting spec-driven-development
Getting Shit Done, the Aftermath
5. kageroumado/phosphene
666 stars this week · Swift · animated-wallpaper desktop-wallpaper macos macos-wallpaper
Phosphene hooks into macOS Tahoe's native wallpaper picker via Apple's private WallpaperExtensionKit to play your own video files as system wallpapers — same pipeline Apple's own Aerials use.
Use case
The real problem is that macOS has never let you use arbitrary video as a live wallpaper without janky third-party hacks that render inside a window sitting behind your desktop. Phosphene solves this by running out-of-process inside the OS's own wallpaper extension slot, so it survives app quits, integrates with the lock screen lifecycle, and responds to thermal/battery state exactly like Apple's built-ins. Concrete scenario: you want a looping Blender render or a custom ambient video to play on your studio Mac without tanking battery on a MacBook when you unplug.
Why it's trending
macOS 26 Tahoe was announced at WWDC 2026 and WallpaperExtensionKit is a newly surfaced (still private) framework that most developers didn't know existed — Phosphene is the first open reverse-engineering of it, so the Swift and macOS communities are racing to read the source before Apple either documents or locks it down.
How to use it
- Clone the repo and open Phosphene.xcodeproj in Xcode 26 beta (the project requires the macOS 26 SDK and a paid Apple Developer account for the wallpaper extension entitlement).
- In WallpaperExtension/WallpaperProvider.swift, find the dlopen call that loads WallpaperExtensionKit; read how it uses Mirror-based introspection to construct the XPC-bridged WEWallpaperConfiguration type without a public header.
- Build and run the menu bar target; grant the extension permission in System Settings → Wallpaper, where the app's section will appear.
- Drop an MP4 into the import sheet; Phosphene writes metadata to ~/Library/Application Support/Phosphene/ and registers the asset with the system picker via the extension's XPC service.
- To study the PlaybackPolicy scheduler (the most reusable piece), look at Engine/PlaybackPolicy.swift: it's a clean state machine mapping (thermalState, batteryLevel, acPowered, gameMode, displayState) → (resolution, fps, paused) that you could adapt for any resource-aware background task.
How I could use this
- Write a teardown post titled 'How Phosphene reverse-engineered Apple's private WallpaperExtensionKit' — walk through the dlopen + Mirror introspection pattern with annotated Swift snippets. This is exactly the kind of deep technical content that ranks well for 'macOS internals' searches and signals serious engineering chops to senior hiring managers reading your blog.
- The PlaybackPolicy state machine — mapping (thermalState × batteryLevel × acPowered × gameMode) → resource tier — is a directly portable pattern for Gradland's Claude API calls. Adapt it as a TypeScript InferencePolicy that maps (subscriptionTier × requestsRemainingToday × timeOfDay) → (model: haiku | sonnet | opus, streaming: bool) to automatically downgrade to Haiku when a user is burning through their daily quota, reducing your API bill without a hard cutoff.
- Build a 'GitHub Project Explainer' AI feature for Gradland: paste a GitHub URL, and a Claude Sonnet call reads the README + key source files (via GitHub's raw API) and generates a structured breakdown — use case, architecture decisions, code patterns worth stealing, and interview talking points if the user wants to mention the project on their resume. Phosphene is a perfect demo input: its README is dense with technical decisions that make for great behavioural interview stories about 'a time you worked with an undocumented API'.
6. Tong89/smartNode
636 stars this week · Python
A Python Flask simulation platform for satellite relay networks — 3D visualization, REST API, and a scheduling engine for LEO constellations and ground stations, all runnable locally with no auth.
Use case
This solves the problem of prototyping satellite communication network logic without access to real orbital infrastructure. A concrete scenario: an aerospace researcher wants to test how adding two more LEO satellites changes data throughput to a ground station cluster — they can hit POST /api/update_leo_satellites, watch resource utilization shift in real time, and validate scheduling heuristics before writing a single line of embedded firmware. It's also useful as a teaching tool for systems engineers who need to demo relay coordination without a $2M simulator license.
Why it's trending
636 stars in a week for a niche Chinese-language satellite sim repo signals strong tailwind from the commercial space boom — Starlink, Amazon Kuiper, and Chinese mega-constellation announcements (Qianfan/G60) have engineers hunting for open-source orbital tooling. The open REST API with no auth dependency also makes it an instant playground for anyone wanting to build a custom dashboard on top.
How to use it
- Clone and set up: git clone https://github.com/Tong89/smartNode.git && cd smartNode && python -m venv .venv && source .venv/bin/activate && pip install -r requirements.txt
- Start the simulation server: python backend/app.py (Flask serves both the API and the vanilla JS frontend at http://127.0.0.1:5000/frontend/)
- Poll live simulation state: curl http://127.0.0.1:5000/api/data returns satellite positions, relay links, and the task queue as JSON
- Submit a data relay task: curl -X POST http://127.0.0.1:5000/api/request -H 'Content-Type: application/json' -d '{"data_type": "imagery", "priority": "high"}'
- Dynamically reshape the constellation: curl -X POST http://127.0.0.1:5000/api/update_leo_satellites -H 'Content-Type: application/json' -d '{"count": 8}', then observe the utilization shift via /api/resource_utilization
How I could use this
- Write a deep-dive blog post titled 'How satellite relay scheduling actually works — I built one in 200 lines of Python' — walk through core.py's scheduling engine, explain the discrete-event simulation model, and connect it to real LEO constellation design decisions (Starlink shell altitude tradeoffs). This is high-SEO content that hits both the 'explain complex systems simply' niche and the current space tech interest spike.
- Build a 'Tech Radar' career visualization for Gradland using the same canvas/WebGL rendering pattern SmartNode uses for its 3D spatial display — plot technologies as orbital bodies, skill adjacency as relay links, and user's current skills as 'ground stations' receiving signal. The SmartNode frontend (app.js) shows how to animate node graphs over a dark canvas background without a heavy library, directly applicable to career path visualization.
- Pipe SmartNode's /api/data JSON output into Claude Haiku on a polling interval and have it generate natural-language 'mission briefings' — 'Relay-7 is approaching optimal handoff window; ground station Canberra has 23% utilization headroom.' This is a clean demo of the structured-data-to-AI-narration pattern you can then repurpose in Gradland to narrate resume analysis results or visa timeline updates in plain English instead of raw data tables.
7. 0xSero/codex-shim
575 stars this week · Python
A local Python shim that intercepts Codex Desktop's API calls and reroutes them to any BYOK model (Claude, Gemini, DeepSeek, local proxies) without touching the app binary.
Use case
Codex Desktop's model picker is gated by OpenAI's server-side config — you can't just point it at Claude or DeepSeek without a rebuild. This shim runs a local aiohttp server that speaks OpenAI's Responses API inbound and translates to whatever upstream you configure outbound, including full protocol fidelity: streaming SSE, tool calls, reasoning blocks, and shell-command metadata all survive the translation. Concrete scenario: you have an Anthropic API key and want Codex Desktop's agent loop — file editing, shell commands, multi-turn context — running against claude-sonnet-4-6 instead of GPT-4o, without any Electron patching beyond a one-line config change.
Why it's trending
OpenAI shipped GPT-5.5 inside Codex this week, spiking interest in Codex Desktop as a serious coding agent — and immediately surfacing frustration that non-OpenAI models are locked out. This shim is the cleanest escape hatch available, and its 575-star week is a direct reflection of that pent-up demand.
How to use it
- Clone and install: git clone https://github.com/0xSero/codex-shim && pip install aiohttp
- Create ~/.codex-shim/models.json mapping model slugs to upstream providers and API keys, e.g. { "claude-sonnet": { "provider": "anthropic", "model": "claude-sonnet-4-6", "api_key": "sk-ant-..." } }
- Run the shim: python shim.py (it binds to loopback on a configurable port)
- In Codex Desktop settings, point the API base URL at http://localhost:<port>
- (macOS only) Apply the ASAR patch from the repo's instructions to surface your custom model slugs in the Codex model picker UI without them being filtered out
How I could use this
- Build a 'model face-off' interactive blog post: wire the shim's provider-agnostic routing into a Next.js API route that sends the same coding prompt to Claude Sonnet, GPT-4o, and DeepSeek in parallel, then render a side-by-side diff of their outputs — high SEO value for 'best AI coding assistant 2026' queries and directly relevant to your international dev audience choosing tools for the Australian job market.
- Adopt the shim's routing-layer pattern for your career tools' AI calls in app/api/: create a single lib/ai-router.ts that selects Haiku vs Sonnet vs Opus based on user subscription tier and prompt token count, so every route handler calls one function instead of hardcoding model strings — when a model is deprecated or rate-limited, you swap it in one place, not across a dozen route files.
- Build a local prompt-caching proxy for development using the shim's 'put a local proxy in front' architecture note: intercept all Claude API calls during local dev, cache responses keyed by prompt hash, and replay them instantly — slashes dev iteration time on AI features and eliminates accidental API spend when hot-reloading triggers repeated identical requests to Anthropic.
8. run-liyi/wechatpay
495 stars this week · JavaScript
An Electron desktop app that parses WeChat Pay CSV/Excel exports and gives you interactive spending dashboards — no server, no data leaves your machine.
Use case
WeChat Pay is the dominant payment rail in China, but its built-in bill view is a flat list with zero analytics. This app solves the 'where did my money go?' problem for Chinese users (and Australian-based Chinese migrants) by turning the raw exported CSV into merchant rankings, daily spend curves, and payment-method breakdowns. Concrete scenario: an international student wants to know how much they spent on food delivery vs. rent vs. transfers home over the last 12 months — one CSV import, done.
Why it's trending
WeChat Pay just updated its export flow (the '用于个人对账' path now generates cleaner CSVs), making local parsers newly viable without brittle PDF scraping. It's also riding the broader wave of 'local-first finance tools' — people are increasingly skeptical of uploading bank data to cloud apps after several high-profile data leaks from fintech aggregators.
How to use it
- Export your WeChat bill: WeChat → Me → Services → Wallet → Bills → ... → Download Bill → select '用于个人对账' → choose date range → receive encrypted zip by email, unzip with the password sent via WeChat notification.
- Clone and install: git clone https://github.com/run-liyi/wechatpay && cd wechatpay && npm install
- Run in dev mode: npm start (the Electron window opens with a file-picker welcome screen).
- Drop the unzipped Excel/CSV file into the app. It auto-detects and skips the ~16-row WeChat header block, then populates all dashboard tabs.
- Export a summary report: use the 'Export to Excel' button to get a multi-sheet workbook (summary, categories, daily, full ledger) you can open in Numbers or Google Sheets.
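The header-skipping and dashboard aggregation described above, as an added Python example that is not the app's own parser: locate the transaction table by its first column name rather than by a fixed row count, then total spend by merchant, day and payment method. The column names, the '¥' amount format and the header marker are assumptions about the export, and the bill is a constructed sample.

```python
"""Added example, not wechatpay's own parser: skip the free-form header block
of a WeChat Pay bill export by scanning for the table's first column name,
then aggregate spend by merchant, day and payment method. The column names,
the '¥' amount format and the header marker are assumptions about the export;
the bill below is a constructed sample."""
import csv
import io
from collections import defaultdict

HEADER_MARKER = "交易时间"  # assumed: first column of the transaction table

SAMPLE_BILL = (  # constructed sample in the assumed export layout
    "微信支付账单明细\n"
    "微信昵称：[demo]\n"
    "起始时间：[2024-01-01 00:00:00] 终止时间：[2024-01-31 23:59:59]\n"
    "导出类型：[全部]\n"
    "导出时间：[2024-02-01 10:00:00]\n"
    "\n"
    "----------------------微信支付账单明细列表--------------------\n"
    "交易时间,交易类型,交易对方,商品,收/支,金额(元),支付方式,当前状态\n"
    "2024-01-03 12:10:00,商户消费,美团外卖,午餐,支出,¥35.50,零钱,支付成功\n"
    "2024-01-03 19:40:00,商户消费,美团外卖,晚餐,支出,¥42.00,招商银行,支付成功\n"
    "2024-01-05 08:00:00,转账,房东,房租,支出,¥3000.00,招商银行,已转账\n"
    "2024-01-06 09:30:00,微信红包,朋友,红包,收入,¥100.00,/,已存入零钱\n"
)


def split_header(text: str):
    """Return (header_lines, table_text); the header block length varies, so
    scan for the marker row instead of skipping a fixed number of lines."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith(HEADER_MARKER):
            return lines[:i], "\n".join(lines[i:])
    raise ValueError("transaction table header not found")


def parse_amount(raw: str) -> float:
    """Amounts are assumed to look like '¥1,234.56'; strip symbol and separators."""
    return float(raw.replace("¥", "").replace(",", "").strip())


def summarise(text: str) -> dict:
    """Merchant ranking, daily spend curve and payment-method breakdown."""
    _, table = split_header(text)
    by_merchant = defaultdict(float)
    by_day = defaultdict(float)
    by_method = defaultdict(float)
    spend = income = 0.0
    for row in csv.DictReader(io.StringIO(table)):
        amount = parse_amount(row["金额(元)"])
        if row["收/支"] == "支出":  # expense
            spend += amount
            by_merchant[row["交易对方"]] += amount
            by_day[row["交易时间"][:10]] += amount
            by_method[row["支付方式"]] += amount
        elif row["收/支"] == "收入":  # income
            income += amount
    return {
        "spend": round(spend, 2),
        "income": round(income, 2),
        "merchants": sorted(by_merchant.items(), key=lambda kv: -kv[1]),
        "daily": dict(by_day),
        "methods": dict(by_method),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_BILL))
```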
How I could use this
- Build a 'Financial Year in Review' blog post generator: pipe a user's anonymised category totals (food/transport/transfer/subscriptions) into Claude Haiku and auto-draft a personal finance retrospective post — same format as Spotify Wrapped but for spending. Fits Gradland's 'international student life in Australia' content angle perfectly.
- Add a WeChat Pay import path to the Gradland salary/cost-of-living tool: let users upload their bill CSV to automatically populate a 'actual monthly expenses' baseline in their visa tracker profile, so the 482/485 salary adequacy check uses real spend data instead of generic ABS household averages.
- Train a Claude Sonnet prompt on the merchant + category taxonomy from this repo's parser to build a cross-platform spend categoriser — paste any bank statement (CommBank, ANZ, WeChat, Alipay) and get a normalised JSON of categories. Ship it as a Gradland API endpoint so the resume analyser can eventually cross-reference 'claimed salary' on a resume against 'plausible lifestyle cost' as a sanity-check feature.
9. MoonshotAI/kimi-code
450 stars this week · TypeScript
Kimi Code is a Claude Code-style terminal AI coding agent from Moonshot AI that ships as a single binary, backed by Kimi models with optional third-party provider support.
Use case
Solves the 'AI coding agent with no Node.js setup overhead' problem — you can drop it onto a fresh VPS or CI runner without npm install gymnastics. Concrete scenario: a junior dev SSHes into a staging server to debug a broken deployment; instead of context-switching to a web IDE, they run kimi in the terminal, describe the bug, and let the agent read logs, edit files, and run shell commands in a single focused session.
Why it's trending
Trending because it's a direct open-source competitor to Claude Code and GitHub Copilot Workspace, released by a well-funded Chinese AI lab (Moonshot AI) with video input support — a capability gap that Claude Code still lacks publicly. The single-binary distribution is also a sharp contrast to Claude Code's npm-based install that trips up new developers.
How to use it
- Install the binary: curl -fsSL https://code.kimi.com/kimi-code/install.sh | bash
- Open a project: cd your-project && kimi
- Authenticate inside the TUI: run /login and paste a Moonshot AI API key (get one at platform.moonshot.cn)
- To use it with an OpenAI-compatible provider (e.g., your own Anthropic key), set OPENAI_API_KEY and point the base URL to your provider's endpoint in ~/.kimi/config.json
- Try a first task: Audit this codebase for security issues and list the top 3 findings
How I could use this
- Write a blog post titled 'Kimi Code vs Claude Code: I ran both on the same codebase for a week' — use Kimi Code on the Gradland repo, document where it hallucinated vs where it excelled, include side-by-side terminal screenshots. This is high-SEO content for developers evaluating AI coding tools.
- Use Kimi Code's video input feature to build a career tool demo flow: record a 30-second Loom of a broken resume upload, drop it into Kimi Code, and have it generate the fix. Then write a 'how I ship faster with video-driven debugging' post — directly relevant to your international dev audience who may not be native English speakers and find video easier than writing a bug report.
- Since Kimi Code supports configurable OpenAI-compatible providers, wire it up to Claude Sonnet via an Anthropic-compatible proxy and benchmark response quality on Gradland-specific tasks (resume analysis, visa Q&A generation) — then expose the benchmark results as a /tools/ai-benchmark page on the blog. Generates useful SEO content while giving you real data on which model to use for each Gradland feature.
10. zhaoyue4810/pianke
392 stars this week · Python
A privacy-first local AI tool that clusters burst photos by visual similarity (DINOv2 + face recognition + EXIF) and lets you cull them via A/B keyboard tournament — no cloud upload, no subscription.
Use case
Wedding and event photographers routinely end up with 400+ near-identical burst frames from a single ceremony moment. Pianke auto-groups them by scene using DINOv2 semantic embeddings, face identity, and EXIF timestamps, then presents each group as a head-to-head bracket. You tap ← or → to eliminate losers and surface one keeper per group in minutes — instead of star-rating 400 frames in Lightroom. RAW+JPG pairs and .xmp sidecars stay in sync automatically throughout.
Why it's trending
Privacy-first local AI is peaking right now: DINOv2 and lightweight vision models are finally fast enough on consumer M-series and mid-range Windows hardware that cloud upload is no longer a necessary trade-off for AI curation. The A/B tournament UX is also getting traction as a concrete alternative to the broken '5-star rating' mental model most photographers abandon after day one.
How to use it
- Clone the repo and install deps for your chosen mode: Fast (~200MB), Expert (~3GB including DINOv2 weights auto-downloaded on first run), or Tycoon (5MB + your own API key for GPT-4V/Qwen).
- Launch the web UI: python app.py (it opens at localhost).
- Point it at a photo directory; it fingerprints every image, runs quality screening (blur, overexposure, closed eyes), and groups similar frames into 'moments'.
- Work through each group using ← / → to run A/B matchups — the winner advances to the next round bracket-style.
- Commit your selections: Pianke moves keepers and syncs paired RAW + JPG + XMP files. Progress auto-saves so you can quit mid-session and resume.
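The A/B bracket and the mid-session resume described above, as an added Python example rather than Pianke's own code: a single-elimination bracket over one 'moment' of frames whose state is plain data, so it can be written out after every keypress and reloaded later. The frame names and the chooser function (a stand-in for the human's left/right keypress) are constructed.

```python
"""Added example, not Pianke's own code: a single-elimination A/B bracket that
surfaces one keeper from a group of near-identical frames, with its state kept as
plain data so a culling session can be saved mid-way and resumed. The frame names
and the chooser (a stand-in for the human's left/right keypress) are constructed."""
import json

SAMPLE_MOMENT = ["IMG_0101.jpg", "IMG_0102.jpg", "IMG_0103.jpg", "IMG_0104.jpg", "IMG_0105.jpg"]


class Bracket:
    """Survivors are paired again each round and an odd one out gets a bye, so a
    group of n frames needs exactly n - 1 keypresses. State is plain attributes."""

    def __init__(self, pool, survivors=(), index=0):
        self.pool, self.survivors, self.index = list(pool), list(survivors), index

    def keeper(self):
        """The winner once only one frame is left in the pool."""
        return self.pool[0] if len(self.pool) == 1 else None

    def current_pair(self):
        if not self.pool or self.keeper() is not None:
            return None
        if self.index + 1 < len(self.pool):
            return self.pool[self.index], self.pool[self.index + 1]
        self.survivors.append(self.pool[self.index])  # bye for the leftover frame
        self._next_round()
        return self.current_pair()

    def choose(self, keep_left):
        """Record one keypress: the chosen frame advances, the other is eliminated."""
        pair = self.current_pair()
        if pair is None:
            raise ValueError("bracket already finished")
        self.survivors.append(pair[0] if keep_left else pair[1])
        self.index += 2
        if self.index >= len(self.pool):
            self._next_round()

    def _next_round(self):
        self.pool, self.survivors, self.index = self.survivors, [], 0

    def to_json(self):
        return json.dumps(vars(self))  # what an auto-save would write to disk

    @classmethod
    def from_json(cls, text):
        return cls(**json.loads(text))


def run_bracket(bracket, chooser, stop_after=None):
    """Play matchups until a keeper emerges or stop_after matchups; returns the count played."""
    played = 0
    while played != stop_after and (pair := bracket.current_pair()) is not None:
        bracket.choose(chooser(*pair))
        played += 1
    return played


def cull(moment, chooser):
    """Pick one keeper, quitting after two keypresses and resuming from the saved state."""
    b = Bracket(moment)
    run_bracket(b, chooser, stop_after=2)
    b = Bracket.from_json(b.to_json())  # reload exactly where the session stopped
    run_bracket(b, chooser)
    return b.keeper()


def prefer_later(left, right):
    """Constructed chooser: keep the later frame (burst tails are often sharper)."""
    return left > right
```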
How I could use this
- Build an A/B tournament UI for blog post draft selection: when Henry has written 3-4 intros or title variants for the same post, embed them with Claude's embeddings API to cluster semantically similar drafts, then present head-to-head matchups in the admin panel — same ← / → pattern, no scrolling through a long list of options.
- Apply the tournament-selection pattern to resume bullet points in the Resume Analyser: let users paste 6-8 versions of a single bullet, pre-rank them by cosine similarity to the target job description using an embedding model, then run A/B pairs so the user picks the winner through felt preference rather than abstract star ratings.
- Steal the DINOv2 multi-signal grouping logic for a 'content cluster' feature in the blog dashboard: embed all of Henry's existing posts, group them by semantic similarity, and surface clusters that have only one post — those are underserved topic areas worth writing more on, essentially a gap-detection tool built on the same vector-grouping pipeline Pianke uses for photos.