🛠️ Hacker News Tools

[Other] Show HN: MCP Security Scanning Tool for CI/CD

[DevOps] Show HN: Superglue – OSS integration tool that understands your legacy systems If you&#x27;ve ever worked in a large company, you&#x27;ve probably encountered &quot;shadow infrastructure&quot;: scripts nobody understands or custom connectors written once and never touched again. This glue layer isn&#x27;t documented, isn&#x27;t owned by anyone, and tends to break when systems are upgraded or someone leaves. It&#x27;s also the part everybody dreads working on, because it&#x27;s hard to understand, painful to work with, and full of unknown unknowns.<p>We built superglue so that engineers stop wasting time on deciphering legacy APIs and documentation.<p>superglue ingests existing glue code, SQL, configs, docs, OpenAPI specs and reverse-engineers what the system is actually doing. It then maps dependencies and regenerates everything as clean javascript code that can run directly or be exposed via MCP or SDK. It also monitors API changes and schema drift, and automatically repairs integrations when upstream systems change.<p>In short: It turns legacy integrations into code you can easily understand, test, and update. So that engineers can do more exciting feature work, and companies can migrate and upgrade systems faster.<p>Think of it as: a context engine + code generator + integration runtime for legacy glue.<p>What we&#x27;d love feedback on<p>- How do you deal with &quot;nobody knows what this script does&quot; situations?<p>- What would you want to know about your legacy systems?<p>OSS&#x2F;community version: <a href="https:&#x2F;&#x2F;github.com&#x2F;superglue-ai&#x2F;superglue" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;superglue-ai&#x2F;superglue</a><p>More info: <a href="https:&#x2F;&#x2F;superglue.ai">https:&#x2F;&#x2F;superglue.ai</a><p>Happy to go deeper on the technical details.

[Other] Show HN: Sparse Matrix-Vector Multiplication that works at 30–90% sparsity To get benefits from sparsity, you usually need to have very sparse matrices, impose some structure on the sparsity pattern or have specialized hardware. None of it is the case if you want to rune pruned LLMs on consumer devices. I wanted to see how far can you push it on a GPU and ended up with this. Blog: <a href="https:&#x2F;&#x2F;www.grizzlytech.dev&#x2F;blog&#x2F;macko-spmv" rel="nofollow">https:&#x2F;&#x2F;www.grizzlytech.dev&#x2F;blog&#x2F;macko-spmv</a> Paper: <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2511.13061" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2511.13061</a> Code (example with torch): <a href="https:&#x2F;&#x2F;github.com&#x2F;vlejd&#x2F;macko_spmv" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;vlejd&#x2F;macko_spmv</a>

[DevOps] Show HN: Deft-Intruder – Real-time malware detection daemon for Linux I built an open-source malware detection daemon that monitors all running processes in real-time using ML + heuristics. No kernel modules or eBPF required.<p>Key points:<p>- Polls &#x2F;proc for new processes (works on any Linux kernel 2.6+)<p>- Random Forest model trained on EMBER 2018 dataset (2.3M samples)<p>- Heuristic rules for crypto miners, ransomware, rootkits<p>- ~20MB RAM, &lt;1% CPU, sub-millisecond scan latency<p>- Pure C, zero runtime dependencies<p>- Model embedded directly in binary (50KB)<p>Why I built this: Existing solutions either require modern kernels (eBPF) or are heavy&#x2F;proprietary. I wanted something lightweight that works everywhere - servers, containers, old distros.<p>Detection approach: Extract features from executables (entropy, imports, sections), run ML prediction, apply heuristic rules, combine scores. If above threshold, kill the process.<p>Happy to discuss implementation details or Linux security in general.

[Other] Show HN: Axe - A Systems Programming Language with Builtin Parallelism and No GC I&#x27;m writing a compiler for a systems language focused on concurrency and parallelism. It’s a re-engineering of a prior work, with an explicit emphasis on memory management and type safety, plus first-class parallel primitives at the language level.<p>The language is now capable of compiling a substantial portion of its own source code to tokens using a single-pass C back-end. The self-hosted compiler includes a handwritten lexer and a parser, with an arena-based allocator to support fast compilation and eliminate GC complexity.<p>The primary goals for the project are: First-class parallel and concurrent constructs built directly into the language, strong static memory and type guarantees, and a toolchain suitable for building high-performance software<p>Example:<p><pre><code> def main() { parallel local(mut arena: Arena) { arena = Arena.create(1024); val tid = Parallel.thread_id(); val result = worker(ref_of(arena), tid); println $&quot;Thread {tid} computed {result}&quot;; Arena.destroy(ref_of(arena)); } } </code></pre> You can find the repository here: <a href="https:&#x2F;&#x2F;github.com&#x2F;axelang&#x2F;axe" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;axelang&#x2F;axe</a>

[Other] Show HN: I built an interactive map of jobs at top AI companies I built a live interactive map that shows where top AI companies hire around the world. I collected this data for a hackathon project. Many ATS providers have a public API that you can hit with the slug of the companies to get open jobs. The hardest part was finding the companies. I tried Firecrawl but it returned around 200 companies per provider which wasn’t enough for me. Then, I tried SERPAPI but it was expensive. I ended up using SearXNG to discover companies by ATS type and fetch their job postings. This produced a large dataset of 200k+ jobs (I only use a subset as it would have taken too much time processing). A few days ago, I decided to build a visualization of the data as I didn’t know what to do with it and wanted people to benefit.<p>I kept catching myself wanting to ask simple questions like “show only research roles in Europe” or “filter for remote SWE positions” (and had plenty of free ai credits) so I added a small LLM interface that translates natural language into filters on the map.<p>The map is built with Vite + React + Mapbox. Live demo: <a href="https:&#x2F;&#x2F;map.stapply.ai" rel="nofollow">https:&#x2F;&#x2F;map.stapply.ai</a> GitHub (data): <a href="https:&#x2F;&#x2F;github.com&#x2F;stapply-ai&#x2F;jobs" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;stapply-ai&#x2F;jobs</a><p>Would love feedback, ideas for improvement, or contributions.

[Other] Show HN: Explore what the browser exposes about you I built a tool that reveals the data your browser exposes automatically every time you visit a website.<p>GitHub: <a href="https:&#x2F;&#x2F;github.com&#x2F;neberej&#x2F;exposedbydefault" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;neberej&#x2F;exposedbydefault</a><p>Demo: <a href="https:&#x2F;&#x2F;neberej.github.io&#x2F;exposedbydefault&#x2F;" rel="nofollow">https:&#x2F;&#x2F;neberej.github.io&#x2F;exposedbydefault&#x2F;</a><p>Note: No data is sent anywhere. Everything runs in your browser.

[Other] Cool-retro-term: terminal emulator which mimics look and feel of the old CRTs

[Other] Show HN: Numr – A Vim-style TUI calculator for natural language math expressions Features:<p>Natural language math: percentages, units, currencies Live exchange rates (152 currencies + BTC) Vim keybindings (Normal&#x2F;Insert modes, hjkl, dd, etc.) Variables and running totals Syntax highlighting<p>Stack: Ratatui + Pest (PEG parser) + Tokio Install: # macOS brew tap nasedkinpv&#x2F;tap &amp;&amp; brew install numr<p># Arch yay -S numr GitHub: <a href="https:&#x2F;&#x2F;github.com&#x2F;nasedkinpv&#x2F;numr" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;nasedkinpv&#x2F;numr</a> Would love feedback on the code structure—it&#x27;s a workspace with separate crates for core, editor, TUI, and CLI.

[Other] Show HN: WireMD – Design Wireframes in Markdown Hi HN! I built WireMD, a text-first wireframing tool that lets you design UIs as fast as you can type.<p>The core idea: wireframes should be version-controlled, reviewable in PRs, and editable without leaving your code editor&#x2F;markdown editor.<p>Outputs in multiple formats including for example html (different styles), tailwind and json<p>Curious what HN thinks about the syntax design and whether this fills a gap in your workflow!

[Other] Trifold is a tool to quickly and cheaply host static websites using a CDN

[Other] Build a Compiler in Five Projects

[Other] Syd – An offline-first, AI-augmented workstation for blue teams Hi HN, I’m Paul. I’m building Syd, an offline-first forensic workstation that orchestrates tools like YARA and Nmap through a GUI, using a local LLM to analyze the results without leaking data. It runs completely offline on localhost—no data is ever sent to the cloud, making it safe for sensitive investigations.<p>Here&#x27;s a demo: <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=8dQV3JbLrRE" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=8dQV3JbLrRE</a>.<p>I built this because while tools like YARA are powerful, managing rule sets and decoding hex strings is slow. AI is great at explaining malware signatures, but I couldn&#x27;t use ChatGPT for my work because pasting potential malware or sensitive logs into a web form is a massive security risk. I needed the intelligence of an LLM but with the privacy of an air-gapped machine.<p>Under the hood, it’s built on Python 3. I use subprocess to manage the heavy lifting of the scanning engines so the UI (built with CustomTkinter) doesn&#x27;t freeze. The &quot;secret sauce&quot; isn&#x27;t the AI itself, but the parser I wrote that converts the unstructured text output from YARA into a structured JSON format that the local LLM can actually understand and reason about.<p>I’ve been using it to triage files for my own learning. In one case, Syd flagged a file matching a &quot;SilentBanker&quot; rule and the AI pointed out specific API calls for keylogging, saving me about 20 minutes of manual hex-editing. In the demo video linked, you can see this workflow: scanning a directory, hitting on a custom YARA rule, and having the local AI immediately analyze the strings.<p>Through this process, I learned that &quot;AI wrappers&quot; are easy, but AI orchestration is hard—getting the tools to output clean data for the LLM is the real challenge. I&#x27;d love to hear if there are other static analysis tools (like PEStudio or Capa) you consider essential for a workstation like this, or how you currently handle the privacy risk of using AI for log analysis.

[CLI Tool] Show HN: WeatherOrNot a maximal weather app in the terminal A RETRO TERMINAL WEATHER EXPERIENCE

[Other] Build desktop applications using Go and Web Technologies

[Other] Show HN: Stun LLMs with thousands of invisible Unicode characters I made a free tool that stuns LLMs with invisible Unicode characters.<p>*Use cases:* Anti-plagiarism, text obfuscation against LLM scrapers, or just for fun!<p>Even just one word&#x27;s worth of “gibberified” text is enough to block most LLMs from responding coherently.

[CLI Tool] A ncurses-based command line torrent client for high performance

[Code Quality] Show HN: I wrote a minimal memory allocator in C A fun toy memory allocator (not thread safe, that&#x27;s a future TODO). I also wanted to explain how I approached it, so I also wrote a tutorial blog post (~20 minute read) covering the code which you can find the link to in the README.

[Package Manager] Show HN: Safe-NPM – only install packages that are +90 days old This past quarter has been awash with sophisticated npm supply chain attacks like [Shai-Hulud](<a href="https:&#x2F;&#x2F;www.cisa.gov&#x2F;news-events&#x2F;alerts&#x2F;2025&#x2F;09&#x2F;23&#x2F;widespread-supply-chain-compromise-impacting-npm-ecosystem" rel="nofollow">https:&#x2F;&#x2F;www.cisa.gov&#x2F;news-events&#x2F;alerts&#x2F;2025&#x2F;09&#x2F;23&#x2F;widesprea...</a>() and the [Chalk&#x2F;debug Compromise](<a href="https:&#x2F;&#x2F;www.wiz.io&#x2F;blog&#x2F;widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk" rel="nofollow">https:&#x2F;&#x2F;www.wiz.io&#x2F;blog&#x2F;widespread-npm-supply-chain-attack-b...</a>). This CLI helps protect users from recently compromised packages by only downloading packages that have been public for a while (default is 90 days or older).<p>Install: npm install -g @dendronhq&#x2F;safe-npm Usage: safe-npm install react@^18 lodash<p>How it works: - Queries npm registry for all versions matching your semver range - Filters out anything published in the last 90 days - Installs the newest &quot;aged&quot; version<p>Limitations: - Won&#x27;t protect against packages malicious from day one - Doesn&#x27;t control transitive dependencies (yet - looking into overrides) - Delays access to legitimate new features<p>This is meant as a 80&#x2F;20 measure against recently compromised NPM packages and is not a silver bullet. Please give it a try and let me know if you have feedback.

[Other] Show HN: I just fixed .env once and for all – better-env .env files have always felt archaic, insecure, clunky and honestly just not fun to work with. I see my friends (and myself) accidentally committing them all the time. Managing secrets across projects becomes a mess of copy-pasting keys into scattered env files with no real way to sync anything.<p>So I built better-env: a secure, developer-friendly alternative to .env.<p>Store your secrets once in a global encrypted store, and load them per-project at runtime.<p>I’d love feedback on whether this feels useful beyond solo devs, and what you’d want for teams or CI setups.<p>Fully open source: <a href="https:&#x2F;&#x2F;github.com&#x2F;HarishChandran3304&#x2F;better-env" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;HarishChandran3304&#x2F;better-env</a>