Hello friends!
Welcome to this week’s Sloth Bytes. I hope you had a great week.
🦥 No sponsor this week, just vibes.
But if you want to reach 50,000+ developers, founders, and tech lovers who actually open their emails — this is the place.
“F”s in the chat for Sora app
OpenAI just killed Sora. An AI-powered TikTok where everyone's feed was AI-generated videos. (I wonder why it failed…)
Critics warned the tool could fuel a surge in nonconsensual content and hyper-realistic deepfakes, plus cause endless doom scrolling. The memes were beautiful at least.
Their official goodbye was just a tweet.
No big announcement. Just a quiet shutdown of a product they hyped less than a year ago.
You might be thinking: Finally no more AI videos. no more Fruit Love Island videos, the slop is gone!
Well… no. AI videos will still be a thing since there’s alternatives like Veo 3.1, and other local models.
Why it matters: Sora shutting down overnight with zero warning is probably the first of many. As the AI hype cools down and investors start asking "okay but where's the profit?", expect more apps, tools, and maybe even some bigger names to quietly disappear or start charging a lot more.
Someone Snuck a Virus Into One of the Most Popular JavaScript Libraries
Axios is a a tool that every JavaScript developer has used at least once. It’s a simple library for data fetching that’s very flexible and lightweight.
Someone hacked into one of Axios’s lead maintainers npm account and used it to push two poisoned updates: versions 1.14.1 and 0.30.4.
Those versions have already been taken down.
Check your dependencies and lockfiles for:
If your project contains any of these versions, update them and change any credentials/api keys within the project.
Here's what made it so sneaky:
The malware wasn't inside Axios itself, it was hiding in a fake "helper package" that got pulled in automatically
The moment you ran
npm install, it silently called home to the attacker's serverThen it deleted all evidence of itself, so if you checked your files afterward, everything looked totally clean
It targeted Mac, Windows, and Linux: all three, with separate payloads pre-built for each
The malicious versions were pulled from the internet within about 3 hours. But 3 hours is a long time when 100 million people download your package every week.
Anthropic Accidentally Leaked Their Own Source Code
So this is a fun one.
Claude Code is a closed source (remember that) AI agent for programming.
One of the developers was pushing an update to it and they forgot to exclude the source map file. This file essentially contains ALL the source code. Nearly 2,000 files. Over 500k+ lines of code.
Basically, Claude code was now open source.
A security researcher spotted it, posted about it on Twitter, and it blew up, over 28 million views.
The creator of Claude Code Boris Cherny responded with this:
Which honestly, was a great response. I respect it.
Now of course, people dug into the code and found some fascinating stuff:
There are 187 hardcoded spinner verbs
They filter out 25 swear words
They track when you swear at claude code to their internal analytics
It has 60+ built in tools
A secret "Undercover Mode" where Claude makes contributions to open source projects without revealing it's from Anthropic. The prompt literally says "do not blow your cover." Very sus.
There’s also now an open source version that was rewritten into Python to prevent copyright issues.
It’s the fastest GitHub repo to hit 100k stars and they’re now porting it into Rust.
Also worth knowing: if you updated Claude Code via npm on March 31st, double-check your setup. A separate issue with a related package means you should rotate any API keys or credentials just to be safe.
Why it matters: This accidental open source moment is kind of priceless. Developers now have a rare, unfiltered look at how one of the most advanced AI coding tools in the world actually works under the hood. Expect the community to learn from it, build on top of it, and ship things that wouldn't have existed otherwise. Sometimes the best things happen by accident.
Stripe new tool: Stripe Projects
Every time you start a new project, you go through the same ritual.
Sign up for hosting. Sign up for a database. Sign up for auth. Copy API keys into a .env file. Each tool has its own dashboard, its own billing page, and its own way of doing things.
Stripe developers must’ve gotten tired of that because they launched Stripe Projects (developer preview), a CLI tool that lets you provision your entire stack: hosting, databases, auth, AI services, analytics. In a few commands.
stripe projects init my-app
stripe projects add vercel/project
stripe projects add supabase/databasePick what you need, and it spins everything up in accounts you own, then automatically drops the credentials into your local environment.
Billing works the same way: set it up once and manage every service's subscription from the CLI. And because everything lives in your own accounts, you're not locked into anything.
Why it matters: Spinning up infrastructure has always been the boring-but-annoying part of starting a project. Now we have a easier way to do it. We may enter an era where we don’t have to hop between dashboards and copy api keys.
OpenClaw Vs Claude Cowork
Two tools are leading the AI agent conversation right now.
OpenClaw is a free, open-source AI agent built by Austrian developer Peter Steinberg that blew up almost overnight, it hit 100,000 GitHub stars in its first week, which almost never happens.
Claude's Cowork is Anthropic's version, built directly into their ecosystem.
Reddit and X/ have been going back and forth comparing OpenClaw and Claude's Cowork. Both are aiming to be your AI "desktop employee."
Here is a quick breakdown of what is actually the difference between the two:
OpenClaw | Claude Cowork | |
|---|---|---|
Cost | Free (you pay for the AI model) | Included with Claude plans |
Runs on | Mac, Windows, Linux (anywhere you can self-host) | Mac & Windows (computer use feature is Mac M1+ only for now) |
Flexibility | Highly customizable, open source | Tightly integrated with Claude |
Setup | More technical, self-hosted | Ready-to-use |
Best for | Developers who want full control | Regular users who want it to just work |
Works with | Claude, ChatGPT, DeepSeek, local models | Claude |
Why PHP in 2026?
I know. I know. Stop laughing.
PHP gets dunked on constantly: it's practically a meme at this point. "PHP is dead." "Nobody uses PHP." "Real developers don't do PHP."
But here’s a fun fact: In 2025, WordPress powered 43.4% of all websites on the internet. (WordPress websites uses php bw)
Safe to say PHP is not “dead” even in this AI era.
Additionally, there's a site called whyphp.dev and the argument it makes is actually pretty compelling.
PHP has quietly had a complete glow-up over the past few years and most people missed it.
It now has a proper type system to catch mistakes before they become bugs
Built-in support for more modern coding patterns
Performance improvements that make it blazingly fast.
Will PHP make you cool at a meetup? Probably not. Will it get the job done reliably, quickly, and with minimal tooling overhead? Absolutely.
Why it matters: The best tool is usually the one that lets you actually ship something. If you've written off PHP because you heard it was bad in 2012, it might be worth a second look. And if nothing else, it's a good reminder that the "cool" language and the "right" language for a job aren't always the same thing.
The Feedback Loop Is All You Need - writing rules for your coding agent in a text file is nice, but automated code checkers that actually enforce those rules are the only thing that stops your codebase from quietly turning into a mess
How we rewrote 130K lines from React to Svelte in two weeks - A team got fed up with React constantly re-rendering every time a token streamed in.
Agent responsibly - Vercel's (cloud platform) honest internal warning to their own engineers: a PR from a coding agent can look perfect, pass every test, and still silently destroy your infrastructure in production
Scaling a monolith to 1M lines of code: 113 lessons - a CTO documents every hard-won lesson from growing a real production codebase from small to massive
A look at modern news websites - a breakdown of how today's news sites became unusable: bloated with ad scripts, hostile UX patterns, and payloads so heavy they'd make a 2003 Flash game blush
numpy-ts - If you know Python's NumPy (the go-to library for math and number crunching) and want the same thing in JavaScript/TypeScript, this is it.
convert - A file converter that actually lives up to the word "universal". You can convert a video to a PDF, because why not
pgmicro - This tool gives you PostgreSQL's familiar language on top of SQLite's simplicity, perfect for small apps, AI agents, or quick experiments where you don't want to spin up a full database server
pretext - A JavaScript library that figures out how text will wrap and how tall it'll be on screen, without actually rendering it first, which makes it significantly faster for UIs that need to do a lot of text layout calculations.
Bro DIY’d RAM just to play csgo
@technic_alex This guy made his own computer memory because it was cheaper #gaming #pcgaming #gamer
That’s all from me!
Have a great week, be safe, make good choices, and have fun coding.
If I made a mistake or you have any questions, feel free to comment below or reply to the email!
See you all next week.
What'd you think of today's email?
Want to advertise in Sloth Bytes?
If your company is interested in reaching an audience of developers and programming enthusiasts, you may want to advertise with us here.
