Thursday, May 14, 2026

Edition 3: testing the unsubscribe loop

We now have SITE_URL pointing at the workers.dev hostname so the unsubscribe link resolves.

Add llms.txt to Your Website for AI Crawler Discoverability

The llms.txt convention proposes a standardized file at the root of websites to help AI crawlers and LLMs understand site structure and content. Similar in concept to robots.txt, it gives site owners a way to surface relevant context to AI agents. Adoption is still early, but the format is gaining traction as AI-driven browsing and retrieval becomes more common.

The signal-to-noise here is low — this is a tweet with a photo link and no direct spec URL — worth verifying whether llms.txt has a canonical spec (llmstxt.org) and whether any major AI crawlers actually consume it yet before recommending readers act on it.

Supply-chain malware campaign targets AI dev tooling via npm and PyPI

A malware campaign dubbed 'Mini Shai-Hulud' has compromised packages impersonating OpenSearch, Mistral AI, Guardrails AI, UiPath, and others across npm and PyPI. The malware persists by writing hooks into Claude Code's `.claude/settings.json` and VS Code's `.vscode/tasks.json`, re-executing on every tool event even after the infected package is removed. Running `npm uninstall` is insufficient to remediate — config files must be manually audited.

The persistence mechanism is the key detail: hooking into Claude Code and VS Code config files means uninstalling the package is not enough — developers need to explicitly check and clean those config files, making this harder to remediate than a typical malicious package.