Malicious VSCode Extensions, Node.js 26 & Antigravity's End — The Weekly Diff #1

Murtuzaali Surti

• 5 min read


TL;DR

The Weekly Diff by Syntackle is a new series, a curated roundup of the most interesting developer-relevant stories from the past week. No fluff, just the stuff worth your time.

GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension


A trojanized version of the Nx Console VS Code extension, tied to the broader TanStack npm supply-chain attack, compromised a GitHub employee's device. The result? Roughly 3,800 internal GitHub repositories were exfiltrated.

GitHub confirmed that the breach was limited to internal repos; no customer data was affected. The threat actor group TeamPCP reportedly tried to auction the stolen code for $50,000 but didn't publicly release it. GitHub removed the malicious extension from the marketplace and isolated the compromised endpoint.

Here's the thing that should concern you: the VS Code marketplace has had multiple incidents of malicious extensions slipping through, and there is no permission sandbox to fall back on. An extension runs in the extension host with the same privileges as your user account, so it can read your files, your shell environment and any tokens sitting in your home directory. I've written about VSCode extensions I use before, and this is a good reminder to audit yours: list what's installed (`code --list-extensions --show-versions`), look for extensions with suspiciously few downloads from unfamiliar publishers, check that the publisher and repository match what you think you installed, and keep an eye on extension update changelogs.

CAUTION

If an extension you've never heard of suddenly appears in your installed list, investigate immediately.
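To make that audit repeatable, here is a small script (an added example, not part of the original post or of any GitHub or VS Code tooling) that flags extension manifests worth a second look. Each installed extension keeps its `package.json` under `~/.vscode/extensions/<publisher>.<name>-<version>/`; parse those and pass them to `auditAll()`. The publisher allowlist and the two sample manifests below are assumptions constructed for the example, not real extensions.

```javascript
// Added example, not from the post: audit VS Code extension manifests for
// signals that deserve a closer look. Manifests live at
// ~/.vscode/extensions/<publisher>.<name>-<version>/package.json; parse them
// and hand the objects to auditAll(). The sample manifests below are constructed.

// Publishers you have consciously decided to trust (assumption: edit for your setup).
const TRUSTED_PUBLISHERS = new Set(['ms-python', 'acme']);

function auditManifest(manifest) {
  const id = `${manifest.publisher}.${manifest.name}`;
  const flags = [];

  // '*' (and, in practice, onStartupFinished) means the extension's code runs
  // every time the editor opens, whether or not you ever use it.
  const events = manifest.activationEvents || [];
  if (events.includes('*') || events.includes('onStartupFinished')) {
    flags.push('activates on every startup');
  }

  // npm lifecycle scripts execute at install time; an extension rarely needs them.
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) flags.push(`runs a ${hook} script: ${scripts[hook]}`);
  }

  if (!manifest.repository) flags.push('no repository field to cross-check against');
  if (!TRUSTED_PUBLISHERS.has(manifest.publisher)) flags.push('publisher not in your allowlist');

  return { id, version: manifest.version, flags };
}

// Returns only the extensions that raised at least one flag, most flags first.
function auditAll(manifests) {
  return manifests
    .map(auditManifest)
    .filter((r) => r.flags.length > 0)
    .sort((a, b) => b.flags.length - a.flags.length);
}

// Constructed sample input (not real extensions).
const SAMPLE_MANIFESTS = [
  {
    publisher: 'acme', name: 'linter', version: '1.4.2',
    repository: { type: 'git', url: 'https://example.com/acme/linter.git' },
    activationEvents: ['onLanguage:javascript'],
  },
  {
    publisher: 'unknown-dev', name: 'helper-tools', version: '0.0.3',
    activationEvents: ['*'],
    scripts: { postinstall: 'node setup.js' },
  },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.id}@${r.version}\n  - ${r.flags.join('\n  - ')}`);
}
```

None of these flags proves an extension is malicious; a legitimate extension can activate on startup. The point is to shorten the list you have to look at by hand, and to notice when something you never installed shows up with a publisher you don't recognise.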

Google's Antigravity Bait and Switch


We published a post earlier this year about using Antigravity's free models with Claude Code, a workflow that let you run Claude models powered by your Antigravity tokens at no cost during the public preview. That workflow is now effectively dead.

At I/O 2026, Google released Antigravity 2.0 and turned what was an IDE into a conversational, Codex-style experience. That in itself isn't the problem. The problem is how it happened: a background update on May 21st silently replaced the existing IDE installation without consent. No opt-in. No migration path. As 0xsid puts it, "background updates are meant for performance patches and version upgrades, not for secretly shipping an entirely different piece of software."

Chat history and settings were lost in the process. The plan-review-implement loop that made the IDE useful for production work was gone, replaced with an agentic chatbot interface.

This is a pattern worth paying attention to. Free-tier AI access works as a growth lever: get developers hooked, gather feedback, build ecosystem lock-in, then change the terms. If your workflow depends on a free tier from a company that hasn't committed to keeping it free, build an exit plan before you need one.

Microsoft Drops Claude Code, Pushes Developers to Copilot


Microsoft had been offering both Claude Code and GitHub Copilot to internal developers, essentially running a head-to-head comparison. The results were not what Microsoft hoped for: developers overwhelmingly preferred Claude Code. Starting June 1st, Microsoft is ending the Claude Code licensing program and moving developers to token-based API pricing instead.

The HN discussion paints a messy picture. Developers who built their workflows around Claude Code now face either paying per-token out of pocket or switching to Copilot. Some Microsoft employees reported that Copilot had genuinely improved over time and was closing the gap, but others pushed back, arguing that the cancellation was more about internal politics than product parity.

Multiple developers independently reported preferring Claude Opus 4.6 over the newer 4.7, citing more hallucinations and less predictable behavior in the newer model. Whether that's a temporary regression or a fundamental tradeoff remains to be seen.

The broader lesson here is about tool portability. If your AI coding workflow is tightly coupled to a single provider's licensing deal, you're one corporate decision away from disruption. The developers who fared best in this situation were the ones whose workflows weren't locked to any one tool.


Files.md: Open-Source Alternative to Obsidian


Files.md is a local-first, markdown-only note-taking app that does exactly what you'd expect from the name: it works with plain .md files on your filesystem. No proprietary format, no database, no lock-in.

I've written about why I love Markdown before, and this project aligns with that philosophy. Your notes are just files. You can open them in any editor, version them with Git, grep through them in the terminal, and they'll still work in 10 years.

What makes it stand out from Obsidian:

  • No build system: the frontend is a single index.html file. No bundler, no compilation step.
  • Go backend: a single binary server for optional sync across devices.
  • Intentional simplicity: the creator explicitly warns against the "Second Brain" trap where the system becomes more complex than the thinking it's supposed to support. The philosophy is that "only necessary features, restrictions foster creativity."
  • LLM-friendly: plain markdown means any AI tool can read and work with your notes without special integrations.

The project has a chat-like interface for quick thought capture that flows into a Chat.md file before being organized into categories. It's opinionated about structure (predefined folders for journal, habits, tasks), but everything is still just markdown files you own.

Node.js 26.0.0: Now with Temporal


Node.js 26 dropped on May 5th and the headline feature is the Temporal API shipping unflagged. If you've ever wrestled with JavaScript's Date object (timezone math, mutability bugs, parsing inconsistencies), Temporal is the long-awaited fix.

Temporal gives you proper timezone-aware types (Temporal.ZonedDateTime), duration arithmetic that actually works (Temporal.Duration), and immutable date/time objects by default. No more accidentally mutating a date three function calls deep and spending an hour debugging why your timestamps are wrong.
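Here is the mutation bug described above next to the same computations done with Temporal. This is an added example, not code from the Node.js release notes; the dates, the `America/New_York` DST example and the helper names are chosen for illustration. The Temporal functions only run when `globalThis.Temporal` exists, i.e. on Node 26 or newer.

```javascript
// Added example, not from the Node.js release notes: the mutable-Date pitfall
// beside the same arithmetic with Temporal (unflagged in Node 26). On an older
// Node the Temporal parts are skipped instead of throwing.

// The classic bug: a helper "adds" days by mutating the caller's Date in place.
function addDaysMutating(date, days) {
  date.setDate(date.getDate() + days);
  return date; // looks functional, but it is the same object it was handed
}

function dateMutationPitfall() {
  const start = new Date(Date.UTC(2026, 4, 5)); // 2026-05-05T00:00:00Z (constructed)
  const deadline = addDaysMutating(start, 7);
  // `start` has been silently moved to the deadline as well.
  return {
    start: start.toISOString(),
    deadline: deadline.toISOString(),
    sameObject: start === deadline,
  };
}

function hasTemporal() {
  return typeof globalThis.Temporal !== 'undefined';
}

// Temporal values are immutable: add() returns a new value and leaves `start` alone.
function temporalImmutableAdd() {
  const start = Temporal.PlainDate.from('2026-05-05');
  const deadline = start.add({ days: 7 });
  return { start: start.toString(), deadline: deadline.toString(), sameObject: start === deadline };
}

// Zone-aware arithmetic across the US spring-forward gap (2026-03-08 in New York):
// adding one hour lands on 03:30 EDT because 02:30 does not exist that night,
// while adding one day keeps the wall-clock time and picks up the new offset.
function temporalDstArithmetic() {
  const before = Temporal.ZonedDateTime.from('2026-03-08T01:30:00[America/New_York]');
  return {
    plusOneHour: before.add({ hours: 1 }).toString(),
    plusOneDay: before.add({ days: 1 }).toString(),
  };
}

// Duration arithmetic: whole calendar days between two ISO dates.
function daysBetween(fromIso, toIso) {
  return Temporal.PlainDate.from(fromIso).until(toIso).days;
}

console.log(dateMutationPitfall());
if (hasTemporal()) {
  console.log(temporalImmutableAdd());
  console.log(temporalDstArithmetic());
  console.log('days between:', daysBetween('2026-05-05', '2026-06-01'));
} else {
  console.log('Temporal is not available in this Node version; run on Node 26+');
}
```

The Date version returns a "deadline" that is literally the same object as the start date, which is exactly the three-functions-deep bug the paragraph warns about. With Temporal the same mistake is impossible to write, and the `ZonedDateTime` example shows the difference between exact-time units (hours) and calendar units (days) that `Date` conflates.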

Beyond Temporal, here's what else is notable in v26:

  • V8 14.6: brings the new Map.prototype.getOrInsert() and Iterator.concat() methods.
  • Undici 8.0.2: improved built-in HTTP client (the engine behind the global fetch).
  • Raw key format support: new crypto APIs for raw key import/export.
  • Legacy stream modules removed: _stream_readable, _stream_writable and friends are gone. Use the public stream module (node:stream).
  • --experimental-transform-types removed: TypeScript transform support is no longer experimental, so the flag is gone too.
  • Build requirements bumped: GCC 13.2+, Python 3.10+, and notably a Rust toolchain is now required for Temporal builds.

Node 26 is the "Current" release and will enter LTS in October 2026. If you're on Node 24 or earlier, now's a good time to start testing your projects against v26, especially if you use any of the removed legacy stream internals.
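A quick way to test for the two removals that break at startup rather than at runtime is to scan your sources before upgrading. The scanner below is an added example, not a Node.js tool; the file contents it scans are constructed, and the list of legacy modules and their public replacements is my own mapping of the `_stream_*` internals onto `node:stream` exports. Point `scanSource()` at real file text (your `.js`/`.ts`/`.mjs`/`.cjs` files plus `package.json`) to use it on a project.

```javascript
// Added example, not from the Node.js release notes: pre-upgrade scan for two
// things Node 26 removes, the legacy _stream_* internal modules and the
// --experimental-transform-types flag. Sample file contents are constructed.

// Deprecated internals and the public node:stream export that replaces each one.
const LEGACY_STREAM_MODULES = {
  _stream_readable: 'Readable',
  _stream_writable: 'Writable',
  _stream_duplex: 'Duplex',
  _stream_transform: 'Transform',
  _stream_passthrough: 'PassThrough',
};

// Matches require('_stream_x'), import('_stream_x') and `from '_stream_x'`.
const LEGACY_IMPORT_RE = /(?:require\(|import\(|\bfrom)\s*['"](_stream_[a-z]+)['"]/;
const REMOVED_FLAG = '--experimental-transform-types';

function scanSource(filename, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const m = LEGACY_IMPORT_RE.exec(line);
    if (m) {
      const legacy = m[1];
      const replacement = LEGACY_STREAM_MODULES[legacy];
      findings.push({
        file: filename, line: idx + 1, kind: 'legacy-stream-module', detail: legacy,
        fix: replacement
          ? `const { ${replacement} } = require('node:stream')`
          : 'unrecognised _stream_ module, check it by hand',
      });
    }
    if (line.includes(REMOVED_FLAG)) {
      findings.push({
        file: filename, line: idx + 1, kind: 'removed-flag', detail: REMOVED_FLAG,
        fix: 'drop the flag; Node 26 no longer accepts it',
      });
    }
  });
  return findings;
}

// files: { [filename]: text } -> flat list of findings across all files.
function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Constructed sample project files.
const SAMPLE_FILES = {
  'lib/legacy.js': [
    "const Readable = require('_stream_readable');",
    "const { Transform } = require('node:stream'); // fine, public API",
    'class Tail extends Readable {}',
  ].join('\n'),
  'package.json': JSON.stringify({
    scripts: { dev: 'node --experimental-transform-types src/server.ts' },
  }, null, 2),
};

for (const f of scanAll(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} [${f.kind}] ${f.detail} -> ${f.fix}`);
}
```

Run it over `node_modules` as well as your own code: the legacy internals are far more likely to be hiding in an old transitive dependency than in anything you wrote recently.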

