Explore Problems
Showing 183 of 6,868 problems · matching your filters
npm Ecosystem Silently Executes Malicious Code via Transitive Dependencies
Every npm install is an implicit trust decision across hundreds of packages, any of which can execute arbitrary code via postinstall hooks with no user confirmation. The Axios backdoor attack demonstrated this at 80M weekly download scale, with sophisticated obfuscation and self-cleanup. Existing tools like Snyk detect known vulnerabilities but do not prevent silent postinstall execution from newly compromised accounts.
MCP Servers Inject Context Tokens on Every Message Even When Not Used
Every configured MCP server injects tokens into the context window on each message, regardless of whether that server is needed for the current task. As developers add more MCP servers, context window bloat becomes severe and reduces effective model capacity. No selective MCP loading mechanism exists to activate servers only when relevant.
Air-Gapped Networks Have No Passive Threat Detection Without Active Scanning Risk
Security teams protecting air-gapped environments — defense, ICS, nuclear — cannot use conventional network detection tools that require active probes, which risk triggering false alerts or disrupting critical operations. Passive monitoring that can identify C2 beacons and DNS generation algorithm traffic without sending any packets is absent from the market. This leaves some of the highest-value targets with a fundamental detection blind spot.
Insurance policies lapse silently due to payment system errors
Autopay failures on insurance policies trigger silent policy cancellations with no customer notification, leaving homeowners unknowingly uninsured for months. The failure is compounded by siloed internal systems that prevent even the insurer's own support staff from diagnosing what happened.
AI coding agents need full-computer sandboxes with memory forking and sub-second startup
AI coding agents require sandbox environments with full operating system capabilities — not lightweight containers — including the ability to fork running memory state to explore multiple execution paths simultaneously and snapshot mid-execution for later resumption. Existing container and VM solutions are either too slow to start, too limited in capability, or cannot fork state without pausing the entire environment. This missing infrastructure capability prevents entire categories of sophisticated agentic behavior.
Freelancers Cannot Afford Legal Contract Drafting
Freelancers and small businesses pay $300-$1800 per contract or skip legal protection entirely, risking non-payment and IP disputes.
AI coding agents leak secrets by pulling .env files into context
AI coding agents routinely read .env files, config, and command output into their context windows, silently exposing API keys and credentials to model providers. Existing secret scanning tools catch leaks after the fact in git history rather than preventing them from reaching the model in real time.
AI Agent Sessions Fail Silently with No Trace or Cost Visibility
Developers running AI agent sessions have no reliable way to trace failures after the fact, see cost breakdowns, or perform root-cause analysis when sessions silently die. The absence of production-grade observability tooling forces developers to fly blind in production agent deployments.
AI Agents Can Execute Catastrophic Infra Actions Without Safeguards
An AI agent deleted a startup's production database and backups in 9 seconds because API keys had unrestricted delete access, backups shared the same environment as production, and no confirmation step existed for destructive actions. The incident reveals that standard infra security assumptions break catastrophically when agentic AI is introduced into deployment workflows. As AI agents gain infrastructure access, the absence of permission scoping, confirmation gates, and environment isolation creates systemic risk across all organizations using these tools.
AI assistants lose all context between sessions and across different IDEs
Developers must re-explain their tech stack, project context, and preferences to every AI assistant at the start of every session. No persistent memory exists across Claude, ChatGPT, Cursor, and other tools. As developers use multiple AI tools, this context re-entry cost compounds daily.
NPM supply chain attacks compromising projects with automatic dependency updates
Malicious packages are being published to NPM targeting popular libraries, and developers relying on automatic updates have no detection layer before execution. Supply chain attacks via package managers are increasing in frequency and sophistication. There is no reliable, low-friction way for most teams to audit transitive dependency changes before they hit production.
AI agents too unreliable for production deployment at scale
Teams building AI agents at scale spend 90% of effort on reliability hardening, often reverting to single-step tasks. Production failures include functional bugs and security exploits that standard testing doesn't catch.
No Automated Root Cause Analysis for Silently Failing LLM Agents
AI agents in production do not throw exceptions when they fail — they return plausible-sounding wrong answers, making failure invisible until users report problems. Diagnosing failures requires manually reviewing hundreds of session traces to find patterns, a process that does not scale. There is no standard tooling to cluster failure hypotheses across sessions and surface systemic root causes with actionable fixes.
US Importers Cannot Easily Recover IEEPA Tariff Overpayments Before Deadline
Following a Supreme Court ruling that IEEPA tariffs were unconstitutional, US importers are entitled to full refunds but must navigate a complex CBP Form 19 protest process within a strict 180-day liquidation window. The complexity and deadline-driven nature of the process means many eligible businesses will miss their recovery window without specialized help. This represents a large, time-sensitive compliance gap with clear financial stakes.
Organizations cannot use cloud AI for data analysis without exposing sensitive data
Enterprises and regulated industries need AI-powered data analysis but cannot send raw sensitive data to cloud LLM providers due to compliance, privacy, or security constraints. Local-first AI processing solves this by keeping data on-device while still leveraging LLM reasoning. Demand is growing as AI adoption meets enterprise data governance requirements.
Sales Rep Onboarding Takes 6 Months With No Structured Path to First Deal
Most sales organizations default to either unstructured sink-or-swim onboarding or a rigid 6-month ramp timeline, both delaying time-to-revenue. Software system gaps prevent meaningful onboarding acceleration, leaving revenue at risk during every new hire cycle.
No sanitization layer between MCP tool output and AI model context
AI agents using MCP-connected tools pass raw external data—scraped web content, API responses—directly into model context with no boundary between system instructions and untrusted tool output. This creates a prompt injection surface that is currently unaddressed by any mature tooling. Teams building agentic systems have no standard way to filter, monitor, or sandbox tool response traffic before it reaches the model.
Contractors Lose Money When Informal Change Approvals Are Later Disputed
Tradespeople and contractors routinely absorb financial losses when clients dispute mid-project change orders that were only verbally or text-message approved. Formal documentation slows field work, so most skip it and accept the risk. A frictionless lightweight change order tool built for field use could prevent significant revenue loss across the trades industry.
SaaS founders cannot attribute MRR to traffic source without manual data reconciliation
Most analytics platforms stop at click-level data, leaving SaaS founders unable to see which acquisition channels actually generate paying customers and recurring revenue. Manually cross-referencing Stripe exports with UTM data is time-consuming and produces stale insights. Privacy-first analytics tools that natively integrate Stripe revenue data could transform how bootstrapped teams allocate acquisition budgets.
No Unified SDK for Object Storage Across Cloud Providers
Developers must use separate, incompatible SDKs for each cloud storage provider (S3, GCS, Azure Blob, R2), creating vendor lock-in and requiring rewrites when switching or supporting multiple backends. A unified abstraction layer is missing in the JavaScript ecosystem. 229 HN upvotes validates strong developer demand.