HackEurope 2026: A short rant on AI and hackathons

Published: February 23, 2026 at 03:03 PM EST
Source: Hacker News

TL;DR

  • Front‑end is almost everything. There’s no burden of proof that a project is functional or has a practical application; as long as it looks cool, investors and non‑technical people will bite.
  • Choose your track wisely. Make sure the track sponsor is actually present in your location. Many assumed tracks were per‑country, but the €1,000 prize was shared across three countries and the sponsor wasn’t operating everywhere.
  • Pick an easy‑to‑explain problem. You only have two minutes to pitch. Non‑technical judges will tune out if they can’t follow the context. We were lucky that 2/3 of the evaluators knew about open‑source supply‑chain attacks and liked our solution.
  • Follow the trends. All winners had “AI” as a significant part of their solution.

Personal note: I wouldn’t follow my own advice. I entered the hackathon aiming to build something I’d maintain long‑term, not just “AI slop” (I fucking hate “Lovable”).

So what did we actually build?

Context

Over the past year we’ve seen a wave of supply‑chain attacks—from the Shai‑Hulud worm to a compromised Notepad++ binary. Developers are the most vulnerable: many install packages without any verification. Meanwhile, large corporations spend heavily on security teams that perform manual reviews, leading to duplicated effort across companies.

Note: We’re not focusing on CVEs or known vulnerabilities. Tools like Snyk or Wiz already handle those. There are legitimate cases for using insecure but non‑malicious software internally.

The MVP

Our MVP is a secure package registry that can be used as a drop‑in replacement for npm:

    npm config set registry https://secure-registry.example.com

  1. Pull packages from the public npm registry.
  2. Generate a suite of tests that would trigger typical malicious behaviors.
  3. Collect behavioral data with eBPF (file accesses, DNS queries, network connections, executed commands, etc.).
  4. Deduplicate the data against a known set of safe behaviors from trusted packages to improve the signal‑to‑noise ratio.
  5. Use either a simple AI model (required by the hackathon theme) or historical data to flag malicious or anomalous behavior.
  6. If the package passes, it is uploaded to our secure registry.
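
Steps 4 and 5 above, sketched as an added example (not the project's code): collected events are normalised, behaviours shared by trusted packages are subtracted, and what remains is triaged. The event shape, the function names, the `min_packages` threshold and the triage rules are all assumptions, and the traces are constructed.

```python
import re
from collections import Counter

# Volatile path fragments are normalised so the same behaviour compares equal across runs.
NORMALISERS = [(re.compile(r"^/home/[^/]+"), "~"),
               (re.compile(r"/tmp/[^/]+"), "/tmp/<tmp>")]

def normalise(event):
    kind, detail = event
    for pattern, repl in NORMALISERS:
        detail = pattern.sub(repl, detail)
    return kind, detail

def build_baseline(trusted_runs, min_packages=2):
    """Behaviours observed in at least min_packages trusted packages."""
    seen = Counter()
    for events in trusted_runs.values():
        seen.update({normalise(e) for e in events})  # count each package once
    return {behaviour for behaviour, n in seen.items() if n >= min_packages}

# Assumed triage rules, for illustration only: any novel network or exec
# behaviour, or a novel read of a credential location, blocks the upload.
SENSITIVE = re.compile(r"^~/(\.npmrc|\.ssh/|\.aws/)")

def triage(events, baseline):
    """Return (verdict, flagged behaviours) after removing baseline noise."""
    novel = sorted({normalise(e) for e in events} - baseline)
    flagged = [b for b in novel
               if b[0] in ("dns", "connect", "exec")
               or (b[0] == "open" and SENSITIVE.search(b[1]))]
    return ("reject" if flagged else "accept"), flagged

# Constructed traces: two trusted packages and one candidate under test.
TRUSTED = {
    "pkg-a": [("open", "/tmp/build-4821/index.js"), ("exec", "node"),
              ("dns", "registry.npmjs.org")],
    "pkg-b": [("open", "/tmp/build-977/index.js"), ("exec", "node"),
              ("dns", "registry.npmjs.org"), ("open", "/home/ci/.cache/x")],
}
CANDIDATE = [("open", "/tmp/build-15/index.js"), ("exec", "node"),
             ("open", "/home/dev/.npmrc"), ("dns", "collector.example.net")]

if __name__ == "__main__":
    print(triage(CANDIDATE, build_baseline(TRUSTED)))
```

The shared install noise (temp-dir reads, `node`, the registry lookup) drops out, leaving only the `.npmrc` read and the unfamiliar DNS query to review.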

Ongoing work & future features

  • Reproducible builds – track behavioral changes over time to define a “normal” deviation range.
  • Support for additional ecosystems – PyPI, Maven, Cargo, etc.
  • Automatic tracing of behavior back to source lines, commits, or reverse‑engineered code.
  • Registry‑to‑commit matching – ensure releases correspond to exact source code snapshots.
  • Use eCapture to decrypt HTTPS traffic for deeper inspection.
  • Honeypot data to detect exfiltration attempts.

Development started last September (code not reused for HackEurope). The goal is to spin up a running startup by May. Feedback is welcome—feel free to reach out via email.

AI encourages conformity and kills creativity

Roughly 90 % of the projects were “vibe‑coded” slop, and many ideas were directly lifted from AI‑generated suggestions. You can spot clones when multiple teams present identical titles, descriptions, and implementations.

I’m not a Luddite and I don’t hate AI as a tool. My concern is that AI has lowered the bar for certain project types, nudging participants toward a narrow mold dictated by what the models can generate. Truly novel ideas—those outside the training data distribution—rarely surface at hackathons anymore because AI labels them “too hard,” and participants avoid them.

There’s more I’d like to say, but I’m boarding a flight now. I’ll return when I have time.

Disclaimer: This post may affect future job prospects, but I’m indifferent. Those opportunities probably aren’t worth it anyway.
