Uninstall GSD AI Tool Now: Creator Ran a Crypto Rug Pull, Still Has NPM Access

The "Get Shit Done" (GSD) AI tool has been abandoned by its creator, who launched a $GSD cryptocurrency token tied to the project, collected the proceeds, and disappeared. If you have the original NPM packages installed, remove them now. The original developer still has publish rights to those packages, which means they can push a malicious update that runs silently on your machine the next time you install or upgrade.

This is the actual risk, and it's not theoretical. NPM packages can receive automatic updates depending on how your project is configured. An untrustworthy maintainer with active publish access is an open door.

What Happened

GSD was a Claude-based productivity and coding tool built to help users move faster on tasks. Alongside the project, the creator launched a $GSD crypto token. After the token launch generated interest, the creator walked away - a pattern in crypto circles commonly called a rug pull. The community has since forked the project under the name get-shit-done-redux, conducted a security audit of the codebase, and published migration instructions.

But the original packages on NPM are still live. No one can force a takedown quickly. Until NPM acts, those packages are a live risk.

Steps to Take Right Now

  • Uninstall the original GSD packages from any project or global install. Run npm uninstall get-shit-done (check the exact package name in your package.json).
  • Check your lockfiles. Open package-lock.json or yarn.lock and search for any GSD package names to catch transitive dependencies.
  • Review recent installs. If you ran npm install or npm update in the past few weeks without reviewing what changed, audit your installed packages.
  • Migrate to get-shit-done-redux if you want to keep using the tool's functionality. The community fork has been security-reviewed.
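The lockfile check above, as an added example (not code from the GSD project or the community fork): an exact-name search of a package-lock.json that also reports which entries pull the package in and whether it declares an install script. It assumes lockfileVersion 2 or 3; the watched name is the one from the uninstall command above, and the sample lockfile, including the hypothetical helper-cli package, is constructed.

```javascript
// Added example: exact-name search of an npm lockfile (lockfileVersion 2 or 3).
// WATCHED holds the name from the article's uninstall command; confirm it in package.json.
const WATCHED = ['get-shit-done'];

// "packages" keys are install paths such as "node_modules/a/node_modules/@scope/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findWatched(lockText, watched = WATCHED) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error('no "packages" map: lockfileVersion 1 is not handled here');
  }
  const want = new Set(watched);
  const entries = Object.entries(lock.packages);
  const hits = [];
  for (const [path, entry] of entries) {
    // Aliased installs carry the real package name in "name"; otherwise use the path.
    const name = entry.name || nameFromPath(path);
    if (!want.has(name)) continue; // exact match, so the -redux fork is not flagged
    // Which entries declare it as a dependency (shows how a transitive copy got in).
    const requiredBy = entries
      .filter(([, e]) =>
        name in { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies })
      .map(([p]) => p || '(root project)');
    hits.push({ name, path, version: entry.version,
                installScript: Boolean(entry.hasInstallScript), requiredBy });
  }
  return hits;
}

// Constructed sample lockfile: "helper-cli" and every version number are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'helper-cli': '^1.0.0', 'get-shit-done-redux': '^1.0.0' } },
    'node_modules/helper-cli': { version: '1.0.0', dependencies: { 'get-shit-done': '^0.1.0' } },
    'node_modules/get-shit-done': { version: '0.1.0', hasInstallScript: true },
    'node_modules/get-shit-done-redux': { version: '1.0.0' },
  },
});

console.log(JSON.stringify(findWatched(SAMPLE_LOCK), null, 2));
```

To check a real project, pass the text of its package-lock.json to findWatched in place of SAMPLE_LOCK. A hit with a non-root entry in requiredBy is a transitive copy that npm uninstall on the top-level name will not remove.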

This Happens More Than It Should

The NPM ecosystem has a documented history of package hijacking - sometimes through account compromise, sometimes through the original author retaining access after abandoning a project. High-profile cases include event-stream in 2018 and colors in 2022, both of which pushed malicious or broken updates to millions of projects.

For anyone building AI-assisted workflows around tools like Claude Code or other Claude-based utilities: the quality of the underlying model does not protect you if the package delivering it has a compromised publisher. Check who maintains your dependencies, and watch for any project that launched alongside a token.

The risk window here is open until NPM removes the original packages. Don't assume that's coming soon.