
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
practicode
Advanced tools
Offline-first programming language lessons and coding practice in a Rust terminal UI.
Learn a programming language in 15 focused minutes a day—without leaving your terminal.
Practicode is an offline-first Rust TUI for developers moving between Python, TypeScript, Java, and Rust. It combines short, executable lessons, delayed review, a real local compiler/judge, and optional AI help. No account, streak, or telemetry is required.
npm install -g practicode
practicode
The npm launcher downloads the matching prebuilt binary, verifies its SHA-256 checksum, and caches it in your user directory. Rust is not needed for the npm install path.
Then choose Continue today's session and press Enter. Core lessons and progress work locally; network access is only needed for the first binary download, update checks, and AI features you explicitly invoke.
| Step | What you do | What Practicode records |
|---|---|---|
| Review | Recall the objective of up to two due lessons | Due order; attempts begin when the review exercise is judged |
| Language delta | Compare this language with ones you already know | Nothing yet—reading is not mastery |
| Predict | Pause and decide what the example or edge case will do | Nothing—this is a deliberate recall step |
| Exercise | Edit the starter and run real local cases | Pass/failure kind and attempt count |
| Reflect | Read the transfer trap after a passing run | Next 1/3/7-day review |
/progress shows a privacy-safe summary with no paths or submitted code. Labs remain optional; the 12-item core path in each language determines course completion.
| Language | Core path | Optional labs | Total |
|---|---|---|---|
| Python 3.12 | 12 | 13 | 25 |
| TypeScript 5.9 / Node 22 | 12 | 16 | 28 |
| Java 21 | 12 | 16 | 28 |
| Rust 2024 | 12 | 17 | 29 |
The courses are designed for experienced developers switching languages, not for memorizing isolated syntax. Every record includes a concept, worked example, common mistakes, self-checks, observable objective, language delta, prediction prompt, exercise, and transfer trap.
Press / outside the editor to open the command palette. The most useful controls are:
| Key or command | Action |
|---|---|
F1 | Open contextual help |
F5 or /run | Compile/run and judge the current exercise |
F6 | Cycle Lesson/Code/Result in Learn or Problem/Code in Practice |
/next | Advance the guided step or open the next item |
/lesson | Open the complete lesson reference |
/progress | Show the shareable mastery summary |
/ask <question> | Ask optional AI about the current learning context |
/doctor | Check the installed language runtimes |
/home | Return to the Learn/Practice chooser |
See the command reference for practice mode, aliases, generation, and profile settings.
The Practicode binary is prebuilt, but local judging needs the runtime for the language you exercise:
tsc 5.9.3javac and java)Install only what you plan to study, then run /doctor inside Practicode.
brew install python@3.12 node@22
npm install -g typescript@5.9.3
brew install --cask temurin@21
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
winget install -e --id Python.Python.3.12
winget install -e --id OpenJS.NodeJS.LTS
npm install -g typescript@5.9.3
winget install -e --id EclipseAdoptium.Temurin.21.JDK
winget install -e --id Rustlang.Rustup
Restart the terminal after installation.
Use your distribution packages or the vendors' repositories for Python 3.12, Node 22, and JDK 21, then install the pinned TypeScript checker and Rust:
npm install -g typescript@5.9.3
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Verify the toolchain:
python3 --version
node --version
tsc --version
javac -version
rustc --version
To get all four supported language toolchains and keep submissions out of normal host processes:
practicode --docker
The npm launcher builds a local image with Python 3.12, Node 22, TypeScript 5.9.3, JDK 21, and stable Rust. It runs without network access, drops Linux capabilities, uses a read-only root filesystem, limits CPU/memory/processes, mounts the current workspace read-only, and gives the container write access only to the Practicode data directory.
Docker is shared-kernel isolation, not a guarantee against every container escape. Check the image with:
practicode --docker --smoke
cargo install practicode
practicode
git clone https://github.com/baba9811/practicode.git
cd practicode
cargo run --
Prebuilt npm binaries support macOS Intel/Apple Silicon, Linux x64/arm64, and Windows x64. On another target, use Cargo or Docker.
Every native npm launch revalidates the cached binary against its stored SHA-256 checksum. A failed or partial download is removed before execution.
| Platform | Default cache root |
|---|---|
| macOS | ~/Library/Caches/practicode/ |
| Linux | $XDG_CACHE_HOME/practicode/ or ~/.cache/practicode/ |
| Windows | %LOCALAPPDATA%\practicode\ |
Set PRACTICODE_CACHE_DIR to choose another cache. Once a version has been verified, it can launch offline from that version-and-platform-specific cache.
Update npm installs with:
npm update -g practicode
Practicode checks npm for newer versions in the background. Disable that check with PRACTICODE_NO_UPDATE_CHECK=1.
User data lives under ~/.practicode by default (%USERPROFILE%\.practicode on Windows):
| Path | Purpose |
|---|---|
problem-state.json | Settings, history, and learning mastery |
problem_bank.json | Local, custom, and generated problems |
problem_notes.md | Optional generation preferences |
problems/ | Generated problem statements and indexes |
submissions/ | Your source files |
Set PRACTICODE_HOME=/another/path to relocate all user data.
/run executes local source as a normal child process unless Docker mode is active. When invoked, /ask and /hint send the current problem or lesson, submission code, latest result, and your question to the selected provider CLI. AI-backed /next and /generate run that CLI from PRACTICODE_HOME; they may read the local state, bank, notes, problem index, and submissions and may create or update generated problem files under the CLI's configured workspace-write/acceptEdits permissions. Custom ai_next_command programs inherit the access you give them. Review your provider and custom-command settings before enabling AI. Environment variables are scrubbed before judging, and hidden expected values are not printed in failure logs. See SECURITY.md.
The second home option keeps classic stdin/stdout coding-test work beside the guided curriculum. It includes a local problem bank, gradual difficulty, exact-output judging, problem history, and optional AI generation. Learn mode and Practice mode share the editor and judge but keep their progress rules separate.
The fastest contributions are a precise lesson correction, a reproducible terminal bug, or a focused accessibility improvement.
Run the full local gate with make test. Changed lesson content additionally requires executable cases, a refreshed content hash, and an independent agent review recorded in the lesson review manifest; a human reviewer is not required.
Practicode is MIT licensed. Third-party dependency notices are in THIRD_PARTY_LICENSES.md.
FAQs
Offline-first programming language lessons and coding practice in a Rust terminal UI.
The npm package practicode receives a total of 2,047 weekly downloads. As such, practicode popularity was classified as popular.
We found that practicode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.