don't wanna read this, did they vibe code a crypto investment platform and deposited their own money in it?
TechTakes
It's like a one-and-a-half-page article that also comes in audio and video form, don't be lazy.
spoiler
They vibe coded a bash injection vulnerability in their devops code, which was used to gain access to the repo and push out a release with malicious code, which prompted any installed LLM wrappers like Cursor to gather anything that looked like a configuration or text file on the infected machine and presumably leak them to the attacker.
don’t wanna read this
what a coincidence!
Have a LLM summarize it for you. That fits with the article context quite nicely ;)
I know it's been said thousands of times before, but as a software developer I've never felt a greater sense of job security than I do right now. The amount of work it's going to take to clean up all this slop is going to be monumental. Unfortunately, that kind of work is also soul-deadening.
A lot of companies use "vibe coding" as an excuse to offshore software development work to cheaper countries without anyone noticing.
But yeah it's not gonna work out in the long term for a business that:
- Encourages people to submit random nonsense to the codebase instead of doing actual work
- Removes all entry-level positions
- Lays off anyone who knows what they're doing
That's how you get a codebase that kinda sorta works in a way but is more evolved than designed, full of security holes, slow as heck, and disorganized to the point where it's impossible to fix bugs, add features, or understand what's going on.
Well, one of the ways *glancing at the code I'm responsible for, sweating profusely*
Just vibe code a solution, and then when that goes wrong vibe code the solution to that. Should keep you in work for decades.
At a new job I asked about the crash rate of the mobile app during the interview, and they brought up a dashboard showing it was very low. I wasn't paying enough attention, but they were showing me the daily crash rate, and the day rolled over in UTC time, and had apparently just rolled over in the middle of our day, so not a lot of crashes yet. It actually had an abysmal crash rate. Structured / designed poorly at the core.
Fixing that app took years. Some of it was definitely soul deadening, but there was also something good about turning it all around and people seeing the positive impact as things kept getting better.
I like tackling a spaghetti garbage dump of code, and bringing it some structure and crash resistance.
It can be good, but depending on how much it is, can get pretty monotonous fixing the same problem repeatedly. This was a multi-year thing in this case.
Hopefully you at least got some measure of free rein with it. The main times I find cleanup jobs soul-destroying is when I'm getting micromanaged or otherwise harassed by clueless managers.
But given space to breathe and work, I often enjoy tidying up code messes. Gives me the same sensation as when I used to rewire spaghetti data closets in college.
Ya, they let me do it how I wanted and I mostly got to choose what I'd work on next for the clean up task.
It was great to start, but its size just eventually made it tedious. Oh, I'm doing this again, and I know exactly what my week is going to look like, because the other screen I just did is wrong in exactly all the same ways from top to bottom.
If a new feature was needed in an area and it wasn't urgent I'd say I'm fixing that area first, and then make the new feature. If there were serious bugs that needed fixing, unless it was an easy hotfix with other priorities, I'd fix that whole area instead first.
Edit: Watching the crash rate tick down with all the progress though was great.
It reminds me of the people still being paid to clean up or maintain the large Fortran and COBOL codebases.
By my guess, it's gonna take about a decade to fully clean up the mountains of slop code that this AI bubble's gonna leave. It'll certainly be lucrative (and soul-deadening, as you note), but as someone else has noted before, the riches are exclusively going to experienced devs and senior programmers - for anyone trying to break into the industry, they're probably gonna have to find work somewhere else.
Thanks for this write-up, I just saw the advisory and didn't realize just how dumb the entire thing was.
absolutely appalling figuring it out, it really was "it can't be this stupid, I must be understanding it wrong"
then I got to the bash injection
and the proud "Generated by Claude Code"
and welp
More than two decades ago, I dabbled a bit in PHP, MySQL etc. for hobbyist purposes. Even back then, I would have taken stronger precautions, even for some silly database on hosted webspace. Apparently, some of those techbros live in a different universe.
The malware stole a lot of people’s login keys and, apparently, their crypto wallets.
Seinfeld "Shame".gif
Most successful AI company.
A pull request is when someone submits new code to a software project. On 21 August, NX added some configuration to look at the titles of pull requests and check they were correctly formatted.
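The spoiler comment (bash injection in the devops code) and the article excerpt above (a new check on pull request titles) describe the same defect: untrusted PR text expanded straight into a shell step. The scanner below is an added example, not the NX project's or the article's code; it assumes the "devops code" was a GitHub Actions workflow (the thread does not name it), and the names `find_injections`, `VULNERABLE` and `HARDENED` plus both sample workflows are constructed here.

```python
# Added example, not the NX project's or the article's code: a scanner for the
# GitHub Actions mistake the thread describes, an attacker-controlled field such
# as the PR title expanded directly inside a `run:` shell step. Assumption: the
# "devops code" was a GitHub Actions workflow; the thread does not name it.
import re

# Event fields an outside contributor controls by opening a PR or issue.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request|issue)\.(?:title|body|head\.ref)\s*\}\}")

def find_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside `run:`."""
    hits, in_run, run_indent = [], False, -1
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):             # list item: the key follows the dash
            stripped, indent = stripped[2:], indent + 2
        if stripped.startswith("run:"):
            rest = stripped[4:].strip()
            in_run, run_indent = rest in ("|", ">", "|-", ">-"), indent
            hits += [(no, m.group()) for m in UNTRUSTED.finditer(rest)]
        elif in_run and stripped and indent <= run_indent:
            in_run = False                        # block scalar ended
        elif in_run:
            hits += [(no, m.group()) for m in UNTRUSTED.finditer(line)]
    return hits

# Constructed sample: the title-format check wired straight into bash...
VULNERABLE = """\
on: pull_request_target
jobs:
  lint:
    steps:
      - run: |
          echo "${{ github.event.pull_request.title }}" | grep -qE '^(feat|fix)'
"""
# ...and the same check reading the title from an env var, so the shell only
# ever sees it as data (the ${{ }} expansion happens outside the script).
HARDENED = """\
on: pull_request_target
jobs:
  lint:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '%s\\n' "$PR_TITLE" | grep -qE '^(feat|fix)'
"""
```

`find_injections(VULNERABLE)` reports the expression on line 6 of that workflow, while `find_injections(HARDENED)` returns nothing because the title only reaches the script as an environment variable.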
I find it immensely hilarious that this security hole was blown open on my 25th birthday. It's almost poetic.