David Gerard
@davidgerard@circumstances.run  ·  activity timestamp 3 weeks ago

Vibe-coded build system NX gets hacked, steals vibe-coders’ crypto

a clown car of clown cars that deploys another clown car, that explodes

AI coding in your supply chain is a red flag. If any of your upstream dependencies has a .cursor folder, they're frickin' morons, and you need to remove that dependency pronto. Friends don’t let friends run vibe code.

https://www.youtube.com/watch?v=vnFKkBBzpVg&list=UU9rJrMVgcXTfa8xuMnbhAEA - video
https://pivottoai.libsyn.com/20250829-vibe-coded-build-system-nx-steals-vibe-coders-crypto - podcast
https://pivot-to-ai.com/2025/08/29/vibe-coded-build-system-nx-gets-hacked-steals-vibe-coders-crypto/ - text

man in green suit jacket, blue shirt and red tie with clown makeup and a round red nose, mouth held open in a grimace grin with clothes pegs, on a red background
Mad Engineering
@madengineering@mastodon.cloud replied  ·  activity timestamp 2 weeks ago
@davidgerard Yo Dawg, I heard you like idiotic ideas, so here's an idiotic idea, inside an idiotic idea, so you can fail, while you fail.

blobfacepalm

beka valentine
@beka_valentine@kolektiva.social replied  ·  activity timestamp 3 weeks ago
@davidgerard as they say in security circles, never write your own crypto, get an LLM to do it for you
d@nny disc@ mc²
@hipsterelectron@circumstances.run replied  ·  activity timestamp 3 weeks ago
@davidgerard HELL YES BROTHER
d@nny disc@ mc²
@hipsterelectron@circumstances.run replied  ·  activity timestamp 3 weeks ago
@davidgerard i love being unemployed when shit like this is the status quo
abs(in)the
@abs0@mastodon.sdf.org replied  ·  activity timestamp 3 weeks ago
@davidgerard Every vibe coded Death Star will include an overabundance of unshielded exhaust ports, many in exciting unexpectedly self triggering locations.
Paul Oldham 🏴󠁧󠁢󠁳󠁣󠁴󠁿 💛 🇺🇦
@tallpaul@mastodon.scot replied  ·  activity timestamp 3 weeks ago
@davidgerard the added spice to this when watching on YouTube was that they played me an advert for another AI based coding platform first...
David Gerard
@davidgerard@circumstances.run replied  ·  activity timestamp 3 weeks ago
@tallpaul my videos get the bottom of the barrel AI ads so much
Hollis
@hoolis@dialup.cafe replied  ·  activity timestamp 3 weeks ago
@davidgerard It's a bit misleading to call Nx, a general monorepo framework, that in the headline.

https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c

(roll m3tti)
@m3tti@functional.cafe replied  ·  activity timestamp 3 weeks ago
@davidgerard this is too good
rozodru
@rozodru@social.andmc.ca replied  ·  activity timestamp 3 weeks ago
@davidgerard Counterpoint: I'm happy companies are doing this because I'm making a lot of money as a result and I'm booked solid for several months.

The best thing that happened to my wallet was the vibe coder. Those dumb little bastards are making me a lot of money. When I look at clients' repos and I see that .claude or .cursor folder I giggle with glee.
Duke of Germany 💫
@duke_of_germany@mastodon.gamedev.place replied  ·  activity timestamp 3 weeks ago

Malware that works particularly well on AI guys?! What a tragedy!! 😇
@davidgerard

Tane Piper ⁂
@tanepiper@tane.codes replied  ·  activity timestamp 3 weeks ago
@davidgerard @baldur a few years back I switched from #nx to moonrepo precisely because the NX developers seemed like a clown show - ignoring raised bugs, shipping fast and breaking things almost monthly.

This has absolutely not surprised me it happened with them

Felix Eckhardt
@felix_eckhardt@det.social replied  ·  activity timestamp 3 weeks ago
@davidgerard build systems are interesting to attackers. People tend to not consider them part of the production system. But when someone breaks into your build system you are in big trouble.