Recent tweets
PSA: vibe coding can mass produce CVEs
I had Claude Code build and deploy a Next.js app on an isolated VM. pnpm resolved to 15.5.12 - patched against the React2Shell RCE (CVSS 10.0).
Build failed. So Claude downgraded to next@15.1.0. pnpm printed "WARN deprecated". Claude ignored it and deployed to a public IP.
51 minutes later: cryptominer.
One unauthenticated HTTP request via CVE-2025-66478 gave the attacker full RCE inside the Next.js process. The miner ran from memory and installed 4 persistence mechanisms in under a second.
The secure version was already installed. The AI chose the vulnerable one because it made the build pass.
No harm done - this was a throwaway VM. But imagine this on real infrastructure.
AI will always choose working over secure. Review your deps before deploying.
6.5 years. cooking...
a rollup is simply a verifiable server
Signal Timeline: @hidden_crypto followed
Followers: 44.7K
Account age: 13.2y
Scouts: 0
First seen: 1w ago