addie@feddit.uk 33 points 1 day ago

Oh sweet baby Jesus. That is some astonishing code for validating the title and body of a PR.

      - name: Create PR message file
        run: |
          mkdir -p /tmp
          cat > /tmp/pr-message.txt << 'EOF'
          ${{ github.event.pull_request.title }}
          
          ${{ github.event.pull_request.body }}
          EOF

Put a single-line EOF in your pull request body, follow it up with a completely arbitrary set of Bash commands, whatever you damn well like, put all the environment variables with the repository secrets into a webhook request and send them off somewhere, make sure you terminate it with another cat > /dev/null << 'EOF' to match the other EOF. Now you can compromise the entire project by raising a pull request.
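A check a maintainer could run over workflow files for the pattern the comment above describes, as an added example that is not part of the comment or of the project's own code: it flags `${{ }}` expressions carrying PR-controlled values inside `run:` scripts. The list of untrusted contexts, the line-based YAML handling, and the hardened step (passing the values through `env:`) are assumptions of this example.

```python
import re

# Contexts a pull-request author controls (assumed list for this example, not exhaustive).
UNTRUSTED = re.compile(
    r"github\.(event\.(pull_request\.(title|body|head\.ref|head\.label)"
    r"|issue\.(title|body)|comment\.body)|head_ref)\b"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_no, expression) for untrusted ${{ }} expanded inside run: scripts."""
    findings = []
    run_col = None  # column of the active `run:` key; None when outside a script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            run_col, script = len(m.group(1)), m.group(2)
        elif run_col is not None and (
            not line.strip() or len(line) - len(line.lstrip()) > run_col
        ):
            script = line  # continuation line of the block scalar
        else:
            run_col = None
            continue
        findings += [(no, e.strip()) for e in EXPR.findall(script) if UNTRUSTED.search(e)]
    return findings

# The step quoted in the comment: the PR text is substituted into the script before it runs.
VULNERABLE = """\
      - name: Create PR message file
        run: |
          mkdir -p /tmp
          cat > /tmp/pr-message.txt << 'EOF'
          ${{ github.event.pull_request.title }}

          ${{ github.event.pull_request.body }}
          EOF
"""

# Constructed fix: the values reach the shell as environment variables, i.e. as data.
HARDENED = r"""
      - name: Create PR message file
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\n\n%s\n' "$PR_TITLE" "$PR_BODY" > /tmp/pr-message.txt
"""

print(find_injections(VULNERABLE), find_injections(HARDENED))
```

The same expressions under `env:` are not flagged because there the runner places the text in the step's environment instead of pasting it into the script source.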

this post was submitted on 08 Sep 2025
385 points (100.0% liked)