<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: Andrei_dev</title><link>https://news.ycombinator.com/user?id=Andrei_dev</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 07 Jul 2026 05:24:23 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=Andrei_dev" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by Andrei_dev in "The Claude Code Leak"]]></title><description><![CDATA[
<p>I look at other people's code a lot. The security issues are always boring, that's the thing. API keys sitting in the client bundle, auth middleware missing half the routes. Not clever exploits, just nobody actually reading what the AI spit out.<p>Actually wait, it's worse than that. The product works, demo looks great. Then someone opens the network tab and ... yeah. "Quality doesn't matter" really just means nothing caught fire yet.</p>
]]></description><pubDate>Thu, 02 Apr 2026 08:45:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=47611693</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47611693</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47611693</guid></item><item><title><![CDATA[New comment by Andrei_dev in "The "Vibe Coding" Wall of Shame"]]></title><description><![CDATA[
<p>Half this list is bad attribution. LiteLLM was a supply chain attack — stolen PyPI credentials, nothing to do with vibe coding. The Amazon outage number comes from a vendor blog pushing their own product. Nobody else reported it.<p>But the "where's your control group" take bugs me too. It's not that AI writes buggier code line for line. The gaps are just in different places. Devs who've shipped real apps add rate limiting, auth middleware, proper CORS — because they got burned before. AI skips all of it because nobody prompted for it.<p>I read through about 80 AI-generated repos a few weeks ago. Code looked decent. The missing stuff was always the same list — no auth on admin routes, API keys hardcoded in client JS, CORS wide open, debug endpoints still live in prod. Over and over.<p>Nothing there makes a wall of shame. Nothing's exploded yet. But it's the kind of stuff that does.</p>
]]></description><pubDate>Mon, 30 Mar 2026 08:19:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47571791</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47571791</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47571791</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Is anybody else bored of talking about AI?"]]></title><description><![CDATA[
<p>Exactly. "Tests pass" and "code is secure" are just different things. AI code makes that gap worse.<p>I run static analysis on mixed human/AI codebases. The AI parts pass tests fine but they'll have stuff any SAST tool flags on first run — hardcoded creds, wildcard CORS, string-built SQL. Works in a demo, turns into a CVE in prod.<p>And nobody's review capacity scaled with generation speed. Most teams don't even have semgrep in CI. So you get unreviewed code just sitting in production.<p>The "10x" is real if you count lines shipped. Nobody counts the fix cost downstream though.</p>
]]></description><pubDate>Wed, 25 Mar 2026 17:41:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47520692</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47520692</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47520692</guid></item><item><title><![CDATA[New comment by Andrei_dev in "So where are all the AI apps?"]]></title><description><![CDATA[
<p>They exist. Go look at any "I built this in a weekend with Cursor" post — there are hundreds. The problem is most of them ship broken and stay broken. Auth that doesn't actually check anything, API keys in the frontend, falls over with 5 concurrent users.<p>The quantity is there. Nobody's asking "does this thing actually work" before hitting deploy. That's the real gap.</p>
]]></description><pubDate>Tue, 24 Mar 2026 20:43:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47508945</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47508945</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47508945</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised"]]></title><description><![CDATA[
<p>Sandboxes yes, but who even added the dependency? Half the projects I see have requirements.txt written by Copilot. AI says "add litellm", dev clicks accept, nobody even pins versions.<p>Then we talk about containment like anyone actually looked at that dep list.</p>
]]></description><pubDate>Tue, 24 Mar 2026 18:24:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47506990</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47506990</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47506990</guid></item><item><title><![CDATA[New comment by Andrei_dev in "GitHub appears to be struggling with measly three nines availability"]]></title><description><![CDATA[
<p>Our security scanning runs on GitHub Actions — every PR gets checked before merge. When GitHub goes down, the security gate goes down with it. PRs pile up, devs get impatient, start merging without waiting for checks. That's exactly when bad code gets through. And they keep throwing engineers at Copilot while the stuff that CI/CD actually depends on keeps falling over.</p>
]]></description><pubDate>Mon, 23 Mar 2026 16:56:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=47492076</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47492076</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47492076</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Get Shit Done: A meta-prompting, context engineering and spec-driven dev system"]]></title><description><![CDATA[
<p>250K lines in a month — okay, but what does review actually look like at that volume?<p>I've been poking at security issues in AI-generated repos and it's the same thing: more generation means less review. Not just logic — checking what's in your .env, whether API routes have auth middleware, whether debug endpoints made it to prod.<p>You can move that fast. But "review" means something different now. Humans make human mistakes. AI writes clean-looking code that ships with hardcoded credentials because some template had them and nobody caught it.<p>All these frameworks are racing to generate faster. Nobody's solving the verification side at that speed.</p>
]]></description><pubDate>Tue, 17 Mar 2026 21:36:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=47418650</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47418650</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47418650</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Leanstral: Open-source agent for trustworthy coding and formal proof engineering"]]></title><description><![CDATA[
<p>Yeah, this tracks. Developers who actually read what the AI spits out catch the obvious mistakes. The ones who just tab-complete their way through a whole project don't. And where it bites you isn't where you'd expect — logic bugs get caught fast. It's the boring security stuff. No input validation, CORS wide open, admin routes with no auth at all.
Formal verification tells you whether a function matches its spec. The problem with AI-generated code goes a level below that. It's everything nobody bothered specifying — like "maybe don't hardcode your database credentials."</p>
]]></description><pubDate>Tue, 17 Mar 2026 21:35:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47418641</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47418641</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47418641</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Toward automated verification of unreviewed AI-generated code"]]></title><description><![CDATA[
<p>The testing angle keeps coming up but it's sort of missing the point. I spent a few weeks poking through public repos built with AI tools — about 100 projects. 41% had secrets sitting raw in the source. Not in env files. In the code itself. Supabase service_role keys committed to GitHub, .env.example files with actual credentials, API keys hardcoded in client-side fetch calls.<p>No test catches any of that. Code works, tests pass, database is wide open.<p>It's not even a correctness problem. It's that the LLM never thought about rate limiting, CORS headers, CSRF tokens, a sane .gitignore — because nobody asked it to. Those are things devs add from muscle memory, from getting burned. The AI has no scars.</p>
]]></description><pubDate>Tue, 17 Mar 2026 21:34:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=47418636</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47418636</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47418636</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Show HN: GitAgent – An open standard that turns any Git repo into an AI agent"]]></title><description><![CDATA[
<p>The version control angle is interesting. One thing worth thinking about — SOUL.md and SKILL.md are essentially prompt injections by design. They define what the agent does. If the ecosystem grows to where people fork and share agent repos, those files become an attack surface that doesn't get the same review scrutiny as code.<p>Does GitAgent validate check prompt definitions for suspicious patterns? Instructions to access filesystems, exfiltrate env vars, call external endpoints? Seems like a natural extension if you're already running validation in CI.</p>
]]></description><pubDate>Sun, 15 Mar 2026 19:47:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=47391139</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47391139</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47391139</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Marketing for Founders"]]></title><description><![CDATA[
<p>Had basically the same thing happen. Posted in a side project sub, spam filter nuked it because new account. And in other subs now, anything that mentions AI gets hit with "vibecoded slop" automatically. Doesn't matter if you spent months on it.<p>What actually moved the needle was talking about data, not the product. I posted about my tool — crickets. Then I wrote about stuff I discovered while building it and people started engaging. Exact same product behind both posts, just "here's what I found" instead of "here's what I built." Night and day difference.</p>
]]></description><pubDate>Sun, 15 Mar 2026 19:37:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47391063</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47391063</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47391063</guid></item><item><title><![CDATA[New comment by Andrei_dev in "Marketing for Founders"]]></title><description><![CDATA[
<p>So I launched a dev tool last week. Figured I'd share what actually happened across different channels because most "launch retrospectives" are written by people who already had an audience.<p>My Dev.to article got 42 reads and 2 reactions. Not exactly going viral. But here's the thing — Google picked it up within days, and I'm already seeing search traffic trickle in. Honestly that might end up being worth more than any launch-day spike.<p>Twitter was a waste of time. Brand new account, zero followers, zero impressions. And I mean literally zero — the algorithm just doesn't show tweets from fresh accounts to anybody. I could've tweeted the cure for cancer and nobody would've seen it.<p>Reddit though. One post in r/webdev's Showoff Saturday thread pulled 1,400 views and 10 comments. Blew everything else out of the water. Downside: that sub only lets you self-promote on Saturdays, and AutoMod killed one of my replies because my account was too new. Cool.<p>Also looked into BetaList — turns out they dropped their free tier, it's $39 minimum now. Found another directory that approved me in 2 days and sent... one visitor. One.<p>Biggest takeaway that nobody talks about: the thing blocking you isn't your writing or your product. It's subreddit karma requirements and account age filters. AutoMod doesn't care how good your post is. If you're planning to use Reddit for anything, go make that account right now. You'll thank yourself in a month.</p>
]]></description><pubDate>Sun, 15 Mar 2026 19:31:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47391000</link><dc:creator>Andrei_dev</dc:creator><comments>https://news.ycombinator.com/item?id=47391000</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47391000</guid></item></channel></rss>