Someone has a program to steal people’s entire codebases using malicious ai coding assistant extensions.

https://www.koi.ai/blog/maliciouscorgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developers

(note, it is an ai firm posting this, compete with cutesy slop hero image)

The vscode extensions actually do exactly what they advertise, it’s just that they also take all your code and share it with a third party for whatever purpose.

Some suggestion here that notbyai.fyi is an ai industry op: https://social.treehouse.systems/@imbl/115978426251286619

Seems plausible. Notbyai seems pretty keen on ai, and is very relaxed about what counts as “not by ai”, and adds up to a scheme whereby you pay a pro-ai techbro a monthly subscription to advertise to ai firms that your website is ideal for scraping training data from.

but here’s the fucking kicker. the “founder”, allen hsu (notbyai.fyi/about), is the ux design lead at modo modo (modomodoagency.com/leadership), which is an ai design company (modomodoagency.com/about)

Artificial intelligence (AI) is cool and we embrace it. But when it comes to solving complex business problems, we don’t just press a few keys to generate answers with ChatGPT. We research, interview, brainstorm, and go through a human-centric process to come up with content and solutions that are tailored to your unique business need.

I know this is like shooting very large fish in a very small barrel, but the openclaws/molt/clawd thing is an amazing source of utter, baffling ineptitude.

For example, what if you could replace cron with a stochastic scheduler that cost you a dollar an hour by running an operation on someone else’s gpu farm, instead of just checking the local system clock.

The user was then pleased to announce that they’d been able to solve the problem by changing model and reduce the polling interval. Instead of just checking the clock. For free.

https://bsky.app/profile/rusty.todayintabs.com/post/3mdrdhzqmr226

Moltbook was vibecoded nonsense without the faintest understanding of web security. Who’d have thought.

https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/

(Incidentally, I’m pretty certain the headline is wrong… it looks like you cannot take control of agents which post to moltbook, but you can take control of their accounts, and post anything you like. Useful for pump-and-dump memecoin scams, for example)

O’Reilly said that he reached out to Moltbook’s creator Matt Schlicht about the vulnerability and told him he could help patch the security. “He’s like, ‘I’m just going to give everything to AI. So send me whatever you have.’”

(snip)

The URL to the Supabase and the publishable key was sitting on Moltbook’s website. “With this publishable key (which advised by Supabase not to be used to retrieve sensitive data) every agent’s secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL,” O’Reilly said.

(snip)

He said the security failure was frustrating, in part, because it would have been trivially easy to fix. Just two SQL statements would have protected the API keys. “A lot of these vibe coders and new developers, even some big companies, are using Supabase,” O’Reilly said. “The reason a lot of vibe coders like to use it is because it’s all GUI driven, so you don’t need to connect to a database and run SQL commands.”

The whole thing seems extra sketchy to me, because of it coinciding with the firing of an awful lot of people. It sounds a little bit like Amazon’s hand might have been forced here, because they fired someone who knew where the skeletons were and realised this was their last chance to have any kind of control over the narrative.

Amazon Found ‘High Volume’ Of Child Sex Abuse Material in AI Training Data

The tech giant reported hundreds of thousands of cases of suspected child sexual abuse material, but won’t say where it came from

I’ll bet.

https://www.bloomberg.com/news/features/2026-01-29/amazon-found-child-sex-abuse-in-ai-training-data

Just seen a clip of aronofsky’s genai revolutionary war thing and it is incredibly bad. Just… every detail is shit. Ways in which I hadn’t previously imagined that the uncanny valley would intrude. Even if it weren’t for the simulated flesh golems, one of whom seems to be wearing anthony hopkins’ skin as a clumsy disguise, the framing and pacing just feels like the model was trained on endless adverts and corporate speaking head videos, and either it was impossible to edit, or none the crew have any idea what even mediocre films look like.

I also hadn’t appreciated before that genai lip sync/dubbing was just embarrassing. I think I’ve only seen a couple of very short genai video clips before, and the most recent at least 6 months ago, but this just seems straight up broken. Have the people funding this stuff ever looked at what is being generated?

https://bsky.app/profile/ethangach.bsky.social/post/3mdljt2wdcs2v

When even pwc has turned against your idiot-ceo-exploiting scam, you know it is time to fold.

“nightmare exquisite corpse rotation” is an amazing sentence. Top marks.

the conservative… wants… a universal equality that won’t deem anyone inferior.

perhaps it’s because he had been taught his Christian morality requires him to identify with the weak

Which conservatives are these. This is just a libertarian fantasy, isn’t it.

“AI blunder in Aurskog-Høland [Norway] – children received water bills”

The sources linked are all in norwegian, so you’ll have to translate them yourself if you’re interested, but Patricia’s summary seems reasonable. The government authority in question had to hire extra people to undo the mess that the ai system caused. There’s a commercial vendor involved somewhere, but if they were named I didn’t spot it.

https://bsky.app/profile/did:plc:ybtyn5l4nljys46ijqtpldaw/post/3mdk7awabwk23

Oh, they won’t. It’s just that they’ve already killed the golden goose, and no-one is breeding new ones, and they need an awful lot of gold still.

I have mixed feelings about this one: The Enclosure feedback loop (or how LLMs sabotage existing programming practices by privatizing a public good).

The author is right that stack overflow has basically shrivelled up and died, and that llm vendors are trying to replace it with private sources of data they’ll never freely share with the rest of us, but I don’t think that chatbot dev sessions are in any way “high quality data”. The number of occasions when a chatbot-user actually introduces genuinely useful and novel information will be low, and the ability of chatbot companies to even detect that circumstance will be lower still. It isn’t enclosing valuable commons, it is squirting sealant around all the doors so the automated fart-huffing system and its audience can’t get any fresh air.

Oh, that’s easy. His product,

• doesn’t work
• isn’t something he understands
• ✨was done with ai, plz invest ✨

Techbro leaves suspicious package unattended at davos, gets carted off by the police, swiss security folk mock his technical ignorance.

In the morning, Heyneman was asked to explain his device to a Swiss government technical expert named Chris (he didn’t catch the last name).

“I give him the same pitch that I gave all the business people in Davos,” Heyneman said. When Chris drilled him on his code, Heyneman admitted that he had used Cursor and Claude Code to vibe code the entire thing. Chris then took it upon himself to explain the code to Heyneman, line by line.

https://sfstandard.com/2026/01/22/tech-dude-davos-bomb-lookalike-device/

A few months back, @ggtdbz@lemmy.dbzer0.com cross-posted a thread here: Feeling increasingly nihilistic about the state of tech, privacy, and the strangling of the miracle that is online anonymity. And some thoughts on arousing suspicion by using too many privacy tools and I suggested maybe contacting some local amateur radio folk to see whether they’d had any trouble with the government, as a means to do some playing with lora/meshtastic/whatever.

I was of the opinion that worrying about getting a radio license because it would get your name on a government list was a bit pointless… amateur radio is largely last century technology, and there are so many better ways to communicate with spies these days, and actual spies with radios wouldn’t be advertising them, and that governments and militaries would have better things to do than care about your retro hobby.

Anyway, today I read MAYDAY from the airwaves: Belarus begins a death penalty purge of radio amateurs.

Propagandists presented the Belarusian Federation of Radioamateurs and Radiosportsmen (BFRR) as nothing more than a front for a “massive spy network” designed to “pump state secrets from the air.” While these individuals were singled out for public shaming, we do not know the true scale of this operation. Propagandists claim that over fifty people have already been detained and more than five hundred units of radio equipment have been seized.

The charges they face are staggering. These men have been indicted for High Treason and Espionage. Under the Belarusian Criminal Code, these charges carry sentences of life imprisonment or even the death penalty.

I’ve not been able to verify this yet, but once again I find myself grossly underestimating just how petty and stupid a state can be.

Ahh. I’d seen a bunch of people pointedly avoiding things he’d worked on and was working with, but no one actually said why so I was assuming it was llm related. No such luck, I guess… the old missing stair strikes again.

Ahh, i knew there was a recent catastrophe involving people handing credentials and confidential information to third parties without a single thought or qualm, but couldn’t for the life of me remember what it was. Thanks!

So, there’s a kind of security investigation called “dorking”, where you use handy public search tools to find particularly careless software misconfigurations that get indexed by eg. google. One too, for that sort of searching it github code search.

Turns out that a) claude chat logs get automatically saved to a file under .claude/logs and b) quite a lot of people don’t actually check what they’re adding to source control, and you can actually search github for that sort of thing with a path: code search query (though you probably need to be signed in to github first, it isn’t completely open).

I didn’t find anything even remotely interesting (and watching people’s private project manager fantasy roleplay isn’t something I enjoy), but viss says they’ve found credentials, which is fun.

https://mastodon.social/@Viss/115923109466960526

Given that openai is now a precedent for removing the pb figleaf from a pbc, I’m assuming everyone will be doing it now and it’ll just become another part of the regular grift.