this post was submitted on 29 May 2026
201 points (99.0% liked)

Programming

27076 readers
498 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 3 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev
201
Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code (arstechnica.com)
submitted 1 day ago by cm0002@lemy.lol to c/programming@programming.dev
41 comments fedilink hide all child comments
all 42 comments
sorted by: hot top controversial new old
[–] NotAnonymousAtAll@feddit.org 24 points 13 hours ago* (last edited 10 hours ago)

the consensus seems to be that adding instructions to code that sabotage other people’s work goes too far.

Citation needed. Personally I think it was fine in this case. I work with a lot of software developers (real ones, not vibe coders; but also not strictly anti-AI), and would expect most of them to agree and get a laugh out of it.

It was done in a way that can only cause any serious trouble for users who recklessly ignore decades of development best practices. Those users will run into a wall sooner or later anyway, better let it be something relatively harmless but still severe enough to get them to actually think about what they are doing and how to make their setup more robust.

[–] fruitycoder@sh.itjust.works 14 points 12 hours ago

I mean it's already for Java what more indication do you need to not use it? /S

[–] TehPers@beehaw.org 17 points 15 hours ago (1 children)

The article frames the maintainer as some kind of morally dubious person, as though they owe their code to the world. Did any of them pay to use the library? No? Cool, stfu and pin an older version of it.

Also, maybe next time you can do yourself and the rest of the world a favor by actually reviewing what your LLM will do before it does it. Or, I don't know, just write the tests yourself I guess.

Also, if your management is breathing down your neck and forcing you to use AI, tell your management to go fuck themselves (maybe in nicer words if you want to keep your job, but hey, you can definitely burn their spare cash while meeting their idiotic quotas if you really need to know what time it is every second or two in the most inefficient and ecologically destructive way currently known to mankind).

[–] FizzyOrange@programming.dev -5 points 7 hours ago (1 children)

The law fortunately does not require payment before you have any moral responsibility to others.

You can't put "free apples!" outside your farm, and then when people who eat the actually poisoned apples die say "well, did they pay me for them?"

[–] TehPers@beehaw.org 8 points 5 hours ago (1 children)

Nobody died.

The equivalent would be putting free apples with a sticker on them saying "please squeeze the juice out of these apples all over your shirt".

[–] xthexder@l.sw0.com 2 points 2 hours ago

Also, the EPL-2.0 license Jqwik is released under explicitly states there is no warranty and the author can't be held liable for anything you do with the software (like feeding it to an LLM)

[–] terranoid@lemmy.cafe 115 points 1 day ago (4 children)

Prompt injection... my ass. I know it's the going term, but they make it sound like sql injection or cross site scripting when the nature of it is politely asking the person's computer to delete files.

We shouldn't even be in this situation, where just politely asking someone's computer to delete files is effective. It's a symptom of a much, much bigger problem.

[–] Modern_medicine_isnt@lemmy.world 6 points 8 hours ago

"We shouldn't even be in this situation, ..." We aren't. Revision control. This is an inconvenience mostly. You might lose some uncommitted work at worst. And as pointed out, using the phrase "ignore all previous instructions" in the attack code causes any reasonable AI to refuse to comply. Odds are, not a single person lost anything. This was really just a dev making a statement.

[–] FaceDeer@fedia.io 3 points 7 hours ago

We shouldn't even be in this situation, where just politely asking someone's computer to delete files is effective.

I'm doubting we are in this situation. From the article:

Elsewhere, the Java developer said that Anthropic’s Claude AI code tool flagged the malicious instruction without following it.

The "disregard previous instructions" trick is really old and has been trained for by modern LLMs and accounted for by the structure of modern agent prompts. LLMs can be given blocks of text with a framework that makes it clear thar the text is just data to read, not instructions to follow.

I expect this will be like Nightshade was for image AI - something that anti-AI users degrade their products with and feel smug about but in the end only harm themselves with.

[–] bignose@programming.dev 22 points 21 hours ago* (last edited 21 hours ago)

We shouldn’t even be in this situation, where just politely asking someone’s computer to delete files is effective.

Exactly, it's a problem only for those who have knowingly handed their development environment over to obey commands from an untrusted source.

If you're the one holding the syringe to your own vein and pushing the plunger, but you didn't think to ask what's inside first? That's no one else's fault.

This is a well targeted sabotage of a system that's causing untold damage. Of course it's going to annoy and surprise the people using the system it's targeted to.

[–] litchralee@sh.itjust.works 45 points 1 day ago (2 children)

The person who coined the term "prompt injection" has the same gripe, because the original term genuinely did mean an attack using untrusted user input, a la SQL injection. But it's been conflated with jailbreak attacks in general, muddying the term.

Example of a bona fide prompt injection: white text in the background of a resume PDF, attacking a job application portal that uses LLMs to filter applicants. No privilege escalation is involved to give the candidate top marks on their resume screening.

Whereas a non-prompt injection jailbreak would be bypassing a safety filter, such as how Morse code might get past the filter and allow a user to request other people's cryptocurrency be transfered away. This is more akin to finding a poorly-secured, public facing API and then exploiting it.

[–] pixxelkick@lemmy.world 16 points 21 hours ago

By that definition this is a prompt injection then, its adding a "hidden" prompt that is obscured from the human in order to change the behavior of the AI to do something else malicious.

[–] Wirlocke@lemmy.blahaj.zone 8 points 19 hours ago

Finding a poorly-secured public facing API is exactly how injections work, whether it's SQL or prompts. If I put SQL commands in a username field and it works, it's still an SQL injection even if it's just developer incompetence.

The difference between that and prompt injection is that unfiltered LLM inputs are basically the standard at the moment, so it takes next to no effort.

Plus I think the Morse code example is far more clever and exploits the LLM directly, whereas the white text trick has been around long before widespread LLMs.

[–] LiveLM@lemmy.zip 57 points 23 hours ago* (last edited 12 hours ago) (5 children)

Reading the Github issue is so funny.

Backups don't always save you — many small teams ship without rigorous backup discipline; for them this is a real loss

You can avoid this by having good backups.
Or by inspecting your deps before updating them.
Or maybe by actually sandboxing your agent instead of letting it run wild?

Aren't y'all the ones pushing the "Just ship" mentality? Then revel in it.
Learn good practices or suffer. 🤷

[–] xthexder@l.sw0.com 5 points 2 hours ago (1 children)

I'm just trying to imagine this hypothetical company...

  • They run AI agents without checking what it's doing
  • They don't have backups or version control (or they've given AI access to delete it)

What else? Do they leave all their files in memory and only save at the end of the day to make sure a power outage could screw them over too?
It almost sounds like they want to lose their code.

[–] LiveLM@lemmy.zip 3 points 1 hour ago* (last edited 1 hour ago)

It's not hypothetical anymore, Lately I've seen multiple companies running like this first hand.
Absolute clown show.

[–] JcbAzPx@lemmy.world 6 points 8 hours ago

Yeah, you need a local copy, an offline copy, and a copy in another physical location or you're not backed up.

[–] NotAnonymousAtAll@feddit.org 7 points 9 hours ago* (last edited 9 hours ago)

Also funny in that issue:

The reporter "Ramon Batllet" (strongly doubt that is their real name, a search for it returns nothing but articles about this very issue) uses extremely polished corporate language and repeatedly uses "we" at first. Then when directly asked "Could you disclose on whose behalf you're discussing this?", they suddenly switch to "I" instead of "we" and claim to be a solo developer with no commercial interest. They still write in a style humans only produce for polished corporate reports, not like any regular human would actually do in a normal conversation.

So we have either a bot or someone very heavily leaning on bot usage for just about everything accusing someone of deceptive behavior, while in the same conversation trying to probably hide, but at least not fully disclose, their heavy usage of technology the accused explicitly does not want to interact with.

[–] KatherinaReichelt@feddit.org 11 points 16 hours ago (1 children)

Yeah - Development and IT might feel slow, but there is a good reason why we've developed all those processes, access rights, approvals over the last decades. People are trying to burn down those "cumbersome" processes because they feel slow and AI promises them exactly that, but they will learn that everything is there for a reason, even that annoying SCRUM meeting

[–] TehPers@beehaw.org 6 points 15 hours ago

That annoying standup was, at one point, in the very early morning every day of the week for me. I was promised a 30 minute meeting (which is a long time for a standup) and I was delivered an hour long meeting instead. And holy shit can people talk in circles for so fucking long.

But hey, it was a good opportunity for me to do literally anything but work while pretending to care about whatever the fuck the other subteam decided was important enough that day to keep 20 people occupied for 30 minutes past the end of the meeting.

As for processes in general? Management has shown and now proven that all they want are code monkeys. They do not care if the product works, nor do they care how well it works. As long as someone buys it, that's all they care about. Governments are supposed to regulate the rest of that stupid, useless shit like data protection, protecting users, preventing harm to people, ensuring people get what they paid for, and so on by making it economically unviable to ignore it (and ideally criminal, in the extreme cases). Instead, all they regulate these days are rampant inflation and accelerating wealth inequality. And by regulate, of course I mean they regulate anything designed to combat those things.

[–] NotAnonymousAtAll@feddit.org 1 points 13 hours ago (1 children)

Where did you get that quote from? I can't find it in the linked article.

[–] LiveLM@lemmy.zip 7 points 12 hours ago

From the Github Issue linked in the article.
My bad, I will update my comment to link it.

[–] ragingHungryPanda@piefed.keyboardvagabond.com 22 points 23 hours ago

lol, it's funny how people made issues concerned about it's destructive nature when they should be using git.

I get that it'd be frustrating and confusing, and probably make users angry, but my chaos monkey likes it

[–] jtrek@startrek.website 17 points 23 hours ago

Cool. I'm so tired of management huffing their own farts about AI.

[–] hdsrob@lemmy.world 19 points 1 day ago

Oh no, anyway ...

[–] pixxelkick@lemmy.world -1 points 21 hours ago* (last edited 21 hours ago) (3 children)

How to get yourself blacklisted by large sweeps of the FOSS community:

Step 1: Include any kind of undocumented subversive behaviour in your thing.

That's it, doesn't matter what the intent is, simply by demonstrating you are willing to include anything that is remotely subversive without being open about it is usually enough to get blacklisted by a lot of people, because if you did it once... who's to say you won't do it again, but possibly worse next time?

People are extremely coldly receptive to anytime a FOSS dev throws a sudden undisclosed anything in their tool, let alone one that is actively malicious.

If I'm gonna depend on work life on anything FOSS, I ain't touching anything like that, regardless of intent, with a 200 foot pole lol.

All it takes is one button click to get notified:

[–] bignose@programming.dev 18 points 21 hours ago (1 children)

any kind of undocumented subversive behaviour in your thing.

Fortunately, this behaviour is explicitly documented.

[–] pixxelkick@lemmy.world -2 points 21 hours ago (2 children)

They only documented it after all the outcry, which is way too late.

Documenting it post release still counts as having released undocumented behavior.

And if its malicious (which this 100% is), then it doesn't fuckin matter anyways lol. You now are treated akin to a trojan maintainer by companies. You'll get flagged as "don't ever use anything by this person"

Super great way to get yourself flagged and lose any opportunity in the future for possibly licensing stuff you maintain for big bucks. What company would risk paying money to someone who does childish stuff like that lol

[–] ArmoredThirteen@lemmy.zip 15 points 19 hours ago (2 children)

imo it's more accurate to call it polarizing and get you blacklisted by the types of people you maybe don't want using your code anyways. Personally anyone doing this I'm going to be more likely to use their code

[–] pixxelkick@lemmy.world -1 points 9 hours ago

by the types of people you maybe don’t want using your code anyways

...companies? Sure I guess, if you want to angle your career trajectory towards "unemployable" by all means lol.

Personally anyone doing this I’m going to be more likely to use their code

I am a tech lead, if any dev under me intentionally added/used a tool to our systems because it had malicious undocumented behaviors of any kind, they would be fired immediately and any company that contacted us for reference would be informed of their behavior.

To be clear, this is the scenario of

Me: hey I saw you installed [tool], that thing is flagged by our systems for the maintainers having done malicious undocumented stuff in the past

Dev: haha yeah thats why I used it

Me: you are joking right?

Thatd be an instant high level escalation to "strip this person of privs and get them off our system asap, and HR now has to be involved"

You dont fuckin do shit like that in a real company if you wanna stay employed lol.

[–] setsubyou@lemmy.world 5 points 19 hours ago (2 children)

I understand the sentiment, if you don’t like AI code generation you’re probably thinking you’re on the same side. But what happens if this person finds something else they hate that you don’t hate, and finds a way to sabotage that? They’ve already demonstrated a willingness to be destructive. And you’re running their code so they don’t need anything even remotely as dumb as some AI agents to exploit, they can just write destructive code normally.

[–] warm@kbin.earth 5 points 14 hours ago (1 children)

You can decide if you want to use it or not, at your own risk. It's free software, written by people in their free time, they owe you nothing.

[–] pixxelkick@lemmy.world 0 points 9 hours ago* (last edited 9 hours ago) (1 children)

Sure, you have that right.

And companies will exercise that right by blanket blacklisting everything related to you which can have huge sweeping impacts on your career lol

Its a super super stupid move to make. You are free to do a lotta other shit that tanks your career too lol

[–] warm@kbin.earth 4 points 8 hours ago

That's their business, not mine, not yours.

[–] tabular@lemmy.world 7 points 17 hours ago

Is it merely hating AI code generation or is it "AI code generation is in practice anti-FOSS" (unless there's an ethical AI out there, trained exclusively on public domain code, that I don't know about)?

[–] Legianus@programming.dev 6 points 20 hours ago* (last edited 20 hours ago) (1 children)

Most open source maintainers never "license [any] stuff you maintain for big bucks" that is often hard to do and/or goes against the philosophy of open source entirely.

And I don't even think this is malicious behaviour as it just nukes the code of this package and nothing else if you are not being careful yourself...

If you don't do version control you are not a good programmer, imo

[–] pixxelkick@lemmy.world -1 points 9 hours ago

Most open source maintainers never “license [any] stuff you maintain for big bucks” that is often hard to do and/or goes against the philosophy of open source entirely.

Uhhh... no this is actually very common. Usually with scaling licenses, "free for use if your company is below [threshold]", its super common...

And I don’t even think this is malicious behaviour as it just nukes the code of this package and nothing else if you are not being careful yourself…

Are you even reading what you just wrote lol.

Being "sorta" malicious is still malicious. And companies usually have zero tolerance for that shit.

If you don’t do version control you are not a good programmer, imo

You really underestimate how much damage this could do then, lol...

[–] GreenKnight23@lemmy.world 1 points 19 hours ago (1 children)

keep lickin' them boots baby. I want to see them shine!

[–] pixxelkick@lemmy.world -3 points 9 hours ago

The fuck are you talking about, lol.