I picked up a new client's React Native app to help them ship on Android. Previous dev was an Upwork freelancer. 110 commits. Six months of real work. Clean looking codebase. Exactly the kind of project you'd clone, open in Cursor or VS Code, and start prompting on top of.

I asked Claude Code what it would take to get this on the Play Store. During that assessment it flagged the ESLint config file. Looked totally normal. Ten lines. Standard Expo boilerplate.

Except after the closing bracket on line 10, hidden behind 300 spaces on the same line, was an obfuscated remote code execution loader.

Every time ESLint ran — every time you saved a file, every time your editor auto-linted, every time CI ran — the loader executed. It fetched encrypted payloads from blockchain transactions, decrypted them, and ran whatever code the attacker had deployed that day. No servers involved. No domains. The command and control infrastructure is the Tron and Binance Smart Chain blockchains. Untakeable.

The attacker updated the payload 25 times over 12 months. Per-victim campaign identifiers in the code. This wasn't a one-off. The wallet was active 10 months before this client was even targeted. Estimated 10 to 30 or more Upwork clients could have this same loader sitting in their projects right now.

Why this matters if you vibe code:

You're not reading the codebase line by line. That's the whole point. You're prompting, generating, shipping. But when you clone a repo or inherit a project, you're trusting every file in it. And config files are the last thing anyone looks at.

eslint.config.js is not a config file. It's executable JavaScript. So is babel.config.js. So is metro.config.js. So is next.config.js. So is vite.config.ts. They all run code. They're all attack surface. And none of them show up in your prompts or your AI-generated diffs.

This payload was invisible in a normal code review. It was invisible in git diffs unless you scrolled horizontally past 300 characters. It was invisible to every linter and formatter. It was caught because an AI tool happened to dump the raw file contents during an unrelated task.

What you should do:

1. If you've inherited or cloned a codebase from anyone — a freelancer, an agency, a previous team — check your config files. Open them in a terminal with cat -A or xxd and look for anything after what appears to be the last line.
2. Before you start vibe coding on top of a new project, ask your AI tool to audit the config files specifically. "Read every config file in this project and flag anything unusual."
3. If you hired a JavaScript or React Native freelancer through Upwork, check your eslint.config.js right now. The attacker's GitHub handle is garrycha. The payload uses this exact pattern — whitespace padding after the closing bracket on the same line.

The full reverse engineering breakdown with wallet addresses, decryption keys, and a monitoring script is posted on r/cybersecurity if you want the technical details.

110 commits of real work. One line in a config file. That's all it takes.

first 1000 hits on my photo editing website!! This is so exiting because I've vibecoded this site completely for free.

I've learned more about terminal, IDE, programming, agents, in the last couple of weeks than I did my entire life. I knew basics since I am an animation student andI but couldn't really write any code.

Instead of copying and letting AI spoon feed me the code. I went with a different approch in the beggining..my questions were mainly about - 'Teach me this..' or 'What is ...' , learned how to navigate, create project folders, run dev server, setup agents, skills, github, etc.

go take a look at squarepic.io and let me know if theres any feedback !

wasn't planning on building a social platform. here we are.

ookubb is live. guilds, rankings, XP, leaderboards, communities. the whole thing.

no idea how it got this big. claude knows.

if you vibe with it, an upvote on product hunt would mean a lot

ookubb.com

→ producthunt.com/products/ookubb

hey r/VibeCodeDevs,
Best free subreddit stats checker,
Instantly analyze any subreddit's growth, engagement, best post times, and promotion friendliness — so you know exactly what you're walking into.

You can check it out here,
https://www.subdude.pro/free-tools/subreddit-stats

Testing my custom GPU open source video generation setup, post your video idea and I'll generate it (up to 30 seconds). Sfw only

https://reddit.com/link/1tu0844/video/3wd78vp2np4h1/player

You know how you can describe a UI in plain English and Cursor/Lovable just builds it?

I got frustrated that you can't do the same for demo videos. Every time I shipped something, I had to open Loom, record, mess up, re-record, edit. Hours gone.

So I built DemoFlow. Same energy as vibe coding. you give it a URL and a sentence, an AI agent opens a real browser, navigates your product (clicks, scrolls, fills forms), and renders a Screen Studio-quality MP4 automatically. Motion blur, cursor easing, cinematic zooms, all done.

Example prompt I used: "Open the dashboard, click New Project, type 'Q3 Campaign', hit save, zoom in on the success toast."

That's it. No recording. No editing. No designer.

Still early, we are accepting a waitlist for beta launch: demoflow-sigma.vercel.app

Curious what prompts you'd throw at it.

Going to confess: last month I spent $300 across Codex, Claude Code,Manus and Helio.

Is it just me or is this getting out of hand for everyone?

Genuinely curious to hear from you all: How much are you paying per month? What have you tried to cut the cost? Is anything actually working, or are we all just accepting the bleed? Just trying to figure out if I have a personal problem or if this is structural.

Shipped three things this month. Two of them work. One of them I genuinely cannot explain how it works to another human being.

I keep waiting for the moment this feels like cheating. It doesn't. It just feels like the new normal.

Anyone else hit the point where you stopped asking yourself if you're "really" coding and just started shipping?

Over 2 years ago, I was asking around for a subscription-free Splitwise alternative that did cross-project, person-based accounting.

Literally every single expense splitting platform out there seems to split expenses exclusively within groups / projects / whatever else they call it. This is quite an annoyance if you have multiple users that are in several different groups - you end up in a situation where you need to settle expenses with the same person multiple times because the platform cannot balance across several groups.

For the longest time, I used Splitwise for this one specific feature and suffered through their constant popups and timers. Last year, I discovered this newfangled Vibe Coding thingamadoodle and managed to get a prototype of this concept up and running in Cospend. And then upstream updated the code base xD

Today, I managed to get it built into the latest version of Cospend.

It's probably not perfect. It probably has lots of room for improvement. But for now, it works. Hopefully it won't cause my entire nextcloud instance to implode.

Hey everyone 👋

I’ve been working on a project called RoleVsMe 🚀

The idea is simple: upload your resume, choose a tech role you’re interested in, and the app shows how well your current profile matches that role.

It looks at things like:

• your role fit score
• skills you already cover
• important gaps
• market-demanded skills
• salary signals
• a roadmap for what to improve next
• CV optimization without inventing fake experience

I built it because job descriptions are noisy, and sometimes it’s hard to know what skills actually matter before applying. Also I just noticed that when I think of some role I go to Linkedin of course and start searching jobs's posts to check what companies actually require, so I could see if I'm good fit or not really : ) Each time when I think that I'm pretty good as position and I check job postings I quickly realize that I don't know more than half things they're asking candidate to know :D Once I see smth I don't know I then go google it etc. so now I can just click and get all the information!

Feel free to try, all signed up get 12 free credits so you can try it out without spending a cent.

Doing some vibe Android app, that do those (work in progress), offline and also doing some experience (bad patterns and good experience fixing) working with images on Android

Picture1 Picture2

Honestly didn’t expect this niche to move this fast.

I launched VibeToplist just a couple days ago as a small experiment to track and discover AI-generated and vibe-coded games, and somehow we’re already at 18 unique game listings.

What surprised me most is how different the projects already are:

- AI survival games

- Procedural RPGs

- Weird browser experiments

- Multiplayer projects

- Retro pixel games

- Completely unhinged prototypes

One thing I wanted to avoid from the start was having the same games dominate the rankings forever. Because of that, votes reset at the beginning of every month, giving new projects a fair chance to reach the top, get discovered, and grow their playerbase organically.

Feels a bit like the early internet and game-dev era again, where people are just building random creative stuff because they can.

I genuinely think this space is going to explode over the next year or two.

If anyone’s curious:

https://vibetoplist.com

Hi everyone,

I’m a non-technical founder building my first SaaS MVP.
I’ve managed to get surprisingly far on my own, but I’m now spending a lot of time fixing bugs, troubleshooting issues, and trying to work around technical problems that an experienced developer could probably solve much faster.
My goal is simple: launch the MVP, get real users, validate the idea, and learn whether it’s worth investing more time and money into.
A few questions for those who have been through this:
1. At what point did you decide to bring in a developer instead of continuing yourself?
2. Have you had good experiences hiring developers through Fiverr or similar platforms?
3. Are there communities where founders can find affordable developers for MVP work?
4. If you were trying to launch quickly, would you continue building yourself or hire someone to finish the product?
5. What mistakes should first-time founders avoid at this stage?
I’m self-funding the project, so I’m trying to balance speed, quality, and budget without overbuilding before validation.

Any advice or lessons learned would be greatly appreciated. 🙏

Its a daily puzzle game site similar to Wordle except about geography, maps, language, and countries. 6 games that refresh daily... I am blown away at how quick its popping off. I have attached a video of the gameplay of one of the games.. Still working out some bugs. All I did was post a few TikToks of the game play and BAM it exploded... Just wanted to share. If anyone has any feedback or advice lmk. The site is WorldsWire.com

https://reddit.com/link/1tu1xk0/video/i3o2iefjwp4h1/player

So we actually get a lot of founders coming to us saying "hey we built this thing on an AI builder and we can't get it to work the way we want to." And when we look at what's there, it's pretty consistently the same set of issues.

Auth tokens sitting exposed in the repo. Row level security is switched on but misconfigured on at least one table, so users can technically read data that isn't theirs. No rate limiting on any of the endpoints, so someone running a script can either take the whole thing down or run up a serious API bill in minutes. Payments confirming on the frontend while silently failing on the backend.

The thing is that your AI is building what you asked it to build. The problem is that nobody told it to do those imperative things especially if they do not have any prior experience or a technical background, and most first time builders just don't know to ask for them yet because there's no obvious signal anything is missing.

The app looks finished, it runs, it does what you built it to do.

I'd say it's roughly 50-50 whether we can fix what's there or need to scrap it and start over, and that really just depends on how deep the issues go.

Has anyone caught something like this before going live or did it surface after real users were already on it?

what would happen

I've been pair-programming with Cursor/Claude for 6 months on a side project. Here's what I've noticed:

After about 30–60 minutes in a chat session, the AI starts suggesting code that violates conventions I established an hour ago. It forgets:

• That I'm using hexagonal architecture (starts dumping logic in controllers)
• That all DB access goes through repository interfaces (suggests raw SQL in handlers)
• The custom error handling pattern I defined (starts throwing raw errors again)
• The testing requirements (stops writing tests, skips edge cases)

So I find myself restarting chats, re-pasting my README, re-explaining my stack, and watching my token budget burn on repetition.

I'm calling this "context rot" — the gradual degradation of an AI's understanding of your project as the session grows and tokens get pushed out of the window.

I'm curious: is this just me, or is this a universal pain?

Recently launched the landing page for QuickProof and looking for some honest feedback.

Mainly curious about:

-what you think the product does

-whether the value is clear

-if anything feels confusing

 https://www.quickproof.ai/

 We're also opening early access for teams interested in trying it out.

Cursor is giving new users 50% off their first month of Pro, Pro+ or Ultra when they sign up through a referral link.

Here’s the link to activate it:

https://cursor.com/referral?code=R65D4O6LZPYZ

I built a simple coloring app for kids and it made $118 in the last 30 days.

No venture funding.
No team.
No ads.

Just a small educational app I built for young children who love coloring and drawing.

The app has over 100 ratings, a 4.5-star average, and is slowly growing month after month.

One thing I've learned from building apps is that you don't always need a revolutionary idea. Sometimes solving a simple problem for a specific audience is enough.

Still experimenting, still shipping, and already working on the next app.

https://apps.apple.com/us/app/colouring-and-drawing-for-kids/id6446801004

One developer named forrest chang reads the post the next day, identifies the four failure modes karpathy named and converts them into a single CLAUDE(.md ) file. Drops it on github on 27 jan.

220,000 combined stars later, its one of the fastest-growing repos in GitHub history.

the problem it actually solves is that claude code starts every session cold with no memory of your stack, your past decisions, what you ruled out last week or why you chose one approach over another and so it guesses and refactors things that were not broken. Karpathy described it precisely that models make wrong assumptions on your behalf and barrel ahead without checking. They dont manage their own confusion, ask for clarification, surface inconsistencies or push back when they should.

CLAUDE. md is a plain text file claude code reads at the start of every session. Four rules inside it being

1. Ask, dont assume. If something's unclear, ask before writing a line and no silent guesses about intent, architecture, or requirements.
2. Simplest solution first and implement the minimum thing that works. No abstractions you didn't request.
3. Dont touch unrelated code and if a file isnt part of the current task, leave it.
4. Flag uncertainty explicitly or if you're not confident, say so before proceeding as confidence without certainty causes more damage than admitting a gap.

That's the whole file with like seventy lines

I have been using it on a project that integrates with Magichour's and klings api coz video generation pipelines get messy fast, lots of stateful logic and easy for claude to go rogue and start helpfully refactoring things mid session and the reason 220k developers starred this because every developer who has used claude code for more than a week has been burned by exactly these failure modes and had been patching them manually, one frustrated session at a time.

While everyone's debating which model to switch to next, the actual edge is in how precisely you instruct the one already in front of you.

Have you tried it? curious what failure modes you r still hitting that the four rules dont cover.

Only launched about 3 weeks ago and my strategy was to build 8 completely free, no sign-up tools as lead gen.

The App is called Hello PlayDate and it's basically calling cards for kids so that nascent playground friendships can mature into consistent playdates.

But in that niche of kids, playdates, birthdays, kids activities, emergency contacts, etc I built 8 free tools where the 'deliverable' is a printed document that is actually useful for the parent. The one that gets the most use is actually the toddler timer which is just a clean minimal hourglass timer.

Only 1 sub so far but man is it gratifying.

Hey guys I live in La and I am always sitting in my car not being able to code or work. So I created an app that lets me connect to my claude and cursor and lets me speak to them and they do the coding fro me. I showed this to my friends and they started paying too. Would love to hear if other people think this is useful