119 comments

[ 4.2 ms ] story [ 93.6 ms ] thread
I own a company and get contacted daily by tons of applicants who scammers took advantage of using fake similar domains and such. My opinion is that scammers, wherever they are in the world, should get bombed. Criminals only stop when the risks are higher than the rewards. And we need to stop victim blaming companies and individuals.
I’ve grown to depend on little snitch for this sort of thing. Always run in either Alert or Deny mode.

It is a little wild how many things expect to communicate with the internet, even if you tell them not to.

Example: the Cline plugin for vscode has an option to turn off telemetry, but even then it tries to talk to a server on every prompt, even when using local ollama.

> The scary part? This attack vector is perfect for developers. We download and run code all day long. GitHub repos, npm packages, coding challenges. Most of us don't sandbox every single thing.

Embedded into this story about being attacked is (hopefully) a serious lesson for all programmers (not just OP) about pulling down random dependencies/code and just yolo'ing them into their own codebases. How do you know your real project's dependencies also don't have subtle malware in them? Have you looked at all of them? Do you regularly audit them after you update? Do you know what other SDKs they are using? Do you know the full list of endpoints they hit?

How long do we have until the first serious AI coding agent poisoning attack, where someone finds a way to trick coding assistants into inserting malware while a vibe-coder who doesn't review the code is oblivious?

The article never really addresses if it was a totally fake setup or a real crypto company scamming interviewees. Does "Symfa" exist? Does the "Chief Blockchain Officer"?
why is this website `daviddodda` while the linkedin message mentions `arun`.

This might be the forth or fifth time I've seen this type of post this week, is this now a new form of engagement farming?

This article was written by an LLM.

I get that the author might be self-conscious about his English writing skills, but I would still much rather read the original prompt that the author put into ChatGPT, instead of the slop that came out.

The story - if true - is very interesting of course. Big bummer therefore that the author decided to sloppify it.

David, could you share as a response to this comment the original prompt used? Thanks!

What's crazy is that I only realised this after my Fiancée pointed it out. Up to that point I thought it was just meandering way too much, I just skipped through most of it.

I've not been using much LLM output recently, and generally I ask it to STFU and just give me what I asked as concisely as possible. Apparently this means I've seriously gotten out of practice on spotting this stuff. This must be what it looks like to a lot of average people ... very scary.

Advice for bloggers:

Write too much, write whatever comes out of your fingers until you ran out of things to write. It shouldn't be too hard to just write whatever comes out, if you save your self-criticism for later.

If you're trying to explain something and you run out of things to write before you manage to succeed at your goal. Do a bit more research. Not being able to write too much about a topic is a good indication that you don't understand it well enough to explain it.

Once you have a mess which somehow gets to the point, cut it way down, think critically about any dead meat. Get rid of anything which isn't actually explaining the topic you want.

Then give it to an LLM, not to re-write, but to provide some editorial suggestions, fix the spelling mistakes, the clunky writing. Be very critical of any major suggestions! Be very critical of anything which no longer feels like it was written by _you_.

At this point, edit it again, scrutinise it. Maybe repeat a subset of the process a couple of times.

This is _enough_ you can post it.

If you want to write a book, get a real editor.

Do not get ChatGPT to write your post.

"instead of the slop that came out."

This "slop" reads perfectly fine to me, and obviously a lot of others, except those who have now been conditioned to watch out for it and react negatively about it.

Think about it, why react negatively? The text reads fine. It is clear, even with my usual lack of attention I found it engaging, and read to the end. In fact, it doesn't engage in the usual hubris style prose that a lot of people think makes them look smarter.

1. It's bad prose. If you think it reads fine, you don't read good prose.

2. It's immediately recognized as AI Slop which makes people question its veracity, or intent

3. If the author can't take the time and effort to create a well-crafhed article, it's insulting to ask us to take the time and effort to read it.

4. Allowing this style of writing to become accepted and commonplace leads to a death of variety of styles over time and is not good for anyone. For multiple reasons.

5. A lot of people are cranking out shit just for money, so maybe they wrote this just for money and maybe it's not even true (related to point 3)

I genuinely think you're wrong and you're only seeing things this way because you have formed a dislike about AI. The prose was absolutely fine - and this sort of comment

> If you think it reads fine, you don't read good prose.

Is reductive and not in good spirit.

Good day.

I wonder if the difference of opinion is due to native English speakers versus those who learned as a second language?

I found the AI version to be really clear and it helped me understand everything that was going on.

I found the Google doc version harder to read and slightly difficult to understand.

Funny, first I thought I liked the brief style. Then I thought sounds very much like an AI.

And when I read the Google doc, I understood, that I would have preferred the Google doc as well :-D

my best learning- zero trust to employers, real or fake, bug or small. start your own business, big or small, better than being employed
> Last week, I got a LinkedIn message

Are there any moderators left at LinkedIn?

The pseudonym "Mykola Yanchii" on LinkedIn [1] doesn't look real at all.

Click "More" button -> "About this profile", RED FLAGS ALL OVER.

-> Joined May 2025 -> Contact information Updated less than 6 months ago -> Profile photo Updated less than 6 months ago

Funny things, this profile has the LinkedIn Verified Checkmark and was verified by Persona ?!?! -> This might be a red flag for Persona service itself as it might contain serious flaws and security vulnerabilities that Cyber criminals are relying on that checkmark to scam more people.

Basically, don't trust any profile who's been less than 1yr history even though their work history dated way back, who has Personal checkmark, that should do it.

[1] https://www.linkedin.com/in/mykola-yanchii-430883368/overlay...

>a "legitimate" blockchain company

When you lie down with dogs, you get up with fleas.

Have a separate machine just for banking and financial transactions. Not to hard to use an old laptop for this.
I had someone who was targeting junior developers posting on Who Wants to Be Hired threads here on Hacker news. They reached out saying they liked my projects and had something I might be interested in, then set up an interview where they tried to get me to install malware.
> sandbox everything. Docker containers

Docker is not a sandbox. How many times does this needs to be repeated? If you are lazy, I would highly suggest to use incus for spinning up headless VMs in a matter of seconds

Perhaps the reason people keep repeating it is that someone makes the statement without any reasons, provides an alternative again without any reasons.

"Why are you not using docker to sandbox your code?"

"Umm.. someone on HN told me docker is not a sandbox, to use randomtool instead"

Did you join the meeting?
Imagine how easy this is to embed into any npm package…
Just use QubesOS. It will save you from such headaches
I get "job" notification emails from LinkedIn saying "[company] is hiring 45,000 [type of engineer I am]" and I'm always like "Sure they are" and delete it. It's sad really.
I've gotten my fair share of fake job interview emails. I don't think any have ever tried to get me to download/run some code. Mostly, I think they are just trying to phish for information or get me to join their Slack.

I remember replying to a "recruiter" that I thought was legit. I told him my salary requirements and my skill set and even gave him a copy of my resume. I think that was the "scam" though. I gave a pretty highball salary and was told that there was totally a job that would fit. I think he just wanted my info and sharing my resume (with my email & phone) was probably want he wanted. I'm not sure if that lead to more spam calls/emails, but it certainly didn't lead to a job.

The worst is I get emails from people asking to use my Upwork account. They ask because their account "got blocked" and they need to use mine or they are in a "different country" and thus can't get jobs (or get paid less). Usually they say that they'll do the work, but they need to use my PC and Upwork account, and I'll get a cut.

Obviously, those are fake. There's no way I'm letting someone use my account or remote into my PC for any reason.

any web3 that sends you a test project is a scam and are super common on sites like upwork and linkedin
Being given a technical test for an unsolicited job interview to me would raise some flags. No way I'm doing that before we talk, you came to me remember?
I've been posting on HN's "who wants to be hired" and "freelancer" posts, and for the last couple months all I've got have been suspiciously similar emails from randoms asking me to schedule an online interview for a great "opportunity". They never state exactly what that "opportunity" is about. After some hours of not participating on it they will write again - have got three of them, from different gmail emails, all of them following the same script.
I got so tired of python venvs and craziness that I ended up moving my whole dev environment into docker containers. Guess I've accidentally protected myself against some of these attacks.
As a retired graybeard, it's weird to me that people run unsecured JavaScript on Nodejs all day without a second thought. Powershell scripts have to be signed or explicitly trusted. But JavaScript on Node... nada.