Hackers' Pub

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

amos @fasterthanlime@hachyderm.io

3/6/2026, 10:32:20 AM

Public

quick review of https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another

> The issue title was interpolated directly into Claude's prompt [...] without sanitisation.

bro prompt sanitisation is the wrong boundary, always has been

> It flooded the cache with over 10GB of junk data, triggering GitHub's LRU eviction policy and evicting legitimate cache entries

HOW IS THAT EVEN POSSIBLE omg

> The compromised version was live for eight hours before StepSecurity's automated monitoring flagged it

did they publish /exactly/ at the time of the only oncall person's bed time and did they have a super restful night?

A GitHub Issue Title Compromised 4,000 Developer Machines

A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.

grith.ai

If you have a fediverse account, you can quote this note from your own instance. Search https://hachyderm.io/users/fasterthanlime/statuses/116181771238232916 on your instance and quote it. (Note that quoting is not supported in Mastodon.)