Sam (@Guruu75)

167 posts

Building products I use.

Paris, France · Joined September 2024
38 Following · 43 Followers

International Cyber Digest (@IntCyberDigest):
‼️🚨 Over 700 Ghost CMS sites, including Harvard, Oxford, and Auburn, were compromised through an unauthenticated SQL injection (CVE-2026-26980). Attackers pulled Admin API Keys and turned every site into a ClickFix delivery vector via fake Cloudflare "verify you are human" pages. Patch was out February 19. Most never applied it.

Sam (@Guruu75):
@MennelDev I started with ADA! 😬 Now I'm having a blast with SvelteKit

Mennel 🏛️ (@MennelDev):
my first language was PHP, now I'm on react native/expo 90% of the time. what was your first vs now??

Sam (@Guruu75):
@bridgemindai I couldn't even consider letting an AI touch my production environment. I now understand how some of us have their production DB randomly deleted.

BridgeMind (@bridgemindai):
Claude Code just stopped a DDoS attack on BridgeMind in under 10 minutes. 13 million requests per minute hitting our API. CPU pegged at 94%. Latency spiking to 60 seconds. Production was down. I opened Claude Opus 4.7 in Claude Code and said "fix this now." It identified the attack, scaled ECS from 2 to 8 tasks, tightened WAF rules from 300 to 100 req/IP, blocked the attack vector, and brought CPU down to 15%. Latency dropped from 60 seconds to 1.25 seconds. No DevOps team. No on-call engineer. Just one prompt. This is why I keep coming back to Claude Code.

Cloudflare Developers (@CloudflareDev):
Multiple security vulnerabilities affecting React Server Components and Next.js have been disclosed. We strongly recommend updating your applications immediately. Cloudflare WAF managed rules already mitigate the disclosed denial-of-service vulnerabilities, and we are investigating additional coverage for several other CVEs. developers.cloudflare.com/changelog/post…

Sam (@Guruu75):
@0to1guy @melvynx Sure, if you activate RLS on Neon or anywhere else, in the end it's the same thing!

Melvyn • Builder (@melvynx):
Why you should NOT use Supabase:
1. SDK Trap - not TypeScript by default, type-gen is bad, easy to make mistakes
2. Security with the SDK is terrible - need to set up a lot of things to have something work
3. Vendor lock-in with the Auth, don't have your keys
4. Pricing way more expensive than a $8/month db + better-auth
5. Better alternative for all tools they provide

Sam (@Guruu75):
@marclou More Laravel and more SvelteKit! ❤️

Marc Lou (@marclou):
Founders who build profitable startups use NextJS + TailwindCSS + PostgreSQL n=200

Marc Lou (@marclou):
My friend @jackfriks told me he received a message from someone running a phishing scam on TrustMRR. My security filter marked the message as spam, but I was still curious, so I followed the link. The scammer pretends to be me, claiming to be building a new integration for TrustMRR, and asking for Vercel API keys ☠️ Since the phishing site was hosted on Vercel, I messaged @rauchg & @andrewqu. 6 minutes later, the scammer was blocked on Vercel 😇

Sam (@Guruu75):
@DevBredda @melvynx Don't get me wrong. I'm not saying you shouldn't use it. I said you shouldn't rely exclusively on it and you have to understand the security basics.

Sam (@Guruu75):
@DevBredda @melvynx + never trust Claude and agents for security purposes; if you're not able to handle it with your own knowledge, it's over.

Sam (@Guruu75):
You're right. Supabase is not the problem itself. But for most people (me included), accessing your DB with a passphrase and your RBAC at backend level is much more natural than having hardly readable RLS policies at DB level. I like Supabase if you don't want to handle complex backend logic, but the issue is that it became the default tool for most vibecoders who think they are protected because "it works". Indeed it works, but with one missing RLS, your data is absolutely free 😂

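The "one missing RLS" failure mode Sam describes, shown as an added SQL example (not Sam's code and not Supabase's own): a constructed `profiles` table exposed through PostgREST, first without row level security, then with RLS enabled and per-user policies, followed by an audit query that lists every public table still running without RLS. `auth.uid()` is Supabase's JWT helper; on plain PostgREST the equivalent is the `request.jwt.claims` setting noted in the comments.

```sql
-- Constructed example: a "profiles" table served by PostgREST.

-- WEAK: created without RLS. Any client holding the public anon key can read
-- every row through the REST API, because the `anon` role has table privileges
-- and nothing restricts which rows it sees.
create table public.profiles (
  id       uuid primary key,
  user_id  uuid not null,
  email    text not null,
  phone    text
);
grant select, insert, update, delete on public.profiles to anon, authenticated;

-- FIXED: enable RLS (and force it, so even the table owner is subject to it).
-- With RLS on and no policies, Postgres denies every row by default; policies
-- then re-open exactly the rows a caller is entitled to.
alter table public.profiles enable row level security;
alter table public.profiles force row level security;

-- auth.uid() is Supabase's helper returning the `sub` claim of the caller's JWT.
-- On plain PostgREST use:
--   (current_setting('request.jwt.claims', true)::json ->> 'sub')::uuid
create policy profiles_select_own on public.profiles
  for select to authenticated
  using (user_id = auth.uid());

create policy profiles_update_own on public.profiles
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Unauthenticated callers (anon key alone) get nothing on this table.
revoke all on public.profiles from anon;

-- Audit check: every table in the public schema that still has RLS disabled.
-- Each row returned is readable wholesale by any role that has been granted
-- privileges on it, anon included.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

The audit query is the part worth running regularly: a new table created by a migration or a dashboard click starts with `rowsecurity = false`, which is exactly the state the tweet warns about.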
Sam (@Guruu75):
Neon is a really thin Postgres wrapper (if you don't use their auth) if you want a serverless DB. The Supabase ecosystem is a real BaaS. The whole Supabase PostgREST and DB logic with anon key and RLS is powerful but really dangerous when you don't really master it. And as most vibecoders have no clue about it… it becomes a security nightmare in most products.

Sam (@Guruu75):
@andi_losing Let's go man! Did you have previous experience in app dev? Keep pushing 💪

Andi (@andi_losing):
my first iOS app is finally live 🥳 introducing StepKey, an app that makes you walk to unlock your apps. no steps = no doom scrolling. i can't stop smiling :)

Sam (@Guruu75):
@andi_losing That's so nice to see your journey Andi! Wishing you all the best 💪

Le Dev ULTIME 🍜 (@ledevultime):
2 million euros! I just reached €2M with my app. I had already passed that figure in USD, but in EUROS it means something. Proof on Stripe, with a link for my haters. profile.stripe.com/teachizyfr/cdL…

Sam (@Guruu75):
@Pauline_Cx @melvynx self host your own Postgres or simply use Neon if you prefer serverless functions and services

Melvyn • Builder (@melvynx):
It's been 4 years that I've been advising everyone not to use Supabase ⚠️
→ expensive + limiting (2 free projects then $20 / project)
→ auth is meh
→ vibe coding has an 80% chance of creating security issues with their SDK
I just can't count the number of junior devs building with Supabase making security vulnerabilities that enable anyone to get all user data ☠️

Quoting Sara Dietschy 🍑y (@saradietschy):
Maybe it's my YouTube search being messed up (since search is now just another version of the algo LAME!) But it feels like all YouTube content about Supabase is extremely outdated. All 2-3 years old. Which in the AI universe is ancient for a tool used by a lot of AI ppl.

Sam (@Guruu75):
@melvynx Most people have no clue about RLS and vibecode with it the same way they would on a usual Postgres, sometimes even without understanding the anon key concept. That's scary for data leakage.

Sam (@Guruu75):
@MennelDev So satisfying to build your own in-house solutions with the exact vision you have for them

Mennel 🏛️ (@MennelDev):
I'm replacing all my overloaded notion pages with small super-custom CRMs. after the PWA for my agency, I'm building my own app to track my personal apps (profits, apple payment calendar, marketing spend, influencers, ideas, tickets etc..) long live claude

Sam (@Guruu75):
@confuse_geek @archiexzzz We learn every day, that's what matters. I'm new to mobile apps on my end, so I'll probably face similar questions. The shinier solution is not always the best for our use case or what we're at ease with, and that's the exact reason I stopped using Supabase.

Khushal (@confuse_geek):
Web dev is new to me and I'm building a SaaS for a client. I used to build mobile apps and I'm good at that, but web is new. What I did is put all the important logic on the backend side (FastAPI). I only need the anon key in the frontend's .env because of Supabase auth. And obviously the access token needs to be stored in the frontend. Almost everything is new to me but Supabase is a little bit familiar, so I went with this. Will try my own DB or a proper managed Postgres like Neon or DigitalOcean managed Postgres in the future for sure.

Archie Sengupta (@archiexzzz):
Just hacked a VC-funded Voice AI company. I now have their prod data. I now have access to all:
> medical information of customers
> call recordings, phone numbers, contact names
> email addresses
> all SYSTEM_PROMPT for all agents they are running
> API keys and Secrets
> org data
> OAuth Provider IDs
> all webhook_events
Mostly, I did IDOR and BAC attacks to get the data. I was able to retrieve all table columns and other access vulnerabilities. Once I had that, it was very easy to bypass and get all the data.