Harshit

277 posts

@dharshit492

software engineer @codeantai yc’24

New Delhi, India. Joined August 2023
673 Following, 437 Followers
Harshit retweeted
Amartya Jha (@amartya_jha_)
2 weeks ago, I was debugging something @CodeAntAI code reviewer flagged. It flagged a regex issue in the simple-git repo. 12.4 million weekly downloads.

The flag: "This regex guards a case-insensitive system using case-sensitive matching."

I almost scrolled past it. I didn't. One hour later I had a working remote code execution POC ready.

Here's the thing: simple-git had already fixed this. Twice. CVE-2022-25912. CVE-2022-25860. Both attempted to block the dangerous `ext::` Git protocol using a regex.

- The regex used [a-z]. Case-sensitive.
- Git config keys are case-insensitive.

So protocol.allow=always → blocked. PROTOCOL.ALLOW=always → full remote code execution.

The fix that shipped? One character. Adding '/i' to the regex flag. That's the entire diff.

73% of all simple-git installs, roughly 9 million downloads per week, are still running the vulnerable versions right now. The advisory hasn't hit NVD yet. Which means every scanner in your stack is currently blind to it. Snyk. SonarQube. Checkmarx. All blind. Not because they're bad products. Because they rely on known CVEs. If the CVE doesn't exist yet, the pattern doesn't exist yet.

This is CVE-2026-28292. CVSS 9.8 Critical.

Five days before this, we disclosed CVE-2026-29000. CVSS 10.0. Authentication bypass in pac4j-jwt. Different ecosystem. Different vulnerability class.

Rule-based scanners ask: "Does this match a known bad pattern?" AI code review asks: "Does this code do what it's supposed to do?"

A case-sensitive regex guarding a case-insensitive system isn't a known pattern. It's a logic gap. A spec vs implementation mismatch. That's exactly what CodeAnt AI catches, and exactly what everything else misses.

So far we've filed:
- 100+ vulnerabilities
- Across npm, PyPI, Maven, NuGet
- 1.85B monthly downloads affected

Patch ≠ Fix.

Massive respect to Steve (steveukx), 4 days from report to patch. Open-source maintainers are the unsung backbone of this entire industry.

If you use simple-git: npm install simple-git@latest. Do it now. Full writeup in the comments. 👇
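The bug class in the post above, shown in runnable form. This is an added example, not simple-git's code and not the regex from any of the CVEs mentioned: the deny-list pattern, the function names and the sample config arguments are all hypothetical. What it demonstrates is the mismatch itself: a `[a-z]`-based, case-sensitive regex standing guard over Git config keys, which Git compares case-insensitively, so `PROTOCOL.ALLOW=always` walks past the guard. It also shows the one-character `i`-flag fix next to a structural alternative that parses the key the way Git does (section and variable name lowercased, subsection kept as written, per git-config's documented rules) before comparing.

```javascript
// Added example (not simple-git's code). A hypothetical deny-list in front of
// `git -c <key>=<value>` overrides, written the way the post describes the
// original: a [a-z] character class and no `i` flag. It is meant to refuse
// `protocol.allow` and `protocol.<scheme>.allow`, the keys that can switch on
// the `ext::` transport.
const DENY_CASE_SENSITIVE = /^protocol(\.[a-z]+)?\.allow=/;

// The one-character fix: the same pattern with the `i` flag.
const DENY_CASE_INSENSITIVE = /^protocol(\.[a-z]+)?\.allow=/i;

function regexGuardBlocks(configArg, pattern) {
  return pattern.test(configArg);
}

// Structural alternative: normalise the key the way Git compares keys.
// Git lowercases the section ("protocol") and the variable ("allow") but
// keeps a subsection (the middle part of section.subsection.variable) as
// written. Comparing on the normalised form removes the case question
// from the regex entirely.
function normaliseGitConfigKey(key) {
  const parts = key.split('.');
  if (parts.length < 2) return key.toLowerCase();
  const section = parts[0].toLowerCase();
  const variable = parts[parts.length - 1].toLowerCase();
  const subsection = parts.slice(1, -1).join('.');
  return subsection ? `${section}.${subsection}.${variable}` : `${section}.${variable}`;
}

function parsedGuardBlocks(configArg) {
  const eq = configArg.indexOf('=');
  const key = normaliseGitConfigKey(eq === -1 ? configArg : configArg.slice(0, eq));
  // Refuse any attempt to set protocol.allow or protocol.<anything>.allow,
  // whatever the value. Over-matching on the subsection (which Git treats
  // case-sensitively) is the safe direction for a deny-list.
  return key === 'protocol.allow' || /^protocol\..+\.allow$/.test(key);
}

// Constructed inputs (not from the post or the advisory): a few ways a caller
// might try to enable ext:: through a config override, plus one benign key.
const ATTEMPTS = [
  'protocol.allow=always',      // lowercase: every guard catches it
  'PROTOCOL.ALLOW=always',      // the bypass described in the post
  'protocol.ext.allow=always',  // scheme-specific, lowercase
  'Protocol.Ext.Allow=always',  // mixed case on section and variable
  'core.editor=vim',            // harmless, must not be blocked
];

function evaluateGuards(attempts = ATTEMPTS) {
  return attempts.map((arg) => ({
    arg,
    caseSensitive: regexGuardBlocks(arg, DENY_CASE_SENSITIVE),
    caseInsensitive: regexGuardBlocks(arg, DENY_CASE_INSENSITIVE),
    parsed: parsedGuardBlocks(arg),
  }));
}

console.table(evaluateGuards());
```

Run it with `node` and the row for `PROTOCOL.ALLOW=always` reads false under the case-sensitive regex and true under the other two columns; that one row is the whole vulnerability. The parsed variant is what to prefer in new code: it ties the check to Git's key semantics rather than to the exact spelling of a regex, so the next reviewer cannot reintroduce the gap by dropping a flag.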
Harshit retweeted
Deepinder Goyal (@deepigoyal)
Last one on this topic, and I have been holding this in myself for a while.

For centuries, class divides kept the labor of the poor invisible to the rich. Factory workers toiled behind walls, farmers in distant fields, domestic help in backrooms. The wealthy consumed the fruits of that labor without ever seeing the faces or the fatigue behind it. No direct encounter, no personal guilt.

The gig economy shattered that invisibility, at unprecedented scale. Suddenly, the poor aren't hidden away. They're at your doorstep: the delivery partner handing over your ₹1000+ biryani, late-night groceries, or quick-commerce essentials. You see them in the rain, heat, traffic, often on borrowed bikes, working 8–10 hours for earnings that give them sustenance. You see their exhaustion, their polite smile masking frustration with life in general.

This is the first time in history at this scale that the working class and consuming class interact face-to-face, transaction after transaction. And that discomfort with our own selves is why we are uncomfortable about the gig economy. We want these people to look our part, so that the guilt we feel while taking orders from them feels less.

We aren't just debating economics. We are confronting guilt. That ₹800 order might equal their entire day's earnings after fuel, bike rent, and app cuts. We tip awkwardly, or avoid eye contact, because the inequality is no longer abstract. It's personal.

Pre-gig era, the rich could enjoy luxury without moral discomfort. Labor was out of sight. Now, every doorbell ring is a reminder of systemic inequality. That's why debates explode. It's not just policy. It's emotional reckoning. Some defend the system ("they choose it"), others demand change ("this isn't progress, it's exploitation").

And here's the uncomfortable twist: the unsaid ask of clumsy 'solutions' isn't dignity. It is about returning to invisibility. Ban gig work and you don't solve inequality. You remove livelihoods.

These jobs don't magically reappear as formal, protected employment the next day. They disappear, or they get pushed back into the informal economy where there are even fewer protections and even less accountability. Over-regulate it until the model breaks, and you achieve the same outcome through paperwork instead of slogans: the work evaporates, prices rise, demand collapses, and the people we claim to protect are the first to lose income.

And then what happens? The rich get their old comfort back. Convenience returns without faces. Guilt dissolves. We go back to clean abstractions and moral posturing from a distance. The poor don't become safer, they become invisible again: back in cash economies, back in backrooms, back in shadows where regulation rarely reaches and dignity isn't even debated.

The gig economy just exposed the reality of inequality to the people who previously had the luxury of not seeing it. The doorbell is not the problem. The question is what we do after opening the door.

Visibility is the price of progress. We can either use this discomfort to build something better (which we keep doing continuously as delivery partners are our backbone), or we can ban and over-regulate our way back into ignorance. One of those choices improves lives. The other simply helps the consuming class feel virtuous in the dark.
Harshit retweeted
Amartya Jha (@amartya_jha_)
2025: shipped fast, broke limits, and partied harder. Goa with our APAC crew was unreal. Love this team ❤️
Harshit retweeted
Chinmay Bharti (@chhinna00)
Most insane CodeAnt demo I've done in a while @viditchess
Harshit retweeted
Amartya Jha (@amartya_jha_)
Just closed a $1B ARR global HR tech giant, in record time. But the bigger story? Every enterprise deal we’re in reveals the same truth: The code review market is undergoing a full reset. Here’s what’s changing 👇
Harshit retweeted
Amartya Jha (@amartya_jha_)
Launching long-term memory in @CodeAntAI One-time feedback → enforced in every future pull request.
Harshit retweeted
Chinmay Bharti (@chhinna00)
My CEO is away, so I'm taking over sales/marketing for a week. Drop some banger niche advice/suggestions that worked for you.
Harshit retweeted
Chinmay Bharti (@chhinna00)
Spent 8 hours writing CodeAnt AI's second technical blog ✍️. A deep dive into sandboxing for coding agents 📦 (link in comments)
Harshit retweeted
Amartya Jha (@amartya_jha_)
back at yc office hour after a long time. loved it.
Harshit retweeted
Piyush Garg (@piyushgarg_dev)
Hey everyone! The Diwali season is here 🪔 And I'm doing a Kaju Katli giveaway for all of you 🥳 (Winners will be chosen randomly!) ✨
Steps:
- DM me your full address 😁
- Reshare 🔄 this post so our Kaju Katli vibes reach everyone 🚀
Harshit retweeted
Amartya Jha (@amartya_jha_)
Q3 was the biggest quarter in @CodeAntAI's history! We grew 188% quarter over quarter, our fastest growth yet. Couldn’t be prouder of this cracked team for making it happen. 💙
Harshit retweeted
Chinmay Bharti (@chhinna00)
A few months back at CodeAnt, we moved from Traditional RAG to Agentic RAG. Here's why traditional RAG was fundamentally broken for codebase search 🧵
Harshit retweeted
Chinmay Bharti (@chhinna00)
We just migrated from Sonnet 4 to Sonnet 4.5. Here are the 4 reasons why 🧵