liam
92 posts
@liamcode
Building @withevideo | not building twitter following
Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.
Rage Baiting is for Losers Yesterday, YC announced Chad IDE aka “the brainrot code editor.” Chad is an AI code editor that allows you to gamble, watch TikTok, and use dating apps while working on coding tasks. Their launch rightfully got a lot of attention. On one hand it’s funny. On the other hand, what are we doing here and why does this belong on the official YC account? To understand Chad IDE, Cluely, Icon, Friend, and the new class of Gen Z startups, you have to understand the online environment these founders grew up in. If you grew up on the internet and studied how and why certain people would regularly go viral, you know that making people mad has and always will be a highly effective way to get attention. The feedback loop is simple: 1) make something (product or ad) that makes people angry; 2) people comment/ share/ dunk; 3) because feeds are optimized to show posts with high engagement the most, you get more reach. Rage baiting for commercial purposes was pioneered by course bros. People like Tai Lopez realized that making the masses mad was an effective way to drive course sales. They could flaunt Lamborghinis, make a bunch of people angry, and as long as a handful of people found their way into their course, it was a viable, repeatable strategy. Historically on X, rage baiting was a marketing strategy, not a product strategy. Accounts like @sweatystartup frequently post things to get an angry reaction and subsequent reach, but behind the scenes he's always been running a normal commercial real estate fund. In 2025, rage baiting has become a product strategy. Cluely started as an app for cheating on coding interviews. Chad IDE’s only known differentiation from the other hundred AI native IDEs is that you can gamble and swipe on dating apps in it. The rage bait is sitting at the product level now. It’s becoming clear that while rage bait might occasionally work as a marketing strategy, it really should not be employed as a product strategy. Running a successful VC-backed company requires you to build a coalition of people that want to see you win. Getting media, investors, talent, and customers on your side is not an easy task. Rage baiting (whether at the marketing level or product level) is the most effective way to get people (who could be potential investors, customers, or team members) to actively pray for your downfall. YC has long provided some of the most durable, high quality, generalizable advice for startups and I believe it has had a tremendously positive impact on the companies that go through YC and even those that don’t. Launch now, make something people want, do things that don’t scale, ignore your competitors, etc. As someone who believes that YC is one of the most important and influential institutions in tech, I believe it might be time to include this in their list of essential startup advice: “Rage baiting is for losers.”
