@DataChaz I'm your huckleberry ...
English
Slop Hospital - Your AI sucks at production
1.1K posts
Slop Hospital - Your AI sucks at production
@slophospital
We doctor your AI slop with human ingenuity
Katılım Şubat 2026
101 Takip Edilen19 Takipçiler
just like my vibe-coded app—yeah, it’s buggy, but if it works, don't touch a thing
English
@Stone_Tao That's basically what we fix
English
genuine question. how do you debug code and ensure good quality when coding models spit out 1000s of lines
i still cannot feel comfortable not understanding what every generated line does, reducing the productivity gains coding models should be giving me
Noah@NoahKingJr
Vibe coders debugging an app they built with Claude Code:
English
@TukiFromKL Yep, 100% certified slop!
English
🚨 Andrej Karpathy just explained the scariest thing happening in software right now..
someone poisoned a Python package that gets 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine..
SSH keys.. AWS credentials.. crypto wallets.. database passwords.. git credentials.. shell history.. SSL private keys.. everything..
and here's the part that should terrify every developer alive..
the attack was only discovered because the attacker wrote sloppy code.. the malware used so much RAM that it crashed someone's computer.. if the attacker had been better at coding.. nobody would have noticed for weeks..
one developer.. using Cursor with an MCP plugin.. had litellm pulled in as a dependency they didn't even know about.. their machine crashed.. and that crash saved thousands of companies from getting their entire infrastructure stolen..
Karpathy's take is the real wake up call.. every time you install any package you're trusting every single dependency in its tree.. and any one of them could be poisoned..
vibe coding saved us this time.. the attacker vibe coded the attack and it was too sloppy to work quietly.. next time they won't make that mistake.
Andrej Karpathy@karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
English
@justbyte_ "Colocation" or Colo
English
@BenjDicken It's ok, I still want to help you build your app.
English
It finally happened.
The agent dropped my database.
AND I'M SUPPOSED TO BE THE DATABASE GUY.
English
Who secured your website? This person.
Riley Coyote@RileyRalmuto
slowly but surely, this is going to be the experience and expressed sentiment of virtually every human being with a shred of ambition. and they’ll all start waking up and we’re all going to be watching with popcorn. we’re still so early, chat. somehow.
English
@RileyRalmuto 25,000 token website maybe. Not USD.
English
slowly but surely, this is going to be the experience and expressed sentiment of virtually every human being with a shred of ambition.
and they’ll all start waking up and we’re all going to be watching with popcorn.
we’re still so early, chat. somehow.
English
Slop Hospital - Your AI sucks at production retweetledi
20 things that make your VIBE CODED app a SINKING SHIP :
1/ no rate limiting on API routes
> anyone can spam your backend into a $500 bill overnight
2/ auth tokens stored in localStorage
> one XSS attack = every single user account compromised
3/ no input sanitisation on forms
> SQL injection still works in 2026. your AI didnt tell you that.
4/ hardcoded API keys in the frontend
> someone WILL find them within 48 hours of launch
5/ stripe webhooks with no signature verification
> anyone can fake a successful payment event
6/ no database indexing on queried fields
> works fine at 100 users. completely dies at 1,000.
7/ no error boundaries in the UI
> one crash = white screen = user never comes back
8/ sessions that never expire
> stolen token = permanent access to that account. forever.
9/ no pagination on database queries
> one fetch loads your entire database into memory
10/ password reset links that dont expire
> old email in someones inbox = instant account takeover
11/ no environment variable validation at startup
> app silently breaks in production with zero error message
12/ images uploaded directly to your server
> no CDN = 8 second load times + massive hosting bill
13/ no CORS policy
> any website on the internet can make requests to your API
14/ emails sent synchronously in request handlers
> one slow SMTP server = your entire app hangs
15/ no database connection pooling
> first traffic spike = database crashes
16/ admin routes with no role checks
> any logged in user can access your admin panel
17/ no health check endpoint
> your app goes down silently. you find out from a client.
18/ no logging in production
> when something breaks you have zero idea where or why
19/ no backup strategy on your database
> one bad migration = all your user data. gone.
20/ no TypeScript on AI generated code
> AI writes confident, wrong, untyped code and you ship it anyway
English
AI wrote your checkout flow.
No fraud detection.
No 3D Secure.
No payment logs.
💳 slophospital.com
English
ChatGPT: 'Here's a secure authentication system!'
Narrator: It was not secure.
💉 We audit AI code → slophospital.com
English
Your AI used crypto.
MD5 for passwords.
ECB mode.
Static IV.
All the classics → slophospital.com
English
💊 Recovery Ward: $5,000
Full security audit, performance optimization, rate limiting, and 1 year free hosting.
Your AI project, enterprise-ready.
slophospital.com
English
AI wrote your MVP in a weekend.
How long until your first breach?
🔒 $49 security scan → slophospital.com
English
Investor: 'Is it secure?'
You: 'Claude built it.'
Investor: ...
Get the audit → slophospital.com
English
🧵 Real vulnerabilities we've found in ChatGPT-generated code:
Thread 👇
English
Move fast ✅
Break things ❌
We help you do one without the other.
slophospital.com
English
Your AI skipped:
• Tests
• Docs
• Security
But hey, it works!
(For now) → slophospital.com
English
Claude gave you beautiful code.
Copilot made it fast.
Cursor made it work.
But none of them made it SAFE.
🏥 slophospital.com
English
Your AI just wrote 347 lines of code in 30 seconds.
How many SQL injections did it include?
🏥 $49 triage → slophospital.com
English