Anthony Accioly @Anthony Accioly - 5d
GM folks. I know that when I post this kind of content here on Nostr, I usually get crickets at best, occasionally some DMs ("Oh, you're so aggressive and bursting my cool Nostr vibes!"... Yes, I know. That’s the point.) Sometimes I even piss someone off so much that I get my relays DDoSed and a crew of annoying bots sent my way. But here it is regardless.

https://youtu.be/CqKZhYsjw6M

Weekend warriors vibecoding stuff, installing random extensions, random npm packages (yes, 99.9% chance you’re using JavaScript or TypeScript), plugging in random AI models that can easily be injected, and running random MCP tooling bootstrapped by random templates... I really hope you’re not getting these tools anywhere near wallets holding more than 1k sats. I hope you're not running the tools near your nodes. And I really, really hope you’re not releasing software that could act as an infection vector for others without a review of both the codebase and its dependencies.

To clarify what I mean by "nowhere near your wallets and nodes": If you’re going to play with this kind of tooling, I hope you're doing it inside an ephemeral private VM, on a private VLAN, with zero access to your infrastructure, even if the tool manages to escape its sandbox. If none of that makes sense to you… then please, just don’t use the tooling until you understand how to do it safely.

Tool popularity can be faked. Marketplace reviews aren't perfect. Your favourite influencer with a cool catchphrase is, 9 times out of 10, a paid corporate shill with anything but your best interests in mind (or even worse, a dimwit trying to make a living mimicking the corporate shills). That "trustworthy" dev you’ve never met, the one that has strong opinions about things you don’t understand, and credentials built on releasing (or not releasing) software that’s barely used by anyone. None of that will protect you from the script kiddies coming for your Bitcoin.

And trust me: there are many, many, many people making a living out of this. To them, you’re the equivalent of a 60-year-old grandma falling for a phone scam. You're a prime target, and they’re making a killing off it. I'm not even that into crypto or BTC myself, but I care more about you not being scammed than all of the above people combined. This is why I'm so "unpleasant". Please, keep your hard-earned crypto safe.

PS: I'm not telling you not to learn. On the contrary, I'm telling you to learn.

#Nostr #CyberSecurity #OpSec #CryptoSafety #BTC #PlebTech #CurmudgeonRant
Yes. And don't run nodes if you don't know what you are doing. And don't be an easy "self sovereign dimwit target" for market people and scammers alike. And don't expose anything that you don't understand to the Internet. Thanks for coming to my TED Talk.
💯. Installing Cursor and a random Solidity plugin anywhere near 500k in crypto is just dumb (assuming this is even true). But to be fair, the BTC ecosystem isn’t really any more immune to this kind of thing than Ethereum. I forgot to mention: LinkedIn is also prime ground for stealing crypto from naive devs. And the infection vector is almost always JavaScript-related, not because a JS dependency is inherently less safe than, say, a JAR file or something installed via Go or Cargo. It's just that you're exponentially more likely to find a hot wallet lying around on a typical JS full-stack soydev MacBook than on the usual Linux neckbeard’s 13-year-old Lenovo or on your finance bro’s corporate-locked hardware that can't do anything beyond connecting to a VDI that is constantly monitored by at least 20 different people at all times (And yes, I'm stereotyping hard today 🤣) https://github.com/rubenmarcus/malicious-repositories
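One concrete piece of the "review the dependencies" advice from the original post (and the JS-as-infection-vector point above): npm will run a package's preinstall/install/postinstall scripts automatically at install time, so listing which dependencies declare such hooks is a cheap first triage step. The script below is an added example, not code from the thread or from the linked repository; the package names and manifests it builds are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle scripts that npm executes automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Walk a node_modules tree (nested node_modules included) and return
    {package_name: {hook: command}} for every package.json that declares
    an install-time lifecycle script."""
    findings = {}
    for pkg_json in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # malformed manifest: npm could not run scripts from it either
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name") or str(pkg_json.parent)] = hooks
    return findings


def build_sample_tree():
    """Constructed sample node_modules: one package with no scripts at all and
    one that runs code at install time. Names are made up for the example."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    (root / "quiet-helper").mkdir(parents=True)
    (root / "quiet-helper" / "package.json").write_text(
        json.dumps({"name": "quiet-helper", "version": "1.0.0"}))
    (root / "totally-fine-utils").mkdir()
    (root / "totally-fine-utils" / "package.json").write_text(json.dumps({
        "name": "totally-fine-utils", "version": "0.0.1",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"}}))
    return root


if __name__ == "__main__":
    # Point find_install_hooks at a real ./node_modules to audit an actual project.
    for name, hooks in find_install_hooks(build_sample_tree()).items():
        print(name)
        for hook, cmd in hooks.items():
            print(f"  {hook}: {cmd}")
```

A package showing up here is not proof of anything malicious, only that it gets to execute code during `npm install`; installing with `npm install --ignore-scripts` and reviewing the flagged packages before enabling them is the conservative default.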