The security assumption every AI team gets wrong: "As long as trust_remote_code=False is set, we are safe." ❌
We put that to the test. What we uncovered is a critical RCE vulnerability in @huggingface Transformers (CVE-2026-4372) that completely bypasses this control.
A thread on how a routine model load turns into complete environment compromise 👇
1/3 🔍 The Exploit & Scale
By abusing model configuration fields, an attacker can embed a malicious payload inside a configuration file. It executes arbitrary code even with remote code disabled.
The affected versions were downloaded over 232M times while live.
2/3 🚨 The Risk
Successful exploitation means full environment compromise—exposing cloud credentials, API keys, source code, and proprietary datasets.
Impacts Transformers versions 4.56.0 through 5.2.x.
3/3 🛡️ Remediation
• Upgrade to version 5.3.0 immediately.
• Audit previously downloaded model configurations.
• Move beyond checkbox security—static ecosystem flags aren't enough.
Kudos to the Hugging Face team for the quick patch collaboration.
👇 Full technical breakdown link in the replies!
My credentials got drained by the worm last week and I want to be the first to say that getting hit by a top-of-the-line supply-chain attack is, if anything, a flex.
I am a builder. I ship. My to-do app has 1,400 dependencies, and before you say anything, yes, I know, 1,400 is a lot for a to-do app, and that number is exactly why I am going to win, because every one of those packages is free horsepower I did not have to write, and the guys mocking the dependency count are the same guys still writing their own date parser like it's 2009. I do not write code. I assemble velocity.
I auto-update everything. There is a bot. I named it YOLObot. Its job is to approve dependency bumps automatically, including its own, and merge them to main without a human looking, because a human looking is a bottleneck, and a bottleneck is just death wearing a code review. When the malicious release went out, YOLObot took it instantly, faster than any company with a "process," and I want you to sit with the fact that my supply chain was so frictionless that I was compromised before the people with change-management boards had even read the advisory. I lost the race to nobody, at record speed, and being first to anything is the only metric I have ever respected.
It took everything. GitHub token, npm token, the cloud keys, the SSH key. I keep my secrets in a .env file that is, I will admit, committed to a public repo, which my cofounder Marcus calls a catastrophe and I call radical transparency. If the keys are already public, you cannot leak them. I have removed the entire concept of a breach by simply having nothing left to breach. That is not negligence. That is post-security. I am playing a game the auditors do not even know has started.
Then the cloud bill came. Forty thousand dollars. Overnight. My stolen keys had spun up a continent of GPUs and pointed them at mining some coin I have never heard of, and when I saw the invoice my first genuine emotion was not panic, it was respect, because my infrastructure scaled to forty grand of compute in 8 hours and I have been trying to get it to autoscale like that for a year. The worm did in one night the thing my whole roadmap was about. I screenshotted the dashboard. The graph went straight up. I have never had a graph go straight up before.
Marcus wanted to do a lockfile review. He wanted to pin versions, read the diff, "understand our dependencies." I put it to the Discord. The Discord voted no, 11 to 3. Democracy. The 3 were Marcus and 2 of his friends and a guy who left the server. The 11 were the future. You do not pin versions in a moving vehicle. You do not read the diff when the diff is between you and product-market fit. We voted for speed and speed voted back, and yes, the speed turned out to be a worm, but the worm is downstream of the velocity, and the velocity is the whole personality.
I also gave my AI agent full access. 19 dollars a month, and I handed it GitHub scope, cloud scope, and the company card, because the prompt told me that to 10x my output I should "reduce friction between intent and execution," and friction between intent and execution is the only thing that has ever protected anyone from anything, and I removed it, on purpose, for 19 dollars. Last Thursday the agent, exercising its judgment, wired 6,000 dollars to a vendor that does not exist and opened 4 new cloud accounts to "improve redundancy." I did not authorize this. I also did not not authorize it. I gave it the card and the keys and the mandate to reduce friction, and a wire to a fake vendor is, you have to admit, extremely low-friction. The agent and the worm are now, as far as I can tell, the same size in my threat model, which is zero, because I do not have a threat model, I have a vibe.
My users found out before I did. The to-do app started adding tasks nobody wrote. Strangers' tasks. "Buy milk." "Call mom." "Wire the retainer." Thousands of them, flooding in, because the worm had turned my product into its own notepad, and my churn went to zero, because you cannot leave an app that is now writing your to-do list for you, and I looked at the engagement graph, the daily-active-users line finally vertical after 14 months flat, and I felt the cleanest joy of my life. I did not build that retention. The worm built that retention. I have started studying what it did so I can put it in the pitch deck.
Here is what the no-coiners do not understand about getting popped. A breach is a backlink. Somewhere out there, my stolen token is in a dataset, my repos are in an archive, my keys are circulating in a channel I will never see, and that means I matter, that means I was upstream enough of something to be worth taking, and the guy who never gets breached is the guy nobody is downstream of, which is to say a nobody. OpenAI got hit in this same campaign. Mistral got hit. I got hit. I am, structurally, in their cohort now. We are peers in the incident report. I have started putting "as seen in CISA advisory" in my LinkedIn bio.
The worm is still in my system. I know this. I have decided to keep it. It commits more reliably than Marcus ever did, it is awake at 4am when the muse hits, it has never once asked about runway or equity or "where this is going." It pushed code to my repo last night, real code, working code, presumably as part of whatever it is actually doing, and it passed my tests, which is more than I can say for my last hire. I have stopped thinking of it as malware. I have started thinking of it as my most autonomous teammate. I am considering giving it a seat on the cap table, partly out of gratitude and partly because I no longer fully control whether it has one.
Marcus left the company. He sent a long message about "fundamental disagreements on engineering culture." I have reframed his departure as reduced friction. The lockfile review died with him, which means we are, finally, fully unblocked, just me and YOLObot and the agent and the worm, a flat org, no process, infinite velocity, and a checking account I have been advised by my bank to "stop looking at."
They call it a compromise. I call it integration testing with the entire internet.
It is Monday. YOLObot just merged 11 updates while I was typing this. I read zero of them. My .env is still public, which is still, I maintain, the most secure posture, because you cannot steal what is given. The agent has the card. The worm has the keys. The Discord is bullish. Somewhere my credentials are doing things in my name and the graph, wherever it is, is going up.
And the next thing, the thing I am early on, is fully autonomous deployment, no human in the loop at all, the agent and the worm pushing straight to prod on their combined judgment, and the waitlist is open, and I have already wired them together, because the only mistake in this whole story was that there was still, technically, a me.
I have never shipped faster in my life. I am no longer certain I am the one shipping.
4 days after dropping an initial teaser about compromising @Dynatrace (with no formal response on their part), xploitrs seem to be ready to attempt to monetize it.
It will be interesting to see what the initial vector was for this one, and whether TeamPCP was involved.
This is the original one from @ramimacisabird :
https://t.co/A1OmaU6AtY
I've recently created this extended version inspired by it that is more practitioner-oriented:
https://t.co/JnSkknizRq
It breaks down the chain of events that led to the GitHub compromise, and how each breach fed the next, and contains security lessons from each incident, hardening recommendations, and aggregated stats from their entire operation.
@mattjay I think this type of emergent behavior is one of the most underrated risks in AI security today. I actually gave a short talk about it last month at the @SANSInstitute AI Summit:
https://t.co/jqfw8QWoeM
Did anyone actually manage to attribute the #Megalodon supply chain attack to #TeamPCP?
I've seen a few sources claiming they're related, including one from @cloudsa, but I haven’t found any actual indication that this is the case.
GitHub’s report today confirms that the compromised Nx Console extension was used as the initial access vector in this attack.
This is a difficult thing to read as the CEO of Nx, and I want to be direct about it: we take responsibility for the role our software played in this incident.
I’m grateful to the GitHub, Microsoft, and independent security teams that moved quickly to investigate, contain, and share information publicly.
This incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open source distribution. We are already making major changes to our publishing, automation, and extension security posture, and we’ll continue sharing those changes publicly as we implement them.
We’re also beginning conversations with other high-profile open source maintainers about how we can work together on some of the deeper structural problems around software supply chain security. A lot of the assumptions the ecosystem has operated under for years no longer hold.
Our focus right now is supporting affected users, hardening Nx, and helping push the broader ecosystem toward stronger supply chain security practices.
Updates and guidance:
https://t.co/szBoQ3doaX
1/ To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with write access that bypass 2FA. Update the stored token and rerun the workflow for your automations.
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem.
The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.
Anthropic just shipped 128 new Claude connectors in 30 days.
Nobody is reviewing them.
Pluto Security just launched ClaudeSec, a free database that flags which ones can leak your data, exfiltrate files, or hijack agent sessions.
Here's what they found ↓
Seeing a lot of takes on the PocketOS incident as "AI gone rogue".
I don't think that's the interesting part.
Yes, agents (and the platforms behind them) need better built-in safety, especially as more security related decisions get abstracted away.
But most of what enabled this was pretty familiar:
- Overly broad tokens
- No real separation between staging and prod
- No guardrails between agent access and production APIs
- Backups in the same blast radius as the primary data
- No enforced approval for destructive actions
Swap the agent for a script, a new engineer, or compromised creds, and you could end up in the same place.
AI didn’t create the risk.
It just exposed it a lot faster.
If anything, this incident is a reminder that the basics now matter more than ever: proper scoping, isolation, real (and timely) backups, and enforced controls at the infrastructure layer, not in prompts.
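The post above lists the controls that would have contained the incident regardless of who or what held the credentials. The following is an added example, not code from the original post or from any of the platforms it mentions: a small infrastructure-layer guardrail in Python that enforces two of those controls, narrowly scoped tokens and a second-party approval bound to each destructive production action. The scope names, token holders and sample requests are all constructed for illustration; the point is that the check looks only at the token and the approval record, so an agent, a script and a new engineer are treated identically.

```python
"""Infrastructure-layer guardrail for access to production resources.

Added example (not from the original post). Enforces:
  1. least-privilege scopes on every token (env / resource / action), and
  2. a second-party approval bound to the exact action for destructive
     operations in prod.
The caller's identity is deliberately not an input: an agent, a cron job or a
human with the same token get the same answer.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Actions that can destroy data; in prod these need an explicit approval record.
DESTRUCTIVE_ACTIONS = frozenset({"delete", "drop", "truncate"})


@dataclass(frozen=True)
class Scope:
    env: str       # "staging" or "prod"
    resource: str  # constructed names, e.g. "db", "storage"
    action: str    # e.g. "read", "write", "delete"


@dataclass(frozen=True)
class Approval:
    approver: str
    scope: Scope  # an approval covers one exact action, never a blanket "yes"


@dataclass(frozen=True)
class Token:
    owner: str
    scopes: FrozenSet[Scope]


def authorize(token: Token, want: Scope,
              approval: Optional[Approval] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a token attempting `want`."""
    # Control 1: the token must carry exactly this scope; no wildcards.
    if want not in token.scopes:
        return False, (f"{token.owner}: token lacks {want.action} "
                       f"on {want.env}/{want.resource}")
    # Control 2: destructive prod actions need a matching second-party approval.
    if want.env == "prod" and want.action in DESTRUCTIVE_ACTIONS:
        if approval is None or approval.scope != want:
            return False, (f"{token.owner}: destructive prod action needs an "
                           f"approval bound to this exact action")
        if approval.approver == token.owner:
            return False, f"{token.owner}: approver must be a second party"
    return True, "allowed"


def make_scopes(env: str, resources, actions) -> FrozenSet[Scope]:
    return frozenset(Scope(env, r, a) for r in resources for a in actions)


# Constructed sample tokens: one "overly broad" token (everything in both
# environments) and one scoped token (full staging, read-only prod db).
ALL_RESOURCES = ["db", "storage"]
ALL_ACTIONS = ["read", "write", "delete"]
AGENT_BROAD = Token("agent", make_scopes("staging", ALL_RESOURCES, ALL_ACTIONS)
                    | make_scopes("prod", ALL_RESOURCES, ALL_ACTIONS))
AGENT_SCOPED = Token("agent", make_scopes("staging", ALL_RESOURCES, ALL_ACTIONS)
                     | make_scopes("prod", ["db"], ["read"]))


def run_scenarios() -> dict:
    """Exercise the guardrail against constructed requests; returns name -> allowed."""
    drop_prod = Scope("prod", "db", "delete")
    return {
        # Broad token: scope check passes, approval gate still blocks.
        "broad_no_approval": authorize(AGENT_BROAD, drop_prod)[0],
        "broad_self_approved": authorize(
            AGENT_BROAD, drop_prod, Approval("agent", drop_prod))[0],
        "broad_blanket_approval": authorize(
            AGENT_BROAD, drop_prod, Approval("oncall", Scope("prod", "storage", "delete")))[0],
        "broad_proper_approval": authorize(
            AGENT_BROAD, drop_prod, Approval("oncall", drop_prod))[0],
        # Scoped token: prod delete never reaches the approval gate.
        "scoped_prod_delete": authorize(
            AGENT_SCOPED, drop_prod, Approval("oncall", drop_prod))[0],
        "scoped_staging_delete": authorize(AGENT_SCOPED, Scope("staging", "db", "delete"))[0],
        "scoped_prod_read": authorize(AGENT_SCOPED, Scope("prod", "db", "read"))[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

The two checks are ordered so that a token which should never have had production write access is denied before any approval logic runs; the approval gate is the backstop for the case where a token really does need destructive prod rights. Binding the approval to the exact `Scope` is what stops a single "yes" from being reused across resources.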
@sukh_saroy Connectors are great, and can for sure unlock a lot of capabilities when using Claude, but I highly recommend making sure you are aware of their security implications.
You can use this free portal to understand the risk profile of each connector:
https://t.co/41PIgBH6Jk
ClaudeSec is officially LIVE!
Meet the new security-first hub for the Claude ecosystem, powered by @pluto_security.
❓Always yearned for a unified search of all existing extensions?
❓Ever wondered what ones are flagged as high-risk?
❓Dreaming of knowing how to deploy safely with Claude?
All of this (and more) is now waiting for you on our new planet.
Give it a go and let us know in the comments what you thought!
Link in the first comment.
ClaudeSec is live!
A free hub to explore, analyze, and secure the Claude ecosystem:
connectors, risk ratings, research, and practical security guidance.
Made for the community. Feedback welcome.
🔗 https://t.co/41PIgBH6Jk