Posted by miniBill 19 hours ago

Incident Report: CVE-2024-YIKES(nesbitt.io)
566 points | 145 comments
f4c39012 15 hours ago
'The changelog reads “performance improvements.”' was the truest part for me. Surely what we're releasing is the most fundamental thing to understand, yet almost every single app update I see is this or something jokey that really means "don't know" or "don't care".
danielfalbo 18 hours ago
Absolutely hilarious, made me laugh a lot. Thank you for writing this, whether human or AI.
baq 3 hours ago
My sides.

The Kubernetes reveal had me literally in tears.

mrinterweb 9 hours ago
left-justify !! LOL. History really does repeat itself. Remember the left-pad supply chain security panic?
bakugo 15 hours ago
> Day 1, 03:14 UTC — Marcus Chen, maintainer of left-justify

The dreaded Marcus Chen strikes again.

https://www.reddit.com/r/ClaudeAI/comments/1o3b4q2/just_rece...

https://news.ycombinator.com/item?id=47153675

TZubiri 17 hours ago
This would have been completely avoided if you were using bun dependency vector locking in Nix.
MarsIronPI 9 hours ago
That way instead of getting the vulnerabilities now, you get them later! The joys of computing!
danilocesar 18 hours ago
This week has been tough. Is it the beginning of CVEgeddon?
worthless-trash 7 hours ago
Not a valid CVE number.
bklosky 16 hours ago
According to Pangram, this is likely AI-generated; surprised that no one has pointed this out.
furyofantares 16 hours ago
Not a chance. Far too funny, too well written, too terse while being densely packed with wit. I see zero signs of it being LLM-generated and lots of stuff LLMs have no way of doing.

If I am somehow wrong I would salivate at a chance to see the input.

bakugo 15 hours ago
You don't even need to read past the first timeline entry. The name "Marcus Chen" is literally a meme within AI creative writing circles due to how often Claude defaults to that exact name when naming fictional characters.
MarsIronPI 9 hours ago
Probably being used to enhance the humor, intentionally.
peyton 15 hours ago
The author suddenly began writing a post per day around November 2025. They’re all tongue-in-cheek. I believe you are wrong.
furyofantares 15 hours ago
Huh, neat. I will take a look at those.

And actually I see it clearly now, it has a bunch of signs I have called out multiple times myself. (It is entirely made out of lists of various types, and never states an opinion.)

Just my ego getting hold of me because I didn't realize it on my own.

ninjalanternshk 3 hours ago
I’m also struggling with this being AI. The blog owner is a real person who’s made significant contributions to the community for years. His post timeline is organic - the Wayback Machine confirms they were published on the dates they show. So it’s definitely not a bot running the blog.

Whether (or to what extent) he uses AI to generate the content he posts is a valid question.

I agree with your earlier reasoning that this is far more clever than anything I’ve seen AI produce yet. Lots of AI humor is dad-joke level at best. If it is AI then he’s trained it on a hand-curated collection of top-shelf satire.

scared_together 7 hours ago
I never used Pangram before today, but since I've seen it mentioned many times on HN and I enjoyed reading the OP, I decided to try it. I am only using the free plan so let me know if I'm missing something. I am assuming the parent was referring to the tool hosted at pangram.com and not some other tool of the same name.

Pangram indeed claims the OP is 76% AI-generated. It has "high confidence" (EDIT: some parts are "medium confidence") that the early portions of the text were created by AI, and "medium confidence" that some of the later portions were written by a human. EDIT: I was especially dismayed to see that the dog might have been an AI creation :(

When I use the "supporting evidence" option, the main piece of evidence Pangram provides is the frequent use of em-dashes. Each timestamp is followed by an em-dash. Personally I think the em-dashes could be a copy-pasted em-dash or inserted by a Markdown-to-HTML converter. nesbitt.io is apparently using Jekyll [0] - any Jekyll users know anything about this??

Pangram's "supporting evidence" feature also considers → and € to be "unusual Unicode".

Personally, to me it looks like the "supporting evidence" feature still needs some work because Pangram's AI detection is probably a lot more sophisticated than a grep for Unicode symbols. In fact the feature even has a notice claiming that "These patterns aren't used to determine our AI score; they help you see why AI text often reads differently."

As for the rest of the OP's content, it would be interesting to compare the Pangram results to a timeline of a real vulnerability. I tried doing so, but exhausted my free "Pangram credits" - apparently the first 1000 words of this article [1] about the log4j vulnerability are considered 100% human.

[0] https://github.com/andrew/nesbitt.io

[1] https://www.csoonline.com/article/571797/the-apache-log4j-vu...

somebudyelse 17 hours ago
Too soon