Hacker stories

Five real breaches. Each started with a single line of code.

These are public, well-documented incidents. The takeaway isn't that the engineers were careless — it's that the bug that broke them is the same bug your AI tools write every day. Below: the breach, the cost, and which VybeSafe rule would have caught it before commit.

An AWS access key was committed to a private GitHub repo. It cost Uber $148 million.

Engineers committed an AWS access key into a GitHub repository they thought was private. Attackers found the key (a former Uber employee maintained access), used it to log into Uber's S3 buckets, and exfiltrated personal data on 57 million riders and drivers.

Records leaked: 57,000,000
FTC settlement: $148M (2018)
Hush money paid: $100k
Disclosure delay: ~13 months
The bug, in code

An AWS key, hardcoded into a config file

// committed into a GitHub repo
const AWS_ACCESS_KEY = "AKIAXXXXXXXXXXXXXXXX";
const AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEX";

Cursor, Claude, and Copilot all suggest hardcoded keys at least once a session — usually as a "temporary placeholder while we wire up env vars." The placeholder rarely gets replaced.

VybeSafe would catch this

Critical · 99% confidence. Pattern AKIA[0-9A-Z]{16} matches the AWS access key format. We refuse to let it commit.

Rule: secrets.aws-access-key

A subcontractor pushed source code to GitHub. The credentials sat there for nearly five years.

A development partner published source code for Toyota's T-Connect customer site to a public GitHub repository in December 2017. The code contained an access key for the data server holding customer email addresses. It went undetected until September 2022.

Customers exposed: ~296,000
Time exposed: 4 yr 9 mo
Discovery: Sep 2022
Notification: Oct 7, 2022
The bug, in code

A real key in a file that wasn't gitignored

// app/config/database.config.ts — pushed to public GitHub
export const dbConfig = {
  host: "tconnect-db.toyota.internal",
  accessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
};

# .gitignore (missing)
# (this file did not exclude app/config/database.config.ts)

Two failures here: the secret was hardcoded, and the file holding it was tracked by git. Avoiding either one would have prevented this. Both happen in AI-assisted projects daily.

VybeSafe would catch this

Critical. Token-pattern match on the JWT-shaped string, plus a separate Critical for missing .gitignore entries on files with high secret entropy.

Rules: secrets.jwt-token · git.secret-not-ignored
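The AWS-key and JWT checks from the Uber and Toyota sections, implemented as a small line scanner (an added example, not VybeSafe's code): it applies the page's AKIA[0-9A-Z]{16} pattern, a JWT-header prefix match, and a Shannon-entropy fallback for long string literals. The AWS and JWT rule names are the page's; secrets.high-entropy-string and its 4.0-bit threshold are assumptions, the sample credentials are AWS's published documentation example values, and the .gitignore check is not covered here.

```javascript
// Added example, not VybeSafe's code. Rule names for AWS keys and JWTs come from
// the page; "secrets.high-entropy-string" and its 4.0 bits/char threshold are assumed.
const RULES = [
  // AWS access key IDs: "AKIA" followed by exactly 16 uppercase letters or digits.
  { rule: "secrets.aws-access-key", test: (l) => /AKIA[0-9A-Z]{16}/.test(l) },
  // base64url('{"') is "eyJ", so a long base64url run starting with it looks like a JWT header.
  { rule: "secrets.jwt-token", test: (l) => /\beyJ[A-Za-z0-9_-]{16,}/.test(l) },
  // Fallback for secrets with no fixed shape: a quoted literal of 20+ chars with high entropy.
  { rule: "secrets.high-entropy-string",
    test: (l) => stringLiterals(l).some((s) => s.length >= 20 && shannonEntropy(s) > 4.0) },
];

// Shannon entropy in bits per character: 0 for "aaaa", 1 for "ab", about 4.66 for the
// 40-character AWS example secret below, about 3.56 for a hostname like the one below.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Contents of every "...", '...' or `...` literal on a line.
function stringLiterals(line) {
  return [...line.matchAll(/["'`]([^"'`]+)["'`]/g)].map((m) => m[1]);
}

// First matching rule wins per line; returns [{ line, rule }] like a scanner report.
function scanForSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const hit = RULES.find((r) => r.test(line));
    if (hit) findings.push({ line: i + 1, rule: hit.rule });
  });
  return findings;
}

// Constructed sample mirroring the two snippets above. The credentials are AWS's
// published documentation example values, not real keys.
const SAMPLE = [
  'const AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'const AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  '  host: "tconnect-db.toyota.internal",',
  '  accessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."',
].join("\n");

console.log(scanForSecrets(SAMPLE));
// → lines 1, 2 and 4 flagged: aws-access-key, high-entropy-string, jwt-token
```

The hostname on line 3 passes because its entropy stays under the threshold even though it is longer than 20 characters; tune the threshold against your own false-positive rate before gating commits on it.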

One Server-Side Request Forgery. 100 million records. $80 million regulatory fine.

A misconfigured web application firewall was tricked into making a request to AWS's instance metadata endpoint (169.254.169.254). The response handed the attacker temporary credentials for an IAM role with read access to S3. The result: personal data on 100M+ applicants for Capital One credit cards, including 140,000 Social Security numbers.

Records leaked: ~106,000,000
SSNs exposed: ~140,000
OCC fine: $80M
Class settlement: $190M
The bug, in code

An HTTP fetch with an attacker-supplied URL

// AI-written: "let users preview an external URL"
app.get("/preview", async (req, res) => {
  const target = req.query.url;
  const r = await fetch(target);   // ← SSRF
  res.send(await r.text());
});

The exact pattern AI tools love: a "flexible" endpoint that accepts a URL and fetches it. Without an allowlist of permitted hosts, the server can be aimed at localhost, cloud metadata endpoints, or internal services.

VybeSafe would catch this

High. Any fetch() / axios / requests.get where the URL is untrusted user input without an allowlist check trips the SSRF rule.

Rule: injection.ssrf-user-url

One Apache Struts CVE went unpatched for two months. 147 million records leaked.

CVE-2017-5638 — a remote code execution bug in Apache Struts — was disclosed in March 2017 with a patch available the same week. Equifax's customer dispute portal kept running the vulnerable version. Attackers exploited it that May, sat in the network for 76 days, and walked out with 147 million records.

Records leaked: ~147,000,000
Settlement: ~$700M
Patch available: 2 months prior
Time inside: 76 days
The bug, in code

A pinned, vulnerable dependency in the manifest

<!-- pom.xml — production -->
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.10</version>  <!-- CVE-2017-5638: RCE -->
</dependency>

In a vibe-coded JS project today, the same pattern shows up as a stale "lodash": "4.17.20" or an old express in package.json. Auto-generated lockfiles compound it.

VybeSafe would catch this

Critical. Dependency manifest is cross-checked against the public CVE database on every scan. Vulnerable versions surface with reachability analysis — i.e. whether your code actually calls the affected function.

Rule: deps.cve-vulnerable
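A version-range check of the kind the deps.cve-vulnerable rule performs, as an added example (not VybeSafe's code). The advisory records are constructed for the example: the Struts entry uses the CVE from this page with affected and fixed versions taken from the Apache advisory for it (verify against the advisory before relying on them), and the lodash entry carries a placeholder id. Reachability analysis is not shown.

```javascript
// Compare dotted numeric versions: "2.5.10.1" > "2.5.10" (missing components count as 0).
// Pre-release suffixes such as "-beta" are ignored, which suffices for the versions here.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Affected if the version lies in any half-open [introduced, fixed) range of the advisory.
function isAffected(version, advisory) {
  return advisory.ranges.some(({ introduced, fixed }) =>
    compareVersions(version, introduced) >= 0 &&
    (fixed === null || compareVersions(version, fixed) < 0));
}

// resolved maps package -> the exact version from the lockfile. Check the lockfile, not
// the "^4.17.20"-style range in package.json: only the resolved version actually runs.
function findVulnerableDeps(resolved, advisories) {
  const hits = [];
  for (const adv of advisories) {
    const version = resolved[adv.package];
    if (version !== undefined && isAffected(version, adv)) {
      hits.push({ package: adv.package, version, id: adv.id, fixedIn: adv.ranges.map((r) => r.fixed) });
    }
  }
  return hits;
}

// Constructed advisory data for the example. The Struts ranges follow the Apache advisory
// for CVE-2017-5638; the lodash record is a placeholder, not a real advisory id.
const ADVISORIES = [
  { id: "CVE-2017-5638", package: "org.apache.struts:struts2-core",
    ranges: [{ introduced: "2.3.5", fixed: "2.3.32" }, { introduced: "2.5", fixed: "2.5.10.1" }] },
  { id: "ADVISORY-PLACEHOLDER", package: "lodash",
    ranges: [{ introduced: "0", fixed: "4.17.21" }] },
];

// Constructed lockfile view: the pom.xml above plus the stale lodash pin from the text.
const RESOLVED = { "org.apache.struts:struts2-core": "2.5.10", lodash: "4.17.20" };

console.log(findVulnerableDeps(RESOLVED, ADVISORIES));
// → both entries flagged; resolving to 2.5.10.1 and 4.17.21 clears them
```

A real scanner feeds this from a full advisory database (OSV, GitHub Advisories, NVD) and then asks the reachability question the text mentions: whether the vulnerable function is actually on a code path you call.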

An attacker quietly modified a CI uploader script. Hundreds of customers leaked their secrets.

Attackers compromised Codecov's Bash Uploader script — the one customers piped into their CI pipelines with the classic curl ... | bash pattern. The modified script silently exfiltrated environment variables (which contain almost every API key and DB password an org has) for two months before discovery. HashiCorp, Confluent, and Twilio were among the affected.

Time undetected: ~2 months
Customers: 29,000+ orgs
Disclosed: Apr 15, 2021
Method: curl | bash
The bug, in code

Piping a remote script straight into a shell

# in a GitHub Actions workflow
- name: Upload coverage
  run: curl -s https://codecov.io/bash | bash

curl | bash trusts the upstream completely, every time you run it. If the upstream is ever compromised, every CI run leaks every env var you have. AI agents reach for this pattern reflexively because it's "the documented install command."

VybeSafe would catch this

High. Any curl ... | bash, iex (irm ...), or wget ... | sh in a CI config or shell script is flagged with the "untrusted remote execution" rule.

Rule: supply-chain.curl-pipe-shell

Run the whole catalog

See which of these patterns are already in your code.

VybeSafe runs all five rules from this page — and 50+ more — against your project locally. No upload. No signup. Free for indie use.
