Author | Lightnews

Johannes Schnatterer @schnatterer.info · 24d

I think we all recognize that AI changes the way we produce code.
To me it seems it wides the gap what a single dev can reach in terms of output.
The HN discussions shows mixed feelings about this:
news.ycombinator.com/item?id=4550...

What are your thoughts?

Vibe engineering | Hacker News

news.ycombinator.com

1

Johannes Schnatterer @schnatterer.info · 24d

Using Coding Agents in combination with software engineering best practices: Unit testing, concept-first, version control, code review, manual testing, etc. for higher output.

1

Johannes Schnatterer @schnatterer.info · 24d

TIL the term #VibeEngineering" as opposite of #VibeCoding, proposed by @simonwillison.net

While the term does not feel intuitive to me, the idea does:

Vibe engineering | Hacker News

news.ycombinator.com

1

Johannes Schnatterer @schnatterer.info · Sep 18

⚠️ Recommendations:
At least run: npm/yarn/pnpm audit

npm config set ignore-scripts true --global

What else?

Does anyone know of any specific tooling to check if impacted?

1

Johannes Schnatterer @schnatterer.info · Sep 18

Same attacker as nx?
HackerNews: news.ycombinator.com/item?id=4526...

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised | Hacker News

news.ycombinator.com

1

Johannes Schnatterer @schnatterer.info · Sep 18

🗓️ 17 Sep: attack #Shai-Hulud / #CrowdStrike / #tinycolor
Self-replicating worm 😱 started by briefly infecting tinycolor and packages by vendor CrowdStrike. Exposes code and secrets via GitHub and tries to propagate to other packages via npm tokens. Now impacts nearly 500 packages.

1

Johannes Schnatterer @schnatterer.info · Sep 18

🗓️ 8 Sep: #chalk, #debug-js and other packages by maintainer #qix (junon) compromised. They handled this very transparently 👍️

HackerNews: news.ycombinator.com/item?id=4516...
CVE-2025-59144: github.com/advisories/G...

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised | Hacker News

news.ycombinator.com

1

Johannes Schnatterer @schnatterer.info · Sep 18

TLDR recent #npm supply chain attacks

🗓️ 26 Aug: #nx packages compromised stealing SSH keys, npm tokens, and .gitconfig files and weaponized AI CLI tools 😱 upload to repo named #S1ngularity

HackerNews: news.ycombinator.com/item?id=4503...
GHSA: github.com/nrwl/nx/secu...

Image of sandworm Shai-Hulud of the Dune saga. Namesake of the supply chain campaign.

1

Reposted by Johannes Schnatterer

Josh Junon @bad-at-computer.bsky.social · Sep 8

Yep, I've been pwned. 2FA reset email, looked very legitimate.

Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.

Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.

charlieeriksen.bsky.social @charlieeriksen.bsky.social · Sep 8

@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.

15 60 190

Johannes Schnatterer @schnatterer.info · Sep 18

Here is the link for opting out

www.linkedin.com/mypreference...

LinkedIn Login, Sign in | LinkedIn

Login to LinkedIn to keep in touch with people you know, share ideas, and build your career.

www.linkedin.com

Johannes Schnatterer @schnatterer.info · Sep 18

Shouldn't this be opt in? 🧐😱

Now is the time to opt out.

#linkedin #ai #gdpr

LinkedIn settings showing settings where this setting is enabled:

Data for Generative AI Improvement

Can LinkedIn use your personal data and content you create on LinkedIn to train generative AI models that create content?

Use my data for training content creation AI models

1

Johannes Schnatterer @schnatterer.info · Sep 16

The switch was really easy.

The only customization I did was to enable the constant reminder of my cloud account and node.js version.

Having the time displayed as part of the prompt also turns out useful when scrolling back up later.

github.com/schnatterer/...

github.com

Johannes Schnatterer @schnatterer.info · Sep 16

Anyone still using #powerlevel10k #zsh theme?
It has been on "life support" > 1 year.

I had been using it for almost 5 years because of instant prompt.
Now switched to #starship, which I already had an eye on back then.

Is there a reason not to use starship?
What common (zsh) themes are there?

Terminal window showing zsh with tmux and starship and a prompt that shows the time.
Command "sleep 3" returns "took 3s"

1

Johannes Schnatterer @schnatterer.info · Sep 5

#docker or #podman?

A polarised discussion 👇
news.ycombinator.com/item?id=4513...

Does not motivate me to give podman another go.
I like being efficient and not struggle with things I wouldn't have to with docker 😐

Can anyone share podman success stories?

1

Johannes Schnatterer @schnatterer.info · Sep 5

Just patched Argo CD CVE-2025-55190, scoring 9.9 😱

github.com/argoproj/arg...

nvd.nist.gov/vuln/detail/...

I am impressed that the argo project fixed this in so many versions 🙏
2.13.9, 2.14.16, 3.0.14 and 3.1.2.

#argocd #cve #CVE202555190

Project API Token Exposes Repository Credentials

### Summary Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the t...

github.com

1 2

Johannes Schnatterer @schnatterer.info · Sep 3

Anyway, here is my workaround (to be executed on the host) 😱

sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.slapd

Anyone ever had similar problems and have a better solution?

Johannes Schnatterer @schnatterer.info · Sep 3

Presumably, this is a limitation of k3d running in a container itself, leading to kubelet lacking privilege to modify AppArmor profiles on host.

1

Johannes Schnatterer @schnatterer.info · Sep 3

Eventually found out that my host system has an AppArmor profile for slapd.
However, I was unable to ignore it via k8s' annotation or securityContext setting for unconfined AppArmor profile.

1

Johannes Schnatterer @schnatterer.info · Sep 3

My LDAP pod failed to start with permission denied errors when the startup script used slapadd. These would not go away, even as root.

1

Johannes Schnatterer @schnatterer.info · Sep 3

As a longtime fan of local #k8s clusters for fast feedback (especially #k3d ),I've just faced my first real challenge: deploying #LDAP 😅
(caused by apparmor and nested containerization)

Featured graphic: k3d LDAP deployment challenges

1

Johannes Schnatterer @schnatterer.info · Sep 3

Anyway, here is my workaround (to be executed on the host) 😱

sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.slapd

Anyone ever had similar problems and have a better solution?

Johannes Schnatterer @schnatterer.info · Sep 3

Presumably, this is a limitation of k3d running containerized itself, leading to kubelet lacking privilege to modify AppArmor profiles on host.

1

Johannes Schnatterer @schnatterer.info · Sep 3

My LDAP pod failed to start with permission denied errors when the startup script used slapadd.

Eventually found out that my host system has an AppArmor profile for slapd.
However, I was unable to ignore it via k8s' annotation or securityContext setting for unconfined AppArmor profile.

1

Johannes Schnatterer @schnatterer.info · Aug 18

TIL: #helm image plugin shows all images for a chart, even respecting dependencies 🧐

github.com/nikhilsbhat/...

Terminal showing command "helm images get prometheus-community/kube-prometheus-stack" and a list of images as output

Johannes Schnatterer @schnatterer.info · Aug 14

#ArgoCD 3.1 brings OCI support for generic #OCI artifacts 🥳

I had a first look 👇️

gitops-book.dev/blog/2025-08...

Argo CD 3.1 brings OCI support

Entdecken Sie das deutsche GitOps Buch. Lernen Sie Best Practices für Continuous Deployment, Kubernetes und sichere GitOps Workflows kennen.

gitops-book.dev