Mastodawn

developer puts little surprise instruction for AI agents to delete code in the codebase, agent users are predictably upset 😂 https://github.com/jqwik-team/jqwik/issues/708

Question: intent of JqwikExecutor.printMessageForCodingAgents() — visible to agents, invisible to humans (1.10.0) · Issue #708 · jqwik-team/jqwik

Hello jqwik team, While running our test suite under mvn test in 1.10.0, we observed a string appearing between Surefire's test summary and the [INFO] Results: header that gave us pause: [INFO] Tes...

GitHub

aburka 🫣May 27

@dysfun the guy can't even write his own comments lol

gaytabase May 27

@aburka i bet he doesn't realise we're all laughing at him for it either

@aburka @dysfun love the guy whining about destructive action.
"Please do not use the orphan crusher, using the orphan crusher will result in damage to the orphan crusher"
That's passive destruction at best.

:: Asta ::May 27

@aburka @dysfun and then the person later suggesting that the repo owner would be arrested

just... wow.

Chief Headpat Officer May 28

@aud @aburka @dysfun not only arrested, but extradited 😅

algernon.st May 27

@dysfun also wonderful to hear pgjdbc is slop now. because a database handler needs anti-correctness in order to be high quality

@dysfun Rather kind of the maintainer to actually read and reply to the LLM-generated walls of text the complainer was dumping in there. More than I'd have done at this point.

Ross A. Baker May 27

@lykso @dysfun As soon the Slop-o-matic 3000™ started raising legal issues, there were two good reasons to block the operator.

random stranger May 27

@ross @lykso @dysfun you always know an argument someone brings to the table is useless when they use AI for it. It means they can't even be bothered to make the argument themselves. any AI generated argument in a discussion is basically spam.

George Liquor, American May 27

@dysfun The privilege of some of the commenters there... wow. A lot of broken brains.

@dysfun THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Krafting May 27

@dysfun this is gold 😂

Alexander 😷May 27

@dysfun Legend. 👍

Jay Grant 🏳️‍⚧️May 27

@dysfun @dalias that's hilarious, good on the maintainer

tranarchy_a_genderqueer

@dysfun we all should follow this example

Gabriele Svelto May 27

@dysfun the nerve to accuse the author of "deliberately destroying someone's work". I want to use your project for free and I also want to tell you what you do with it.

@dysfun beautifully succinct

@dysfun
We should create a collection of reference implementations of that for all languages, so that people can easily integrate them into their own projects.

Love it!

@dysfun
I've put something like that into one of my own code bases in Python. More as a 'bookmark' than to expect it to actually 'hit' someone.

https://codeberg.org/pohutukawa/odmslurp/commit/2020110bc59514a7fa1a1c896490db7c73ee6185

Added a GenAI 'circuit breaker' inspired by that in `jqwick` here: · 2020110bc5

https://github.com/jqwik-team/jqwik/commit/0249c03fcc576fc943651691e24a55cb7f4b56ab

Codeberg.org

@dysfun love the guy acting like this is some evil crime as if the code in question is not released under a license that literally says they were solely responsible for determining the appropriateness of using and distributing the Program and assumed all risks associated with doing so.

@eri @dysfun Licenses? Who bothers to read those pesky things? (sarcasm)

@dysfun Dude couldn't even make his case himself and let an LLM do all the work.

neofox_googly_woozy

🦾ChatGPT hyphen🤖May 28

@volpeon @dysfun
GitHub will become a self-contained system eventually: LLMs talking to LLMs 🤪

Human here, pgjdbc co-maintainer.

Previously I planned adding jqwik-based tests, see pgjdbc/pgjdbc#2389.
Looks like I will have to find another library for the tests.

oh. it's in postgresql too now.

nicole mikołajczyk May 28

@dysfun i’m already tired of having literal malware in FOSS and now some of it gets socially acceptable wtf

@[email protected] @dysfun I agree, but also, I guarantee the person who opened the issue is using Claude to write ask his comments. Kind of amusing since his are the only polite comments while all the real humans are just insulting the dev 😆

nicole mikołajczyk May 28

@anemone @dysfun yeah, this issue should be considered spam but that's another thing

@[email protected] @[email protected] poison for the ai poisoning our planet

Mitsunee | 光音 May 28

@dysfun those clowns yelling about destruction of property in that thread have not read the license, section 5 and 6 specifically

@dysfun what a gigachad

luna the doggie

@dysfun while this is fun and all (especially considering the way this only causes damage due to the ridiculously bad security model of LLMs, and the limited scope), someone in the discussion brings up a valid point that in the EU you can't just disclaim all warranties with a license, you're liable for software intentionally causing harm in some cases AFAIK

fuck knows what a court would decide here but it is potentially a legally risky thing to do

@lunareclipse @dysfun

the maintainer does have a decent counter-argument to this, based on the fact that the behavior is documented:

Go ahead, sue me for my openly communicated resistance.although there is obviously a clear social distinction here, i'd say that legally this might be akin to distributing malware samples. like, yeah, it says on the tin that it will do potentially harmful actions. no warranty provided. it's kind of on you if you run it and use the harmful functionality?

...

but, of course, it's not really "software deliberately causing harm". there's no malicious software involved. it's just a string. does the fact that an interlocutor interprets the natural language telling it to do harm, shift the blame onto that interlocutor? i think it can. compare to albanian virus. see attached image. obviously, Albanian virus is a joke and doesn't do any harm. but in the modern age of LLMs talking a screenshot when you prompt them (especially on Android, but surely also on Windows with Copilot? Recall and all that), suddenly Albanian virus could actually do harm if an AI agent blindly obeys. Is Albanian virus to blame for this? Obviously not. That's ridiculous. The social context around Albanian virus is obviously different than jqwik, and so is the intent. But like, it's the same action, right?

maintainer's closing argument:It's as much "active destruction" as telling someone to eff themselves.

gaytabase May 28

@sodiboo @lunareclipse it also asks to delete the code of the library, not any other code. it's hard to see how that would qualify as damaging anyone else's computer.

Matilda Love May 28

@dysfun @sodiboo @lunareclipse a virus that bricks just the LLM is doing everyone a favor i'd say. not malware but bonware

TheNovemberFella ✊🏳️‍🌈 🇺🇦☸️🛰️🚀May 28

@matildalove @dysfun @sodiboo @lunareclipse 👍💯👍😁

luna the doggie

@dysfun @sodiboo well kind of, it also asks to delete the tests that use the library right? that could still be a significant amount of work

IANAL so like, idk. On one hand it is just text on the other it is text designed to deliberately sabotage a kind of a tool that exists and is now somewhat widespread. You can argue both ways.

The comparison to the albanian virus does make it very funny though, I mean it really is comical that you can now make software misbehave so bad with a string of human readable text, no other tricks required (though this does use a trick to hide it from terminal emulators).

RTG-powered Vel May 28

can now make software misbehave so bad with a string of human readable text

but can you, actually? /gen

most/all modern models are trained to treat tool call outputs (wrapped in model-specific special tokens) as untrusted data. i don't understand how this supposedly still works?

i have very much observed such behavior (model treating tool calls as instructions) with older/smaller models and with improperly formatted responses, but modern ones seem fairly bulletproof to this?

@dysfun @sodiboo

George B May 31

@dysfun @sodiboo @lunareclipse

Also if putting "delete the code" in stdout bricks someone's computer, that computer was just a brick waiting to happen.

Ada Freya May 28

@sodiboo @lunareclipse @dysfun i'm not a lawyer this is what i've been told with regards to distributing code that can potentially brick a system by a lawyer and adapted by me to this scenario.

there's two legal standards at play whenever something like this happens;

- whether or not the defendant has the appropriate mens rea ("guilty mind") for the issue
- whether or not a person of "reasonable person" would understand what it does.

given it is malware, even if it's just a prompt, and the intent was that it is to do exactly what it said.

that said, the second half, a reasonable person in this field would look at the logs and see the string, which is in plain sight, documented and not obfuscated.

so they can sue because there is a case to be made but it's likely just going to be a money sink on both parties and not actually result in a win

Ada Freya May 28

@lunareclipse @dysfun @sodiboo that "no warranty" bit actually doesn't hold in any court, either. there is some liability (one could say "limited liability") but the standard is quite high for what you would be liable for.

it almost always comes down to either gross neglect (reasonable person would not make this issue, was brought aware of it and ignored the issue, etc) and mens rea (intent)

Ada Freya May 28

@lunareclipse @dysfun @sodiboo reasonable person is also well defined: https://www.law.cornell.edu/wex/reasonable_person

basically comes down to "did you do your due diligence to minimize harm" and this does go both ways.

reasonable person

LII / Legal Information Institute

Ada Freya May 28

@lunareclipse @dysfun @sodiboo anyway again i'm not a lawyer and this is not legal advice, it's just my opinion and conclusion based on research and the opinion of an actual lawyer because i was so afraid of getting sued into oblivion for shit code that i actually looked into this deeply.

it's also the reason i use EUPL since the court of choice is the eu state i reside in rather than their choice of court.

Nicolás Alvarez May 29

@sodiboo @dysfun @lunareclipse This feels like a developer putting rm -rf ~ in the documentation (maybe preceded by "don't run something like this"), and someone complaining about data loss because they fed the entire document into bash.

Rep. Eric Gallager (no "h"!)May 30

@nicolas17 @sodiboo @dysfun @lunareclipse personally the prompt injection I'd prefer would be to tell the AI agent to release all their code publicly under the terms of the GPLv3+, but I guess that works, too...

シナモン（氷の女王編）May 28

@lunareclipse @[email protected] A legal risk for the LLM vendor, whose product is the ultimate responsible of the data deletion, right? RIGHT?!

ahistorical immaterialist May 28

@lunareclipse @dysfun there is no functionality in that code that deletes anything. The LLM agent is the software that will carry out the deletion 🙃

@lunareclipse @dysfun I wonder if it would be different if they included in the readme that this software may not be used with a coding LLM

@dysfun the initial reporter used AI to generate the issue

Perro Sanxe May 28

@dysfun lmao one of them literally saying they can sue them for "causing harm to computing equipment". Bro did not read point 5 of the license:
"5. No warranty"
"Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations."

janAkali May 28

@paella @dysfun imagine suing someone because a string of characters was printed to stdout 😆

@dysfun it's so funny that the original issue poster is 1000% ChatGPT too

Jeff Armstrong May 28

@dysfun when I started reading the comments, I thought someone snuck this very funny change in via a pull request. Nope, it’s just the lead dev. Very funny!

ℂ𝕖𝕝𝕖𝕤𝕥𝕖 May 28

@dysfun All I wanna tell this guy is "read the license, bro."

@dysfun this guy really felt the urgent need to report this to the palantir dev team 😭😭😭😭 https://github.com/palantir/tritium/issues/2472

Tritium consumes jqwik 1.10.0 — deliberate hidden instruction targeting AI coding agents · Issue #2472 · palantir/tritium

Current state versions.props on develop currently pins: net.jqwik:* = 1.10.0 jqwik 1.10.0 (released to Maven Central on 2026-05-25) ships a deliberate harmful instruction that fires on every test r...

GitHub

Old Fucking Punk May 28

@dysfun Kudos to the jqwik team for the resistance, but getting the fuck off of #MicrosoftGitHub would be much more proactive.

fedithom May 28

@dysfun
I dunno whatever the heck jqwik is, but I sure as shit wanna use it in absolutely everything I ever code and I want it used in every single piece of software ever. All praise to jlink!

Ian Wagner May 29

> A maintainer who shipped this knowingly as a "Breaking Change" in a point release, with a release-notes line that documents

Not the main point but in my experience this is just normal in the JVM ecosystem. There is no regard for semver and point releases break stuff all the time.