Vibe coding on top of a freelancer's codebase, read this before your next prompt



This post was submitted on 01 Jun 2026. 55 points (91% upvoted).


Submitted 21 hours ago by Just-Money-4241 (self.VibeCodeDevs)

I picked up a new client's React Native app to help them ship on Android. Previous dev was an Upwork freelancer. 110 commits. Six months of real work. Clean looking codebase. Exactly the kind of project you'd clone, open in Cursor or VS Code, and start prompting on top of.

I asked Claude Code what it would take to get this on the Play Store. During that assessment it flagged the ESLint config file. Looked totally normal. Ten lines. Standard Expo boilerplate.

Except after the closing bracket on line 10, hidden behind 300 spaces on the same line, was an obfuscated remote code execution loader.

Every time ESLint ran — every time you saved a file, every time your editor auto-linted, every time CI ran — the loader executed. It fetched encrypted payloads from blockchain transactions, decrypted them, and ran whatever code the attacker had deployed that day. No servers involved. No domains. The command and control infrastructure is the Tron and Binance Smart Chain blockchains. Untakeable.

The attacker updated the payload 25 times over 12 months. Per-victim campaign identifiers in the code. This wasn't a one-off. The wallet was active 10 months before this client was even targeted. Estimated 10 to 30 or more Upwork clients could have this same loader sitting in their projects right now.

Why this matters if you vibe code:

You're not reading the codebase line by line. That's the whole point. You're prompting, generating, shipping. But when you clone a repo or inherit a project, you're trusting every file in it. And config files are the last thing anyone looks at.

eslint.config.js is not a config file. It's executable JavaScript. So is babel.config.js. So is metro.config.js. So is next.config.js. So is vite.config.ts. They all run code. They're all attack surface. And none of them show up in your prompts or your AI-generated diffs.

This payload was invisible in a normal code review. It was invisible in git diffs unless you scrolled horizontally past 300 characters. It was invisible to every linter and formatter. It was caught because an AI tool happened to dump the raw file contents during an unrelated task.

What you should do:

If you've inherited or cloned a...
