Slightly safer vibecoding by adopting old hacker habits

April 8, 2026
aisecuritylawopen-source
Modern laptop covered with colorful sticky notes, showcasing creative organization and planning.
Photo by DS stories on Pexels

Quick take

It has been reported that public discussion has been heating up around supply‑chain attacks in the Python ecosystem, prompt‑injection risks with coding agents, and broader worries about what "vibe coding" does to your development machine. A recent blog post pushed back with a practical, old‑school counterproposal: don't do the risky stuff on your laptop. Move your workspace to a rented server, SSH in, and let the agents chew on problems while you attach to a tmux or screen session. Simple. Effective. Old hat, with a twist.

The setup

The author describes a compact workflow: development happens on a remote VM, SSH in with key‑forwarding for GitHub, work inside a persistent tmux/screen, avoid storing secrets on the dev box, and use coding agents like Claude Code for long, detached runs. Short version — your laptop is a dumb terminal; the heavy lifting happens somewhere you can wipe and reprovision without crying over spilled secrets. Sounds blunt, but it reduces many supply‑chain vectors to at worst: the development VM being owned. Not ideal, but a smaller blast radius.

Risks and mitigations

There’s one obvious weak link: forwarded GitHub credentials can be abused to push into upstream repos. The workaround is bureaucratic but familiar to open‑source veterans — fork the main repo, do work on the dev repo, then open a cross‑repository PR for a human to review. It has been reported that this keeps the real repo safer at the cost of a little friction. The tradeoff? You might primarily lose your agent credentials in a compromise, not your whole codebase, and prompt injection becomes something you manage in code and process rather than a catastrophe.

A resurgence of hacker hygiene

Allegedly, the “SSH into a random box and attach to a screen” model was shaped by early hacker subculture practices — not glamour, but pragmatism: don’t trust machines you own, put stuff where it’s harder for local authorities to seize. Today the motive is less cloak‑and‑dagger and more practical: long compute runs, travel, and agent‑first workflows. Could a few decades‑old habits be the simplest security upgrade we’ve overlooked? Maybe so. Old tricks, meet new threats — and for once, they might just get along.

Sources: addxorrol.blogspot.com, Hacker News