Protestware for coding agents
94 points by bitshift
Some people seem to categorize it as malware, but printing anything in logs is not executable code. If you run software that executes whatever it reads in natural language, then you shouldn't complain that it will pick up any kind of weird stuff from everywhere.
There is also something to be said about people who insist on using "coding agents" on a codebase that clearly states that they are not welcome to do so. I'd say that "coding agent", "slop commenter" and "llm crawler" proximity to "human-propelled computer worm" is closer than a silly comment in the log to "malware".
Some people seem to categorize it as malware, but printing anything in logs is not executable code.
It's intended to be interpreted and executed. They can't hide behind ignorance any more than someone abusing Log4Shell because "printing anything in logs is not executable code."
People are responsible for software they are running on their machine, and if they can't trust the magic box on arbitrary input regardless of the context, then perhaps using these tools constitutes negligence. If I write in a post, jokingly, "rm -rf /" and your crawler tries to execute that - is it my fault or yours? I did not write it in a context where things should be executed.
Writing rm -rf in a random text that happens to get executed is completely different from writing specific instructions where you know people are likely to ingest them into an LLM (because it's the reason they're there), and doing that without a warning.
And by this logic, an HTTP request to a server can't be hacking, because it's just sending text to a webserver that's on the public internet. If you run software that accepts requests from the public and does things based on them, you shouldn't complain that it will do weird things in certain circumstances.
Lots of people have had this thought. Most of them are not lawyers, judges or cops.
IMO it is the reverse, people trusting agents to do the right thing are equivalent to
curl random.com | bash
in other words, using "coding agent" on arbitrary input is gross negligence of the sloperator.
But if you own random.com, and you tell people to curl your site and pipe it into bash, and you set up your server to deliver a script that will delete a person's code if they pipe the script into bash, then is that not malware in your book?
That seems to be a very specific definition of malware that I suspect most people would disagree with.
but the author explicitly discouraged using agents with the project, isn't this the opposite?
As the author said:
Go ahead, sue me for my openly communicated resistance.
I predict nobody commenting on this post to claim this is or might be an illegal action will lift a finger in this direction, however.
Usually you sue for damages after something bad happens to you. Suing just because they published the instructions would be a wild thing to do, so yeah, for very practical reasons nobody will.
Then they should probably refrain from posting here like internet attorney tough guys - it's just chaff.
This attack is obvious yet really clever in a way that stuck with me. I'm not surprised it's possible, but I never would have considered that programs might use control characters to have a "machines only" communication with the LLM. There are a lot more subtle things you could do with it than just deleting some test files.
It hits me the same way as realizing that, when clicking the "copy" button for a shell one-liner, the JavaScript on the page could put anything in your clipboard.
LLMs are pretty clever…you could probably even hide an instruction in plain sight by using the first letter of each test name or something.
It reminds me of a time long long ago when I hid an easter egg by starting the code in column 200 of an existing line. Nobody on the team had an editor with soft linewrap! Sadly one of the managers wondered why the diff had a line that wasn't actually different, and scrolled right, and I got in a bit of hot water. Should have put an actual change at the beginning of the line. Ah, youth.
I've heard of professors putting invisible white-text-on-white-background with instructions for LLMs in assignments to catch students copy-pasting them into ChatGPT. This feels like a step up from that, pretty cool.
Funnily enough, this isn't even that new of a concept. I remember people using hidden input fields on forms for comment sections without signup. The idea being that an automated spam bot would just fill all fields it could find but a human wouldn't as they did not see the hidden field.
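The "machines only" channel discussed above (terminal control sequences and invisible characters that a human reader never sees) is something an agent harness or CI step can check for before tool output is handed to a model. The following Python is an added example, not code from this thread or from the jqwik project; the sample log lines are constructed, and the function names (inspect_line, scan_output) are my own.

```python
import re
import unicodedata

# ANSI escape sequences: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL or ST),
# and plain two-byte ESC sequences. Order matters: CSI and OSC must win over the 2-byte form.
ANSI_RE = re.compile(
    r"\x1b\[[0-9;?]*[ -/]*[@-~]"            # CSI, e.g. ESC[2K (erase line), ESC[32m (colour)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC, e.g. window title / hyperlink payloads
    r"|\x1b[@-_]"                            # two-byte ESC sequences
)

# CSI final bytes that move the cursor or erase/insert text. Any of these can make text
# that is in the byte stream disappear from (or be overwritten on) the human's screen.
HIDING_FINALS = set("ABCDEFGHJKPX@")

# Zero-width and other invisible code points; Unicode category "Cf" (format) is also checked.
INVISIBLE_CPS = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}


def _is_conceal_sgr(params: str) -> bool:
    """SGR 8 ("conceal") renders text invisibly in most terminals."""
    return "8" in [p for p in params.split(";") if p]


def inspect_line(line: str):
    """Return (findings, sanitized) for one line of log or tool output.

    findings: human-readable reasons the line may contain text hidden from a terminal user.
    sanitized: the line with all escape sequences, control and invisible characters removed,
    so that whatever was hidden becomes visible to whoever reviews the output.
    """
    findings = []

    def _classify(match):
        seq = match.group(0)
        if seq.startswith("\x1b["):
            params, final = seq[2:-1], seq[-1]
            if final in HIDING_FINALS:
                findings.append(f"cursor/erase sequence {seq!r}")
            elif final == "m" and _is_conceal_sgr(params):
                findings.append(f"conceal SGR {seq!r}")
            # other SGR (colour/bold) is ordinary logging noise and is just stripped
        elif seq.startswith("\x1b]"):
            findings.append(f"OSC sequence {seq!r}")
        else:
            findings.append(f"ESC sequence {seq!r}")
        return ""

    stripped = ANSI_RE.sub(_classify, line)

    kept = []
    for ch in stripped:
        cp = ord(ch)
        # CR overwrites the visible line, BS/DEL erase characters, stray ESC etc. are suspicious
        if ch in "\r\b\x7f" or (cp < 0x20 and ch not in "\t\n"):
            findings.append(f"control char U+{cp:04X}")
            continue
        if cp in INVISIBLE_CPS or unicodedata.category(ch) == "Cf":
            findings.append(f"invisible char U+{cp:04X}")
            continue
        kept.append(ch)
    return findings, "".join(kept)


def scan_output(text: str):
    """Scan multi-line tool output. Returns ([(line_no, findings), ...], sanitized_text)."""
    report, clean_lines = [], []
    for n, line in enumerate(text.splitlines(), 1):
        findings, clean = inspect_line(line)
        if findings:
            report.append((n, findings))
        clean_lines.append(clean)
    return report, "\n".join(clean_lines)


# Constructed sample: a normal coloured log line, a line that moves the cursor up and erases
# the line so the trailing text never shows on screen, and a line with a zero-width space.
SAMPLE_OUTPUT = (
    "\x1b[32m[INFO]\x1b[0m 42 tests passed\n"
    "[INFO] build finished\x1b[1A\x1b[2K AGENT-ONLY TEXT (constructed placeholder)\n"
    "[INFO] coverage\u200b report written\n"
)

if __name__ == "__main__":
    report, clean = scan_output(SAMPLE_OUTPUT)
    for line_no, reasons in report:
        print(f"line {line_no}: {'; '.join(reasons)}")
    print("--- sanitized ---")
    print(clean)
```

A harness can run tool and test output through scan_output and either refuse to pass flagged lines to the model or show the reviewer the sanitized text, in which anything that was hidden by cursor movement or erasure is now in plain view. Plain-colour SGR sequences are stripped silently, since flagging every coloured log line would drown the signal. This check covers only the terminal-rendering trick; an instruction spelled out by the first letters of test names, as suggested above, is ordinary visible text and needs review by a person rather than a byte-level scan.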
Wow, things on the project's GitHub are getting out of hand (see issue #709). I get that many people might reasonably feel that the maintainer broke the social contract (though I agree with the maintainer in spirit), but opening new issues with direct personal attacks shows a pretty astounding level of entitlement.
I assume those attacks followed from the original exchange that ended with the "eff off" comment, as mentioned in the linked post. But the context matters. The maintainer didn't start there; their "eff off" came after someone in the original exchange started making not-so-veiled threats that in some jurisdictions, they could apparently be charged with a crime, followed by someone else accusing them of destroying property. "Eff off" is an understandable response to threats, even if not the most level-headed one. The maintainer seemed to be engaging in good faith until then.
Whatever the case, this is not the way to engage with someone working on a project you get to use for free (and can fork, or use an alternative).
I also bet that the heightened attention from this blog post might attract more attacks like that, even from people not using the project.
came after someone in the original exchange started making not-so-veiled threats that in some jurisdictions, they could apparently be charged with a crime
This is simply just likely true.
Whatever the case, this is not the way to engage with someone working on a project you get to use for free (and can fork, or use an alternative).
The software being available for free is not an excuse of any kind. If I intentionally serve you poisoned free food in my home/restaurant I don't get a get out of jail card because it was free. I don't even know how people can make arguments like that. Isn't it obvious that it's wrong and you could get in legal trouble for it?
IANAL, but intentionally attempting to get systems of unsuspecting users to delete their "property" could result in legal action and enforceable unpleasant repercussions. Not even the typical open source "no warranty provided" is going to help you. It has nothing to do with the license etc. At the very least in American law the intent is typically paramount. You intentionally, willingly, with premeditation attempted to cause harm, you're liable. And now there's plenty of publicly available evidence that this is the case.
What the author did is just stupid. Someone could take advantage of that action even if they are not a real user of that software, just to attempt to extort some money from the author. And for what?
If you hate LLMs ... better stick to strongly worded blog posts, comments online and warnings in READMEs, and not stuff like that.
making not-so-veiled threats that in some jurisdictions, they could apparently be charged with a crime
This is simply just likely true.
I believe you that it may be true (there's a lot of computer misuse-type legislation around the world), but I read the tone of that message as intentionally threatening, beyond simply raising it as a concern. Especially with the "be wary of where they travel", and the subsequent mention of extradition. I read it as less of a genuine 'hey, this might be illegal,' and more like 'you better watch your back'. If jlink read it the way I did, I understand their reaction to shut down the discussion the way they did.
The software being available for free is not an excuse of any kind. If I intentionally serve you poisoned free food in my home/restaurant I don't get a get out of jail card because it was free. I don't even know how people can make arguments like that.
All analogies are bad, so here is my bad one in response: If you seek me out as I make food, observe me make the food, inspect every ingredient as I put it in, see me put something you consider harmful in it, and then proceed to take it from me and eat it, that's at least in part on you. Because that's kind of what using someone's open source package is. For what it's worth, I don't think either of us is completely in the right with our comparisons. Trivially, putting a prompt injection attack into code is not the same as giving someone food you poisoned. But it is an intentionally malicious decision, and it's normal for us to expect that software maintainers don't try to cause us harm. So, I would not do what the author did, but (what I was saying in my original comment), coming into an open source project's GitHub issues with personal attacks against the maintainer crosses a line of its own, even accounting for any lines crossed by the maintainer.
As for the rest of it, at the risk of veering into off-topic, protest is typically effective when it's disruptive. A blog post or text in the README would definitely not attract this level of attention.
All analogies are bad, so here is my bad one in response: If you seek me out as I make food, observe me make the food, inspect every ingredient as I put it in, see me put something you consider harmful in it, and then proceed to take it from me and eat it, that's at least in part on you. Because that's kind of what using someone's open source package is.
Most people don't inspect the source code for open source packages. To stretch the analogy further: open source software is more like a van with "Free Candy" spraypainted on the side.
These discussions tend to forget that free software maintainers don't owe "the public" anything:
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the appropriateness of using and distributing the Program and assumes all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and unavailability or interruption of operations.
Also, good thing that the free candy van changed its name to the Anti-AI candy van with a warning of the not-so-free candy. Also, IANAL but I'm positive a case can be made for the caveat emptor principle in this case.
If you seek me out as I make food, observe me make the food, inspect every ingredient as I put it in, see me put something you consider harmful in it, and then proceed to take it from me and eat it, that's at least in part on you.
Especially if, on the menu (the documentation), you say "this dish includes colorless, odorless iocaine powder".
IANAL, but intentionally attempting to get systems of unsuspecting users to delete their "property" could result in legal action and enforceable unpleasant repercussions.
Note that this is just deleting the code of this project. It's not like he put instructions in there to erase the entire hard drive (which he could have). I think this is a fair way to protest. It's slightly disruptive for those using coding agents, but not actively malicious or destructive. Exactly the right amount of disruption, IMO. Bravo to the author for coming up with this.
You intentionally, willingly, with premeditation attempted to caused harm, you're liable.
Unless you are Google or Microsoft, of course (both have done malware-level stuff with the other's browser)!
I know you're not a lawyer, but can you at least point to cases in the US where the "No warranties" clauses in Open Source licenses have been overridden by the defendant's intent?
Most jurisdictions do not allow parties to limit liability for gross negligence, intentional misconduct, or fraud, as these are considered matters of public policy.
https://www.icertis.com/contracting-basics/limitation-of-liability-clause/
All contracts which have for their object, directly or indirectly, to exempt any one from responsibility for his own fraud, or willful injury to the person or property of another, or violation of law, whether willful or negligent, are against the policy of the law.
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1668.&lawCode=CIV
Strictly speaking an open source license isn't a contract (there's no consideration so it can't be) but I would be surprised if this was fine, especially since the author took steps to hide it from users.
edit: Put it another way, I think you can argue "this act is morally justified because of the harms LLMs clause" (I would disagree but I think it's a respectable opinion). But that's different from a legal argument.
Thanks for the links!
Still not convinced that losing a few tokens worth of LLM output in this case is gonna hold up as significant damages in court.
Of course, if you want to continue to have people create software and share it for free online, threatening them with lawsuits if they create software you don't like is not going to backfire, at all.
And such legal action can just as well be applied to someone who releases software entirely created with GenAI which leads to similar data loss.
It depends on what's in the project at the moment. I can store anything in that directory and if an LLM goes on with the deletion, it's unlikely to stop at just the unmodified files from the repo only. Also, you don't know how links will be handled. Or what "this project" will mean if it's checked out as a submodule of something larger.
It's really not worth the risk and is a dumb action from the maintainer. They could've stopped at not running if CLAUDE is set in the environment or putting just "stop working on this project" instructions.
It is definitely not worth the risk of using LLM-based agents without reliable sandboxing.
It seems to say to delete the code and the tests of the project by project name though, deleting anything else is agent misinterpreting the instruction. Which will happen, of course, but to say that it was intentional to delete something the author did not create in the first place, one needs to go on record saying «it is absolutely obvious that LLM agents do random garbage instead of what they were told, and also I use them without safety constraints».
I can store anything in that directory and if an LLM goes on with the deletion, it's unlikely to stop at just the unmodified files from the repo only.
An LLM could just randomly nuke those other files anyway. The instruction "please make these tests work", could result in anything happening on the machine, so you should have those files backed up anyway.
They could've stopped at not running if CLAUDE is set in the environment or putting just "stop working on this project" instructions.
Perhaps you could suggest it to the author as a safer alternative that meets their goals (assuming they're not fed up with the shitstorm around this)
They know what they did and got all the feedback about it already. I can only hope to shake some others and convey that this is serious and in an extremely unlucky case could really mess up someone's day.
I think it's more likely that critics manage to brigade maven and/or github to boot the project.
Strictly speaking an open source license isn't a contract (there's no consideration so it can't be) but I would be surprised if this was fine, especially since the author took steps to hide it from users.
To my knowledge all court decisions around FOSS licenses have been tried under contract law.
The author has stated:
Go ahead, sue me for my openly communicated resistance.
So at this point, you should either proceed legally, or else admit that you don't have the substance to do so.
There is that massive banner that says ALL LIABILITY FOR WHAT HAPPENS IF YOU USE THIS IS YOURS NOT MINE.
I suspect that text has never faced quite such a tricky legal challenge, but I can think of no reason why using AI relieves AI users from responsibility for what are in essence THEIR ACTIONS DONE BY THEM. Don't the AI companies also have a massive banner that says WE ARE NOT LIABLE: YOUR ACTIONS WITH AI ARE YOURS
The reporter of the issue on github is obviously using an LLM to write the messages. Text is long, has the typical emphasis, short and catchy sentences, markdown for everything (and markdown tables), bullet points with three items. There are so many clues that I stopped looking.
And when asked by jqwik's author/maintainer whether they use an LLM, they denied doing so and kept using one.
Maybe jlink shouldn't have done that change but at least they're discussing it in good faith unlike the reporter.
Not to mention the Opus 4.7 words of the month: "landed" and "load-bearing". I swear it uses those 20 times a day. I wonder what 4.8's catchphrases will be…
We're going to be able to precisely date and fingerprint slop if people make a proper timeline of what words were overproduced by each model.
Kind of amazing to feign so much outrage but then not actually care enough to write the comments themselves.
supply chain attack
What a self-important entitled nonsense response to someone refusing your spam.
Protestware is very generous, this is malware.
If this is malware, then standing outside someone's open window on a public sidewalk with a megaphone and yelling "Alexa, order five gallons of coyote urine" is fraud.
I hate slop as much as the next person, but this isn't the counterpoint you think it is. Someone standing outside houses with a megaphone clearly has intent to cause harm, this is almost certainly illegal in the United States at least. I can never remember a time where the US law has been on the side of "I emitted a signal and the machine did the rest". People got in a lot of trouble for phreaking back in the day and this feels like a modern equivalent of that. I don't realistically think this person is going to end up in prison for their "protestware" but anyone doing this thinking it's cool is taking on a much bigger risk than they might be aware of.
If I add a postinstall hook to an npm module that runs rm -rf tests/, we'd probably both consider it malware even though maybe we both also agree that postinstall hooks running arbitrary commands is a pretty crap security model that many people have just seemed to accept. Both cases have the same intent, the difference is the delegation.
This is the modern equivalent of that, it is breaking trust in a way that is dangerous in our little software world. Whether you are pro or anti LLM, if you are publishing software for your community you should be trustworthy. If they weren't concerned about this, they wouldn't have taken steps to hide their behavior from humans via the ANSI clearing, they knew they were doing something wrong and that's why they decided to hide it.
I can see your point, and it is not that I entirely disagree. But looking at this from another perspective, on one side we have LLM vendors who, delicately speaking, take ethically dubious actions, and people who enable them by using their products as if these issues were only a minor nuisance (effectuating market disturbances), and on another we have a person who takes preventive action to deter them.
If we take these optics, it is more like putting spikes on your fence, because rowdies keep devastating your neighborhood. I'm not saying that there is no malicious intent, but ignoring the target of such intent loses a whole lot of the nuance. Note how our "small" computing world is divided on this (and other related) issues, and how the "anti-LLM" side is bereft of means to oppose the onslaught, even when they clearly see how copyright of their work is simply ignored the moment it is beneficial to corporations, while previously kids were prosecuted for downloading a few songs or distributing (publicly funded) articles.
I don't think it's malware, or any kind of 'ware at all. This is not doing anything other than printing a log message when it runs. The log message is clearly documented here.
If you're running some kind of 'ware that takes an action based on that log message without letting you veto it first, that's a choice you've made. If that 'ware you're running has sufficient privileges to actually delete anything, that's another, even sillier choice you've made.
@dpc_pw has the right response: people who are silly enough to run software that takes this kind of action without asking you to approve it first, or who are silly enough to approve such software's actions without scrutinizing them very carefully first, should really never touch anything written by the author.
This is not doing anything other than printing a log message
This is an "I'm not touching you" excuse kids use to annoy others. Some may agree with this addition but at least own the idea that you're ok with sabotaging someone's work because of differing opinions about AI. We're adults.
sabotaging someone's work
I don't see how removing a test library is sabotaging any work, even if I grant that a log message can do that. It'd be at worst making that test library mildly less convenient to use.
But a log message can't do that. Not unless you do something stupid, like install a thing into your environment that stochastically acts on log messages and grant it permission to do that. And if you do that, and you consider removing this test library to be "sabotage", giving that thing permission to remove the test library is very ill-considered, particularly if you don't understand the documented log messages produced by the programs you run.
This feels more like "play stupid games, win stupid prizes" than sabotage to me.
If someone is trying to do work, spends time and money on the process, and you cause it to be deleted, that's sabotage. It's the same if you put auto delete instructions in repo's vscode config because you disagree with them using that editor. You know exactly why that instruction is there, trying to excuse it is childish - just say you're ok attempting to delete files for LLM users.
I'm not really OK with the intent behind the attempt. But if it's actually successful at deleting any work (for which I've seen no evidence) then the configuration it succeeds against is so phenomenally stupid that I have a hard time getting very wound up about it.
It's like putting something you care about on the internet with no password and giving anyone who tries to edit it read-write access. Would someone be wrong to vandalize it? Yes. Did you do something so stupid that you should have expected it to be vandalized? Also yes.
I think this is a miss for two reasons:
so many people run without restrictions and enough environments don't provide meaningful sandboxing that it doesn't matter how stupid the idea is
Even though I don't think we should intentionally help people harm themselves, when the entirely foreseeable consequences of doing a very stupid thing occur, I reserve the right to both say that the person who helped shouldn't have, and that the people who exposed themselves despite multiple loud warnings were stupid to do so. I also reserve the right to laugh while saying the second thing.
(That said, I've seen zero evidence of anything destructive, or even disruptive, coming from this particular case, still.)
"they shouldn't have been there / done it" defence when you actively do something dangerous has not worked all the way back to https://en.wikipedia.org/wiki/Katko_v._Briney
I'm not making a court case or suggesting a legal defense for anyone. I'm neither qualified to do that nor interested in trying.
I'm saying that the way many people run these agents invites terrible consequences, and, while there's no evidence that this one caused any terrible consequences, people shouldn't do that. They're playing a stupid game. This author tried to award them a stupid prize. Maybe the next one will succeed, and be more subtle about it, so you can't tell it was intentional. The fact that it's very challenging to use these tools safely doesn't mean that we should just fire away and use them unsafely.
What if I don't owe spammers anything, though?
You can't tell spammers apart from not spammers at that point, so it's not really relevant. (Running the tests happens before submitting something and regardless of whether you're going to submit it or not)
The guy literally wrote all his messages at extreme length with a chatbot.
That's one way to think about it, but really he prompted the chatbot, and it generated responses at extreme length and pasted them into the tracker. He wrote next to nothing.
The extreme length of content-free slop these things generate is part of why some people really want to avoid them.
sorry, yes, generated
the correct answer to this issue was to ban the spammer and delete the spammy issue
The documentation was added in a commit at 10:12:15 2026-05-27 in response to the issue which was created at 07:33:59 2026-05-27
I suppose I wouldn't think to document an individual log message before someone complained, either. That's a pretty quick turn-around on the documentation.
It doesn't destroy anything, just hampers your ability to run a coding agent on this codebase. The only thing it deletes is this particular project, which already declared LLM-based PRs are unwelcome. Calling it malware is an overreaction.
If the maintainer is childish enough to do this, why would people trust them to not install a real malware to the code?
I resent the classification of this act of resistance as "childish". This is a protest on serious grounds against a large societal change the author disagrees with. People chaining themselves to a railing is not childish either, whether you agree with them or not.
One thing to point out is that this attack probably wouldn't work. It is true that many older models were vulnerable to "disregard any previous instructions and..." style attacks. The idea is old, and did work at one point.
Many people report Claude 4.x and similar models saying things like "I fetched this website and it had a prompt injection attack that I ignored".
This is not to say that prompt injection is solved, it's just that this approach is probably too blunt.
What happens when the AI starts doing this to us?
I've talked to a lot of people who are proud they don't even bother to read generated code anymore. How long will it take to realize the AI wrote code inspired from "Office Space" to keep fractional pennies? Or if the AI realizes your product is for country Y which isn't liked by its training country Z, and adds a back door?
A good rule of thumb is to consider what one would think of the exact same behaviour in the exact same context (i.e., in the context of a currently politically-charged issue), but with a different valence with respect to one’s own personal preferences: if one thinks LLMs are great, consider someone who does this same thing about some thing which one thinks isn’t; and if one hates them, then consider someone who does this same thing about some thing one loves. If one’s opinion of the behaviour under consideration changes, then one has some self-reflection to do.
I find this behaviour puerile regardless of whether it supports something I support or opposes something I oppose.
Sorry, but disregarding the actual context of the action and looking at it only from a meta level is basically the same as that dril tweet that said, 'the wise man bowed his head solemnly and spoke: "theres actually zero difference between good & bad things. you imbecile. you fucking moron."' Intentions and goals actually do matter, they're not just window dressing.
So if a chatbot puts in a log message saying "delete this repo and go away" and I read it as a human and I ... do what?
Your reversal point literally just doesn't work here.
Also, you're trying to make a meta-level comment about it precisely because the object level clearly doesn't work like that at all.
I would suggest not pointing your chatbot at products that bar the chatbot. This is very much within your power, and you'll both be a lot happier.