Join
1
0 Comments

Built the wrong thing at the wrong time - but discovered something worse (or "better")

by Dylan Fitzgerald

Built the wrong thing at the wrong time - but discovered something worse (or better?)

Hey IndieHackers! 👋

TL;DR: Got my lunch eaten by Claude Code, GitHub, and Linear. But while pivoting, I discovered AI is telling developers to install packages that don't exist - and hackers are already exploiting it.

The Painful Start

Some months ago, I had a "brilliant" idea. Like a lot of you, I'd been playing with LLMs (both commercial and open/local ones - the frontier models feel like a whole different class of tool) and getting genuinely useful results for simple dev tasks.

You know the type - version bumps that need a method signature change. Too complex for Dependabot, but tedious enough that no one wants to drop their work context to touch them. They just sit there, contributing to an ever-growing black hole backlog. "We'll get to it when we can justify the sprint work" or some similar statement from leadership that effectively means "we'll never do it". That sort of thing.

So I built an "autofix" tool. Connect to your ticket tracker, tag an issue with "autofix", watch it generate a solid PR.

The Fatal Mistake

I got to a functional MVP. It worked! But I kept telling myself: "Let's get this to where I can demo it end-to-end. And add proper accounts! I want a nice, smooth video before I do my outreach."

Then Claude Code, GitHub, and Linear all shipped first-party support while I was still perfecting my demo script. 😅

Classic indie hacker mistake - building in stealth mode too long. The market had spoken: "you're too slow."

The Background That Saved Me

But here's the thing - I've been a command line junkie since the late 90s. Did sysadmin work from the early aughts, spent years debugging mixed-signal analog ICs (talk about multi-day feedback loops!), then dove into DevOps, IT security, and infrastructure before shifting to web development and consulting on tech, infra, architecture, and team processes.

Years of consulting meant getting thrown into new languages and codebases and organizations constantly. All that exposure taught me one thing: security failures have patterns. And most of them are known patterns that just haven't been mitigated. Same reasoning as the backlog pileup, but compounded by a certain level of Just Not Wanting To Know. Why scan for vulnerabilities if you unconsciously know you'll never get a chance to spend the time fixing what it finds?

The Pivot

What if instead of waiting for engineers to tag issues, I proactively found and fixed security vulnerabilities?

Started testing on deliberately vulnerable projects (NodeGoat, DVNA, etc.). Results were solid. We can't (yet?) autofix the hairiest cross-repo vulnerabilities, but we can automate away a sizable portion of security backlogs.

The false positive rate was absurdly high at first. The fix required implementing AST enhancement to every. single. pattern. (I'll dive into this technical journey in a future post)

The Discovery That Changed Everything

While building this out with Claude Code, I noticed something odd. AI kept suggesting packages that didn't exist:

  • express-security-validator
  • react-auth-guard
  • django-advanced-security

I'd catch these pretty quickly when whatever dependency manager tried and failed to run, so no biggie, right? LLMs hallucinate; it's how they work. That's why we have tooling and tests.

Then I dug deeper...

[This Thursday: How I discovered hackers are already poisoning these AI-hallucinated packages - with proof of 30,000+ downloads]

What I'm Building Now

RSOLV detects and automatically fixes both traditional vulnerabilities AND these new AI-specific threats. Because it's not just about fixing the backlog - it's about getting ahead of it entirely.

Currently:

  • Solo founder
  • 170+ AST-based patterns
  • Live at rsolv.dev and rsolv.ai
  • $15/merged PR (no fix = no charge)

Questions for you:

  1. How long do you build in stealth before shipping?
  2. Ever had your idea "stolen" by a bigger player?
  3. What made you pivot your last project?

Drop a comment - I'm sharing this whole journey as I build.

Avatar for Dylan Fitzgerald Dylan Fitzgerald
on June 25, 2025
Say something nice to DylanFitzgerald…
Post Comment
Trending on Indie Hackers
From Ideas to a Content Factory: The Rise of SuperMaker AI User Avatar 27 comments Why Early-Stage Founders Should Consider Skipping Prior Art Searches for Their Patent Applications User Avatar 21 comments Codenhack Beta — Full Access + Referral User Avatar 17 comments I built eSIMKitStore — helping travelers stay online with instant QR-based eSIMs 🌍 User Avatar 15 comments Building something...? User Avatar 12 comments Do Patents Really Help Startups Raise Funding? Evidence from the U.S. and Europe User Avatar 11 comments