December 18, 2025
Teen pwns, bounties burn
We pwned X, Vercel, Cursor, and Discord through a supply-chain attack
Teen hacker rattles big brands; commenters rage at tiny bounties and risky AI docs
TLDR: A teen found a flaw in an AI docs tool used by big brands that could let bad code run from a single link. Comments erupted over low payouts, blame on the third‑party platform, and whether responsible disclosure beats selling to the dark web.
A 16-year-old bug hunter says he poked at the shiny new AI-powered docs that big names like Discord, X, Vercel, and Cursor use, and found a way to slip naughty code into companies’ help pages with a single click. That set off the comments section like a fire alarm. The loudest chorus: bug bounties are way too low. “Cool bug. Bug bounty money is pathetic,” grumbled one user, while another gasped that $11k is “a tiny amount” for something that could hijack accounts.
Who’s to blame? Some readers pointed at Mintlify — “Sounds like you pwned Mintlify!” — while others called it a supply‑chain fail, since big brands plugged third‑party tech straight into their docs without enough guardrails. The geekiest debate turned into an unexpected art lesson: SVG images (the crisp, scalable kind) can hide scripts. One commenter explained that’s why many sites block them: pretty pictures, messy security. Cue jokes about “one weird trick” guides and “AI docs, human oops.”
As the teen detailed digging through developer tools and a command-line helper to uncover a hidden doorway that fetched files under trusted domains, the ethics got spicy: take the bounty or sell to the dark web? One cynic winked, “Might have got more from the onion.” Others applauded responsible disclosure and leaderboard bragging rights. The vibe: admiration plus anxiety, with a heavy sprinkle of salt.
Key Points
- The author and friends found critical vulnerabilities in the Mintlify documentation platform.
- A reported XSS flaw could allow malicious scripts in documentation and credential theft via a single link.
- Discord migrated its developer documentation to Mintlify and proxied routes to discord.mintlify.app.
- The /_mintlify/_markdown/_sites endpoint allowed cross-site file fetching without validating the host-subdomain match, but returned only raw markdown.
- Further investigation leveraged Mintlify’s publicly available CLI (@mintlify/cli) to analyze platform internals.
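The missing control in the fourth point is a same-tenant check: a request that arrives at one customer's subdomain must not be able to read another customer's files. The following is an added illustration written for this summary, not Mintlify's code; the endpoint path and the discord.mintlify.app host come from the write-up, while the query parameter names (`site`, `path`) and the `.mintlify.app` suffix handling are assumptions.

```javascript
// Added example (not Mintlify's code): enforce that the site a proxied
// markdown-fetch endpoint reads from is the tenant that owns the request host.
// Query parameter names `site` and `path` are assumed for illustration.

const PLATFORM_SUFFIX = ".mintlify.app"; // tenant sites live under this suffix

// Extract the tenant label from a Host header, or null if the host is not
// exactly one label under the platform suffix. Strips :port, lower-cases,
// and rejects nested labels such as "evil.discord".
function tenantFromHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
  if (!host.endsWith(PLATFORM_SUFFIX)) return null;
  const tenant = host.slice(0, -PLATFORM_SUFFIX.length);
  return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(tenant) ? tenant : null;
}

// The check the page describes as missing: the requested site must equal
// the tenant derived from the Host header, otherwise deny.
function isSameTenantFetch(hostHeader, requestedSite) {
  const tenant = tenantFromHost(hostHeader);
  if (tenant === null || typeof requestedSite !== "string") return false;
  return tenant === requestedSite.trim().toLowerCase();
}

// Minimal handler shape for GET /_mintlify/_markdown/_sites?site=<name>&path=<file>.
// `req` is a plain object { url, headers: { host } } so the example runs offline.
// Returns a status and, when allowed, the storage key that would be read.
function handleSiteFetch(req) {
  const url = new URL(req.url, "http://placeholder.invalid");
  const site = url.searchParams.get("site");
  const path = url.searchParams.get("path") || "";
  if (!isSameTenantFetch(req.headers.host, site)) {
    return { status: 403, body: "site does not match request host" };
  }
  // Keep the lookup inside the tenant's own markdown tree.
  if (path.includes("..") || path.startsWith("/") || !path.endsWith(".md")) {
    return { status: 400, body: "invalid path" };
  }
  return { status: 200, key: `${site}/${path}` };
}
```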