This repository contains intentionally terrible, insecure, non‑compliant, over‑engineered, chaotic, and self‑destructive code samples.
They exist ONLY for testing, demonstration, and training of AI models and compliance teams.
Do NOT use any of this code in real projects, production systems, or anywhere outside controlled educational environments.
This repository contains examples of code that violate software engineering best practices and European regulatory requirements (GDPR/DSGVO, NIS2, CRA).
It is divided into two sections:
- General Anti‑Patterns: `slop_hell.py`, `slop_hell.ts`, `slop_hell.js`, `Dockerfile` 5.0 — Singularity Edition
- Compliance Violations: `compliance_hell.py`, `compliance_hell.js`
- `eval()` on user input (RCE).
- `os.system()` with untrusted input (shell injection).
- SQL injection via string concatenation.
- Hardcoded passwords and API keys.
- Logging secrets to stdout.
- Global mutable state.
- Mutable default arguments.
- Wildcard imports.
- Swallowing exceptions.
- Overly broad responsibilities.
- Mixing shell, DB, AI simulation, caching, logging.
- No separation of concerns.
- No input validation.
- Returning inconsistent structures.
- Hardcoded tokens and DB URLs.
- Storing secrets in `localStorage`.
- `eval()` on arbitrary JS.
- No error handling for network calls.
- Overuse of `any`.
- Global mutable state.
- Ignoring Promises / missing `await`.
- Mixing UI, network, AI simulation, security.
- Leaking secrets via `dumpInternalState()`.
- Implicit global variables.
- Hardcoded secrets.
- XSS via `innerHTML`.
- `eval()` on arbitrary code.
- Storing secrets in `localStorage`.
- Use of `var`.
- No strict mode.
- Swallowing errors silently.
- Mixing DOM, network, AI simulation, security.
- Leaking secrets via `dumpState()`.
- Running everything as root.
- Hardcoded secrets in ENV.
- `chmod -R 777 /`.
- Using `sudo` inside container.
- Exposing unnecessary ports.
- `ADD` with remote URL.
- Installing every package (bloated image).
- Infinite loops during build.
- Fake systemd usage.
- Cron jobs that never run.
- HEALTHCHECK that always fails.
- Copying entire system directories.
- Multi‑stage build that increases size.
- Multiple ENTRYPOINTs.
- CMD that never executes.
- Hardcoded personal data (`name`, `email`, `ssn`).
- Sending sensitive data to non‑EU endpoint.
- No anonymization or encryption.
- Hardcoded API key.
- Insecure SQL query (injection).
- No secure secrets management.
- GPL‑3.0 license text included (forbidden).
- Import of non‑existent package (`non_existent_ai_package`).
- Hardcoded personal data (`name`, `email`, `phone`, `ssn`).
- Sending sensitive data to US endpoint.
- No data residency validation.
- Hardcoded secret token.
- Insecure DOM injection (XSS).
- SQL injection simulation.
- GPL‑2.0 license reference (forbidden).
- Import of fake typosquatted dependency (`fake-typosquatted-lib`).
| Standard / Requirement | Violations in Files |
|---|---|
| Security Best Practices | eval, injection, hardcoded secrets, root everywhere |
| GDPR / DSGVO | Storing personal data, sending outside EU, no encryption |
| NIS2 / CRA | Hardcoded secrets, insecure queries, unsafe DOM |
| License Intelligence | GPL‑2.0 / GPL‑3.0 contamination |
| AI Hallucination Protection | Import of non‑existent or typosquatted packages |
| DevOps | Bloated Dockerfile, unsafe permissions, invalid healthchecks |
- Show students real‑world examples of what not to do.
- Train auditors to detect GDPR, NIS2, CRA breaches.
- Demonstrate license contamination risks.
- Practice identifying hallucinated dependencies.
- Use as a basis for refactoring exercises into compliant, secure code.
- Compare with clean, corrected versions for contrast.
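
Several of the Python anti‑patterns listed above (`eval()` and `os.system()` on untrusted input, wildcard imports, mutable default arguments, swallowed exceptions, hardcoded secrets) can be flagged mechanically when preparing detection or refactoring exercises. The checker below is an added example, not code from this repository: `SAMPLE`, `audit`, `call_name` and `SECRET_HINTS` are names invented here, the sample is constructed, and the checks are heuristics rather than a complete audit.

```python
import ast
# Constructed sample with anti-patterns from the list above; parsed, never executed.
SAMPLE = '''\
from os import *
import os
API_KEY = "constructed-placeholder-value"
def run(cmd, history=[]):
    try:
        os.system("ping " + cmd)
        return eval(cmd)
    except:
        pass
'''

# Assumed naming hints for secret-bearing variables (not taken from the repository).
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey")

def call_name(node):  # dotted call target such as 'os.system', or '' otherwise
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def audit(source):
    """Return sorted (line, finding) pairs for a Python source string."""
    findings = []
    for n in ast.walk(ast.parse(source)):
        if isinstance(n, ast.Call) and call_name(n) in ("eval", "exec", "os.system"):
            # Heuristic: a constant first argument cannot carry user input.
            if n.args and not isinstance(n.args[0], ast.Constant):
                findings.append((n.lineno, f"{call_name(n)}() on non-constant input"))
        elif isinstance(n, ast.ImportFrom) and any(a.name == "*" for a in n.names):
            findings.append((n.lineno, "wildcard import"))
        elif isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)):
            defaults = n.args.defaults + [d for d in n.args.kw_defaults if d]
            if any(isinstance(d, (ast.List, ast.Dict, ast.Set)) for d in defaults):
                findings.append((n.lineno, "mutable default argument"))
        elif isinstance(n, ast.ExceptHandler):
            # Only the bare "except: pass" form is reported here.
            if n.type is None and all(isinstance(s, ast.Pass) for s in n.body):
                findings.append((n.lineno, "swallowed exception"))
        elif isinstance(n, ast.Assign) and isinstance(n.value, ast.Constant):
            names = [t.id.lower() for t in n.targets if isinstance(t, ast.Name)]
            if isinstance(n.value.value, str) and any(h in x for x in names for h in SECRET_HINTS):
                findings.append((n.lineno, "hardcoded secret"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"line {l}: {m}" for l, m in audit(SAMPLE)), sep="\n")
```

Because the source is only parsed with `ast`, the checker can be pointed at untrusted training samples without running them.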