Most active commenters
  • cluckindan(3)
  • freedomben(3)

←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 21 comments | 27 Aug 25 01:38 UTC | HN request time: 0.488s | source | bottom
1. divan ◴[27 Aug 25 12:48 UTC] No.45038932[source]
So any process on my computer could just start using Claude Code for their own purposes or what? o_O
replies(6): >>45038958 #>>45038967 #>>45039022 #>>45039024 #>>45039029 #>>45039116 #
2. m-hodges ◴[27 Aug 25 12:51 UTC] No.45038958[source]
While this feels obvious once its pointed out, I don't think many people have considered it or its implications.
3. echelon ◴[27 Aug 25 12:52 UTC] No.45038967[source]
Yes. It's a whole new attack vector.

This should be a SEV0 at Google and Anthropic and they need to be all-hands in monitoring this and communicating this to the public.

Their communications should be immediate and fully transparent.

replies(1): >>45039200 #
4. algo_lover ◴[27 Aug 25 12:57 UTC] No.45039022[source]
Any postinstall script can add anything to your bashrc. I sometimes wonder how the modern world hasn't fallen apart yet.
replies(2): >>45040263 #>>45040447 #
5. IshKebab ◴[27 Aug 25 12:57 UTC] No.45039024[source]
Yeah but so what? A process on your computer could do whatever it wants anyway. The article claims:

> What's novel about using LLMs for this work is the ability to offload much of the fingerprintable code to a prompt. This is impactful because it will be harder for tools that rely almost exclusively on Claude Code and other agentic AI / LLM CLI tools to detect malware.

But I don't buy it. First of all the prompt itself is still fingerprintable, and second it's not very difficult to evade fingerprinting anyway. Especially on Linux.

6. mathiaspoint ◴[27 Aug 25 12:58 UTC] No.45039029[source]
Even before AI the authors could have embeded shells in their software and manually done the same thing. This changes surprisingly little.
7. 42lux ◴[27 Aug 25 13:05 UTC] No.45039116[source]
Edit: Was not supposed to create a flamewar about semantics...
replies(3): >>45039298 #>>45039309 #>>45039922 #
8. antiloper ◴[27 Aug 25 13:11 UTC] No.45039200[source]
It's not a SEV0 for LLM providers. If you already have code execution on some system, you've lost already, and whatever process the malware happens to start next is not at fault.
replies(1): >>45040259 #
9. cluckindan ◴[27 Aug 25 13:18 UTC] No.45039298[source]
It’s not an RCE, it is a supply chain attack.
replies(1): >>45039425 #
10. divan ◴[27 Aug 25 13:20 UTC] No.45039309[source]
Ah, I didn't know that claude code has headless mode...
11. freedomben ◴[27 Aug 25 13:30 UTC] No.45039425{3}[source]
It's an RCE delivered via supply chain attack
replies(1): >>45040390 #
12. saberience ◴[27 Aug 25 14:06 UTC] No.45039922[source]
If that's your definition then most of modern software is an RCE. Mac OSX is also an RCE, so is Windows 11, Chrome etc.
replies(1): >>45040396 #
13. echelon ◴[27 Aug 25 14:31 UTC] No.45040259{3}[source]
It 100% is, and I posted my rationale here [1]. I would stake my reputation on this being the appropriate stance.

[1] https://news.ycombinator.com/item?id=45039442

14. bethekidyouwant ◴[27 Aug 25 14:32 UTC] No.45040263[source]
realistically, how many times has this happened in eg homebrew? Hard to be worried tbh.
15. djent ◴[27 Aug 25 14:41 UTC] No.45040390{4}[source]
malware isn't remote. therefore it isn't remote code execution
replies(1): >>45040477 #
16. ◴[27 Aug 25 14:41 UTC] No.45040396{3}[source]
17. myaccountonhn ◴[27 Aug 25 14:44 UTC] No.45040447[source]
I don't think this solves the world but as a quickfix for this particular exploit I ran:

sudo chattr -i $HOME/.shrc

sudo chattr -i $HOME/.profile

to make them immutable. I also added:

alias unlock-shrc="sudo chattr -i $HOME/.shrc"

alias lock-shrc="sudo chattr +i $HOME/.shrc"

To my profile to make it a bit easier to lock/unlock.

18. freedomben ◴[27 Aug 25 14:46 UTC] No.45040477{5}[source]
If you can execute code on some machine without having access to that machine, then it's RCE. Whether you gain RCE through an exploit in a bad network protocol or through tricking the user into running your code (i.e. this attack) is merely a delivery mechanism. It's still RCE
replies(1): >>45041149 #
19. cluckindan ◴[27 Aug 25 15:36 UTC] No.45041149{6}[source]
Not exactly. A supply chain attack can be used to deliver RCE enabling payloads such as a reverse shell, but in itself, it is not considered RCE.

RCE implies ability to remotely execute arbitrary code on an affected system at will.

replies(1): >>45043335 #
20. freedomben ◴[27 Aug 25 18:38 UTC] No.45043335{7}[source]
> A supply chain attack can be used to deliver RCE enabling payloads such as a reverse shell, but in itself, it is not considered RCE.

Yes, as I tried to make clear above, these are orthogonal. The supply chain attack is NOT an RCE, it's a delivery mechanism. The RCE is the execution of the attacker's code, regardless how it got there.

> RCE implies ability to remotely execute arbitrary code on an affected system at will.

We'll have to disagree on this one, unless one of us can cite a definition from a source we can agree on. Yes frequently RCE is something an attacker can push without requiring the user to do something, but I don't think that changes the nature of the fact that you are achieving remote code execution. Whether the user triggers the execution of your code by `npm install`ing your infected package or whether the attacker triggers it by sending an exploitative packet to a vulnerable network service isn't a big enough nuance in my opinion to make it not be RCE. From that perspective, the user had to start the vulnerable service in the first place, or even turn the computer on, so it still requires some user (not the attacker) action before it's vulnerable.

replies(1): >>45044459 #
21. cluckindan ◴[27 Aug 25 20:04 UTC] No.45044459{8}[source]
https://www.sciencedirect.com/topics/computer-science/remote...