←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 5 comments | 27 Aug 25 01:38 UTC | HN request time: 0.738s | source
1. grav ◴[27 Aug 25 13:08 UTC] No.45039159[source]
> Interestingly, the malware checks for the presence of Claude Code CLI or Gemini CLI on the system to offload much of the fingerprintable code to a prompt.

Can anyone explain this? Why is it an advantage?

replies(3): >>45039226 #>>45039286 #>>45039823 #
2. NitpickLawyer ◴[27 Aug 25 13:13 UTC] No.45039226[source]
Some AV / endpoint protection software could flag those files. Some corpo deep inspection software could flag those if downloaded / requested from the web.

The cc/geminicli were just an obfuscation method to basically run a find [...] > dump.txt

Oh, and static analysis tools might flag any code with find .env .wallet (whatever)... but they might not (yet) flag prompts :)

3. cluckindan ◴[27 Aug 25 13:17 UTC] No.45039286[source]
The malware is not delivering any exploits or otherwise malicious-looking code, so endpoint security is unlikely to flag it as malicious.
replies(1): >>45041572 #
4. sneak ◴[27 Aug 25 13:59 UTC] No.45039823[source]
Furthermore most people have probably granted the node binary access to everything in their home directory on macOS. Other processes would pop up a permission dialog.
5. skybrian ◴[27 Aug 25 16:09 UTC] No.45041572[source]
That’s because it’s new. Perhaps feeding prompts into Claude Code and similar tools will be considered suspicious from now on?