441 points longcat | 2 comments
snovymgodym No.45039484
Claude Code is by all accounts a revolutionary tool for getting useful work done on a computer.

It's also:

- a NodeJS app

- installed by curling a shell script and piping it into bash

- an LLM that's given free rein to mess with the filesystem, run commands, etc.

So that's what, like 3 big glaring vectors of attack for your system right there?

I would never feel comfortable running it outside of some kind of sandbox, e.g. VM, container, dedicated dev box, etc.

replies(3): >>45039575 >>45039684 >>45039901
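The second vector in the list above, the pipe-to-bash install, has a standard fix that a practitioner would want spelled out, and the sandbox recommendation has a concrete container shape. The following is an added example for this thread, not Claude Code's own installer or documentation: it fetches the installer to a file so it can be read and hashed before it runs, gates execution on a pinned SHA-256, and prints a locked-down `docker run` invocation for running the agent with only the project directory writable. The installer URL, the pinned hash, the image name and the uid are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not Claude Code's own installer or docs.
# Replaces "curl ... | bash" with fetch-to-file, pinned-hash verification,
# and a hardened container for running the agent. INSTALLER_URL, the
# pinned hash, the image name and the uid are assumptions.
set -eu

# GNU coreutils ships sha256sum; macOS ships shasum.
SHA=$(command -v sha256sum || echo "shasum -a 256")

# sha256_of FILE -> hex digest only.
sha256_of() {
  $SHA "$1" | cut -d' ' -f1
}

# fetch_installer URL DEST: download to a file so the script can be read
# and hashed before a single line of it executes. Refuses plain HTTP,
# including redirects to it, and anything below TLS 1.2.
fetch_installer() {
  curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# verify_installer FILE EXPECTED_SHA256 -> 0 on match, 1 otherwise.
# Pin the hash of a version you have actually read; a changed hash means
# "go read the diff", not "update the pin".
verify_installer() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "refusing $1: sha256 $actual != pinned $2" >&2
  return 1
}

# sandbox_cmd PROJECT_DIR IMAGE -> the docker invocation for running the
# agent with only PROJECT_DIR writable on the host. Network stays on
# because the agent must reach the model API, so the mounted directory is
# the only host data it can read, damage or exfiltrate.
sandbox_cmd() {
  cmd="docker run --rm -it"
  cmd="$cmd --read-only --tmpfs /tmp --tmpfs /home/agent"   # no persistent writes outside /work
  cmd="$cmd --cap-drop=ALL --security-opt=no-new-privileges" # no capabilities, no setuid escalation
  cmd="$cmd --pids-limit=256 --memory=4g"                    # a runaway tool call cannot eat the host
  cmd="$cmd --user 1000:1000 -v $1:/work -w /work"           # unprivileged uid (assumed), project only
  cmd="$cmd $2"
  printf '%s\n' "$cmd"
}

# Usage (assumed values):
#   fetch_installer "$INSTALLER_URL" ./install.sh
#   less ./install.sh                                  # read it first
#   verify_installer ./install.sh "$PINNED_SHA256"     # then pin what you read
#   sh -c "$(sandbox_cmd "$PWD" my-agent-image)"       # image built from the verified script
```

The installer itself belongs in the image's build step, not on the host: then the agent, its Node runtime and every tool call it makes live behind the same container boundary.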
kasey_junk No.45039575
I definitely think running agents in sandboxes is the way to go.

That said, Claude Code does not have free rein to run commands out of the gate.

replies(2): >>45039736 >>45043092
sneak No.45039736
Yes it does; you are thinking of agent tool calls. The software package itself runs as your uid and can do anything you can do (except on macOS where reading of certain directories is individually gated).
replies(2): >>45039900 >>45039986
kasey_junk No.45039986
Ok, but that’s true of _any_ program you install so isn’t interesting.

I don’t think the current agent tool call permission model is _right_ but it exists, so saying by default it will freely run those calls is less true of agents than other programs you might run.

replies(1): >>45046417
sneak No.45046417
Not all programs misbehave in this way. Signal desktop lets you turn off this vulnerability, and of course iOS apps and normal macOS apps are not allowed to self-modify, as it breaks their signature.

https://github.com/signalapp/Signal-Desktop/issues/4578

https://github.com/syncthing/syncthing-macos/issues/122
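The contrast drawn above is between a signed app bundle, which the OS refuses to launch once it has been modified, and an npm-installed app running as your own uid, which nothing stops from rewriting itself. The following is an added example for this thread, not code from Claude Code, Signal or syncthing: it records a hash manifest of an install directory once, right after an install you trust, and re-checks it before each run, flagging changed, added and removed files. The install directory and manifest path are assumptions; the manifest must live somewhere the app cannot write, or the check protects nothing.

```shell
#!/bin/sh
# Added example for this thread, not code from Claude Code, Signal or
# syncthing. Records a hash manifest of an unsigned, user-writable install
# and re-checks it before each run: the self-modification that breaks a
# signed bundle's signature becomes a failed check here. APP_DIR and
# MANIFEST are assumptions.
set -eu

# GNU coreutils ships sha256sum; macOS ships shasum.
SHA=$(command -v sha256sum || echo "shasum -a 256")

# make_manifest DIR -> one "sha256  ./relative/path" line per regular
# file, in byte order so two manifests compare line by line.
make_manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    $SHA "$f"
  done)
}

# check_manifest DIR MANIFEST -> 0 when DIR matches MANIFEST exactly;
# 1 when any file changed, appeared or vanished, with the delta on stderr
# ("<" is the recorded line, ">" is what is on disk now).
check_manifest() {
  current=$(make_manifest "$1")
  if [ "$current" = "$(cat "$2")" ]; then
    return 0
  fi
  echo "integrity check failed for $1 (< recorded, > on disk):" >&2
  printf '%s\n' "$current" | diff "$2" - >&2 || true
  return 1
}

# Usage (assumed paths). Record once after an install you trust, keeping
# the manifest outside anything the app or its dependencies can write.
#   make_manifest "$APP_DIR" > "$MANIFEST"
#   check_manifest "$APP_DIR" "$MANIFEST" && "$APP_DIR/bin/agent"
```

Wrapping the launcher this way does not stop a malicious update from landing; it stops it from running unnoticed, which is the property the Signal and syncthing issues linked above are asking for.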