
441 points longcat | 1 comments
snovymgodym ◴[] No.45039484[source]
Claude Code is by all accounts a revolutionary tool for getting useful work done on a computer.

It's also:

- a NodeJS app

- installed by curling a shell script and piping it into bash

- an LLM that's given free rein to mess with the filesystem, run commands, etc.

So that's what, like 3 big glaring vectors of attack for your system right there?

I would never feel comfortable running it outside of some kind of sandbox, e.g. VM, container, dedicated dev box, etc.

replies(3): >>45039575 #>>45039684 #>>45039901 #
sneak ◴[] No.45039684[source]
None of this is the concerning part. The bad part is that it auto-updates while running without intervention - i.e. it is RCE on your machine for Anthropic by design.
replies(4): >>45039771 #>>45039873 #>>45039918 #>>45039987 #
1. actualwitch ◴[] No.45039987[source]
Not only that, but it also connects to raw.githubusercontent.com to get the update. Doubt there are any signature checks happening there either. I know people love hating the locked-down Apple ecosystem, but this kind of stuff is why it is necessary.
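
The first comment's install path (a script curled and piped into bash) and the last comment's point about missing signature checks both come down to running fetched code unverified. As an added example, not taken from the thread or from Claude Code's installer, this sketch runs a downloaded script only if its SHA-256 matches a digest pinned out of band. The function names and the stand-in installer are constructed, and a hash pin is used here as a simpler substitute for a publisher signature check.

```shell
#!/usr/bin/env bash
# Added example (not Claude Code's installer): run a downloaded script only
# if its SHA-256 matches a digest pinned out of band.

# Print the lowercase hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE PIN: 0 = match, 1 = mismatch, 2 = unusable input.
verify_pinned() {
    local file=$1 pin actual
    pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # An empty or malformed pin must never count as a match.
    if [ "${#pin}" -ne 64 ] || printf '%s' "$pin" | grep -q '[^0-9a-f]'; then
        echo "pin is not a 64-digit hex SHA-256" >&2; return 2
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$pin" ]; then
        echo "digest mismatch: got $actual" >&2; return 1
    fi
    return 0
}

# run_if_pinned FILE PIN [ARGS...]: execute FILE only after verification.
run_if_pinned() {
    local file=$1 pin=$2
    shift 2
    verify_pinned "$file" "$pin" || return $?
    sh "$file" "$@"
}

# Constructed demo: a stand-in "installer" that is modified after pinning.
demo_dir=$(mktemp -d)
printf 'echo "installer ran"\n' > "$demo_dir/install.sh"
demo_pin=$(sha256_of "$demo_dir/install.sh")
run_if_pinned "$demo_dir/install.sh" "$demo_pin"         # runs
printf 'echo "extra line"\n' >> "$demo_dir/install.sh"   # content changes
run_if_pinned "$demo_dir/install.sh" "$demo_pin" || echo "refused to run"
rm -rf "$demo_dir"
```

The pin only helps if it arrives over a different channel than the script itself; a digest fetched from the same host as the download is changed by whoever changes the download.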