
441 points longcat | 4 comments
divan ◴[] No.45038932[source]
So any process on my computer could just start using Claude Code for their own purposes or what? o_O
replies(6): >>45038958 #>>45038967 #>>45039022 #>>45039024 #>>45039029 #>>45039116 #
42lux ◴[] No.45039116[source]
Edit: Was not supposed to create a flamewar about semantics...
replies(3): >>45039298 #>>45039309 #>>45039922 #
cluckindan ◴[] No.45039298[source]
It’s not an RCE, it is a supply chain attack.
replies(1): >>45039425 #
freedomben ◴[] No.45039425[source]
It's an RCE delivered via supply chain attack.
replies(1): >>45040390 #
djent ◴[] No.45040390[source]
Malware isn't remote. Therefore it isn't remote code execution.
replies(1): >>45040477 #
1. freedomben ◴[] No.45040477[source]
If you can execute code on some machine without having access to that machine, then it's RCE. Whether you gain RCE through an exploit in a bad network protocol or through tricking the user into running your code (i.e. this attack) is merely a delivery mechanism. It's still RCE.
replies(1): >>45041149 #
2. cluckindan ◴[] No.45041149[source]
Not exactly. A supply chain attack can be used to deliver RCE enabling payloads such as a reverse shell, but in itself, it is not considered RCE.

RCE implies ability to remotely execute arbitrary code on an affected system at will.

replies(1): >>45043335 #
3. freedomben ◴[] No.45043335[source]
> A supply chain attack can be used to deliver RCE enabling payloads such as a reverse shell, but in itself, it is not considered RCE.

Yes, as I tried to make clear above, these are orthogonal. The supply chain attack is NOT an RCE, it's a delivery mechanism. The RCE is the execution of the attacker's code, regardless of how it got there.

> RCE implies ability to remotely execute arbitrary code on an affected system at will.

We'll have to disagree on this one, unless one of us can cite a definition from a source we can agree on. Yes, frequently RCE is something an attacker can push without requiring the user to do something, but I don't think that changes the nature of the fact that you are achieving remote code execution. Whether the user triggers the execution of your code by `npm install`ing your infected package or whether the attacker triggers it by sending an exploitative packet to a vulnerable network service isn't a big enough nuance in my opinion to make it not be RCE. From that perspective, the user had to start the vulnerable service in the first place, or even turn the computer on, so it still requires some user (not the attacker) action before it's vulnerable.

replies(1): >>45044459 #
4. cluckindan ◴[] No.45044459{3}[source]
https://www.sciencedirect.com/topics/computer-science/remote...