←back to thread

Nx compromised: malware uses Claude code CLI to explore the filesystem

(semgrep.dev)
493 points neuroo | 7 comments | 27 Aug 25 12:18 UTC | HN request time: 0.237s | source | bottom
1. DetroitThrow ◴[27 Aug 25 15:04 UTC] No.45040706[source]
@dang Even though the blogpost has some helpful flavor, this GH issue seems much more direct and giving much more straightforward guidance for resolving the issue. Is it possible to change the link?
replies(3): >>45041142 #>>45042648 #>>45042787 #
2. JdeBP ◴[27 Aug 25 15:35 UTC] No.45041142[source]
Credit to otterly and Hilift for finding some other better coverage than this semgrep page as well:

* https://news.ycombinator.com/item?id=45040126

* https://news.ycombinator.com/item?id=45040507

replies(1): >>45041766 #
3. merb ◴[27 Aug 25 16:25 UTC] No.45041766[source]
I do not like these coverages. They always write about VSCode Extension which has basically nothing todo with the bug.

It only did run affected programs of course but it's so stupid to even talk about vscode in that case. if you used the affected nx versions you are affected no matter if you used vscode,webstorm, whatever ide of your liking. if you used a not affected nx version nothing happend no matter which vscode version you used.

replies(1): >>45042494 #
4. ramimac ◴[27 Aug 25 17:31 UTC] No.45042494{3}[source]
Hi! Author here who added the VSCode stat :)

I thought it was useful to include because:

* it can inform triage, if you use the extension you're more likely to be impacted * because it was VSCode, Workplace Trust actually partially mitigated this in at least 38 cases

replies(1): >>45042936 #
5. dang ◴[27 Aug 25 17:43 UTC] No.45042648[source]
(We detached this subthread from https://news.ycombinator.com/item?id=45038993.)

I found the first submission on the story (https://news.ycombinator.com/item?id=45034496), which used a github url, and merged the thread into it - more explanation at https://news.ycombinator.com/item?id=45042727.

6. ◴[27 Aug 25 17:54 UTC] No.45042787[source]
7. merb ◴[27 Aug 25 18:04 UTC] No.45042936{4}[source]
The vocoder extension does not contain any affected packages, it‘s just misleading