
441 points longcat | 1 comments
roenxi No.45038912
Honest to goodness, I do most of my coding in a VM now. I don't see how the security profile of these things is tolerable.

The level of potential hostility from agents as a malware vector is really off the charts. We're entering an era where they can scan for opportunities worth >$1,000 in hostaged data, crypto keys, passwords, blackmail material or financial records without even knowing what they're looking for when they breach a box.

replies(4): >>45039149 #>>45039756 #>>45043435 #>>45049665 #
christophilus No.45039756
Similar, but in a podman container which shares nothing other than the source code directory with my host machine.
replies(2): >>45040537 #>>45043286 #
0cf8612b2e1e No.45043286
I would love it if some experts could comment on the security profile of this. It sounds like it should be fine, but there are so many gotchas with everything that I use full VMs for development.

One immediate stumbling block: the IDE would be running in my host, which has access to everything. A malicious IDE plugin is a too-real potential vector.

replies(2): >>45045210 #>>45045680 #
1. evertheylen No.45045210
I actually run code-server (derivative of VSCode) inside the container! But I agree that there can be many gotchas, which is why I try to collect as much feedback as possible.