| ▲ | 0xbadcafebee 6 days ago |
| Before anyone puts the blame on Nx, or Anthropic, I would like to remind you all what actually caused this exploit. The exploit was caused by an exploit, shipped in a package, that was uploaded using a stolen "token" (a string of characters used as a sort of "usename+password" to access a programming-language package-manager repository). But that's just the delivery mechanism of the attack. What caused the attack to be successful were: 1. The package manager repository did not require signing of artifacts to verify they were generated by an authorized developer.
2. The package manager repository did not require code signing to verify the code was signed by an authorized developer.
3. (presumably) The package manager repository did not implement any heuristics to detect and prevent unusual activity (such as uploads coming from a new source IP or country).
4. (presumably) The package manager repository did not require MFA for the use of the compromised token.
5. (presumably) The token was not ephemeral.
6. (presumably) The developer whose token was stolen did not store the token in a password manager that requires the developer to manually authorize unsealing of the token by a new requesting application and session.
Now after all those failures, if you were affected and a GitHub repo was created in your account, this is a failure of: 1. You to keep your GitHub tokens/auth in a password manager that requires you to manually authorize unsealing of the token by a new requesting application and session.
So what really caused this exploit, is all completely preventable security mechanisms, that could have been easily added years ago by any competent programmer. The fact that they were not in place and mandatory is a fundamental failure of the entire software industry, because 1) this is not a new attack; it has been going on for years, and 2) we are software developers; there is nothing stopping us from fixing it.This is why I continue to insist there needs to be building codes for software, with inspections and fines for not following through. This attack could have been used on tens of thousands of institutions to bring down finance, power, telecommunications, hospitals, military, etc. And the scope of the attacks and their impact will only increase with AI. Clearly we are not responsible enough to write software safely and securely. So we must have a building code that forces us to do it safely and securely. |
|
| ▲ | hombre_fatal 5 days ago | parent | next [-] |
| One thing that's weirdly precarious is how we still have one big environment for personal computing and how it enables most malware. It's one big macOS/Windows/Linux install where everything from crypto wallets to credential files to gimmick apps are all neighbors. And the tools for partitioning these things are all pretty bad (and mind you I'm about to pitch something probably even worse). When I'm running a few Windows VMs inside macOS, I kinda get this vision of computing where we boot into a slim host OS and then alt-tab into containers/VMs for different tasks, but it's all polished and streamlined of course (an exercise for someone else). Maybe I have a gaming container. Then I have a container I only use for dealing with cryptocurrency. And I have a container for each of the major code projects I'm working on. i.e. The idea of getting my bitcoin private keys exfiltrated because I installed a VSCode extension, two applications that literally never interact, is kind of a silly place we've arrived in personal computing. And "building codes for software" doesn't address that fundamental issue. It kinda feels like an empty solution like saying we need building codes for operating systems since they let malware in one app steal data from other apps. Okay, but at least pitch some building codes and what enforcement would look like and the process for establishing more codes, because that's quite a levitation machine. |
| |
| ▲ | chatmasta 5 days ago | parent | next [-] | | macOS at least has some basic sandboxing by default. You can circumvent it, of course – and many of the same people complaining about porous security models would complain even more loudly if they could not circumvent it, because “we want to execute code on our own machine” (the tension between freedom and security). By default, folders like ~/Documents are not accessible by any process until you explicitly grant access. So as long as you run your code in some other folder you’ll at least be notified when it’s trying to access ~/Documents or ~/Library or any other destination with sensitive content. It’s obviously not a panacea but it’s better than nothing and notably better than the default Linux posture. | | |
| ▲ | quotemstr 5 days ago | parent [-] | | > By default, folders like ~/Documents are not accessible by any process until you explicitly grant acces And in a terminal, the principal to which you grant access to a directory is your terminal emulator, not the program you're trying to run. That's bonkers and encourages people to just click "yes" without thinking. And once you're authorized your terminal to access documents once, everything you run in it gets that access. The desktop security picture is improving, slowly and haltingly, for end-user apps, but we haven't even begun to attempt to properly sandbox development workflows. | | |
| ▲ | chatmasta 5 days ago | parent [-] | | Yeah, it does say “Do you want to grant Terminal.app access to ~/Documents?” I agree this should be more granular to the actual process/binary attempting the access. Or at least there should be an option like on iOS, to grant access but “just this once.” That way you know it’s the program you just ran, but you aren’t granting access to any program you execute in the terminal in perpetuity. But I’ve yet to grant it since I treat that prompt as an indication I should move the files I’m trying to access into a different directory. |
|
| |
| ▲ | quotemstr 5 days ago | parent | prev | next [-] | | > One thing that's weirdly precarious is how we still have one big environment for personal computing and how it enables most malware. You're not the only one to note the dangers of an open-by-default single-namespace execution model. Yet every time someone proposes departing from it, he generates resistance from people who've spent their whole careers with every program having unbridled access to $HOME. Even lightweight (and inadequate) sandboxing of the sort Flatpak and Snap do gets turned off the instant someone thinks it's causing a problem. On mobile, we're had containerized apps and they've worked fine forever. The mobile ecosystem is more secure and has a better compatibility story than any desktop. Maybe, after the current old guard retires, we'll be able to replace desktop OSes with mobile ones. | |
| ▲ | vgb2k18 5 days ago | parent | prev | next [-] | | Agreed on the madness of wide open OS defaults, I share your vision for isolation as a first-class citizen.
In the mean-time (for Windows 11 users) theres Sandboxie+ fighting the good fight. I know most here will be aware of its strengths and limitations, but for any who dont (or who forgot about it), I can say its still working just as great on Windows 11 like it did on Windows 7.
While its not great isolating heavy-weight dev environments (Visual Studio, Unreal Engine, etc), its almost perfect for managing isolation of all the small suff (Steam games, game emulators, YouTube downloaders , basic apps of all kinds). | |
| ▲ | Gander5739 5 days ago | parent | prev | next [-] | | Like Qubes? | | |
| ▲ | miggol 5 days ago | parent [-] | | Qubes really is the trailblazer in this regard. You can get pretty close with distroboxes on Linux as well. When a project requires a certain Python version a virtualenv suffices. But when you need a specific Python and NPM version then I might as well make a distrobox. Set a custom home and the project is isolated, speaking only to my IDE over LSP, and also to my web browser I suppose. This only protects the developer themselves of course, but it's a start. |
| |
| ▲ | JdeBP 5 days ago | parent | prev | next [-] | | I am told that the SmartOS people have this sort of idea. * https://wiki.smartos.org | | |
| ▲ | quotemstr 5 days ago | parent [-] | | > SmartOS is a specialized Type 1 Hypervisor platform based on illumos. On Solaris? Why? And why bother with a Type 1 hypervisor? You get the same practical security benefits with none of the compatibility headaches (or the headaches of commercial UNIX necromancy) by containerizing your workloads. You don't need a hypervisor for that. All the technical pieces exist and work fine. You're solving a social problem, not a technical one. |
| |
| ▲ | mayama 5 days ago | parent | prev | next [-] | | flatpak is supposed to address this. Running applications in sandbox. But, with almost all applications wanting access to your HOME, because of convenience, sandbox utility is quiet questionable in most cases. | |
| ▲ | christophilus 5 days ago | parent | prev [-] | | Not if you make podman your default way of isolating projects. |
|
|
| ▲ | Hilift 5 days ago | parent | prev | next [-] |
| 50% of impacted users the vector was VS Code and only ran on Linux and macOS. https://www.wiz.io/blog/s1ngularity-supply-chain-attack "contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in their reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims’ GitHub accounts. "The malware attempted lockout by appending sudo shutdown -h 0 to ~/.bashrc and ~/.zshrc, effectively causing system shutdowns on new terminal sessions. "Exfiltrated data was double and triple-base64 encoded and uploaded to attacker-controlled victim GitHub repositories named s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1, thousands of which were observed publicly. "Among the varied leaked data here, we’ve observed over a thousand valid Github tokens, dozens of valid cloud credentials and NPM tokens, and roughly twenty thousand files leaked. In many cases, the malware appears to have run on developer machines, often via the NX VSCode extension. We’ve also observed cases where the malware ran in build pipelines, such as Github Actions. "On August 27, 2025 9AM UTC Github disabled all attacker created repositories to prevent this data from being exposed, but the exposure window (which lasted around 8 hours) was sufficient for these repositories to have been downloaded by the original attacker and other malicious actors. Furthermore, base64-encoding is trivially decodable, meaning that this data should be treated as effectively public." |
| |
| ▲ | smj-edison 5 days ago | parent [-] | | I'm a little confused about the sudo part, do most people not have sudo behind a password? I thought ~/.bashrc ran with user permissions... | | |
| ▲ | marshray 5 days ago | parent [-] | | My personal belief is that users should not be required type their password into random applications, terminals, and pop-up windows. Of course, login screens can be faked too. So my main user account does not have sudo permissions at all, I have a separate account for that. | | |
| ▲ | 0xbadcafebee 5 days ago | parent [-] | | I'm lazy, so I have sudo and 1P/op gated by biometric. If for some reason biometric doesn't work (which happens a lot in Ubuntu... sigh...) I have a long alt-password that works instead. Otherwise I never type passwords, I only get them from 1P, because they're all complex and unique so I wouldn't remember them anyway. If I get a prompt I wasn't expecting, I cancel it. |
|
|
|
|
| ▲ | delfinom 5 days ago | parent | prev | next [-] |
| >This is why I continue to insist there needs to be building codes for software, with inspections and fines for not following through. This attack could have been used on tens of thousands of institutions to bring down finance, power, telecommunications, hospitals, military, etc. And the scope of the attacks and their impact will only increase with AI. Clearly we are not responsible enough to write software safely and securely. So we must have a building code that forces us to do it safely and securely. Yea, except taps on the glass https://github.com/nrwl/nx/blob/master/LICENSE THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. We can have building code, but the onus is on the final implementer not people sharing code freely. |
|
| ▲ | anon7000 5 days ago | parent | prev | next [-] |
| > You to keep your GitHub tokens/auth in a password manager that requires you to manually authorize unsealing of the token This is a failure of the GH CLI, IMO. If you log into the GH CLI, it gets access to upload repositories, and doesn’t require frequent re-auth. Unlike AWS CLI, which expires every 18hr or something like that depending on the policy. But in either case (including with AWS CLI), it’s simply too easy to end up with tokens in plaintext in your local env. In fact, it’s practically the default. |
| |
| ▲ | madeofpalk 5 days ago | parent [-] | | gh cli is such a ticking time bomb. Anything can just run `gh auth token` and get a token that probably can read + write to all your work code. | | |
| ▲ | awirth 5 days ago | parent [-] | | These tokens never expire, and there is no way for organization administrators to get them to expire (or revoke them, only the user can do that), and they are also excluded from some audit logs. This applies not just to gh cli, but also several other first party apps. See this page for more details: https://docs.github.com/en/apps/using-github-apps/privileged... After discussing our concerns about these tokens with our account team, we concluded the only reasonable way to enforce session lengths we're comfortable with on GitHub cloud is to require an IP allowlist with access through a VPN we control that requires SSO. https://github.com/cli/cli/issues/5924 is a related open feature request | | |
| ▲ | 0xbadcafebee 5 days ago | parent [-] | | That is crazy. See, this is what I'm talking about. It shouldn't even be possible to have services that sensitive with auth tokens that can't expire. |
|
|
|
|
| ▲ | tailspin2019 5 days ago | parent | prev | next [-] |
| I think you’re right. I don’t like the idea of a “building code” for software, but I do agree that as an industry we are doing quite badly here and if regulation is what is needed to stop so many terrible, terrible practices, then yeah… maybe that’s what’s needed. |
|
| ▲ | Perz1val 5 days ago | parent | prev | next [-] |
| What an entitled idea, if you want a guarantee then buy a license. Wanting to hold people accountable for an open source library that you got for free is the same bullshit attitude as google with their hostile developer verification. |
|
| ▲ | 5 days ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | echelon 5 days ago | parent | prev [-] |
| Anthropic and Google do owe this issue serious attention [1], and they need to take actions as a result of this. [1] https://news.ycombinator.com/item?id=45039442 |
