Run Claude Code in a locked down container or VM that has no access to sensitive data, and review all of the code it commits?

Conceivably couldn’t a post install script be used for the malicious dependency to install its own instance of Claude code (or similar tool)?

In which case you couldn’t really separate your dev environment from a hostile LLM.

	▲	christophilus 5 days ago \| parent \| next [-]
		I run npm in the container, too, along with my dev tooling. They’d have to break out of the container, which I’m sure is possible, but is a good bit harder than just running an arbitrary nom script.
	▲	anon7000 5 days ago \| parent \| prev [-]
		Yes, though the attackers would have to pay for an account. In this case, it’s using a pre-installed, pre-authorized tool, using your own credits to hack you

As a separate locked-down user would probably also work.