Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
simonw 5 hours ago

Turns out it's a full Linux container run using Apple's Virtualization framework: https://gist.github.com/simonw/35732f187edbe4fbd0bf976d013f2...

Update: I added more details by prompting Cowork to:

> Write a detailed report about the Linux container environment you are running in

https://gist.github.com/simonw/35732f187edbe4fbd0bf976d013f2...

turnsout 5 hours ago | parent [-]

Honestly it sounds like they went above and beyond. Does this solve the trifecta, or is the network still exposed via connectors?

simonw 3 hours ago | parent [-]

Looks like the Ubuntu VM sandbox locks down access to an allow-list of domains by default - it can pip install packages but it couldn't access a URL on my blog.

That's a good starting point for lethal trifecta protection but it's pretty hard to have an allowlist that doesn't have any surprise exfiltration vectors - I learned today that an unauthenticated GET to docs.google.com can leak data to a Google Form! https://simonwillison.net/2026/Jan/12/superhuman-ai-exfiltra...

But they're clearly thinking hard about this, which is great.