Remix clone Hacker News

new | show | ask | jobs Github

	▲	gus_ an hour ago
		In this case, this has nothing to do with reverse engineering, it's basic system administration. See how the AI points you in the "right" direction: `What likely happened: The exec(base64.b64decode('...')) pattern is not malware — it's how Python tooling (including Claude Code's Bash tool) passes code snippets to python -c while avoiding shell escaping issues.` Any base64 string passed to python via cmdline should be considered as HIGHLY suspicious, by default. Or anything executed from /tmp, /var/tmp, /dev/shm. `Exfiltrates data to https://models.litellm.cloud/ encrypted with RSA` if @op would have had Lulu or LittleSnitch installed, they would probably have noticed (and blocked) suspicious outbound connections from unexpected binaries. Having said this, uploading a binary to Claude for analysis is a different story.