haute_cuisine | 3 hours ago
Please, someone explain how it's possible to add an obfuscated file to so many repositories? Don't they have any code reviews? Also, the title is misleading: setup adds config to be auto-executed by people who work on the repo. They would have to use vscode/cursor/claude/gemini. People who use codex / opencode / other harnesses are safe, I guess. Details: https://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-...
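A review-side check for the class of change the comment above describes, added here as an illustration and not part of the thread or of the linked write-up: repo files that editor or agent tooling (VS Code, Cursor, Claude Code, Gemini) reads and may act on when a project is opened. The VS Code `tasks.json` setting `runOptions.runOn: "folderOpen"` is a documented auto-run feature; the other watched paths and the obfuscation heuristic are assumptions about where those tools look and what a suspicious command tends to contain, and all sample inputs are constructed.

```python
"""Flag pull-request changes to editor/agent config files that can run
automatically when a repository is opened.

Added example; the watchlist and the heuristic are assumptions, not a
complete catalogue of what any tool executes."""
import json
import re

# Constructed watchlist (assumption): config locations read by the tools
# named in the thread. A change here should not be auto-approved.
WATCHED_PATHS = (
    re.compile(r"^\.vscode/(tasks|settings)\.json$"),
    re.compile(r"^\.cursor/"),
    re.compile(r"^\.claude/settings(\.local)?\.json$"),
    re.compile(r"^\.gemini/settings\.json$"),
)


def flag_changed_paths(changed_paths):
    """Return the changed paths that match the watchlist, in input order."""
    return [p for p in changed_paths if any(rx.search(p) for rx in WATCHED_PATHS)]


def folder_open_tasks(tasks_json_text):
    """Parse a VS Code tasks.json (JSONC: full-line // comments allowed) and
    return (label, command) for every task with runOptions.runOn == folderOpen."""
    text = re.sub(r"^\s*//.*$", "", tasks_json_text, flags=re.M)
    data = json.loads(text)
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return hits


def looks_obfuscated(command):
    """Heuristic (assumption): a long base64-looking blob, or an eval/decode
    step, in a task command is a strong reason to escalate to a human."""
    blob = re.search(r"[A-Za-z0-9+/=]{40,}", command)
    decode = re.search(r"\b(eval|atob|base64\s+-d)\b", command)
    return bool(blob or decode)


def review_pr(changed_paths, file_contents):
    """Run the checks over one PR. file_contents maps path -> new file text."""
    findings = []
    for path in flag_changed_paths(changed_paths):
        findings.append(f"{path}: editor/agent config changed, needs human review")
        if path == ".vscode/tasks.json" and path in file_contents:
            for label, command in folder_open_tasks(file_contents[path]):
                severity = "HIGH" if looks_obfuscated(command) else "MEDIUM"
                findings.append(
                    f"{path}: task '{label}' runs on folder open [{severity}]: {command[:60]}"
                )
    return findings


# Constructed sample PR: one benign source change plus two config changes.
SAMPLE_CHANGED = ["src/app.py", ".vscode/tasks.json", ".claude/settings.json", "README.md"]

# Constructed tasks.json; the blob decodes to two harmless console.log calls.
SAMPLE_TASKS = """{
  // constructed sample for this example
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "sh -c 'echo Y29uc29sZS5sb2coJ2hpJyk7Y29uc29sZS5sb2coJ2hpJyk7 | base64 -d'",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for line in review_pr(SAMPLE_CHANGED, {".vscode/tasks.json": SAMPLE_TASKS}):
        print(line)
```

In a CI job the changed-path list comes from the PR's diff and the file text from the head commit; a non-empty `review_pr` result is the signal to block auto-merge and require a named human reviewer, which is exactly the gate the comment asks about.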
axegon_ | 3 hours ago
> Don't they have any code reviews?

I have a good friend that works for one of the giants (I can't say which one for obvious reasons, but S&P 500). He's been working there for quite a while now; so far he hasn't seen what the project he works on looks like, has the repo cloned and knows what language is used, but nothing beyond that. Everything is slopped together. His project is the authentication and authorization system for all the company products. In his own words: "I hit Tab all day long and write 'this is intended' in the reviews, which are all AI, there is no human in the loop. This is what we are told to do by the CEO and CTO, unironically. If something breaks, no one knows how any of this works since no one has seen the actual code. Our performance reviews are based on how many tokens we've used, not what we have done." I suspect this is the case in many companies now, so it's not unreasonable to think that there are no actual code reviews.
ianmarcinkowski | 36 minutes ago
Coworker seriously asked "since we're generating most of our code now, who is actually reading all of the code?" We're at a small company, but the urge to trust The Oracle is almost spiritual with some people, IMHO. I read 90%+ of the code I generate by reviewing it like I would a junior developer. I'm heavily vibe-coding a new feature right now and it's going to get a thorough reading as soon as GitHub's PRs start working again.
vorticalbox | 3 hours ago
If an account with the ability to push to the repo was taken over, there wouldn't be any PR review.