Remix.run Logo
chrisjj 3 hours ago

> Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment.

Got to wonder why trusted repositories are excluded...

dalemhurley 3 hours ago | parent [-]

Except it might come from a trusted repo. Some of the biggest repos have been recently targeted in supply chain attacks. Consider for a moment

1. Attacker takes over maintenance of a widely used Cursor extension

2. Attacker adds a remote backdoor to monitor which repos are being maintained

3. Attacker decides to only infect the largest one with a git commit hook

4. The developer didn’t even know they just included git.exe in their commit

5. The developer is a sole maintainer on the repo and merges their own PR without review (because they(/their AI) wrote it)

6. Now a trusted repo is infected

7. A contributor pulls down the infected repo and opens cursor