Malicious versions of Nx and some supporting plugins were published
New attack pattern: malware + LLM agents
- Malicious Nx/npm packages used postinstall scripts to scan for wallets, SSH keys, env files, etc., then exfiltrated results to new public repos under the victim’s own GitHub account.
- Novel twist: instead of shipping a large scanning payload, the malware used Claude Code/Gemini CLI prompts to do the filesystem reconnaissance, keeping the malicious logic in the prompt rather than code.
- Some see this as “living off the land” with LLMs: reuse a trusted, already‑authorized local agent instead of embedding new tooling.
Debate over LLM vendor responsibility
- One camp says this is effectively a SEV0 for LLM vendors: they control a monitored, server‑side API and should detect/score adversarial prompts, shut down abusive accounts, notify victims, and collaborate with law enforcement.
- Others argue the LLM here is just another interpreter like Python or Bash: once malware has code execution, the LLM is not uniquely culpable. Blocking “bad prompts” is seen as both hard and conceptually similar to requiring compilers to refuse malicious programs.
- Confusion over Claude Code’s permissions (and flags like --dangerously-skip-permissions) reinforces calls for clearer vendor communication and safer defaults.
Supply-chain & dependency culture
- Many comments blame the npm / language‑level dependency model: trivial to pull in huge, unreviewed graphs; postinstall hooks give instant RCE.
- Strong push to “think twice” before adding dependencies, especially for trivial utilities (e.g., progress bars), with some using LLMs to generate small, auditable snippets instead.
- Others stress the tradeoff: avoiding dependencies entirely is unrealistic; the real problem is transitive depth, lack of pinning, and absence of vetting.
Sandboxing, VMs, and OS security limits
- Widespread sentiment: do development inside VMs or containers, with only the project directory shared; some run editors and even Claude Code entirely inside the sandbox.
- Qubes OS, secureblue, podman/probox, bubblewrap, firejail, and Flatpak are discussed as isolation layers, with disagreement on how much security containers actually add.
- Multiple critiques of the traditional desktop security model where any process under your user can read all your data; comparisons to Android/iOS app sandboxing and calls for finer‑grained, usable isolation on PCs.
Ecosystem mitigations and tooling
- Suggestions: disable npm scripts by default (ignore-scripts), prefer pnpm/Bun (which gate lifecycle scripts), restrict Nx/npm within sandboxes, and use tools like vet, cargo-vet, internal registries (Verdaccio), and min‑age gates in Dependabot/Renovate.
- For CI and GitHub: pin actions and images by hash, avoid pull_request_target with write tokens, require MFA, ephemeral tokens, and artifact/code signing.
- One thread argues for “software building codes” with regulatory enforcement, given the systemic nature and potential national‑infrastructure impact of such supply‑chain attacks.