> a RCE vulnerability is the type of thing that nation state actors in Russia and North Korea dream of

Does this mean other state actors are beyond needs of RCE vulns as their tools belt and North Korea and Russia lagging behind? Some other interpretation from security-involved practitioners here - like, I don't know - we already have Pegasus, phew on OpenCode RCE?

I don't know if I missed something, but this CVE isn't that major as it was suggested to be? For one it had to originate from app.opencode.com and even if it didn't most (good) browsers block websites from probing localhost. Yes it is still a pretty bad CVE, but not as critical as some might suggest.

Great write up.

These local agents that you spawn and give access to your drive are kind of insane to me.

It's at the level of

     /bin/bash -c "$(curl -fsSL https://somescriptofftheinternet

which you cannot inspect, and may be well different every time you interact with it!

As per usual, being at the forefront of the tech world is leaving behind privacy and security in the dust... until something bad happens.

The one thing here confusing to me is the past tense used throughout. This CVE seems presented as both past and present, yet the present evidence isn't... Presented.