8 points by donohoe 2 hours ago | 2 comments
  • himata4113 2 hours ago
    I honestly can't even tell if it's real. Like, sure, everything looks correct, but I just can't shake the feeling that this is just something picked up from reddit and turned into a story.

    Either way, the prevalence of these is so widespread that you can no longer avoid it by being "smart". Sandbox everything, run vscode in a limited-access box and use the remote development features vscode already has. Run it on another machine if you can.

    Use hardware keys (yubikey, token2). Use socket-based authentication. It's hard and a worse dx experience, but there really isn't any other way unless you never touch public libraries or don't use vscode. At bare minimum use a simple jail such as bwrap to strip access to most of the sensitive credentials and limit persistent access.

    --

    This is probably a hallucinated story based on a real incident. (another post by same author: https://medium.com/bean-bag-scientist/report-01-running-a-fu...)
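
A worked version of the bwrap jail the comment above recommends. This is an added example, not code from the thread or from any project it mentions: the comment only says to use bwrap to strip credential access, so the mount layout, the `sandboxed-editor` config directory name and the helper names (`sandbox_args`, `sandbox_exposes`, `sandbox_run`) are my assumptions. The bwrap options used are real ones. The approach is to give the jail a read-only view of the OS and an empty tmpfs as HOME, then bind in only the project tree and one directory for editor state, so that credential files in the real HOME are simply absent rather than "protected".

```shell
#!/bin/sh
# Minimal bubblewrap (bwrap) jail for an editor such as VS Code.
# Added example; the layout below is an assumption, not something the thread specifies.
#
# Idea: the jail sees the OS read-only and a fresh tmpfs as HOME, into which only
# the project tree and one dedicated editor config directory are bound. Anything
# else in the real HOME (~/.ssh, ~/.aws, ~/.gnupg, ~/.npmrc, browser profiles, ...)
# does not exist inside the jail, so a malicious postinstall script or extension
# cannot read it. Networking stays shared so remote-development features work.
set -eu

# Print the bwrap argument list for PROJECT (absolute path), one argument per line.
# Kept side-effect free so the mount plan can be inspected without bwrap installed.
sandbox_args() {
    project=$1
    home=${HOME:?HOME must be set}
    cfg=${XDG_CONFIG_HOME:-$home/.config}/sandboxed-editor   # assumed name for persisted editor state

    printf '%s\n' \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --tmpfs "$home" \
        --bind "$project" "$project" \
        --bind "$cfg" "$cfg" \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --new-session \
        --setenv HOME "$home" \
        --chdir "$project"

    # /lib, /lib64, /bin, /sbin are symlinks into /usr on merged-usr distros;
    # recreate them as symlinks there, bind them read-only elsewhere.
    for d in /lib /lib64 /bin /sbin; do
        [ -e "$d" ] || continue
        if [ -L "$d" ]; then
            printf '%s\n' --symlink "$(readlink "$d")" "$d"
        else
            printf '%s\n' --ro-bind "$d" "$d"
        fi
    done
}

# Exit 0 if the plan for PROJECT binds PATH (or a parent of it) into the jail,
# 1 if PATH would be invisible. Used to check that credential files stay out.
sandbox_exposes() {
    sandbox_args "$1" | awk -v p="$2" '
        $0 == "--bind" || $0 == "--ro-bind" { want = 2; next }
        want == 2 { src = $0; want = 1; next }
        want == 1 { want = 0; if (p == src || index(p, src "/") == 1) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Launch COMMAND... inside the jail with PROJECT as the only writable project path.
sandbox_run() {
    project=$(cd "$1" && pwd -P); shift
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
    mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/sandboxed-editor"
    # Split the plan on newlines only, so paths containing spaces survive.
    oldifs=$IFS; IFS='
'
    # shellcheck disable=SC2046
    set -- $(sandbox_args "$project") "$@"
    IFS=$oldifs
    exec bwrap "$@"
}

# Usage: ./sandbox.sh ~/src/myproject code --wait .
if [ "$#" -gt 0 ]; then
    sandbox_run "$@"
fi
```

Two caveats a practitioner will hit. First, nothing from the real HOME is bound, which includes `$SSH_AUTH_SOCK` if your agent socket lives there; if you deliberately bind an agent socket into the jail, the jail can sign with your keys, and a hardware key that requires a touch per operation is what makes that tolerable, which is the point of the comment's hardware-key advice. Second, `--tmpfs /tmp` hides the X11 socket and `$XDG_RUNTIME_DIR` is not bound at all, so a GUI editor needs the display socket added explicitly (for example `--ro-bind /tmp/.X11-unix /tmp/.X11-unix` after the tmpfs line, or the Wayland socket under `$XDG_RUNTIME_DIR`); the example leaves that out so that the default plan exposes as little as possible. `--new-session` blocks TIOCSTI-style injection into the parent terminal but also detaches the jail from the controlling terminal, so run terminal-based tools through the editor's own terminal rather than expecting job control from the launching shell.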

  • rebane2001 2 hours ago
    this reads like slop
    • entrope an hour ago
      It is hard to have much sympathy for someone who complains about seeing a Git commit they never made but presumably clicked "publish" for a blog post that says "a North Korea-aligned group who targets software developers specifically. Not banks. Not hospitals. Devs." Supply chain security is a huge concern nowadays, and JavaScript in config/build-chain files is a sadly long-lived threat vector against a supply chain.
    • egypturnash an hour ago
      Imagine:

      You are a programmer who is all-in on LLM code generation. You get so much written every day! Hundreds of thousands of lines of code, and you barely lifted a finger. But... your LLMs are trained on the entirety of GitHub.

      How many repos on there are full of trojans and viruses? How do you know that your super-productive LLM isn't copying those instead of the canonical version of whatever frameworks it's building?

      One day you find one. You write a blog post about it. Or, rather, the vague outline of a post. You make an LLM flesh it out, of course. You barely lift a finger.

    • Teknomadix an hour ago
      "I want to be honest about something..." This definitely reads like SLOP. It has got all those unmistakable formulations, patterning of certain phrases and lead in sentences. The signatures of slop.
    • LoganDark 2 hours ago
      Sure does.