Hacker News: ffemachttps://news.ycombinator.com/user?id=ffemacHacker News RSShttps://hnrss.org/hnrss v2.1.1Wed, 03 Jun 2026 20:24:53 +0000<![CDATA[New comment by ffemac in "1-Click GitHub Token Stealing via a VSCode Bug"]]>True, but security breach inside a sandbox/container can cause serious damage too(stealing your code/data/keys, spreading via your code/release etc). And containers aren't for security anyway(e.g. Copy Fail breaching to host https://xint.io/blog/copy-fail-pod-to-host)

]]>Wed, 03 Jun 2026 14:00:05 +0000https://news.ycombinator.com/item?id=48384218ffemachttps://news.ycombinator.com/item?id=48384218https://news.ycombinator.com/item?id=48384218<![CDATA[New comment by ffemac in "1-Click GitHub Token Stealing via a VSCode Bug"]]>> malicious-NPM-package-of-the-week

This is going to get worse and worse. I recently noticed AI harness (e.g. OpenCode) downloading random npm packages in the background and litter them everywhere in a few place in ~ and in your project dir, all without telling/asking you.

What's worse is that people don't seem to care even the devs.

]]>Wed, 03 Jun 2026 08:04:40 +0000https://news.ycombinator.com/item?id=48381254ffemachttps://news.ycombinator.com/item?id=48381254https://news.ycombinator.com/item?id=48381254<![CDATA[New comment by ffemac in "1-Click GitHub Token Stealing via a VSCode Bug"]]>I looked into Zed because popular harness (OpenCode/KiloCode) just random downloads npm packages in the background and didn't tell you. But then I found out reports of Zed doing the same. Why we can't have nice things?

]]>Wed, 03 Jun 2026 07:57:01 +0000https://news.ycombinator.com/item?id=48381188ffemachttps://news.ycombinator.com/item?id=48381188https://news.ycombinator.com/item?id=48381188<![CDATA[New comment by ffemac in "Malicious npm packages detected across Red Hat Cloud Services"]]>No, it will stop working. The whole point of min age is letting someone else taste the food before you, so you are not poisoned. (except maybe scanners but they can't detect everything and the payloads will highly likely to remain dormant when it detected it's within a scanning env).

BTW it will only get much worse because popular AI coding harness (e.g. OpenCode/KiloCode) will just download random npm packages in the background without you knowing. And the devs don't care.

]]>Mon, 01 Jun 2026 21:30:04 +0000https://news.ycombinator.com/item?id=48362911ffemachttps://news.ycombinator.com/item?id=48362911https://news.ycombinator.com/item?id=48362911<![CDATA[New comment by ffemac in "Malicious npm packages detected across Red Hat Cloud Services"]]>Exactly, popular AI coding harness (OpenCode/KiloCode) downloads random npm packages in the background without you knowing. What's worse is the devs don't care.

]]>Mon, 01 Jun 2026 21:21:46 +0000https://news.ycombinator.com/item?id=48362811ffemachttps://news.ycombinator.com/item?id=48362811https://news.ycombinator.com/item?id=48362811<![CDATA[New comment by ffemac in "Malicious npm packages detected across Red Hat Cloud Services"]]>It will only get much worse because popular AI coding harness (OpenCode/KiloCode) will just download random npm packages in the background without you knowing. And the devs don't care.

Setting min age is useless if everyone is doing it. The whole point of setting min age is make someone else take the bait before you.

]]>Mon, 01 Jun 2026 21:18:39 +0000https://news.ycombinator.com/item?id=48362783ffemachttps://news.ycombinator.com/item?id=48362783https://news.ycombinator.com/item?id=48362783