Vulnerable Claude code in GitHub action led to stolen NPM keys (github.com)
from qqq@lemmy.world to programming@programming.dev on 28 Aug 00:22
https://lemmy.world/post/35100711

Seems like a ton (over 1k) of people were affected because of an auto-updating VS Code extension. Check your bashrc/zshrc and GitHub account if you use nx.

#programming

Solemarc@lemmy.world on 28 Aug 02:36

This doesn’t look like a Claude issue or an AI issue, this looks like someone pushed malicious code to a repo and they were trying to make AI tools ignore these files? I’m not reading this wrong, am I?

qqq@lemmy.world on 28 Aug 03:01

The command injection in the GitHub action code was written by Claude[1]. That was used to get the NPM key and then malware was pushed to NPM.

[1] github.com/nrwl/nx/pull/32458
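
Added example, not part of the thread and not code from the nx repository: a small check for the kind of command injection the last comment refers to, flagging `${{ }}` expressions that paste attacker-controllable event fields into a workflow's `run:` script. It assumes the common form of this bug (untrusted context interpolated into shell); the names `find_injections` and `SAMPLE` and the sample workflow are constructed for illustration.

```python
import re

# Contexts an outside contributor controls (a subset of GitHub's hardening list).
UNTRUSTED = re.compile(
    r"github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body|head_commit\.message))")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_number, context) for untrusted ${{ }} inside run: scripts."""
    findings = []
    block_col = None  # column of the active `run:` key, None when outside one
    for num, line in enumerate(workflow_text.splitlines(), start=1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            block_col = len(m.group(1)) + len(m.group(2) or "")
            script = m.group(3)
        elif block_col is not None and (not line.strip() or indent > block_col):
            script = line  # continuation of a multi-line run block
        else:
            block_col = None
            continue
        for expr in EXPR.findall(script):
            hit = UNTRUSTED.search(expr)
            if hit:
                findings.append((num, hit.group(0)))
    return findings

# Constructed sample workflow, not taken from the nx repository.
SAMPLE = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, title is pasted into the shell script
        run: |
          echo "Validating ${{ github.event.pull_request.title }}"
      - name: safer, title arrives as data in an environment variable
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Validating $PR_TITLE"
"""

if __name__ == "__main__":
    for num, ctx in find_injections(SAMPLE):
        print(f"line {num}: {ctx} interpolated into a run script")
```

Only the first step is reported: the second passes the same field through `env:`, so the shell receives it as data rather than as script text.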