Just absolutely no regard for security at all.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye If we didn't learn from the left pad incident, we never will. This is just a new payload for an existing threat vector.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye This is the real "we're cooked"
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye While the whole situation from AI injection down to 'packages can postinstall global packages' is a series of bad to insane decisions, the only thing I really don't understand is ... why install openclaw on machines? Was this trying to achieve something or just show it was possible?
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye could you share the source? Thanks in advance
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
“the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate cline@2.2.3 release.
A corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.”https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7
-
“the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate cline@2.2.3 release.
A corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publishing now uses OIDC provenance via GitHub Actions.”https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7
I didn’t know about using “OpenID Connect (OIDC) to authenticate GitHub Actions” and wonder how many surfaces it closes and whether it opens new surfaces?
-
@mhoye While the whole situation from AI injection down to 'packages can postinstall global packages' is a series of bad to insane decisions, the only thing I really don't understand is ... why install openclaw on machines? Was this trying to achieve something or just show it was possible?
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
-
@mhoye could you share the source? Thanks in advance
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye
Could you provide a source URL to this? -
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
-
@mhoye
Could you provide a source URL to this? -
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
FFS.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it -
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye postinstall was probably the worst thing added to npm - it's been there since the start with absolutely no effort to secure it or remove it
-
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it@feld "they deserved it" is a childish, bullshit response to systemic problems.
-
