Back to News
Advertisement

ddonohoe about 3 hours ago 0 comments

ES version is available. Content is displayed in original English for accuracy.

Advertisement

⚡ Community Insights

Discussion Sentiment

67% Positive

Analyzed from 297 words in the discussion.

Trending Topics

#post#vscode#access#slop#chain#llm#real#sure#everything#something

Discussion (0 Comments)Read Original on HackerNews

himata4113about 2 hours ago
I honestly can't even tell if it's real. Like sure everything looks correct, but I just can't shake the feeling that this is just something picked up from reddit and turned into a story.

Either way the prevalence of these is so widespread that you can no longer avoid it by being "smart". Sandbox everything, run vscode in a limited-access box and use the remote development features vscode already has. Run it on another machine if you can.

Use hardware keys (yubikey, token2). Use socket-based authentication. It's hard and a worse dx experience, but there really isn't any other way unless you never touch public libraries or don't use vscode. At bare minimum use a simple jail such as bwrap to strip access to most of the sensitive credentials and limit persistant access.

--

This is probably a hallucinated story based on a real incident. (another post by same author: https://medium.com/bean-bag-scientist/report-01-running-a-fu...)

rebane2001about 2 hours ago
this reads like slop
entropeabout 2 hours ago
It is hard to have much sympathy for someone who complains about seeing a Git commit they never made but presumably clicked "publish" for a blog post that says "a North Korea-aligned group who targets software developers specifically. Not banks. Not hospitals. Devs." Supply chain security is a huge concern nowadays, and JavaScript in config/build-chain files is a sadly long-lived threat vector against a supply chain.
egypturnashabout 2 hours ago
Imagine:

You are a programmer who is all-in on LLM code generation. You get so much written every day! Hundreds of thousand lines of code, and you barely lifted a finger. But... your LLMs are trained on the entirety of Github.

How many repos on there are full of trojans and viruses? How do you know that your super-productive LLM isn't copying those instead of the canonical version of whatever frameworks it's building?

One day you find one. You write a blog post about it. Or, rather, the vague outline of a post. You make an LLM flesh it out, of course. You barely lift a finger.

Teknomadixabout 2 hours ago
"I want to be honest about something..." This definitely reads like SLOP. It has got all those unmistakable formulations, patterning of certain phrases and lead in sentences. The signatures of slop.
LoganDarkabout 2 hours ago
Sure does.