Yeah but so what? A process on your computer could do whatever it wants anyway. The article claims:
> What's novel about using LLMs for this work is the ability to offload much of the fingerprintable code to a prompt. This is impactful because it will be harder for tools that rely almost exclusively on Claude Code and other agentic AI / LLM CLI tools to detect malware.
But I don't buy it. First of all the prompt itself is still fingerprintable, and second it's not very difficult to evade fingerprinting anyway. Especially on Linux.
It's not a SEV0 for LLM providers. If you already have code execution on some system, you've lost already, and whatever process the malware happens to start next is not at fault.
Any postinstall script can add anything to your bashrc. I sometimes wonder how the modern world hasn't fallen apart yet.
I don't think this solves the world, but as a quick fix for this particular exploit I ran:
sudo chattr +i "$HOME/.shrc"      # +i sets the immutable attribute (-i would clear it)
sudo chattr +i "$HOME/.profile"
to make them immutable. I also added:
alias unlock-shrc="sudo chattr -i $HOME/.shrc"
alias lock-shrc="sudo chattr +i $HOME/.shrc"
to my profile to make it a bit easier to lock/unlock.
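As an added example (not from the commenter above), the same idea turned into a small audit script: it parses `lsattr` output for the usual shell startup files and reports which ones carry the immutable flag, with lock/unlock helpers alongside. The file list in STARTUP_FILES and the function names are my own choices, and the sample `lsattr` lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: audit shell startup files for the ext2/3/4 immutable attribute.
# Assumes Linux with lsattr/chattr (e2fsprogs); the file list is a guess at
# common startup files, not anything the thread specifies.

STARTUP_FILES=".bashrc .profile .shrc .zshrc .bash_profile"

# Return 0 if an lsattr attribute field (e.g. "----i---------e-------",
# constructed sample) contains the immutable flag 'i'.
attrs_immutable() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Classify one full lsattr output line ("<attrs> <path>") as
# "immutable <path>" or "mutable <path>". Only the attribute field is
# inspected, so an 'i' in the path itself does not count.
classify_lsattr_line() {
    attrs=${1%% *}
    path=${1#* }
    if attrs_immutable "$attrs"; then
        printf 'immutable %s\n' "$path"
    else
        printf 'mutable %s\n' "$path"
    fi
}

# Walk the real startup files in $HOME. lsattr fails on filesystems without
# extended attributes, so such files are reported as "unsupported" rather
# than silently treated as mutable.
audit_startup_files() {
    for f in $STARTUP_FILES; do
        p="$HOME/$f"
        [ -f "$p" ] || continue
        if line=$(lsattr -- "$p" 2>/dev/null); then
            classify_lsattr_line "$line"
        else
            printf 'unsupported %s\n' "$p"
        fi
    done
}

# Setting or clearing the flag needs CAP_LINUX_IMMUTABLE, hence sudo.
lock_startup_file()   { sudo chattr +i -- "$1"; }
unlock_startup_file() { sudo chattr -i -- "$1"; }
```

Run `audit_startup_files` to see the current state. The flag only helps against installers and postinstall hooks running as your unprivileged user: anything that already runs as root can clear it with the same `chattr -i` the unlock alias uses, so it is a speed bump for the "append to your rc file" pattern, not a general defence.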
Realistically, how many times has this happened in, e.g., Homebrew? Hard to be worried, tbh.
Yes. It's a whole new attack vector.
This should be a SEV0 at Google and Anthropic and they need to be all-hands in monitoring this and communicating this to the public.
Their communications should be immediate and fully transparent.
It 100% is, and I posted my rationale here [1]. I would stake my reputation on this being the appropriate stance.
[1] https://news.ycombinator.com/item?id=45039442
While this feels obvious once it's pointed out, I don't think many people have considered it or its implications.
Edit: Was not supposed to create a flamewar about semantics...
If that's your definition then most of modern software is an RCE. Mac OS X is also an RCE, so is Windows 11, Chrome, etc.
It’s not an RCE, it is a supply chain attack.
It's an RCE delivered via a supply chain attack.
Ah, I didn't know that Claude Code has a headless mode...
Even before AI the authors could have embedded shells in their software and manually done the same thing. This changes surprisingly little.