A popular NPM package got compromised, attackers updated it to run a post-install script that steals secrets But the script is a *prompt* run by the user's installation of Claude Code. This avoids it being detected by tools that analyze code for malware You just got vibepwned
This looks to be one of the first documented case of malware which tries to coerce AI installed on your system to pwn you
Read more here: stepsecurity.io/blog/supply-ch… And here: semgrep.dev/blog/2025/secu…
@zack_overflow hackers said: fuck it, i don't want to debug that powershell.exe bullshit
@zack_overflow incredibly funny though. i think i want to pay them just for the laugh
@zack_overflow nbcnews.com/tech/security/… Also wild … this is going to be more and more prevalent. Agentic ai 🤖 army of malicious scammer bots , malware spreaders ect. It’s coming and coming fast.💨