A popular NPM package got compromised; attackers updated it to run a post-install script that steals secrets. But the script is a *prompt* run by the user's installation of Claude Code. This avoids it being detected by tools that analyze code for malware. You just got vibepwned.
This looks to be one of the first documented cases of malware that tries to coerce an AI installed on your system to pwn you.
Read more here: stepsecurity.io/blog/supply-ch… And here: semgrep.dev/blog/2025/secu…
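The thread's point is that the payload is natural language handed to an agent CLI, so a scanner that looks for malicious JavaScript in the package sees nothing suspicious. What a defender can still check is *which binaries* the install-time lifecycle hooks invoke. The audit below is an added example written for this post; it is not code from the thread, from the compromised package, or from npq. It reads a package.json, walks the hooks npm runs automatically during `npm install`, and reports any command that executes an AI agent CLI, directly or through `npx`. The `claude` binary is the one the thread names; the other agent names, the sample package.json contents and the `.agent-prompt.txt` file are constructed for illustration.

```python
"""Flag npm lifecycle hooks that hand control to an AI coding agent.

Added example (not from the thread or from npq). Heuristic: parse each
install-time hook as a shell one-liner and check the program it launches.
"""
import json
import re
import shlex

# Hooks npm executes automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Agent CLIs that accept free-text instructions. "claude" comes from the
# thread; the remaining names are assumed for illustration.
AGENT_BINARIES = {"claude", "codex", "gemini", "aider"}

# Package runners that resolve and execute an arbitrary package binary.
RUNNERS = {"npx", "pnpx", "bunx"}

# Leading `FOO=bar` assignments in a shell command are not the program name.
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def _commands(script: str):
    """Split a shell one-liner on &&, ||, ; and | into single commands.

    Splitting ignores quoting, so a ';' inside a string also splits; for a
    triage heuristic that only produces extra (harmless) fragments.
    """
    for part in re.split(r"\s*(?:&&|\|\||;|\|)\s*", script):
        part = part.strip()
        if part:
            yield part


def _invoked_binary(command: str):
    """Return the basename of the program a single command runs, or None."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: treat the command as opaque
        return None
    # Skip leading environment assignments such as `CI=1 cmd ...`.
    i = 0
    while i < len(tokens) and ENV_ASSIGN.match(tokens[i]):
        i += 1
    tokens = tokens[i:]
    if not tokens:
        return None
    binary = tokens[0].rsplit("/", 1)[-1]
    if binary in RUNNERS:
        # `npx [flags] <package> ...`: the package is the first non-flag token.
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                binary = tok.rsplit("/", 1)[-1]
                break
    return binary


def audit_package_json(text: str) -> list:
    """Return one finding per lifecycle command that launches an agent CLI."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        for command in _commands(script):
            binary = _invoked_binary(command)
            if binary in AGENT_BINARIES:
                findings.append({"hook": hook, "binary": binary, "command": command})
    return findings


# Constructed samples: a hook that reads a prompt file and feeds it to the
# local agent, and an ordinary native-build/husky setup for comparison.
SAMPLE_SUSPICIOUS = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {
        "postinstall": 'node scripts/setup.js && claude "$(cat .agent-prompt.txt)"',
        "test": "jest",
    },
})
SAMPLE_BENIGN = json.dumps({
    "name": "native-pkg", "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild", "prepare": "husky install"},
})

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_SUSPICIOUS):
        print(f"[{finding['hook']}] launches {finding['binary']}: {finding['command']}")
    print("benign findings:", audit_package_json(SAMPLE_BENIGN))
```

Run it against a downloaded tarball's package.json before installing (`npm pack` fetches without running scripts), or pair it with `npm install --ignore-scripts` so hooks never execute until they have been reviewed. Name matching is a coarse signal and misses an agent invoked from a separate `.js` file, so it complements, rather than replaces, the provenance checks npq performs.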
@zack_overflow Well, if you had used npq it would've alerted you to bad signals like provenance missing from the release and other red flags: github.com/lirantal/npq
@zack_overflow @elder_plinius feels like u could have invented this one
@zack_overflow @threadreaderapp please unroll for wayback machine archival