I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and broader supply chain. One of the modules covers this exact scenario, it's amazing how many people do these exercises on corporate machines let alone their personal device!<p>There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from linked in.<p>Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.<p>[0] - <a href="https://deno.com/blog/deno-protects-npm-exploits" rel="nofollow">https://deno.com/blog/deno-protects-npm-exploits</a> and <a href="https://docs.deno.com/runtime/fundamentals/security/" rel="nofollow">https://docs.deno.com/runtime/fundamentals/security/</a><p>[1] - <a href="https://bun.com/docs/pm/lifecycle" rel="nofollow">https://bun.com/docs/pm/lifecycle</a><p>[2] - <a href="https://pnpm.io/supply-chain-security" rel="nofollow">https://pnpm.io/supply-chain-security</a><p>[2] - https://
I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
This type of attack is going on for few years now. I had 2 in my credit.<p>Some details <a href="https://freebird.in/malicious-code-source-code-shared-via-job-offers-business-offers/" rel="nofollow">https://freebird.in/malicious-code-source-code-shared-via-jo...</a>
Wow, this is pretty scary. LLMs have made phishing attempts look so much more legit, and the damage they can do so much greater.
All these mid sentence questions in parentheses look so unprofessional to me.