Nobody should do 'npm install' or 'pip install' on their machine.

Using proper sandboxing (https://github.com/ashishb/amazing-sandbox) regularly will drastically limit the blast radius of these attacks.

Docker isn’t a serious sandboxing strategy
> https://github.com/ashishb/amazing-sandbox

Does your Docker backend run commands in rootless containers? I skimmed the code but didn't see anything to confirm this.

Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
> Nobody should do 'npm install' or 'pip install' on their machine.

What alternative do you suggest?

Do you mean not install outside a sandbox?
