It's a continuation of the Shai-Hulud worm and the lack of security around developer dependency installations, which has existed for a very long time.
Hackers have figured out that developers themselves are an ideal target due to how easy it is to trick them into installing something and how much private information they have on their machines (creds, cloud clis, mcps, etc.).
You have tools from large corporations where the official installation procedure involves copy-pasting a command from a random blog post, running it with sudo and watching it download and execute a script from a random filehost. This is somehow deemed acceptable by everyone involved.
Meanwhile I can't use Teams in our meeting rooms, since any form of internet access was deemed a security risk in rooms where customer projects could be discussed. This is in a day and age where 90% of customer meetings are done over the internet.
Anyone trying to follow sane practices in this industry is just asking to end up in a padded cell.
Same as it ever was.
By some, not all. It's been crazy from the start and it is still crazy to pipe a script to bash!
Yes, in our place too. "You better do as much as possible with AI or you will be left behind" dogmas, etc.
It's the stupid IoT hype all over again. No concern for security, just trying to be the first in the pack.
Welp.
Unfortunately, most developers don't like them, so it is a tough sell.
You make it sound like you are surprised, but everyone who has tried this knows it's crap and a band aid at best.
I couldn't find anything about it that was even half as good as a real text editor.
It made writing code feel like a chore. I usually love writing code.
I use VSCode/Codium since I maintain a GUI stack for general usage. But I have all the terminal tools installed for my work there as well. I hate customizing things too, which I find is necessary if you want to get the most out of terminal text editors. VSCode is pretty good out of the box, with terminal access and everything built in.
Jeez, I hope this doesn't turn into a text editor flame war...
Edit: I realize in hindsight this comes across as overly negative. I think those are great solutions to have available for when you are working with a suboptimal local setup for whatever reason. I just don't think they're the default choice let alone any sort of ideal to strive for.
You could argue this is probably on GitHub for creating a token here that gives blanket access to all repos vs a scoped token for just the repo.
Why not set up proper containers (or VMs) locally? And why not wait a little till local LLMs catch up?
Maybe just a personal itch, but having your dev environment elsewhere feels so gross to me.
On the other hand, an ephemeral cloud environment with proper security controls makes a lot of sense if the goal is to isolate and control.
If everyone was following the protocol we wouldn't have had the problem to begin with.
I am against proprietary SaaS online in-browser dependencies.
I personally think the, perhaps confusingly named, capability based security models are the way of The Future.
Gonna be a hard nut to crack to implement this across the supply chain.
Transitive dependencies are a bitch.
Idiots must suffer.
I am not saying vibe coding is the issue. The issue is that a typical developer might be working on a lot more projects that run concurrently than they used to. And because of the varied nature of the projects, the risk is significantly increased.
Scale this across the workforce and you haven't just doubled the problem.
In the end it can just be a culture thing. A dev who was going to write docs and tests before is going to have an LLM generate docs and tests today. Same with safe practices and defensive coding. The machine does whatever you want from it; for most that's "just get the job done, I don't care". So that's the output.
13 million SWE roles with 0.01% is 130,000 compromised devices.
Process problem