Ask HN: Who else got pwned by the Next.js RCE?

8•whycombinetor•11h ago

I'm a little embarrassed, but not sure what I could have done differently other than reading the Saturday email from GCP with the nondescript subject "New Advisory Notification". Ten hours later, GCP instance suspended due to crypto mining. Now looking at the disk image, it installed something at ~/nxt/ , installed a monero miner at ~/c3pool/ , and added several systemctl services to run these on startup. BRB, killing this machine with fire... This makes me think I should be running everything in Docker, even simple small stuff that "shouldn't" have any potential security issues.

Fortunately this machine wasn't anything important for me and there was no sensitive data to exfil beyond AI API keys. But I imagine there's other orgs that just got catastrophically, irrecoverably pwned.

What's your story?

(RCE context: https://news.ycombinator.com/item?id=46136026 )

Comments

samdoesnothing•9h ago

I'm sure a lot of people and companies got pwned and they aren't going to disclose it. There are chrome extensions that passively polls sites for the vulnerability, and since the vulnerability is so simple to exploit and leaves virtually no trace...

My gut feeling is that we are going to be feeling the consequences of simultaneous enshittification of software, the mounting complexity of our systems, and AI enslopification combine to create far more vulnerabilities in the future. The only defence is to adopt simple systems and software.

yellow_lead•3h ago

I don't use Next.js but I'm curious as well. My impression was that most people run it under Vercel who patches quickly, but maybe that's not the case.

Kinesis Advantage2

Show HN: Peargent – A Simple Python Framework for Building AI Agents

Indian boy, aged 3, becomes youngest rated chess player in history

Finnix

Fifty Years of Retracted Medical Publications from 1975 to 2024

Apple Taps Meta Lawyer as General Counsel in Latest Shake-Up

Estimate Trend at a Point in a Noisy Time Series

Publishing Malicious VS Code Extensions: Bypassing VS Code Marketplace Analysis

IBM to Acquire Confluent for $11B

Dewy: Continuous deployments for VPS and bare metal, no K8s required

EVs 80% Worse Consumer Reports Lied – ICE Cars Are Failing at Record Levels

2FAS Pass: Local-First Password Manager

Kazakhstan, France collaborate to boost aviation training capacity

Earth needs energy. Atlanta's Super Soaker creator may have a solution

FiwixOS 3.5 Released

GeneralGiist – A Global Forum Built for Real, Unfiltered Conversations

How to Use Git Worktree for Claude Code Development

Funerary figurines found in royal tomb identifies Pharoah

The Forge Tier List

Cybersecurity Must Block AI Browsers for Now

CDC advisory panel delays vote on hepatitis B vaccines

Block all AI browsers for the foreseeable future: Gartner

Show HN: I added coins to Dino Game

Ideavo – Tinder-style validation for startup ideas

Reborrowing

Mystery Science Theater 3000: The Definitive Oral History of a TV Masterpiece

Top IAM Platforms

Deposition of cathode metals from the largest lithium-ion battery fire

Ask HN: Has anyone else been hit by React2Shell?

Bots, bias, and bunk: How can you tell what's real on the net?