Transcript
00:00:00 So it is Wednesday morning and I deliberately did not create an episode about the huge supply chain attack, a new huge supply chain attack that happened yesterday with more than 600 npm packages being affected, another Shai-Hulud attack, because I don't wanna talk about that every week.
00:00:23 But then a couple of hours ago I woke up to reading that GitHub is investigating the breach of around 4000 internal repositories due to the compromise of an employee device through a poisoned VS Code extension.
00:00:43 And I'm really just tired. No week goes by without serious security incidents like this. Last week we had the TanStack-related supply chain attack wave, this week we had another one and now we have that GitHub attack and thus far from what GitHub released it only
00:01:07 in quotes affected their repository, the exfiltration of around 4000 internal repositories, not customer repositories, also not private customer repositories, just internal GitHub repositories, but still barely a week goes by without a new incident like this.
00:01:27 And I mean then we also have all these security vulnerabilities that are being found like again involving GitHub, the one that was found a couple of weeks ago that allowed for remote code execution.
00:01:38 It was found and patched before it could be abused but cyber security is obviously becoming a huge issue and I know I talked about this before and I talked about the role of AI and all that which of course is huge because AI helps with finding security vulnerabilities,
00:02:00 it helps with writing malicious code, it helps with running supply chain attacks and it makes those attacks so much more interesting for the attackers because there are so many new people pushing code, there's more code being written than ever, there are agents writing code and installing packages, it's the wild west out there right now.
00:02:24 It is really an annoying timeline, I will say that. I am totally on board with that you have to adjust to AI being there, that you have to learn how to work with these tools.
00:02:40 And that is what I'm doing for many months and that is why I created courses on Claude Code or Codex but also recently my colleague Manuel created one on Claude Code work because we want to share what we learned about these tools, how we're using them, how you can maybe use them to be more effective and how to make that transition from traditional code writing to an AI enhanced developer.
00:03:03 But at the same time let's be very honest, I would love to have a simpler timeline with less security incidents, with less CEOs telling me all the time that all white collar work will be over in a month or so but here we are.
00:03:21 Here we are with another security incident today and it's only Wednesday morning as I mentioned so we'll see what else comes around for the rest of this week.
00:03:30 And the only thing we can do right now besides leave the industry of course which is certainly what some developers did or are considering, the only thing which you can do if you decide to stay in that industry is of course to adapt and learn these AI tools sure but when it comes to security to really take this seriously.
00:03:50 And I know I also mentioned this before in past episodes but that is for example why I created an entire free video on my other YouTube channel which I'll link below again where I walk you through some basic steps you can take to have a more secure development environment.
00:04:08 And that includes stuff like using a package manager like pnpm or also bun as a package manager that is more secure by default. For example the latest version of pnpm has a minimum release age of one day which means if you install packages through it, it won't pull in packages that are younger than one day.
00:04:29 Therefore reducing the danger of being affected by supply chain attacks since most of them but not necessarily all of them of course you got no guarantee but most of them are caught pretty quickly so that's a good thing and obviously you can tweak all these settings.
00:04:44 And then managers like this but also bun for example block the execution of scripts that may be attached to packages you're installing.
00:04:55 And then of course there are other steps like running in a dev container or on a virtual machine doing your development there and not storing secrets in plain text on your machine.
00:05:05 But of course one also has to wonder for GitHub how the compromise of one employee's device as it sounds can lead to mass data exfiltration like this so obviously big companies or any companies with more than just a few employees will have to rethink how big or reconsider how big their blast radiuses are and how much damage a single employee can do.
00:05:31 And that all happens at a time where theoretically you would want to give AI agents mass access to all kinds of data to make them efficient to have agents crawl over vast amounts of data and interact with all kinds of systems so you got these clashing realities right now.
00:05:53 And the truth is you're just in high danger if you are not restrictive about permissions, access rights, data security and all that fun stuff nobody cared about for many many years but now it's getting serious, AI is making these attacks easier and more worthwhile.
00:06:12 Fun times, fun times to be a developer but hey it can probably only get better we'll see.