Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Personally, I'd expect Claude Code not to have such far-reaching access across my filesystem if it only asks me for permission to work and run things within a given project.


Apparently they were using --dangerously-skip-permissions, --yolo, --trust-all-tools etc. The Wiz post has some more details - https://www.wiz.io/blog/s1ngularity-supply-chain-attack


That's a good catch. I knew these flags existed, but I figured they'd require at least a human in the loop to verify, similar to how Claude Code currently asks for permission to run code in the current directory.


This confusion is even more call for a response from these companies.

I don't understand why HN is trying to laugh at this security and simultaneously flag the call for action. This is counterproductive.


Probably because "HN" is not an entity with a single mind, but rather a group of millions each with their own backgrounds, experiences, desires, and biases?

Frankly it's amazing there's ever a consensus.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: