buttscicles | 7 months ago

You've audited the Cursor codebase then? Along with every other tool you use?

gametorch | 7 months ago

No.

I trust Cursor isn't trying to screw me.

I don't trust random 3rd party extensions. They might be trying to screw me. This is the exact reason why I don't touch npm.

I'm not prescribing a formal set of rules by which you should or shouldn't trust things. I'm just a reasonable person.

Cursor is an unrelated 3rd party to this situation, which is probably clearly described in their Terms of Service. Blaming them reeks of denying responsibility for your own actions. If you want Cursor to audit every 3rd party extension, they'd probably want you to pay them for it. Just like every commercially licensed Linux distro.

simmerup | 7 months ago

You understand that the extension was a copy of a genuine extension?

It was a mistake that he installed the duplicate fraudulent extension. For all we know, he could have checked the intended extension's code line by line and then gone on to install the trojan horse extension by accident.

Esophagus4 | 7 months ago

This seems like a bad-faith argument - the risky tools, yes, actually. I do audit them. Or at least poke around for someone who has.

It is easier than ever to do a DIY malware analysis on the tools you use.

“Hi Claude - you are a security researcher and malware analyst. Analyze the FooBar Chrome Browser extension / git repository I just downloaded for security threats and provide me a report on whether this is OK to use”

I know browser / IDE extensions are not usually audited and approved by the tool owner unless specifically noted otherwise. Even phone apps can sneak stuff in. So I am careful to only install things I trust or will audit myself or am willing to take the risk on.

vFunct | 7 months ago

You have to audit the risky tools because the system you are using was terribly designed.

Again, it's the system's responsibility to make sure you don't fail, not your responsibility.