neuroo | 7 months ago | on: Nx compromised: malware uses Claude code CLI to explore the filesystem
neuroo's comments
neuroo | 10 years ago | on: Ask HN: Best resources on webapp security?
neuroo | 12 years ago | on: A New Development for Coverity and Heartbleed
neuroo | 12 years ago | on: A New Development for Coverity and Heartbleed
The modification made by the team is referenced in John's blog post: "Their insight is that we might want to consider byte-swap operations to be sources of tainted data".
As Andy said (and quoted), that's a modification that we need to evaluate overall to look at its impact in terms of false positives (FP). It will probably be made available however under some options if it doesn't pass our acceptance tests for FP rate though... a bit too early to say.
Good callout. Evidence so far points to `nx --version` itself being safe because this was in a post-install script but we changed the rec in our post.
We took the versions in the Github security advisory and compiled it into a Semgrep rule which is MIT-licensed: https://semgrep.dev/c/r/oqUk5lJ/semgrep.ssc-mal-resp-2025-08.... Semgrep rules can be overkill for these use cases but it can be convenient to have a single command to check for all affected versions across multiple packages, especially for our users who already have Semgrep installed. That's basically what I did on all our internal repos.
We updated the blog post to note the Semgrep rule is MIT licensed. And you can run it locally with Semgrep (which is LGPL: https://github.com/returntocorp/semgrep) if you curl it and run `semgrep --config=rule.yaml`.