alt Hacker NewsBeing reminded of this anecdote from NYMag's recent cover story (which had previously been reported in a WSJ story[0]) about a Disney engineer who downloaded an AI-gen tool from Github and "checked the code himself, it had looked legitimate":
> He had no idea why the hackers had targeted him or what their plan was, whether they would drain his family’s finances or stalk his home. Eventually, after running another anti-virus program, he found a piece of malware hidden in a plug-in he had downloaded from GitHub, the open-source coding site, one day in February when he was messing around with an AI image generator. He had checked the code himself, it had looked legitimate, and others had reviewed it positively. But it seems it contained a Trojan-horse virus that gave the hackers free rein of his PC. Once inside, they just had to wait for Van Andel to log in to 1Password. From there, they were able to steal all his credentials, plus many of his multifactor-authentication codes, so every time Van Andel logged in to an app, a website, or an account, they could follow behind him. They’d had access for months.
[0] https://www.wsj.com/tech/cybersecurity/disney-employee-ai-to...
Replies
If I go through the effort to view the code for something, I then compile it myself.
A password manager is a single point of failure and should be avoided. I've heard other sad stories about someone who's pw manager was compromised and they lost everything.
Strong support for the strategy of not putting your TOTP/MFA in your password manager, which has been argued on HN in the past.