Ask HN: Who else got pwned by the Next.js RCE?
I'm a little embarrassed, but not sure what I could have done differently other than reading the Saturday email from GCP with the nondescript subject "New Advisory Notification". Ten hours later, GCP instance suspended due to crypto mining. Now looking at the disk image, it installed something at ~/nxt/ , installed a monero miner at ~/c3pool/ , and added several systemctl services to run these on startup. BRB, killing this machine with fire... This makes me think I should be running everything in Docker, even simple small stuff that "shouldn't" have any potential security issues.
Fortunately this machine wasn't anything important for me and there was no sensitive data to exfil beyond AI API keys. But I imagine there's other orgs that just got catastrophically, irrecoverably pwned.
What's your story?
(RCE context: https://news.ycombinator.com/item?id=46136026 )
5 comments
[ 4.5 ms ] story [ 26.4 ms ] threadMy gut feeling is that we are going to be feeling the consequences of simultaneous enshittification of software, the mounting complexity of our systems, and AI enslopification combine to create far more vulnerabilities in the future. The only defence is to adopt simple systems and software.
All platforms can be exploited I guess, but I still wonder at the complexity of the platforms we now rely on and whether it’s justified.
Specific to security, keeping React 100% client-side keeps things simple: Don't trust the front-end.
React did not have this kind of security vulnerability in 10 years. The Vercel/NextJS/RSC rugpull is responsible for that and the people that made those changes should be named. The lack of shared governance is abysmal.