by barnas2 77 days ago
As someone who works in security, it's really neat that you were able to discover this with the help of Claude. That being said the "I just opened Cursor again which triggered the malicious package" message is a bit eye opening. Ideally the instant you suspected malware that machine should have been quarantined and your security personnel contacted.

I get why you say this, but real life is messy and the "fog of war" makes situations far less obvious in the moment. The older I get the more I realize how much we need scrappy, can-do people who don't always follow the "rules". Knowing the "rules" and knowing that people follow the "rules" because "that's what you're supposed to do" is itself an avenue for malicious actors to exploit.
Clear procedures are the entire point of incident response plans. You follow them because your judgement can be compromised in the moment. They re-triggered the malware payload because they decided to just dive in and handle it on their own in the "fog of war". That would have been avoided entirely if they'd been following the standard advice to quarantine the machine and contact security so that they can investigate properly, with the developer if necessary.

Your final sentence is completely irrelevant. Blind rule adherence can be an avenue for exploit in certain scenarios, but this wasn't a case of a developer being tricked into following a bad rule. They didn't follow a real and very well justified standard practice.

The takeaway is "wow, we got lucky, we should have security people to loop in for this next time" not your weird life philosophy about how rule followers are a problem.