by hmokiguess
82 days ago
> I truly have no idea what the system or code looks like

Does it not concern you if it installed a compromised package, vulnerable exploit, or it has something exposed and leaking everything to an attacker? I understand that your personal account is removed from it, but still, it has a direct link to you, and an attacker could be just building up towards it stealthily to hit when the time is right, maybe it gains SSH into your VM or whatever.

It could have installed, say, that vulnerable version of litellm, and the entire VM is compromised. But it’s on an isolated VLAN anyway, so the worst it can really do is use bandwidth and maybe hurt my IP reputation? I could move it to a cloud VM but the risks seem minimal at the moment. I’m definitely not advocating for no defense in depth, but npm install in an isolated VM feels safer than npm install on my work laptop these days :-)