To protect my computer from malicious software, I would need to install only the apps that I trust. I should trust that the code does what it is supposed to do, and that the devs not only write good code, but also review the AI-generated code, use hardware keys (YubiKeys) and 2FA, secure their own computers, use sandboxes, scan and pin dependencies, take care of publishing and of access to third-party services, and basically keep security at the top level.
The more software I install, the bigger the chance that I run something unsafe. One mistake, and everything that the app can access is at risk of a leak.
And it’s not only about the app itself. Most of the risk hides in the dependency tree. One small package deep inside, compromised or taken over, and the whole app is compromised with it. You don’t pick those packages, the devs do.
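As an added example (not part of the original post), here is a small Python audit of an npm lockfile that shows how much of the tree is transitive, i.e. chosen by someone else's package.json, and flags entries where nothing pins the package contents: no integrity hash, a source outside the registry, or an open version range declared by a parent. The package-lock.json embedded below is constructed for the example; its package names, URLs and hashes are made up, and nested copies of a package are collapsed to one record per name for simplicity.

```python
import json
from collections import deque

REGISTRY = "https://registry.npmjs.org/"

# Constructed sample package-lock.json (lockfileVersion 3 layout): an app
# with two direct dependencies that pull in two more packages. Every name,
# URL and hash here is made up for the example.
SAMPLE_LOCK = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0", "cli-colors": "~2.1.0"}},
        "node_modules/web-framework": {
            "version": "4.2.1",
            "resolved": REGISTRY + "web-framework/-/web-framework-4.2.1.tgz",
            "integrity": "sha512-AAAA",
            "dependencies": {"http-parser": "^1.0.0", "tiny-util": "*"},
        },
        "node_modules/http-parser": {
            "version": "1.3.0",
            "resolved": REGISTRY + "http-parser/-/http-parser-1.3.0.tgz",
            "integrity": "sha512-BBBB",
            "dependencies": {"tiny-util": ">=0.5.0"},
        },
        "node_modules/tiny-util": {
            "version": "0.9.2",
            "resolved": REGISTRY + "tiny-util/-/tiny-util-0.9.2.tgz",
            # no "integrity": nothing pins what is inside this tarball
        },
        "node_modules/cli-colors": {
            "version": "2.1.4",
            "resolved": "git+ssh://git@github.com/example/cli-colors.git#abcdef",
            "integrity": "sha512-CCCC",
        },
    },
})


def load_packages(lock_text):
    """Return (name -> lockfile record, direct dependency names) for a
    lockfileVersion 2/3 file. Simplification: a nested copy such as
    node_modules/a/node_modules/b is keyed by its last segment ("b")."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", {})
    packages = {}
    for path, record in entries.items():
        if path == "":
            continue  # the root project itself
        packages[path.rsplit("node_modules/", 1)[1]] = record
    root_deps = entries.get("", {}).get("dependencies", {})
    return packages, root_deps


def dependency_depths(packages, root_deps):
    """BFS from the direct dependencies. depth 1 = the dev picked it,
    depth >= 2 = some other package's manifest picked it."""
    depths = {}
    queue = deque((name, 1) for name in root_deps)
    while queue:
        name, depth = queue.popleft()
        if name in depths:
            continue
        depths[name] = depth
        for child in packages.get(name, {}).get("dependencies", {}):
            queue.append((child, depth + 1))
    return depths


def audit_lock(lock_text):
    """Classify packages as direct or transitive and collect pinning findings
    as (package, depth, issue) tuples."""
    packages, root_deps = load_packages(lock_text)
    depths = dependency_depths(packages, root_deps)
    findings = []
    for name, depth in sorted(depths.items()):
        record = packages.get(name)
        if record is None:
            findings.append((name, depth, "not in lockfile: resolved at install time"))
            continue
        if not record.get("integrity"):
            findings.append((name, depth, "no integrity hash: tarball contents are not pinned"))
        resolved = record.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append((name, depth, f"resolved outside the registry: {resolved}"))
        for child, spec in record.get("dependencies", {}).items():
            if spec in ("*", "latest") or spec.startswith(">="):
                findings.append((child, depths.get(child, depth + 1),
                                 f"declared by {name} with open range {spec!r}"))
    return {
        "direct": sorted(n for n, d in depths.items() if d == 1),
        "transitive": sorted(n for n, d in depths.items() if d >= 2),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK)
    print("direct:", report["direct"])
    print("transitive:", report["transitive"])
    for pkg, depth, issue in report["findings"]:
        print(f"  depth {depth} {pkg}: {issue}")
```

Half of this tiny tree is transitive, and the one package with no integrity hash is also the one that two parents accept with an open range: exactly the kind of package nobody on the app's side ever chose. On a real lockfile the same walk is what a "scan and pin" step would run before every release.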
The new attack surface is AI tooling: MCP servers, agents, browser and editor extensions. They often get more access than a regular app (a shell, the filesystem, a logged-in browser session), and we install them without thinking, because they are useful and the hype is big.
It’s nothing new, but now more than ever it’s time to think about what we install.
- Is it sandboxed?
- What access does it have?
- Do we trust the source?
- Do I really need this app?
- Is there a more secure alternative?
There are a lot of interesting apps and libraries released every day, but how can I trust all of them? The App Store (in Apple's case) is a safer default because apps there are sandboxed and reviewed by Apple, but it's not a guarantee. Compiling from source only helps if someone actually reads the code, and almost nobody does.
So I install less. I sandbox what I can. I keep as little sensitive data on the computer as possible, encrypt what stays, and restrict what the apps can reach.
It’s never easy.