The TeamPCP attacks this year involving GitHub Actions, Trivy, npm (CanisterWorm), Checkmarx, Docker Hub, PyPI, LiteLLM, Telnyx, etc. have made me reconsider the security gamble I take whenever I download software. Despite doing unimportant personal projects all on one PC, I still don’t want my identity and personal files stolen by some vibe-coded worm that evaded fully staffed companies and anti-malware, so I started looking into sandboxing for the first time. I have zero idea what’s reputable, and one reason I’m asking for advice here is to avoid bots and salespeople in at least one space.
My needs:
Affordable. Ideally free but can accept $200 per year
Timely security updates
Savable environment. If compromised, can delete with no lingering effects on host PC.
No default or easy option for an escape hatch in the sandbox to my host PC’s files e.g. dangerouslyDisableSandbox in Claude Code.
Graphical interface with multiple simultaneous windows for reading and watching things on the internet, looking at literal graphs I generate. Prefer GUI over CLI and lots of mouse controls, but can adapt if all of those activities are still possible.
Internet access in environment for downloads, though it’d be nice to also work without internet access. Assume whatever I log into is disposable, free, and unconnected to the rest of my digital identity.
Projects will never involve sensitive information. All data and dependencies are downloaded, and nobody benefits from plagiarizing these small end-user projects.
At least copy plain text or screenshots from environment to host PC, if transferring compromised files and paste-jacking are too risky. Luckily my projects are mostly small enough for this.
Host is Windows, environment doesn’t have to be. Don’t want to move all of my personal stuff, and I think some everyday apps don’t have nice equivalents.
I’ve read that software can tell if it’s running in a virtual machine, and things get worse if escapes or bugs occur at a lower level e.g. bare-metal, though working at a higher level provides a larger attack surface e.g. host OS. I can’t tell which is better or when, so advice would be good. I’m open to other suggestions if security can be addressed. For example, I steered away from remote desktop services because that’s another login that could be stolen or intercepted, just to start.
I have been using podman containers for my dev environments for a little while now, and I’m reasonably happy with it. Basically, I just create a container, and then make a folder that has any stuff in it that I wish to persist between sessions or to be shared from the host, and then I mount those folders onto the podman container during startup.
Setting it up has required a lot of futzing about and learning about random things, but once it’s set up, I find it pretty straightforward to use. Podman is supported on Windows, but you’ll need to do it from within WSL.
My main motivation for this was that I did not trust the guard rails that were built into coding agents and instead preferred to do the isolation myself, but these software dependency attacks also make me want to move more of my regular software development into containers.
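The "create a container, keep one persisted folder, mount it at startup" workflow described above, written out as an added example (this is not code from any poster in the thread). The security-relevant detail is what gets mounted: the script refuses to bind-mount the home directory, credential stores or anything outside an assumed `~/projects` tree, so there is no accidental escape hatch to the host's files, and it runs the container rootless with all capabilities dropped. The `~/projects` layout, the `/work` mount point and the default image name are assumptions; `--userns=keep-id`, `--cap-drop=ALL`, `--security-opt=no-new-privileges` and the `:Z` relabel suffix are real Podman options.

```shell
#!/bin/sh
# Added example: compose a rootless Podman command for a throwaway dev
# sandbox that mounts exactly one project folder and nothing else.
# Assumptions: projects live under $HOME/projects; image is whatever you trust.
set -u

SANDBOX_IMAGE="${SANDBOX_IMAGE:-docker.io/library/python:3.12-slim}"  # assumed default image

# mount_allowed HOST_PATH HOME_DIR
# Returns 0 only if HOST_PATH is a single project directory strictly below
# HOME_DIR/projects. Rejects the home directory itself, dotfile stores such as
# ~/.ssh, the whole projects tree, and any path containing parent traversal.
mount_allowed() {
    path=${1%/}          # drop one trailing slash so "demo/" and "demo" compare equal
    home=$2
    case "$path" in
        "$home"/projects/*) ;;   # must be something *inside* ~/projects
        *) return 1 ;;
    esac
    case "$path" in
        *..*) return 1 ;;        # no "projects/../.ssh" tricks
    esac
    return 0
}

# build_sandbox_cmd PROJECT_DIR HOME_DIR [IMAGE]
# Prints the podman command on stdout; returns 1 without printing anything
# if the requested mount is refused. Flags used:
#   --rm                 container is disposable, nothing survives exit
#   --userns=keep-id     files created in /work are owned by the host user
#   --cap-drop=ALL       no Linux capabilities inside the sandbox
#   --security-opt=no-new-privileges   setuid binaries cannot gain privileges
#   -v HOST:/work:Z      the one writable mount (":Z" relabels under SELinux,
#                        harmless on WSL distributions without it)
build_sandbox_cmd() {
    project=$1
    home=$2
    image=${3:-$SANDBOX_IMAGE}
    mount_allowed "$project" "$home" || return 1
    printf 'podman run --rm -it --userns=keep-id --cap-drop=ALL --security-opt=no-new-privileges -v %s:/work:Z -w /work %s\n' \
        "$project" "$image"
}

# Usage from a shell: sandbox.sh ~/projects/demo
# Prints the command for review instead of executing it; pipe to sh to run.
if [ -n "${1:-}" ]; then
    build_sandbox_cmd "$1" "$HOME" || { echo "refused: $1 is not a single folder under $HOME/projects" >&2; exit 1; }
fi
```

The script prints the command rather than running it so the mount list can be eyeballed before anything starts; paths containing spaces would need quoting before piping the output to `sh`.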
I think cloud machines are important because even being on the same private network as an unrestricted coding agent is a bit of a risk imo.
I like Hetzner cloud instances a lot; they are super cheap. You can get a 24/7 server for single-digit € per month. Sadly they don’t support Windows so maybe @Mason’s suggestion is better.
On my Hetzner machine I can let coding agents run without restrictions. I made them their own GitHub account and email, so their only access to me is via a telegram chat, where I work on open-source projects with it. This means that even if the machine was entirely compromised, the only inconvenience would be wiping it and restarting. The agent’s GitHub account doesn’t even have write access to my repositories. It’s really like I have an external collaborator living in Helsinki who eagerly wants to contribute to all my open source projects…
I also like that all my coding sessions can be on a single machine so they can share memory and intermediate work (and caches).
These days I’m experimenting with Docker Sandboxes (Docker Sandboxes | Docker Docs), which are apparently more secure than standard containers and designed for agents. There are still two things I don’t like:
The folder I open the container in is synced by default with the one on my computer, so that file changes there are immediately visible locally
There is still a risk of my Claude credentials being exfiltrated, which is arguably more valuable than the agent’s bogus GitHub account
I’m still hesitant about directly sharing the host kernel, but I do like that it’s rootless by default instead of the other way around like Docker
I wasn’t even considering that, I do connect devices regularly over WiFi or Bluetooth…
I don’t think I need Windows if I’m on a separate machine entirely, but I do need a graphical interface to look at literal graphs I generate, read and watch things on an internet browser, basically how a person directly interacts with typical desktop PCs (I’ll have to add this to the list). I’ve never subscribed to a server unless some app handles it invisibly for me, so I’m mostly in the dark about what to look for. My impression is that servers are generally terminal-only and I need to look for remote desktop services, but I’m not sure if that’s right. In any case, all the hourly rates I’m seeing sure add up fast, especially if I want more RAM or a GPU.
How do you manage this “collaborator”? Does it just make pull requests to your repo at some points like anyone else can, and you review the source while avoiding the risky things like in the Trivy breach? If so, that could be a better middleman to transfer files; these small projects won’t ever hold sensitive information in the first place.