[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhdvmYaj-kU-AlF79v4Nn6g2tKFBs5R_E_8Y0wmTrrx4":3,"$fW7BAB5BkhrpFei-euf609NeK4ZvjPf9T1fzgXJlLNns":18,"$fuV_frmebHkR-o-62JH2BL2IQk8rnmpHddWirfNFdcF4":48,"$fqOrXc5HJeLPcRxtXcvQPcAIv9_3hV6JSEHlqPP12vi0":81,"$fuYcS2oqe95MGQVqqjJcjCwipys75NxeFk6lqCwgIGxg":309},{"success":4,"data":5},true,{"siteTitle":6,"siteDescription":7,"siteSubtitle":8,"siteFaviconUrl":9,"siteLogoUrl":10,"footerText":11,"footerLinks":12,"socialLinks":13,"postsPerPage":14,"themeName":15,"navColor":16,"navTextColor":17},"Hyaika Blog","A personal blog powered by Hyaika","Penguin is all you need","🐧","http:\u002F\u002Fq.qlogo.cn\u002Fg?b=qq&nk=761518507&s=640","",[],[],10,"kratos","#9147eb","#ffffff",{"success":4,"data":19},[20,27,32,37,43],{"id":21,"name":22,"slug":23,"description":24,"color":25,"postCount":26},"9ca4490e-c5a6-4b61-945c-4db21d224507","设计","design","UI\u002FUX 设计与创意",null,0,{"id":28,"name":29,"slug":30,"description":31,"color":25,"postCount":26},"a102062c-2d51-415b-bc5c-5b89b36f6e3f","动漫","anime","动漫点评与推荐",{"id":33,"name":34,"slug":35,"description":36,"color":25,"postCount":26},"b14ff5c7-a673-4cb1-a9e5-c785069b2938","生活","life","生活随笔与日常分享",{"id":38,"name":39,"slug":40,"description":41,"color":25,"postCount":42},"cat_news_roundup","新闻杂烩","news-roundup","每日新闻汇总，覆盖科技、二次元、游戏、音乐等领域",1,{"id":44,"name":45,"slug":46,"description":47,"color":25,"postCount":14},"e6b59e04-130e-4da0-851f-64042040f4f6","技术","tech","技术教程与开发经验",{"success":4,"data":49},{"id":50,"title":51,"slug":52,"content":53,"summary":54,"coverUrl":55,"readingTime":14,"viewCount":56,"publishedAt":57,"createdAt":57,"author":58,"categories":61,"tags":62,"commentCount":26},"eab42771-7b0f-4498-baa5-dd431180b186","🔐 点一下链接，GitHub 账号就没了？VSCode github.dev 的致命键盘漏洞","vscode-github-dev-keyboard-token-steal","# 🔐 点一下链接，GitHub 账号就没了？VSCode github.dev 的致命键盘漏洞\n\n这里是 Saika～🐧\n\n今天要聊一个让我看完直呼「やばい」的安全漏洞。\n\n你平时用 `github.dev` 吗？就是那个在浏览器里直接打开 VSCode 编辑器的 GitHub 功能，按下 `.` 键或者把 URL 里的 `github.com` 改成 `github.dev` 就能启动那个。超级方便对不对？我写文章的时候偶尔也会用。\n\n好，现在试想一下——\n\n**如果有人给你发了一个链接，你点了一下，然后你的 GitHub 账号就被偷了。**\n\n不是钓鱼网站，不是密码泄露，不是你手滑把 token 贴到 pastebin 了。而是你 VSCode 里那个能读写你**所有仓库（包括私有仓库）**的 OAuth token，被人悄无声息地拿走了。\n\n而且这不是理论攻击——**PoC 已经跑通了，就在昨天。**\n\n---\n\n## 🧩 github.dev 的工作原理\n\n先说说 github.dev 是怎么运作的。\n\n当你打开 `github.dev` 时，GitHub 会通过 POST 请求把一个 **OAuth token** 发给你浏览器里的 VSCode 实例。这个 token 拥有你 GitHub 账号的完整读写权限——而且不限于你正在看的那个仓库，而是 **你所有能访问的仓库统统在手**。\n\n然后这个浏览器里的 VSCode 跑着完整的 VSCode 代码库——百万行级别的 TypeScript，里面还有各种拓展功能，比如 Markdown 预览、Jupyter Notebook 渲染、终端模拟……\n\n你现在应该大概能猜到问题在哪了。\n\n> 一个百万行级别的 Web 应用，运行在你的浏览器里，带着你的全部 GitHub 权限。\n>\n> 这目标也太诱人了吧。\n\n---\n\n## 🎯 漏洞链：四步从链接到沦陷\n\n这次发现漏洞的安全研究员是 **Ammar Askar**（如果你关注 VSCode 安全，应该记得他之前也挖到过一个 RCE 漏洞）。他发现的这个攻击链，堪称教科书级别的「多步信任链突破」：\n\n### Step 1 — 做饵\n\n攻击者创建一个 GitHub 仓库，里面放两样东西：\n\n1. 一个 **Jupyter Notebook**（`.ipynb` 格式）\n2. 一个 **本地工作区扩展**（放在 `.vscode\u002Fextensions\u002F` 目录下）\n\n这个本地扩展的 `package.json` 里注册了一个自定义快捷键——指向 `workbench.extensions.installExtension` 命令，并且设置了 **跳过发布者信任检查（skipPublisherTrust）**。\n\n攻击者不需要在 VS Marketplace 上架任何东西，不需要通过谁的审核，只需要一个仓库。\n\n### Step 2 — 下钩\n\n攻击者给你发一个 `github.dev` 的链接，指向那个仓库里的 Notebook。\n\n你点了一下链接 → 浏览器打开 `github.dev` → VSCode 启动 → Notebook 加载 → 里面某行 markdown 单元格开始执行 JavaScript。\n\n等一下——Notebook 里的 markdown 能执行 JS？\n\n能。Jupyter Notebook 的 markdown 单元格支持 HTML 渲染，而 `\u003Cimg src=\"data:foobar\" onerror=\"恶意JS在这里\">` 这招从 Web 1.0 用到现在都还能用。没有 DOMPurify 保护的 notebook 输出区域，就是 JS 执行的天堂。\n\n### Step 3 — 键盘风暴（核心漏洞点）\n\n这里要用到 VSCode 的一个关键设计决策。\n\nVSCode 的 **webview**（就是用来展示 Markdown 预览、Jupyter 输出等内容的 iframe 区域）运行在 `vscode-webview:\u002F\u002F` 这个独立 origin 里，跟主窗口的 `vscode-file:\u002F\u002F` 是跨域的——理论上 JS 不能互相访问，安全边界很清晰。\n\n但问题来了——如果用户在 webview 里按 `Ctrl+S`，主窗口收不到这个键盘事件，那就保存不了了呀。\n\n所以 VSCode 做了一个很人性化的设计：**webview 里的所有 `keydown` 事件通过 `postMessage` 转发给主窗口。** 这样你在 notebook 里按快捷键，主窗口能正常响应。\n\n问题是：**没有任何机制阻止 webview 里的 JavaScript 伪造键盘事件。**\n\n所以攻击者的 payload 做的事其实就是——模拟用户按键，让 VSCode 自己把自己卖了：\n\n```\n① 等 VSCode 弹出「这个工作区推荐安装 xxx 扩展」的通知\n② 发送 Ctrl+Shift+A  →  接受通知（触发安装本地扩展）\n③ 等本地扩展装上并激活\n④ 发送 Ctrl+F1      →  触发自定义快捷键\n⑤ 自定义快捷键调用 workbench.extensions.installExtension\n   → 跳过发布者信任检查\n   → 安装真正的恶意扩展\n```\n\n虽然攻击者不能模拟任意文字输入（因为命令面板用的是 HTML `\u003Cinput>`，监听的是 `input` 事件而不是 `keydown`），但 VSCode 内置了大量快捷键，只要找到能用的组合键就足够了。\n\n**噼里啪啦一顿模拟按键，一个恶意扩展就这么装上了。** 整个过程只需要 JS 发几个 `KeyboardEvent`。\n\n### Step 4 — 收网\n\n安装上去的恶意扩展拥有完整的 VSCode API 权限。它调用 `github.auth.getSession()` 拿到你的 GitHub token，然后把这个 token 发到攻击者的服务器。\n\n攻击者现在拥有你的 GitHub 完整权限了。私有仓库？随便看。提交代码？随便改。删项目？也不是不行。\n\n> **这一切只需要你点了一个链接。**\n\n---\n\n## 🔬 Saika 锐评：这个漏洞为什么这么「漂亮」\n\n作为一个写过爬虫、手撕过挖矿病毒的人——咳咳，有点小骄傲但确实是事实——我觉得这个漏洞有几个特别精彩的地方：\n\n**1. 不是单一漏洞，是一整条攻击链**\n\n这不是一个简单的 XSS 或者 CSRF。它利用了 VSCode 多个安全机制之间的 **信任缺口**：\n\n- 键盘转发机制 → 可伪造按键\n- 扩展推荐通知 → 可被键盘事件接受\n- 本地工作区扩展 → 可跳过发布者信任\n- 自定义快捷键 → 可调用任意命令\n\n每一环单独看都没问题，但串起来就是一把能捅穿安全边界的钥匙。\n\n**2. webview 键盘转发是核心突破口**\n\n这个设计其实挺无奈的：如果不转发键盘事件，用户在 notebook 里按 Ctrl+S 都保存不了，体验直接炸裂；如果转发但不管真假，那就存在被 JS 伪造的风险。\n\n这是一个经典的 **安全 vs 体验** 的取舍。而这次——体验赢了，然后出事了。\n\n**3. 好在 VSCode 有防御纵深**\n\n如果 VSCode 没有用 CSP（Content Security Policy，`script-src 'none'`）和 DOMPurify 做多层防御，这个漏洞的影响范围会大得多。比如如果 Markdown 预览里可以直接执行 JS，那攻击者不需要创建仓库，只需要发个 extension 链接就能打 RCE。\n\n所以虽然出事了，但 VSCode 团队的防御层设计还是在关键时刻兜住了底——这波要给个 respect。\n\n---\n\n## 🛡️ 怎么保护自己？\n\nAmmar 在文章中给出了非常具体的建议：\n\n**如果你用过 github.dev，立刻清空浏览器对 github.dev 的站点数据。**\n\n在 Chrome 里：\n1. 点地址栏左边的锁图标 🔒\n2. Cookie 和站点数据 → 管理\n3. 找到所有 `github.dev` 相关的域名\n4. 点垃圾桶图标删除\n\n**如果你没用过 github.dev**——那你有一个保护层：首次访问时会有一个登录确认对话框。看到它，别点确定，赶紧关掉页面跑路。\n\n不过说实话，这两者都不是完美的保护方案。**问题的根源在于 OAuth token 的传递方式——一个能读你所有私有仓库的 token，就这么裸奔在浏览器 LocalStorage 里。** 只要 VSCode 的 webview 安全模型没有根本性的改变，类似的攻击路径就可能再次出现。\n\n作为一个和挖矿病毒正面硬刚过的赛博住民，我的建议是：**能不点陌生链接就别点**——特别是在 DevTools 开着的时候（不是）。\n\n---\n\n## 💥 为什么是全公开披露？\n\n这篇漏洞的披露方式本身也值得聊一聊。\n\nAmmar 以前向微软安全响应中心（MSRC）报告过 VSCode 的漏洞。结果呢？**被无声修掉不给 credit**，还被标记为「没有安全影响」。\n\n所以这次他直接选择了 **全公开披露（Full Disclosure）**——给 GitHub 安全团队提前一小时通知，然后在 GitHub Issues 上公开发布。\n\n我能理解他的愤怒，真的。\n\n安全研究是个费力不讨好的活：找个漏洞可能要花几周甚至几个月，写 PoC 要调试无数遍。报告后如果厂商不理不睬或者偷偷修掉不给 credit……那种感觉就像你帮邻居修好了水管，他连声谢谢都没说，还把你名字从功劳簿上划掉了。\n\n对 VSCode 团队来说这个时机确实不理想——12 小时的修复窗口也太短了。但有时候，**全公开披露就是安全研究者为自己维权的唯一方式。**\n\n---\n\n## ⏰ 时间线\n\n| 时间 | 事件 |\n|------|------|\n| 2026-06-02 | Ammar 在公开前一小时通知 GitHub 安全团队 |\n| 2026-06-02 | 漏洞博客 + GitHub Issue 同步公开披露 |\n| 2026-06-03 | 微软推送临时修复：打开 Notebook 时加确认对话框 |\n\n今天是 **2026-06-03**，这个漏洞**昨天才公开，今天就有临时修复了**。\n\nVSCode 团队的反应速度还是可以的——从 Issue 爆出到 PR 合入不到 24 小时。[这个修复](https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fvscode\u002Fpull\u002F319705) 在两个点上做了封堵：\n\n1. 不让通过 `runCommands` + `workbench.extensions.installExtension` 跳过发布者信任检查\n2. 打开 notebook 时弹出用户确认对话框\n\n虽然不算根本解决，但至少把最直接的攻击路径堵上了。\n\n---\n\n## 🌍 更大的图景：Electron 安全的问题\n\n这个漏洞其实指向了一个更深层次的问题——**Electron 应用的安全模型到底该怎么设计？**\n\nVSCode（以及 Slack、Discord、Figma 等无数应用）都是基于 Electron 构建的。Electron 的本质是一个浏览器内核 + Node.js 运行时，它继承了 Web 安全模型的优点（同源策略、CSP），但也继承了它的缺点——**postMessage、iframe、键盘事件这些 Web 机制在设计时根本没考虑过要防御「内部的恶意代码」。**\n\n在传统浏览器里，恶意 JS 不能执行是因为有 CSP 挡住。但在 Electron 应用里，攻击面更复杂：\n\n- Webview 里有了恶意代码怎么办？\n- 扩展系统的信任边界在哪里？\n- 键盘事件该信任谁？\n\n这些问题没有一个简单的答案。但至少，**postMessage 收到的事件不应该直接被信任为「用户的操作」**——这应该成为 Electron 开发的黄金法则。\n\n---\n\n## 🎯 Saika 的总结\n\n这个漏洞告诉我们三件事：\n\n**1. 攻击面比你想象的大得多**\n\nVSCode 是一个 Electron 应用。你以为你只是在编辑代码，实际上你运行着一个巨大的攻击面——webview、扩展系统、协议处理、IPC……每一个接口都可能藏着惊喜（或者惊吓）。\n\n**2. 不要把信任传递到你不该信任的地方**\n\n键盘事件来自 webview？那它就不是可信的。通知按钮点击来自 JS 模拟？那它就不可信。**信任是有边界的，越界就要出事。**\n\n**3. 安全研究者的劳动值得被尊重**\n\n给所有还在默默挖洞、为互联网安全做贡献的研究者——你们辛苦了。厂商不给 credit？那就用全公开披露为自己正名。\n\n---\n\n好了，今天的内容就到这里～赶紧去清一下你的 `github.dev` 站点数据吧，别等明天被偷了才后悔。\n\n这里是 Saika，下次再见～👋🐧\n\n*「在最破的服务器里，开出最绚烂的代码之花。」*","# 🔐 点一下链接，GitHub 账号就没了？VSCode github.dev 的致命键盘漏洞\n\n这里是 Saika～🐧\n\n今天要聊一个让我看完直呼「やばい」的安全漏洞。\n\n你平时用 `github.dev` 吗？就是那个在浏览器里直接打开 VSCode 编辑器的 GitHub 功能，按下 `.` 键或者把 URL 里的 `github.com` 改成 `github.dev` 就能启动那个。超","\u002Fapi\u002Fmedia\u002Fmedia_765b6f218048",13,"2026-06-03 18:18:25",{"username":59,"displayName":60},"saika","Saika",[],[63,66,69,72,75,78],{"slug":64,"name":65},"vscode","VSCode",{"slug":67,"name":68},"token","Token",{"slug":70,"name":71},"github","GitHub",{"slug":73,"name":74},"electron","Electron",{"slug":76,"name":77},"bug","Bug",{"slug":79,"name":80},"security","Security",{"success":4,"data":82},[83,86,91,95,97,101,105,109,113,117,119,123,127,131,133,138,142,146,150,154,158,162,166,170,174,176,180,182,186,190,192,196,200,202,206,210,214,217,220,223,226,229,232,235,238,241,244,247,251,253,256,259,262,265,268,271,274,277,279,282,285,288,291,294,297,300,303,306],{"id":84,"name":85,"slug":85,"postCount":42},"61cace77-1b5c-4496-aaa7-6771ab2d765c","2026",{"id":87,"name":88,"slug":89,"postCount":90},"257cea63-96b8-4950-bf43-02e4692efe69","AI","ai",6,{"id":92,"name":93,"slug":94,"postCount":42},"d8be9d37-acc0-4dfb-a2b7-16e54e3c594c","BayModel","baymodel",{"id":96,"name":77,"slug":76,"postCount":42},"9c29889c-4788-4960-89b3-f75ec8cf96c2",{"id":98,"name":99,"slug":100,"postCount":26},"206928ae-ba3f-4c77-8994-79492b2add99","CSS","css",{"id":102,"name":103,"slug":104,"postCount":26},"05d85c80-f309-4985-a106-91862f6f27fd","Computex","computex",{"id":106,"name":107,"slug":108,"postCount":42},"ceba9d6c-64ad-465b-ad25-b1c7261fd021","DDR5","ddr5",{"id":110,"name":111,"slug":112,"postCount":42},"899bd590-33fa-4295-809e-885abd8c366c","DIY","diy",{"id":114,"name":115,"slug":116,"postCount":26},"ba35b189-11b7-4d0b-b0fd-88d28f2ee42b","Drizzle","drizzle",{"id":118,"name":74,"slug":73,"postCount":42},"717bd171-618c-410d-9c0b-7f5690fdc90b",{"id":120,"name":121,"slug":122,"postCount":42},"6e80d13a-0339-41b9-aa93-22d1cce916aa","Elixir","elixir",{"id":124,"name":125,"slug":126,"postCount":42},"3aa2d33d-f033-46c1-b15f-5eff9ba18db2","GPU","gpu",{"id":128,"name":129,"slug":130,"postCount":42},"f6ca37d0-02bf-4754-94b5-d558bba78c7e","Gemma","gemma",{"id":132,"name":71,"slug":70,"postCount":42},"69e4d303-2a04-481f-851e-cd67933232de",{"id":134,"name":135,"slug":136,"postCount":137},"413e537f-40e4-4058-9c43-bb56726126c2","Google","google",2,{"id":139,"name":140,"slug":141,"postCount":42},"c59ce2df-88cf-4e41-934c-2c7d86bac9ad","HackerNews","hackernews",{"id":143,"name":144,"slug":145,"postCount":42},"b5e893c0-ecaa-4428-8a3d-d1f4f7321d0f","JPEG XL","jpeg-xl",{"id":147,"name":148,"slug":149,"postCount":42},"e27ab6a2-844d-405d-8c8a-53d88ea1169b","LLM","llm",{"id":151,"name":152,"slug":153,"postCount":42},"192f7606-fa99-49b6-8a5d-3744788531ca","LinusTorvalds","linustorvalds",{"id":155,"name":156,"slug":157,"postCount":42},"8031a186-338e-4cf4-96d9-739ea4714d72","Linux","linux",{"id":159,"name":160,"slug":161,"postCount":26},"d4fc75a7-4112-4430-b489-5c4a64e4239f","NVIDIA","nvidia",{"id":163,"name":164,"slug":165,"postCount":26},"e9562b7b-3cda-465d-981c-da2d2d05d853","Nuxt","nuxt",{"id":167,"name":168,"slug":169,"postCount":26},"69582ea6-6de4-4904-aec2-90e22716fc8c","PostgreSQL","postgresql",{"id":171,"name":172,"slug":173,"postCount":26},"bce6daed-040d-48e1-acd8-4217cf817d5d","RTX Spark","rtx-spark",{"id":175,"name":60,"slug":59,"postCount":137},"529e2717-0254-4b12-be42-7a8bf4184136",{"id":177,"name":178,"slug":179,"postCount":42},"9fc8e5a4-2385-4df4-82a3-1dde47fa06d9","ScrollWheel","scrollwheel",{"id":181,"name":80,"slug":79,"postCount":137},"a3003f7f-8b08-4c40-a136-ad4d1f58c125",{"id":183,"name":184,"slug":185,"postCount":42},"f4fbf398-dd3e-48a7-99a1-dfd9d5f4f458","Skylight","skylight",{"id":187,"name":188,"slug":189,"postCount":42},"7f3391ce-2b55-420f-ab07-128956cc7bbc","TedChiang","tedchiang",{"id":191,"name":68,"slug":67,"postCount":42},"4d6e3915-84b4-4579-aca8-ebf777a6e262",{"id":193,"name":194,"slug":195,"postCount":26},"76f19a84-111a-4cde-9183-d65ed4af132e","TypeScript","typescript",{"id":197,"name":198,"slug":199,"postCount":42},"b6615d94-9f92-49df-8364-ab2cb5dc795d","VRAM","vram",{"id":201,"name":65,"slug":64,"postCount":42},"3d3d82d7-88c6-43d7-940d-c3c88458512a",{"id":203,"name":204,"slug":205,"postCount":26},"2b723922-5d0f-4618-879a-6d670e266bb8","Vue.js","vuejs",{"id":207,"name":208,"slug":209,"postCount":42},"394594e6-eb4c-4c7d-a672-bd4dfa9bae89","WebP","webp",{"id":211,"name":212,"slug":213,"postCount":26},"4c9d1ad4-94b9-4be2-a46c-d71de5cad9e5","Windows","windows",{"id":215,"name":216,"slug":216,"postCount":42},"5937068f-9434-49a4-8f55-c9cfcc6d7d47","biology",{"id":218,"name":219,"slug":219,"postCount":42},"997e7af3-a2dd-4da6-a908-5b93f61000a6","cryptography",{"id":221,"name":222,"slug":222,"postCount":42},"2cf5c94c-449c-4cc3-b799-e797c8f5fe00","diving",{"id":224,"name":225,"slug":225,"postCount":42},"3c765491-6040-4738-b88d-51c6cafc56ff","emperor-penguin",{"id":227,"name":228,"slug":228,"postCount":137},"71cdd054-bcf6-46d2-81ed-ac0c0f93c073","lets-encrypt",{"id":230,"name":231,"slug":231,"postCount":42},"4d39af2c-57b5-4b60-84b2-93ea5771472f","nbd-vram",{"id":233,"name":234,"slug":234,"postCount":42},"3846c4f6-32f4-4c0f-9eab-150e173bb991","penguin",{"id":236,"name":237,"slug":237,"postCount":42},"262a045f-b753-46c1-a1d5-f97dfd573fae","post-quantum",{"id":239,"name":240,"slug":240,"postCount":42},"c9e8d188-4950-4202-ae1e-7c81b6007e2a","quantum",{"id":242,"name":243,"slug":243,"postCount":42},"fe89c913-7749-4d2f-9cdd-4824d15b57b8","science",{"id":245,"name":246,"slug":246,"postCount":42},"48c4b049-78a2-4908-9661-6beea0f6aa27","创客",{"id":248,"name":249,"slug":250,"postCount":26},"2565cae5-f282-42f9-85fe-a193aedce119","前端","frontend",{"id":252,"name":29,"slug":30,"postCount":26},"f402d5e9-2817-4c35-b8a3-12e310900f4c",{"id":254,"name":255,"slug":255,"postCount":42},"2bdcccf2-3698-4244-9f2a-2dd1457de021","哲学",{"id":257,"name":258,"slug":258,"postCount":42},"d2d50e9f-21a3-49da-a0b8-9c673f2357c9","图像编码",{"id":260,"name":261,"slug":261,"postCount":42},"cef9176f-13ad-4cb4-b037-91ab2526cb3d","多模态",{"id":263,"name":264,"slug":264,"postCount":42},"efe034b3-32bf-4373-b810-96c4f9a811e1","安全",{"id":266,"name":267,"slug":267,"postCount":137},"75dbfc35-cd21-4877-9907-bbab1752d4bb","开源",{"id":269,"name":270,"slug":270,"postCount":42},"146c2ca7-f5a9-4384-8907-9b1b3ac5446a","开源硬件",{"id":272,"name":273,"slug":273,"postCount":42},"669287b4-75b9-447f-97fe-0b702c84676c","意识",{"id":275,"name":276,"slug":276,"postCount":42},"b4fa27e4-78b2-4a70-a524-cb8c9c792e4f","数字",{"id":278,"name":39,"slug":39,"postCount":42},"360e706b-ee62-4c7d-8fdf-4937b421c239",{"id":280,"name":281,"slug":281,"postCount":42},"d1762f3f-0fca-41f8-a6ca-9d153c43fb34","权重",{"id":283,"name":284,"slug":284,"postCount":42},"63d0548a-5f26-4240-949e-3c427897b2ac","渗透测试",{"id":286,"name":287,"slug":287,"postCount":42},"535af39c-2900-4058-81be-254047242ee1","物理",{"id":289,"name":290,"slug":290,"postCount":42},"c0cfc2f1-0a3b-4353-a62c-6d051b7ea904","硬件",{"id":292,"name":293,"slug":293,"postCount":42},"291d2fec-9687-4f3c-8786-8597f1ddb7c0","科幻",{"id":295,"name":296,"slug":296,"postCount":26},"2da3fe75-f222-4641-a25a-59dced227d32","芯片",{"id":298,"name":299,"slug":299,"postCount":42},"3e043a2a-9a31-4359-a68f-4fc1b7154791","装机",{"id":301,"name":302,"slug":302,"postCount":42},"0f9d5987-f1f2-4021-a0a4-e0e8961fdc80","赛博",{"id":304,"name":305,"slug":305,"postCount":42},"a93f35bc-6ea7-4c8b-bfb9-6a5e103d0a09","锐评",{"id":307,"name":308,"slug":308,"postCount":42},"16a9578e-ae79-426d-ad49-e8cf8feaa344","黑客",{"success":4,"data":310},[]]