14 comments

[ 2.7 ms ] story [ 48.4 ms ] thread
Jeez, what a disaster. More and more it’s becoming clear that you cannot actually trust anyone else’s code unless you audit it yourself.
> 1,283 with known malicious code (229 million installs)

Not expecting that many.

I sometimes randomly try interesting extensions out. Will not do this again. Should only install extensions recommended by Microsoft I guess.

Maybe the same applies for browser extensions?

Please don't be a dev with access to things my security depends on.
> Please don't be a dev with access to things my security depends on.

Devs just want “Do Anything Now mode”, who doesn't? :)

I doubt at most shops VSCode extension security is considered differently from any extensions or libraries used throughout the codebase.

Almost nobody reads every line of their includes. (Sadly, but obviously.)

If all your includes can come only from an artifact depot or mirror because your build system can't reach the Internet, and those only get there with a PR and code review, you're on a good start. Operationalizing that to stay current with zero day fixes and the like, starts to be "a thing", which is why there's so much energy in software-supply chain security, through industry efforts like SLSA and GUAC and firms like https://www.kusari.dev/.

Read a decent checkpoint and overview on this emerging ecosystem here (from 2022):

https://security.googleblog.com/2022/10/announcing-guac-grea...

C# Dev Kit is not only recommended by Microsoft, but developed by and for them.

It still has a serious license footgun built-in, Oracle-style.

Confusing marketing and description about it are unfortunate - DevKit provides Visual Studio style solution and text explorers, and maybe additional features since last time I verified this.

In order to write C#, however, you do not need that - base C# extension that has no licensing strings attached is the actual language server you need. And solution explorer, should you want that, can be restored with Ionide which doubles as a language server for F#.

And, hey, at least it's not like with Oracle where SDK distribution itself that has a trap :)

In other words: water is wet.

I kinda get the impression, the author of the original articles has little understanding of what they are actually talking about. The numbers of concerning extensions they found is rather low, and their claims of concern are very questionable, especially when they bring s** like a "reverse shell" to a local IP as a security-problem. My impression is, they heard about problems, poked around and found things they do not understand and then claim problems. This is just poor rage bait for the alarmist mindset than real meat.