Personally I think Microsoft was in the right. Obfuscated code like this shouldn't be in an extension, at least with out a very big warning and a red flag.
"Researchers Amit Assaraf and Itay Kruk, who were deploying AI-powered scanners seeking suspicious submissions on VSCode, first flagged them as potentially malicious."
Well flagging as “potentially malicious” seems fine and super useful. Companies just need to have competent investigation of the reports and avoid the dark side of automating action just because it’s cheaper.
8 comments
[ 4.0 ms ] story [ 34.2 ms ] threadhttps://github.com/t3dotgg/vsc-material-but-i-wont-sue-you
Also,
> obfuscated code which spawns child processes to download data for unnecessary reasons
https://github.com/microsoft/vsmarketplace/issues/1168#issue...
No one in the right mind would expect a theme to do this. Its only purpose is to provide static data to the editor.
AI-powered vulnerability reporting is a scourge.
AI-powered bots can generate a flood of reports of "potentially malicious" code. No company could possibly keep up. Effective DDOS attack on security. Not even the NIST can keep up. https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed...
1 https://sgringwe.com/2019/10/10/Please-just-stop-saying-just...
https://thebullshitmachines.com/lesson-16-the-first-step-fal...