this post was submitted on 01 Mar 2025
21 points (100.0% liked)

VS Code

top 3 comments
[–] Hirom@beehaw.org 4 points 5 months ago

What are the malicious behaviours? The article is very vague.

[–] Kissaki@programming.dev 3 points 5 months ago

lol, release-notes.js - obfuscated; at first I thought it was the release notes data or content, but maybe it's the logic for displaying it?

Outdated sanity-io dependency somehow led to compromise? I still don't get how. It wouldn't suddenly integrate something else. Does it source data from elsewhere during build, and that was compromised too? Does it call into the web for no reason in the first place?

Either way, it's an issue of their integration. Claiming "it's not an issue in our extension" while shipping compromised code is just wrong.

Obfuscating their index.js theme logic because it's closed source may seem fine if they're trustworthy, but with this violation and breach, that trust is gone.

[–] FizzyOrange@programming.dev 3 points 5 months ago

There must be dozens of malicious extensions. I'm honestly surprised we haven't seen it more. Chrome extensions get sold to shady people all the time; I would have thought VSCode extensions are even higher value targets.