this post was submitted on 01 Mar 2025

VS Code

[–] thyristor@lemmy.ml 23 points 1 week ago (7 children)

'Material Theme – Free' and 'Material Theme Icons – Free,'

[–] Kelly@programming.dev 5 points 1 week ago (3 children)

"We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found."

"That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it's their fault)"

If the dependency has been compromised then extensions that use that dependency and ship compromised code are also compromised. It's a transitive property if it ships bad code.

With that in mind, Microsoft yoinking the extension from the marketplace and user devices seems reasonable. But what was the "loop" they mention?

[–] Novack@programming.dev 2 points 6 days ago* (last edited 6 days ago)

From user devices? I for sure don't want Microsoft to do nothing on my devices. My device, my place, my decision.
