Somebody sent this blog my way today so I had a dig into it for a few hours. https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7

Yes, Amit is right. Visual Studio Marketplace is a clusterfuck.

✅ anybody can verify themselves using just a domain name
✅ anybody can set any display name
✅ extensions allow RCE, no sandboxing or limits at all
✅ full access to developer + build
✅ anybody can link any GitHub repo, even if it has nothing to do with the extension
✅ I’ve already found malware - backdoors, beacons etc etc

@GossiTheDog
Thanks for highlighting this.

I've removed or disabled almost all the extensions I had installed leaving a core of popular ones from official projects (I hope).

I wonder what FOSS alternatives we now have to VSC. I mainly do #RustLang and some web (mostly Svelte it plain HTML) and get a big productivity boon from syntax highlighting/checking and completion. Finding function definitions and references, global search and replace, auto fixing after file rename etc. Gosh, so much!

@markhughes
#HelixEditor, #ZedEditor, #Lapce (already mentioned), #Kate is not bad either
@GossiTheDog

#RustLang