Kevin BeaumontMay 20

RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Show threadEmily_S

@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.

https://github.com/emilyselwood/self_deleting_repo

GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor.

A repo that deletes it self when it opens in an editor. - emilyselwood/self_deleting_repo

GitHub
May 20 at 11:55amWeb
Show threadBen Ford May 21
@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547
VS Code tasks config file abused to run malicious code

Security researchers have found new instances of code repositories with malicious code in the tasks.json configuration file, set […]

devclass
Show threadEmily_SMay 21

@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plug-ins to check if they've added yet another way to trip this class of thing? (plugin's that silently update by default)

That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.

Show threadBen Ford May 21
@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.
Show threadAndreas KMay 21

@binford2k
Yeah the point is that it's an utterly bad design:

So you have to blindly trust the workspace directory to "auto run" in undefined (because extensions can add/modify behaviour).

Or you have to accept that a certain part of the functionality (again undefined) will be not working or working suboptimal.

And there is literally no way to safely review: give me an overview what commands does this repo configure to run.

The point is @emily_s @GossiTheDog

Show threadAndreas KMay 21
some of these configuration is totally benign and makes sense, like LSP support etc (although just blindly configuring it, risks configuring tools that are not installed on the system, but that's another story).
@emily_s @GossiTheDog @binford2k