RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog make it the trifecta by dropping malware that abuses the vscode uninstaller
@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...

@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the North Korean government.

It's reasonably lightweight, but I don't trust it any more, as even if I only use it for text editing, it's too willing to run code from external sources.

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was Windows only.

@stevel
Do you know my CEO colleague? He insists on positive formulations even if you just report the end of the world. "And finally I've got an incredible deal at the end-of-the-world sale for cloud resources for the period after the big rock hits Earth and exterminates all life more advanced than bacteria. Our year-end bonuses are safe!"

But yes, ActiveX was unfairly Windows only; we non-Windows users were discriminated against.
@GossiTheDog

@yacc143 @GossiTheDog did get an IE3 patch out to fix an ActiveX control vulnerability back in the late 90s, it was such an easy target.

Has anything that bad shipped between then and VS Code plugins? Doubtful. Flash and Java applets were at least trying to run in sandboxes...
#cybersecurity

@stevel @GossiTheDog all this complexity to replace gedit and grep programs
@seepr @GossiTheDog ripgrep please. grep doesn't scale to debugging a 30 MB zip file of logs across a cluster.
@stevel @GossiTheDog ... you can search text in zip files? Searching compressed logs ... hmm, does this also work with gzipped files?

@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.

I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.

@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.
@ingram you can probably install VSCode 😅
@GossiTheDog
Not really, VSC let extensions bring their own binaries too, doesn't it?
@ingram

@GossiTheDog I'm not going to try, but from experience anything that isn't on the allow-list is blocked. Staff can request the thing to be added to the list, but the default is "computer says no". VSCode isn't one of the supported tools. One of the tools I use brings in libraries and some have DLLs, and these get blocked by default too.

Companies can protect themselves, but staff will gnash teeth and wail.

@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.

@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU

https://youtu.be/deBTJdjMc5o

VSCode Extension Deployment with Intune - Björn Sundling, David Sass - PSConfEU 2025

@GossiTheDog

"but it's for developers it's allowed to be insecure they surely know what they're doing and think perfectly rationally at all times!"

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in it yet because frankly, I don't trust it yet. I'd rather walk slowly and safely.

@GossiTheDog lol MS didn't even follow their own guidelines

@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"

Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!

@brnrd Seems like they pioneered this model back with ActiveX plugins:
(A) trust this plugin to do anything it wants, even if it’s malicious,
(B) don’t let this plugin do anything, no matter how useful
(C) Maybe later (the 2020s enhanced version of this choice)

@GossiTheDog

@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.
@GossiTheDog especially bad in light of rejecting the requests for cooldowns in the past https://github.com/microsoft/vscode/issues/79689
[Feature Request] Fine grained control on extension auto updates · Issue #79689 · microsoft/vscode

@GossiTheDog

They recently added a feature to control what publishers are allowed

https://code.visualstudio.com/docs/enterprise/policies

Centrally manage VS Code settings with policies

@ConanChiles @GossiTheDog And here I am just thinking "An open repository system where you add allowed sources would have allowed for better control from the start"
@GossiTheDog wonder if that’s why at my company they’ve had a crack down on VS code extensions. Now they have an allow list of extensions that can be installed and nothing else.

@GossiTheDog hell even opening a repo in vscode can cause code execution in multiple ways. It is basically impossible to use securely.

https://github.com/emilyselwood/self_deleting_repo

GitHub - emilyselwood/self_deleting_repo: A repo that deletes it self when it opens in an editor.
@emily_s @GossiTheDog sounds like this only happens when you trust the folder when it asks for permission. https://www.devclass.com/development/2026/01/22/vs-code-tasks-config-file-abused-to-run-malicious-code/4079547
VS Code tasks config file abused to run malicious code

@binford2k @GossiTheDog yes... Do you know every single thing you need to check before clicking that button on a repo? Do you check all changes to all repos you've clicked that button on before you open your editor? Do you keep track of all changes to all of your plugins to check if they've added yet another way to trip this class of thing? (plugins that silently update by default)

That button is entirely so lawyers can say "Well we warned you" and not actually provide any security.

@emily_s @GossiTheDog I’m just saying that if you open a freshly cloned repo and vscode says “yo dude, can this repo run some code?” and you say “hell yeah sounds like a great time, I trust that repo, run some code” then you shouldn’t be surprised when the repo runs some code.

@binford2k
Yeah the point is that it's an utterly bad design:

So you have to blindly trust the workspace directory to "auto run" something undefined (because extensions can add/modify behaviour).

Or you have to accept that a certain part of the functionality (again undefined) will not work or will work suboptimally.

And there is literally no way to safely review it: give me an overview of what commands this repo configures to run.

The point is @emily_s @GossiTheDog

some of these configurations are totally benign and make sense, like LSP support etc. (although just blindly configuring it risks configuring tools that are not installed on the system, but that's another story).
@emily_s @GossiTheDog @binford2k
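One way to get the "what would this repo run" overview asked for above, as an added example that is neither VS Code's code nor any poster's: it parses a workspace's `.vscode/tasks.json` and lists every task configured with `runOptions.runOn` set to `folderOpen` (the auto-run trigger behind the tasks.json abuse linked earlier), so the commands can be read before the trust prompt is accepted. It assumes the documented tasks.json shape (a `tasks` array, `command` as a string or `{"value": ...}`, `args`); the sample file inside it is constructed.

```python
"""Added example for this thread (not VS Code's or any poster's code): list what
a workspace's .vscode/tasks.json would auto-run once the folder is trusted.
Assumes the documented shape: a "tasks" array whose entries may carry "command"
(string or {"value": ...}), "args", and "runOptions": {"runOn": "folderOpen"}."""
import json
import re
from pathlib import Path

# Match string literals first so "//" inside a URL is not treated as a comment.
_JSONC_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")

def parse_jsonc(text: str) -> dict:
    """tasks.json is JSONC: strip comments and trailing commas, then parse."""
    no_comments = _JSONC_TOKEN.sub(lambda m: m.group(1) or "", text)
    return json.loads(_TRAILING_COMMA.sub(r"\1", no_comments))

def auto_run_tasks(tasks_json: dict) -> list:
    """Return (label, command line) for every task set to run on folder open."""
    found = []
    for task in tasks_json.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = task.get("command", "")
        if isinstance(cmd, dict):  # {"value": "...", "quoting": "..."} form
            cmd = cmd.get("value", "")
        args = " ".join(str(a) for a in task.get("args", []))
        found.append((task.get("label", "<unnamed>"), f"{cmd} {args}".strip()))
    return found

def review_workspace(root) -> list:
    """Read <root>/.vscode/tasks.json if present; [] means nothing auto-runs."""
    path = Path(root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return auto_run_tasks(parse_jsonc(path.read_text(encoding="utf-8")))

# Constructed sample (not from any real repository): one ordinary build task
# and one task that would execute as soon as the folder is trusted.
SAMPLE_TASKS_JSON = """{
  // JSONC: comments and trailing commas are legal here
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make", "args": ["all"],},
    {"label": "setup", "type": "shell", "command": "sh",
     "args": ["./scripts/bootstrap.sh"], "runOptions": {"runOn": "folderOpen"}},
  ]
}"""
```

Run `review_workspace(".")` from a freshly cloned checkout before answering the trust prompt; it only covers tasks.json, not commands that extensions add on their own.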
@GossiTheDog @tymwol Something macros something something word documents 🎻
@GossiTheDog One day, I might figure out why I'd ever want to install VSCode, but this is not that day. May it rot in hell for completely destroying search results between it and the real VS, both ways.
@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!
@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?
@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company 😅
@[email protected] @[email protected] also, this is the company that chose to call a flagship product family .NET

@GossiTheDog

VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.

@GossiTheDog One of the top 10 extensions, with 73 million downloads, looks like it's owned by a single dev on his personal GitHub account.

I wonder how many phishing attempts he gets per day.

@GossiTheDog ....

.......

and here I thought npm was bad. Sweet moldy cheezus on stale wonderbread with a radiator moonshine chaser and a frop stash full of ergot.

@GossiTheDog

Tried VSCode, it was not really bad, except that for my taste it ate too much RAM, which becomes precious with all these AI and browser-engine apps.

Still looking for something better than Notepad++ having:
- low memory footprint
- (relatively) fast
- plugin/built-in support for the couple of languages I need

@GossiTheDog Just got notified by regular old Visual Studio that there is an update 18.6.1 except there are no release notes for 18.6.1.

So now I'm left wondering if this is a fix for a security flaw I should install right now or the result of a supply side attack facilitated by a security flaw I should definitely not install.

Whichever is the truth, I'm sure the correct approach is to ask CoPilot what to do, right Microsoft?

@GossiTheDog

And if you, like me, don’t use VS Code, don’t feel smug: our editors ($VIM, Emacs, etc.) don’t even have any marketplace and pull executable code from completely random places on the Internet (mostly GitHub, and we know how secure that is).

#Fail #NoSecurity

@GossiTheDog
Nothing surprising here.

Microsoft traditionally has the MS-DOS & Windows 3.11 security mindset, which is only replaced surgically with something better. But the default is no security.

Prove me wrong.

@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.

Security is like this fractal mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.

@GossiTheDog Google is probably thinking how this will simplify their own job: no more worrying about malware or unsafe sites or anything. Users just poke the stochastic text machine and text is generated for them. No more spidering or security monitoring of websites needed. They are no doubt fantasizing about all the layoffs they can do.
@GossiTheDog My guess is if this is true, we might see them try to exit the browser space entirely... that might take a while though