scottleyMay 27
Tanawts

Visual Studio Code Extensions lack a means of enforcing a minimum age to protect against updates that spread worms. There is a feature request to compel Microsoft to add this festure functionality, it only has 212 likes today.
Please help give it a BIG signal boost!

https://github.com/Microsoft/vscode/issues/316867

Security: minimumReleaseAge setting for mitigating supply chain attacks on extensions · Issue #316867 · microsoft/vscode

In the last years, supply chain attacks have increased dramatically. A few examples in the VS Code extension ecosystem: AI-Slop ransomware test sneaks on to VS Code marketplace - BleepingComputer M...

GitHub
May 27 at 2:24pmWeb
Show threadTanawtsMay 27

@briankrebs can we get a piece on the state of package/plugin/extensions Marketplaces being unconscionably behind on hygiene controls that have resulted in these supply chain worms?

Lack of MFA for publishers, lack of hygiene control on 3rd party submitted content, lack of cool down timers on packages/clients to protect themselves from rapidly spreading infections.

The whole framework has been ripe for exploitation. The garden has been left poorly tended we are now subject to the invasion of the worms as a result.

Show threadBrianKrebsMay 27
@Enigma Sounds like a worthy project. Can you name names? I'm not a programmer really.
Show threadTanawtsMay 27
@briankrebs I can get you bootstrapped. What's the best means to get you my contact info.
Show threadBrianKrebsMay 27
@Enigma signal: briankrebs.07 (it's in my profile here)
Show threadTanawtsMay 28
@GossiTheDog , can we get a signal boost? Cooldown enforcement on Extensions, Packages, and Plugins are Table stakes and should not be optional or missing features from MS.
Show threadUSB Type-Steve May 28
@Enigma Now that's age verification we can get behind.
Show threadپویان Pouyan May 28
@Enigma didn't @andrewnez mentioned a similar issue a while ago?

EDIT: found it:

https://mastodon.social/@andrewnez/116607969423764121
Show threadNumerfoltMay 28
@Enigma I was wondering why age verification for VSCode would be a good thing. Until I read "release age" 😅