And yet, this entire class of abuse is only possible because Microsoft refuse to implement any kind of permission management or sandboxing for extensions.
If the team put those filters in place, then it was the team. Anyone implementing automation gets to be held responsible for its failure, but also its successes.
Unfortunately the marketplace ecosystem is why I went back to VSCode from Cursor. I'm a bit upset by this because I don't quite appreciate that Microsoft has a closed ecosystem for the marketplace and does not open it to Cursor, but the reality is that Open VSX does not have all extensions and has little vetting.
Well this was an extremely unsophisticated attack. The malware wasn't hidden and they didn't even bother to actually copy the real extension.
If I were doing this I would copy the real extension, give it a name that made it sound official, but in the README say it is a tweaked version with some improvements or whatever. Also actually add some improvements, but hide the malware in those changes.
worble|7 months ago
https://github.com/microsoft/vscode/issues/52116
rs186|7 months ago
As a vscode extension author, I am scared by the power I have. I am not at all surprised by what happened in this story.
jowea|7 months ago
nkrisc|7 months ago
bootsmann|7 months ago
the_mitsuhiko|7 months ago
notpushkin|7 months ago
This can be solved quite easily for open source extensions: https://github.com/EclipseFdn/open-vsx.org/wiki/Auto-Publish...
Vetting however is trickier. I hope Cursor can fund this effort!
delusional|7 months ago
Quarrel|7 months ago
https://github.com/microsoft/vsmarketplace/blob/main/Removed...
IshKebab|7 months ago
If I were doing this I would copy the real extension, give it a name that made it sound official, but in the README say it is a tweaked version with some improvements or whatever. Also actually add some improvements, but hide the malware in those changes.
Good luck finding that. (brb going to try this)
raincole|7 months ago