The (lack of) security of VSCode has always been astounding. People have asked for sandboxing extensions for years [0] with little to no progress, and issues have been discussed a lot (e.g. [1][2]). I guess it hasn't been a big issue, likely because most developers are not complete idiots. But it only takes one developer and one bad extension to lead to consequences like this.

I mean, I understand that it is hard to sandbox Node.js applications, but apparently Microsoft has put way more effort into their Copilot slop than security.

[0] https://github.com/microsoft/vscode/issues/52116

[1] https://news.ycombinator.com/item?id=42979994

[2] https://news.ycombinator.com/item?id=46855527

You don’t have to be an idiot to be hacked. A legit extension can be sold or compromised through no fault of the engineer.

Don’t attack individuals for mistakes of a system.

I am so, so stressed about Sublime Text... It feels like a massive disaster just waiting to happen. They don't even run their own package marketplace :(

There are so few users of Sublime Text that it likely isn’t a juicy enough target for these sorts of exploits.

> but apparently Microsoft has put way more effort into their Copilot slop than security.

Your security or their money (selling Copilot to enterprise customers): what would they choose, hmm? Surprise!

Why would you sandbox extensions?

Just don’t install crap maybe.

Any good, benign extension can be taken over and weaponized with malware.

Even if you don't install crap, the latest strategy is attacking the developer of one of the extensions or their build process so you can push a malware update to an otherwise legitimate extension.

Thanks for the sage advice. Next time you are infected with the flu, you should just not breathe, maybe.

This man's security onion has one layer.