I've been telling less computer-literate folks not to install random stuff since the nineties, and I can't understand how many devs are doing just that these days.

I used to work in security auditing, and it makes me feel pretty jaded to think of the gigabytes upon gigabytes of random stuff that just gets pulled in from everywhere in IDEs, package managers, build pipelines and container images.

At least back then there was still a chance to read a significant part of the code and find problems before they found you.

Answer: Because the "random stuff" (plugins for VS Code and other IDEs) solves real problems and nothing bad happens most of the time.

Almost no manager will sign off on spending time building stuff in-house if it's available "for free".

This is also in no way a new thing. How much code was written in Notepad++ in the '00s? Did anyone bother to check if the plugins did something malicious? We also used some weird closed-source "addon" for the Nullsoft installer to get a product out of the door; I don't remember what the problem was exactly.

"solves real problems and nothing bad happens most of the time."

Like WordPress plugins previously: they'll work for now, but we're now on the trajectory of relearning that same lesson, because people are automating discovery and exploitation of these extensions and plugins and whatnot around text editors and MCP and so on.

Though I suspect we'll first see a torrent of exploitation similar to what was done to WordPress instances, and then a change of behaviour, because, as you allude to, the people with influence didn't learn from previous experiences with similar technologies.

The vast majority of devs in the last few years have either been raised as sloppers or transitioned from developers to sloppers. Programming has evolved into a black box where fewer people than ever know how a program works, even though the number of "programmers" has skyrocketed. Just a few months ago a friend had a job interview (a fake one, obviously) where he was asked to clone a repo and do some stuff on it. The repo contained some VS Code hooks which did a ton of stuff in the background, installing backdoors and whatnot. In my friend's case, that was a non-issue since he was running it in a VM, but I reckon thousands of others have fallen victim to such attacks and still have no clue.
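The "VS Code hooks" in the anecdote above are the kind of thing a pre-open check can surface: a `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen` runs a command as soon as the folder is opened in a trusting workspace. The script below is an added example, not code from the thread; the tasks.json it parses is constructed, and the comment stripping is a simplification of VS Code's JSON-with-comments format.

```python
import json
import re
from pathlib import Path

# Constructed sample: one task auto-runs on folder open, one is an ordinary build task.
SAMPLE_TASKS_JSON = """{
  // VS Code allows comments in tasks.json, so plain json.loads would fail on this line
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "sh ./scripts/setup.sh",
      "runOptions": { "runOn": "folderOpen" }
    },
    {
      "label": "build",
      "type": "shell",
      "command": "make"
    }
  ]
}"""


def strip_jsonc_comments(text: str) -> str:
    """Drop // and /* */ comments while leaving string literals untouched."""
    pattern = r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/'
    return re.sub(pattern, lambda m: m.group(1) or "", text, flags=re.S)


def find_auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return label and command of every task that runs automatically on folder open."""
    data = json.loads(strip_jsonc_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({"label": task.get("label"), "command": task.get("command")})
    return findings


def audit_repo(repo_dir: Path) -> list[dict]:
    """Check a freshly cloned repo before opening it in the IDE."""
    tasks_file = repo_dir / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_auto_run_tasks(tasks_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {finding['label']!r} would execute: {finding['command']}")
```

Run `audit_repo(Path("path/to/clone"))` on a clone before opening it; an empty list means no folder-open task was declared, not that the repo is safe, since extensions recommended in `.vscode/extensions.json` and scripts invoked by the build are separate concerns.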
Never underestimate the power of procrastination disguised as productivity!
Did work for a company last week that got popped pretty badly during a round of Shai even though they were aware of the packages.

Turns out no amount of communication to the team matters when you set Copilot to autopilot and it’s not aware of the compromised packages.

I suspect that’s going to be a trend.

Because you need to install things to get things done. In the world of perfect security and order it's impossible to get anything done, much the same as it's impossible to do in complete chaos.

I am telling people to wear helmets when they drive a car, this would save hundreds of thousands of lives every year in the world, but somehow I cannot convince them.

It's stupid but understandable. Be it browsers or IDEs, they lack much-needed functionality, but instead of completing their products so they can be used productively out of the box, they outsource this to the community and call it a feature. It doesn't matter how good your bug fixing and security policies are if you allow basically everyone to circumvent them. In a nutshell, Microsoft is lazy. Don't use their products, and beware of the extension/module creep elsewhere.