Previous thread in sequence:
GitHub is investigating unauthorized access to their internal repositories - https://news.ycombinator.com/item?id=48201316 - May 2026 (321 comments)
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
48% Positive
Analyzed from 11358 words in the discussion.
Trending Topics
#github#code#extensions#https#vscode#extension#don#com#repos#security
Discussion (401 Comments)Read Original on HackerNews
I used to work in security auditing, and it makes me feel pretty jaded to think of the gigabytes upon gigabytes of random stuff that just gets pulled in from everywhere in IDEs, package managers, build pipelines and container images.
At least back then there was still a chance to read a significant part of the code and find problems before they found you.
Almost no manager will sign-off spending time on building stuff in-house if its available "for free".
This is also in no way a new thing. How much code was written in notepad++ in the '00ies? Did anyone bother to check if the plugins did sth. malicious? We also used some weird closed-src "addon" for the Nullsoft installer to get a product out of the door, dont remember what the problem was exactly....
Like Wordpress plugins previously that'll work for now but we're now on the trajectory of relearning that same lesson, because people are automating discovery and exploitation of these extensions and plugins and whatnot around text editors and MCP and so on.
Though I suspect we'll first see a torrent of exploitation similar to what was done to Wordpress instances, and then a change of behaviour, because as you allude to, the people with influence didn't learn from previous experiences with similar technologies.
Turns out no amount of communication to the team matters when you set Copilot to autopilot and it’s not aware of the compromised packages.
I suspect that’s going to be a trend.
I am telling people to wear helmets when they drive a car, this would save hundreds of thousands of lives every year in the world, but somehow I cannot convince them.
https://github.com/microsoft/vscode/issues/52116
And even if this exists, and you are sandboxed, with all guardrails and such, if you trust an extension that later gets compromised, you'd get the same sadness. It's the problems with trusting trust all over again...
Maybe sandboxing, plus freezing updates for at least a week, then on each update reviewing the permissions for each extension, then reviewing the extension itself for compromises. Something that should be done not by the user but by the supply chain itself.
I heared zed sandboxes extensions. I should have a look at that editor some day.
Finally I have decided to start using Zed, which isn’t perfect on the security front, but much better IMHO. The combination of WASM extensions, and the ability to put language servers, etc, in dev-containers seems like a great step forward.
I hope Zed continues to improve their extension and language server security model. Actually I hope VSCode does too, but honestly, I am not optimistic.
[1] https://www.reddit.com/r/programming/comments/1tapmvi/mass_n...
Software that is mostly an electron app. I start using my browser for a web edition, or run it in a container/sandbox!
I'm guessing you're referring to https://coder.com/docs/code-server ?
The best case for Microsoft software I hope for is that they do only some minor UI cosmetic changes, but even that often goes catastrophically wrong.
To be honest I doubt there's much that they can do. Many many language servers cannot run in WASM, or it would be super hard to compile them to WASM. So Zed either has to allow running arbitrary binaries like VSCode, or accept that they're going to have really poor extension support.
I should be able to limit what binaries extensions have access to though.
I just don't use VSCode and I discourage its use in any environment in which I have to work. It has already been demonstrated that it is a major security hole - not just through the public extensions, but also in terms of the telemetry data transmitted back to Microsoft in order that they can invest millions in it and yet charge nothing for it...
https://fosstodon.org/@lukewrites/100907932236227641
The problem is really how the very popular recent things on top have been built: Docker, npm, pip.
I personally do not have docker, npm or pip installed on my workstation because I know that any `xxx install` is almost the equivalent of downloading and executing a `.exe` on a Windows 95 back in the days.
Apparently what happened here is a Github employee VScode downloaded a compromised extension and it ran wild in his $HOME (npm, another Microsoft gem is involved here if I remember correctly).
How was the OS supposed to prevent that?
Migrate off vscode already.
I guess I'd say "you take my VS Code ... willingly ... but only after M$ fucks it up and makes me not want it anymore (like they've done to everything else they acquired)".
Not for lack of trying, the amount of CoPilot cruft bundled with the core IDE is growing quarterly.
I beg to differ. Have you inspected its network traffic?
And are you a vscode original? or came from vim/emacs?
If you start with an IDE first you likely need far fewer extensions.
Zed is the closest thing I've found to meet my needs, and I do plan to try it. However it's dev container support looks to be lacking in some important ways so we'll see.
I'm not saying its package ecosystem isn't vulnerable to these kind of attacks, it is, but it's at least developed by folks with very different goals and ambitions than Microsoft.
[0]: https://github.com/emacs-mirror/emacs/blob/master/etc/NEWS
It's not the IDE, though. Any extensible, customizable display editor can be coerced into behaving badly by installing external code. Even this one: https://www.gnu.org/software/emacs/emacs-paper.html
The root(-ish) cause here is the ease of publishing and installing extension code, and in particular the fact that there's no independent validation/verification step between the upstream author and armageddon. And upstream authors aren't set up with the needed precautions themselves, they're just hackers.
Basically if you phish Just One Account with write access to an extension you wan pwn everyone who's running it.
But I think only VS Code (And Jetbrain's ones) is so pushy about installing extensions. With Emacs, you actually have to go find them and install it. And then you actually have to make a conscious effort to update them. Same with vim. I'm pretty sure VS Code enable auto updates. And I would guess the people publishing Emacs's package and Vim's plugin are way more conscious about security.
If these claims were true, why don't they point the agents at the numerous stability and security issues they have across their various platforms?
I use Emacs for my day-to-day stuff. I don't think Emacs extensions are more secure by design. Pretty sure that, if I wanted to, I could craft an extension that does bad things. I'm not sure how hard it would've been to sneak it past MELPA or (is there really anything else people are using these days? Used to be Marmalade, but I think it's gone), but, it's people, and people make mistakes, so, there's some % chance that a bad extension can be inserted there. Such security problems happen to a lesser extent (if at all?) in the Emacs world because of the size of the user base. It's simply impractical to target a small community, as it's always a numbers game.
Very unwillingly, and with a lot of contempt, I use Android, where this "explicit permissions system" you speak of exists. There are many reasons to hate Android, and the "explicit permissions system" is a prominent member in that collective.
Companies like MS, Google etc. always default to this way of solving their security issues: by restricting their users from doing useful things. They model their users as a herd of brainless lemmings who must be herded with an iron fist in order for them not to plunge to their deaths (yes, I know, real-life lemmings don't do that, but we all know the metaphor). And this tactics is so common that the MS-lemmings learn to yearn for it.
The solution I want to see to this and similar problems is two-fold:
1. Users learn to use their tools.
2. Users learn to treat important information on their computers in a more defensive way, if they open the door for outside, potentially bad, software providers.
This is, of course, a pie in the sky sort of wish... But, imagine it was achievable, wouldn't the world be a better place? Now, I believe it's possible to approach these goals gradually, and it would still be better than a system imposed by the software provider that prevents users from doing useful things.
For example, Emacs has a mechanism to prompt users when attempting to use a particular functionality. Some of it is because the functionality can be surprising for the novice, some of it is because it could be dangerous from the security standpoint. So, in principle, VSCode could do that too. Eg. a user would have to interactively grant its extensions permissions to call whatever functionality within the editor, while some "dangerous" functionality would have to be removed from the JavaScript runtime available to VSCode and only made available in this interactive way (eg. when JavaScript code in VSCode extensions wants to call exec() or similar, it would have to call an overloaded exec() provided by VSCode, that would inform the user that such-and-such extension wishes to run such-and-such command, and that it needs their permission to do it).
That Just Won't Happen. Especially not in a corporate/government setting. In my experience, it's rare for people to actually want to improve how they work without there being external pressure. Workflows once learned become very, very hard to unlearn and it's already a massive issue when you are responsible for a piece of business software that's used by a hundred users - I once was on a team responsible for the software used by tens of thousands of people. Major changes always, always had to be accompanied by training material and the time for that training had to be budgeted as well.
A large part of the issue is cultural/financial realities. People are already overloaded with work as penny pinchers think it's wise to keep people at 100% utilization leaving no gaps for anything - they know that if they become more efficient, their workload will not go down, their bosses will just dump more things on their table. And people don't want to train for their job if they're not paid for it, as well.
Please, read what you quoted to the end. The answer is right there.
Anyways. Here are examples to the contrary: cars and driving. Somehow, collectively, we realized that driving requires learning the tools to a minimal proficiency level. This doesn't prevent anyone from driving a car w/o a license (a document certifying one's learned the tools), but it puts the blame for a certain category of accidents on the driver, thus making it unnecessary to demand absolute road safety from car manufacturers.
What if we treated computers more like cars? Perhaps, in a situation like this, products s.a. VSCode wouldn't even exist in the same way how there aren't cars that don't come equipped with safety belts?
Right now, parent suggests, metaphorically, to equip cars with a system that plans the route in advance, has a required number of passengers for each planned trip and won't even open the doors unless the car reaches its destination. This is what "explicit permission system" is to a computer user lucky enough to have avoided most of the MS / Google / Apple and Co products.
What I ended up changing after contemplating this matter: all my MCP servers are scripts from my repository and not npm packages. All the information about the scopes these servers can use is contained explicitly in my context file (certain directories, certain tools). There's nothing untrusted reaching my filesystem/tokens.
There's the same supply chain problem in VSCode extensions as there is with the MCP servers. Very few companies that audit their extensions started auditing their MCP servers.
GitHub is investigating unauthorized access to their internal repositories - https://news.ycombinator.com/item?id=48201316 - May 2026 (321 comments)
A company that wants to remain secure would have to employ strict restrictions on installing software. Only installing npm packages and plugins from an internal preapproved repo for example.
You regularly run tons of untrusted code when visiting websites. That code can't wreak havoc on your machine because it's well-sandboxed. Yet, if we advocate for sandboxing in more places, the "gun nuts of tech" scream about monopolistic practices and taking away user control.
I rarely see people complain about sandboxing.
What people complain about is when devices are locked down in a way where you are only allowed to install software that is approved by a central gatekeeper, even though sandboxing is in place that should make it far safer to run arbitrary safer than on traditional desktop systems.
Sandboxing plugins is pretty much universally desired? You seem to be conflating this with the issue of platform gatekeepers deciding which software is allowed to run on our own hardware
We've had the solution to shit like this, and it's called the SecurityManager in Java. No one wants to configure the damn thing, but it is there. Also, auditing the code you pull in. Yeah. Reading code sucks. Yeah. It's a lotta work. But if you don't check, you don't effing know.
All y'all want the fun of unprotected sex (rawdogging the ecosystem) and are starting to get burned by the VD's we old-timers have been hollerin' at you telling you will be coming the more you do this promiscuous dependency inclusion.
But hey. Enjoy it I guess. No skin off my nose.
I do agree though that it is incredibly important to start taking sandboxing seriously. But there is a lot of difficulty and friction, and most of the users will scream and cry about extensions being limited.
Sublime's de facto package control repository is handled by an Uber engineer and father of 5 in his spare time, not someone currently at Sublime per https://packagecontrol.io/about / https://packagecontrol.io/say_thanks and his linked site.
VS Code Marketplace seems to have a number of protections in place: https://code.visualstudio.com/docs/configure/extensions/exte... / https://code.visualstudio.com/api/advanced-topics/extension-...
It also appears that Sublime doesn't have sandboxing: https://github.com/sublimehq/sublime_text/issues/6915
> I love to see …
Be kind to others. https://news.ycombinator.com/newsguidelines.html
> "VSCode is perfect"
Is the claim "VSCode is perfect" one that you've regularly run across, that you specifically called it out?
(I'm personally happy that multiple editor options exist.)
(Separately, it doesn't help that MS doesn't allow VS Code forks to use the official marketplace, including as verified publisher doesn't seem to exist there - example: https://open-vsx.org/extension/esbenp/prettier-vscode )
(Ancillary links: https://code.visualstudio.com/docs/configure/extensions/exte... / https://marketplace.visualstudio.com/VSCode )
At this point I try and get the most done with the least amount of extensions period. That and trying to get the rest of my code off of Github is the other.
Which is really insane when you think about it. Plan 9 had this sorted out decades ago.
Plan 9 was designed, Linux accreted.
It is the largest project I have ever build and I code since 25 years.
I was just not satisfied with the agentic tools out there, nor with the CI / build infrastructure. Nix is nice, but the way packages are build / signed is just half way to perfect.
We can be lucky that the github hack did not infect the CI infrastructure. Imagine you infect the compilers in github CI to add a sleeper worm that does nothing for a month...
Only if you have multiple parties, building the same software with bootstrapped compilers and every artifact is hash compared, you can be sure it is legit
When I left about a year ago, we had just started (after being on Github for almost 8 years) an ongoing project of first archiving old/outdated repos in place, and then moving them to an "archived" sub-org, and waiting to see if anyone complained.
Previously no one wanted to outright delete or remove repos because of the risk that someone somewhere was relying on it, and also there was no actual downside to just leaving them there (no cost savings, no imminent danger other than clutter, etc), so resources were never allocated to do it. There was always something more important to work on.
In an org with a higher floor of engineering management, a proactive program for removing unused or outdated repos would absolutely be expected though I think.
And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.
https://github.com/livegrep/livegrep
The ones used for running the site itself.
Though, its so many that i think there are some customer ones in there too.
AI is making this even worse. With coding agents, anyone can throw together a quick internal prototype of any idea they have, even if it has no hope of ever making it to production.
Some of those could be forks.
All used techniques and mitigation strategies, including this one: https://npm-supply-chain-attack-techniques.pagey.site/
I wonder how many other secrets and tokens have been stolen, just waiting to be abused to publish a malicious version of.. something.
IMO, the problem is [1] that actually rotation all secrets just because you might have installed a compromised packe is a huuge PITA. So it's tempting to take it lightly and hope for the best. And even if you really try, it's easy to miss one.
1: in addition to "running code from whereever" with little sandboxing
It's gotten a lot worse (and made news) more recently, as the downtime as increased.
The dreaded "process" to get a single tool registered, working and allowed, is the reason a company is slow, dysfunctional and usually failing at a task.
The security tax and speeding tickets on everything are a luxury destroying much value.
The problem with controlled environments is that even when done sensibly by people with good intentions they do slow things down and a lot of orgs will decide the trade off isn’t worth that.
I’ve worked for companies that did have much more controlled environments but given everything is made of a thousand packages these days and those packages have CVE’s and you do need to patch doing it after the fact is a recipe for paralysis.
The friction they should have probably had here is: did this employee need access to 3,800 internal repos?
I'm with the poster above in believing restricting what you can install makes a lot of things more difficult, but if you're going to take the risk you should be limiting the blast radius.
Problem is: most employees don’t care to read these. Although I’m sure something like this could have been checked for during commit.
Like, I use a VSCode fork at work, but the enforced extensions store backend is based on an allowlist and extensions need reviewing to be available there.
Big tech can be suprisingly not locked down!
I mean, I understand that it is hard to sandbox Node.js applications, but apparently Microsoft has put way more effort into their Copilot slop than security.
[0] https://github.com/microsoft/vscode/issues/52116
[1] https://news.ycombinator.com/item?id=42979994
[2] https://news.ycombinator.com/item?id=46855527
Don’t attack individuals for mistakes of a system.
Your security or their money (selling Copilot to enterprise customers): what would they choose, hmm? Surprise!
Just don’t install crap maybe.
We aren't talking about a single dev developing an IDE on their spare time. We are talking about a company with expenses and revenues in billions. They could develop and support replacement for every single extension in the vscode marketplace (most are redundants) and it would still be an invisible blip in their financial numbers.
A fine grained token is likely to have read access to the IaaS repo as that is likely the very repo they are operating on when the malware compromises them.
3800 repos up for blackmail may make a good headline but it's likely that Github don't really care about 3798 of those repos being made public. It'd be annoying for those 3798 to be made public but they can deal with that. It's the 2 repos that contain really important stuff that they really don't want to be made public. You can't rely on fine grained tokens to limit the leak of these things as, at some point, someone with that very access will get compromised.
Limiting TTL on tokens/auth isn't a perfect solution either. If the token is leaked via some malware it can be used to clone repos within minutes (even seconds) of being leaked. No-one wants to have to perform 2FA every few seconds in order to get on with their day.
IP based restrictions may help, but then the malware would probably evolve to include a tailscale/wireguard key so that the clone/exfiltration is done from the existing IP address and then the data is proxied away separately.
Future dev environments are going to be heavily sandboxed in terms of "do github stuff in this sandbox, copy files to another sandbox to do package updates, vet everything coming back, etc"
agree generally with what your getting at though: doesn't solve this problem. but even just a basic reduction in blast radius would be nice.
Having to switch between accounts with different tokens with vastly pared down access is going to feel quite restrictive and suffocating.
Some devs won't have the patience to wait for some other department to vet and import a new npm package, or the latest update to it, before it can be used.
Some devs will be frustrated not being able to run their favourite IDE which isn't on the approved list, or their favourite plugins which haven't been vetted yet.
Some devs will get annoyed that they have to reboot more and more frequently to get the latest OS updates because things like Copy-Fail/CVE-2026-31431 appear out of nowhere and can be weaponised by malware to break between accounts or out of VMs and other sandboxed envs to get access to more keys/PATs/etc.
Another alternative is endless MFA requests which leads to request fatigue and accidentally approving the malicious/unwanted action.
It's going to be interesting how the industry deals with all of this. I can see it getting a lot worse with some even more significant breaches before it starts to get better.
https://github.blog/security/investigating-unauthorized-acce... links to https://github.com/nrwl/nx-console/security/advisories/GHSA-... Nx Console
Source: https://news.ycombinator.com/item?id=48216614
https://bonkersworld.net/organizational-charts
Guess what they did a year ago.
They removed 700 or so packages from NuGet proactively but those turned out to be false positives.
It is hard to do the right things.
I keep reading about vscode extensions going malicious and I feel the same way as I did when I was reading (and still am) about all the malicious browser extensions. I don't understand the lack of security around "extensions" in all sectors..
- Enable audit log streaming[1] on your enterprise including source IPs and API requests, even if it’s just going to an S3 bucket nobody looks at it, your incident response team will thank you later.
- Enforce the use of SSO on your GitHub organization[2], not just because SSO is good but because it forces an explicit authorization action[3] by users to grant an SSH key/PAT access to your organization resources, instead of granting access implicitly. That way the PAT created for someone’s weekend project won’t have access to your organization resources.
- Enforce an IP allowlist[4] for your organization from a set of known trusted VPN/corporate IPs. This is by-far the strongest control (and the most painful to rollout) as it will prevent stolen credentials (even if still valid) from being used by an attacker except on the intended systems where you (hopefully) have other visibility/alerting via EDR or related tooling.
- If you can, restrict access from personal access tokens[5] to your organization resources. Blocking classic PATs and enforcing a maximum expiration (ex: 3 months) on fine-grained PATs is a great way to reduce risk if you can’t eliminate PATs altogether[6].
- If you use GitHub enterprise (on-prem), configure collection of the raw HTTP access logs[7] in addition to native GitHub audit logs, it may prove critical during incident response.
[1]: https://docs.github.com/en/enterprise-cloud@latest/admin/mon... [2]: https://docs.github.com/en/enterprise-cloud@latest/authentic... [3]: https://docs.github.com/en/enterprise-cloud@latest/authentic... [4]: https://docs.github.com/en/enterprise-cloud@latest/organizat... [5]: https://docs.github.com/en/enterprise-cloud@latest/organizat... [6]: https://edu.chainguard.dev/open-source/octo-sts/overview/ [7]: https://docs.github.com/en/enterprise-server@3.16/admin/moni...
I was also toying with comparimg timestamps of git tags / GitHub releases / GitHub actions / plugin update timestamps as one indicator of potential tempering.
But not ideal.
How is this not really, really bad?
Security researchers identified a series of exploitable vulnerabilities in github.com by using LLMs to review the compiled GitHub Enterprise Server binaries: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...
- disable auto-updates for extensions in VS Code/Cursor
- use static analysis for GitHub Actions to catch security issues in pre-commit hook and on ci: https://github.com/zizmorcore/zizmor
- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security
- for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- add Socket Free Firewall when installing npm packages on CI to catch malware https://docs.socket.dev/docs/socket-firewall-free#github-act...
> for other package managers
For other js package managers. Sadly such functionality seems far less common for c# (nuget) or rust (cargo).
> add Socket Free Firewall when installing npm packages on CI to catch malware
It appears that functionality depends on blacklisting malware from being downloaded? But don't the repositories (npm, etc) take down malware once it's identified - is socket actually blacklisting malware faster than npm? That sounds unlikely, but maybe? For the vs code extension from the op post, it seems like it was live for like 18 minutes on the official vs code marketplace, and slightly longer on openvsx as ms sadly doesn't allow vs code clones to use the official marketplace.
Take for example this activity from a malicious extension:
https://securitylabs.datadoghq.com/articles/mut-9332-malicio...Or this one:
they also establishes outbound connections to dropbox and other not expected domains:https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-m...
so maybe it's not bulletproof, but it helps to mitigate these threats.
If you don't (or can't) install extensions, it also doesn't matter which IDE you use.
yesterday discussion https://news.ycombinator.com/item?id=48191680
vscode has no security model. It's not like swiss cheese where there are holes and some of the go all the way through. vscode is all hole with some cheese on the side. There is absolutely no isolation between the front-end process, the backend size (the thing that runs in the remote or the devcontainer), and any extensions or anything that might be in a repository whose authors you "trust".
A vscode workspace can trivially execute code on the machine that runs the server end of vscode. (This is how building works -- there is no sandbox unless the workspace config explicitly uses some kind of sandbox.) So the workspace can usually trivially elevate permissions to take over the vscode server, including installing extensions on it without asking you.
In principle, there is a teeny tiny bit of isolation between the local and remote sides, so the remote side cannot trivially execute code on the local machine. But I recommend reading this rather long-standing ticket:
https://github.com/microsoft/vscode-remote-release/issues/66...
This is my position as well, but it's rarely received well. Usually, a response like "why would I rewrite something that's already been written and available?" By writing the code, I know how it works. I know it is not infected with crap. I know it will not in the future be infected with crap from a down stream dependency. It seems to me this really took off with node to the point that it's laughable at what people will include with no thought at all. I know component libraries have existed for many other languages before, but node just stands out to me
Dude, get real. We don't all have the luxury of being able to engage in endless IDE extension programming side quests just to do our day jobs. And even if we did, there's the reality that whatever you produce is probably not nearly as feature complete or bug free as the extension someone spent years writing. Hence why people want to reach for off the shelf solutions.
The malware (be it a VSCode plugin, an npm package, or whatever is next) simply slurps up all of the users private keys/tokens/env-vars it can find and sends this off somewhere covertly.
It's trivial to do this in a way to avoid detection. The small payload can be encrypted (so it can't be pattern matched) and then the destination can be one of millions of already compromised websites found via a google search and made to look like a small upload (it could even be chunked and uploaded via query parameters in a HTTP GET request).
The hackers receive the bundle of compromised tokens/keys and go look at what they give access to. Most of the time it's going to be someone's boring home network and a couple of public or private github repos. But every once in a while it's a developer who works at a big organisation (e.g. Github) with access to lots of private repos.
The hackers can then use the keys to clone all of the internal/private repos for that organisation that the compromised keys have access to. Some organisations may have alerts setup for this, but by the time they fire or are actioned upon the data will probably be downloaded. There's no re-auth or 2FA required for "git clone" in most organisations.
With this data the hackers have further options:
a) attempt to extort the company to pay a ransom on the promise of deleting the data
b) look for more access/keys/etc buried somewhere in the downloaded repos and see what else they can find with those
c) publish it for shits and giggles
d) try and make changes to further propagate the malware via similar or new attack vectors
e) analyse what has been downloaded to work out future attack vectors on the product itself
Right now Github (and others recently compromised in similar ways) will be thinking about what information is in those internal repos and what damage would it cause if that information became public, or what that information could be used to find out further down the line.
"Customer data should not be in a github repo" is all well and good, but if the customer data is actually stored in a database somewhere in AWS and there's even just one read-only access token stored somewhere in one private github repo, then there's a chance that the hackers will find that and exfiltrate the customer data that way.
Preventing the breach is hard. There will always be someone in an org who downloads and installs something on their dev machine that they shouldn't, or uses their dev machine for personal browsing, or playing games, or the company dev infra relies on something that is a known attack vector (like npm).
Preventing the exfiltration is virtually impossible. If you have a machine with access to the Internet and allow people to use a browser to google things then small payloads of data can be exfiltrated trivially. (I used to work somewhere where the dev network was air-gapped. The only way to get things onto it was typing it in, floppy or QIC-150 tape - in the days before USB memory sticks.)
Detecting the breach is nigh on impossible if the keys are not used egregiously. Sure some companies can limit access to things like Github to specific IPs, but it wouldn't take much for the malware to do something to work around this. (I can see things like a wireguard/tailscale client being embedded in malware to allow the compromised machine to be used as a proxy in such cases.)
Alerting that requires manual response is nigh on useless as by the time someone has been paged about something the horse has already bolted.
Knowing what has been taken is also a huge burden. 3800 repos that people now have to think about and decide what the implications are. Having been through something like this in the past there are plenty of times people go "I know that repo, it's fine, we can ignore that one" only for it to contain something they don't realise could be important.
These kind of attacks are going to become increasingly common as they're proven to work well and the mitigations for them are HARD. It doesn't need to be targeted at all either, you just infect a bunch of different things and see what gets sent in.
If companies continue to not pay the ransom then we're going to get a lot more things published and many companies having to apologise for all manner of things that end up being leaked.
I'd love to see a real example/PoC.
Anyway, we discussed this issue in the other thread. For me, unrestricted outbound requests to any url, whether it's well known domains like api.github.com or any other domain, are a red flag.
Why does VS need to establish outbound requests to any domain, without authorization?
There's no magic solution, and these attacks will evolve, but I still think that restricting outbound requests is a good measure to mitigate these attacks.
> slurps up all of the users private keys/tokens/env-vars it can find and sends this off somewhere covertly.
Isolating applications can also mitigate the impact of these attacks. For example, you can restrict VS code to only share with the host .vscode/, .git/ and other directories. Even by project. Again, it's not bulletproof, but helps.
I don't know but it's very standard practice in most applications, because telemetry. But VS code is one of the worst: just check open snitch when running VS code, it's constantly phoning to a bunch of IPs.
It is 100% necessary, but doesn't stop most attacks quick enough.
If you're posting to github.com/acmecompany then attackers love to do things like add their own user github.com/acemcompany and just upload your data to that. Generally it doesn't last very long, but with CI/CD they can get thousands of keys in a minute and be gone seconds later.
https://github.com/nrwl/nx-console/security/advisories/GHSA-...
https://github.com/nrwl/nx-console/issues/3148
So the extension basically rewrites files in `.github/workflows` and pushes them to GitHub, which then sends all the sensitive information to the attacker. It also attempts to plant a malware on the local machine, too.
My impression is that it would be hard for an OS-level sandbox to completely stop this attack. The sandbox needs to determine whether if a git push originating from an IDE is malicious.
The trick is to infect a plugin that has a legitimate reason for accessing the internet or running certain commands, and then coming up with ways to abuse that to exfiltrate the data. Or exfiltrating via DNS queries, or some other vector that isn't so obvious as "allow TCP/UDP connections to the whole world".
That or just repeatedly pester a user for permissions until one user (and you only need one within the organisation) relents and grants it.
Paying the ransom means your data still gets leaked and now you're out of money and embarrassed.
Why would they ever, ever, delete the data?
Not the first time we've seen a developer get popped thanks to a malicious game mod either...
So great that they removed the extension! Do they do it only after their own employee was infected? And why "unnamed" extension?
> “unnamed”
Why is “unnamed” in quotation marks?
I'm not saying it was whatwedo.twig, but I'm not saying it wasn't, either.
Edit: If anyone's got a good recommendation for a twig formatter for Cursor / VS Code, please let me know.
They also have an online demo/playground so you can at least give it a shot to see if it works.
I’ve used the twiggy LSP before and there seems to be a few VS code extensions for it: https://marketplace.visualstudio.com/items?itemName=moetelo.... and https://marketplace.visualstudio.com/items?itemName=Stanisla...
I wonder if it was open-vsx specific?
https://github.com/nrwl/nx-console/security/advisories/GHSA-...
https://www.stepsecurity.io/blog/nx-console-vs-code-extensio...
...which in turn was caused by bad design of github's CI pipeline. Funny how it all comes back around like that.
Am I blind or did they never say which extension that was?
* There's a line of "blessed plugins" that your own company supports, maintains and guarantees, and everything else is considered "not trusted" or
* Plugins have explicit permissions - like phone apps do. "This plugin can make external calls/write to the filesystem inside a dedicated folder/read and set cookies". And then you are in charge of enforcing that with the strongest sandbox you can make.
Plugin ecosystems without these rules are just the wild west.
I'm also mirroring public ones to Codeberg.
I'll write about it when I'm done.
Funny / Odd Names
old-man-yells-at extremely-verbose-application mildly-sentient-scripts awful-git-machine awful-archive-machine slop-trap yaktriage yakety-yak what-in-the-shell gh-hell amen afk beer coffee
Octo-Themed
octoqueer octogatos octokeg octopets-prototype octoquarium octodex force-directed-octocat
Animal / Random Names
kittens Cats-of-GitHub accesscats-and-friends adacats-and-friends suave-capybaras nifty-armadillos cuddly-broccoli torched-marshmallows
AI / Experimental
reflect-gpt reflect-gpt-reloaded experimental-copilot-server agentic-memory-playground codeml-autofix copilot-mission-control llm-assist snippet-gpt meeting-summarizer
Internal Culture / Tools
no-meeting-friday-reminder engineering-deadlines engineering-operations-playground forced-deploys four-nines-alerts incident-responder oncall-issue-creator alert-routing-verifier dependency-audit availability-risk-register
Misc / Interesting
the-after-party pong gameoff github-games caption-this haikus-for-codespaces this-day-in-github-history
Maybe they looked it up and there wasn't anything interesting but then why take the risk for this kind of money?
Something doesn't make sense.
You have to take their words for it but how can you trust crooks?
Because these are repeat actors. If they take a ransom and then re-sell it, no company will pay them ever again.
Don't think of experienced criminal enterprises as "groups of irrational scoundrels." They are companies, with employees, who understand game theory.
It is a blind auction with a $50k minimum bid.
Me: "Okay, I'd like to make signed trusted code, how do I do that?"
Microsoft: "don't worry, we have the most expensive and tedious signing process in the industry."
Me: "okay, will users be properly protected from malicious code then?"
Microsoft: "Nope!"
And vim has package managers that make installing and updating packages as easy as vs code.
VS Code like npm are only the targets because they are the most popular, not because they are uniquely vulnerable.