by spcharc 736 days ago
> 1,283 with known malicious code (229 million installs)

Not expecting that many.

I sometimes randomly try interesting extensions out. Will not do this again. Should only install extensions recommended by Microsoft I guess.

Maybe the same applies for browser extensions?

2 comments

Please don't be a dev with access to things my security depends on.
> Please don't be a dev with access to things my security depends on.

Devs just want “Do Anything Now mode”, who doesn't? :)

I doubt at most shops VSCode extension security is considered differently from any extensions or libraries used throughout the codebase.

Almost nobody reads every line of their includes. (Sadly, but obviously.)

If all your includes can come only from an artifact depot or mirror because your build system can't reach the Internet, and those only get there with a PR and code review, you're off to a good start. Operationalizing that to stay current with zero-day fixes and the like starts to be "a thing", which is why there's so much energy in software supply-chain security, through industry efforts like SLSA and GUAC and firms like https://www.kusari.dev/.

Read a decent checkpoint and overview on this emerging ecosystem here (from 2022):

https://security.googleblog.com/2022/10/announcing-guac-grea...
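One concrete way to enforce the "everything comes from the reviewed mirror" rule described above is to audit the lockfile in CI. The script below is an added example, not code from this thread or from any of the projects it mentions; it assumes an npm `package-lock.json` (lockfileVersion 3 layout), a hypothetical internal mirror host `artifacts.internal.example`, and a constructed sample lockfile embedded inline.

```python
"""Lockfile origin audit: every resolved dependency must come from the
approved internal mirror over HTTPS and carry a strong integrity hash.
Added example; mirror host and sample lockfile are constructed placeholders."""
import json
from urllib.parse import urlparse

# Assumption: organisation-specific mirror host (placeholder, not a real host).
APPROVED_MIRROR_HOST = "artifacts.internal.example"

# Constructed sample package-lock.json (npm lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},  # root project entry, no origin to check
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://artifacts.internal.example/npm/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA...",  # constructed hash value
        },
        "node_modules/evil-helper": {
            "version": "0.0.1",
            # pulled straight from the public registry, bypassing review
            "resolved": "https://registry.npmjs.org/evil-helper/-/evil-helper-0.0.1.tgz",
            "integrity": "sha512-BBBB...",
        },
        "node_modules/unpinned": {
            "version": "2.0.0",
            # right host, but no integrity hash: the mirror could serve anything
            "resolved": "https://artifacts.internal.example/npm/unpinned/-/unpinned-2.0.0.tgz",
        },
        "node_modules/from-git": {
            "version": "1.0.0",
            # git dependency: neither the mirror nor a content hash
            "resolved": "git+ssh://git@github.com/someone/from-git.git#abc123",
        },
    },
})


def audit_lockfile(lock_text, mirror_host=APPROVED_MIRROR_HOST):
    """Return a list of (package_path, reason) findings; empty list means clean."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL (cannot prove origin)"))
            continue
        url = urlparse(resolved)
        # Origin check: HTTPS and the approved mirror host only.
        if url.scheme != "https" or url.hostname != mirror_host:
            findings.append((path, f"resolved outside mirror: {resolved}"))
        # Pinning check: require a SHA-256 or SHA-512 SRI hash.
        if not meta.get("integrity", "").startswith(("sha512-", "sha256-")):
            findings.append((path, "missing or weak integrity hash"))
    return findings


def is_clean(lock_text, mirror_host=APPROVED_MIRROR_HOST):
    """Convenience wrapper for a CI gate: True only when no findings."""
    return not audit_lockfile(lock_text, mirror_host)


if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
    raise SystemExit(0 if is_clean(SAMPLE_LOCK) else 1)
```

Run it as a required CI step so a PR that adds a dependency from outside the mirror, or without a pinned hash, fails before merge; the same two checks (origin host and content hash) carry over to other lockfile formats such as `poetry.lock` or `Cargo.lock` with only the parsing changed.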

C# Dev Kit is not only recommended by Microsoft, but developed by and for them.

It still has a serious license footgun built-in, Oracle-style.

The confusing marketing and description of it are unfortunate - DevKit provides Visual Studio style solution and text explorers, and maybe additional features since the last time I verified this.

In order to write C#, however, you do not need that - the base C# extension, which has no licensing strings attached, is the actual language server you need. And the solution explorer, should you want that, can be restored with Ionide, which doubles as a language server for F#.

And, hey, at least it's not like with Oracle, where the SDK distribution itself has a trap :)