[__jonas]

I’m a little confused, how does npm play into this?

The article describes a vscode extension on vscode marketplace squatting the name of an existing extension, from how it’s worded it sounds like the extension directly contains the malware rather than being compromised through a dependency, what does it have to do with npm?

[lolinder]

The connection appears to be simply that this is content marketing for Mend, which sells dependency vulnerability scanning software, so NPM is an important keyword for them to stuff in regardless of its relevance.

[pentel-0_5]

It doesn't directly. These are malicious VS Code extensions. It's completely Microsoft's fault for poorly managing the ecosystem. They must curate extensions with security audits prior to publication and sandbox them with advertised entitlements. Without these, it's running untrusted code from the internet putting users at risk for ransomware, password and cc skimmers, data harvesting, and other malware.

[tomabai]

The package was published on npm, the original extension, has a private component on npm with a similar name to that package, and that the squat the attacker tried to take advantage of

[shakna]

Whilst it could just be the company's need to market their NPM scanner... The article does appear to be at least edited through AI. Which could easily bleugh out the wrong target marketplace.

[illusive4080]

Maybe the vscode extension is just an npm package? I also couldn’t find the link to npm in the article.