[ajross]

> Migrate off vscode already.

It's not the IDE, though. Any extensible, customizable display editor can be coerced into behaving badly by installing external code. Even this one: https://www.gnu.org/software/emacs/emacs-paper.html

The root(-ish) cause here is the ease of publishing and installing extension code, and in particular the fact that there's no independent validation/verification step between the upstream author and armageddon. And upstream authors aren't set up with the needed precautions themselves, they're just hackers.

Basically if you phish Just One Account with write access to an extension you wan pwn everyone who's running it.

[skydhash]

> Any extensible, customizable display editor can be coerced into behaving badly by installing external code.

But I think only VS Code (And Jetbrain's ones) is so pushy about installing extensions. With Emacs, you actually have to go find them and install it. And then you actually have to make a conscious effort to update them. Same with vim. I'm pretty sure VS Code enable auto updates. And I would guess the people publishing Emacs's package and Vim's plugin are way more conscious about security.

[prmoustache]

I like neovim but I am under no illusion that plugins developers would be more conscious about security. The thing is there is no marketplace so it is less easy to make your plugin suddently advertised and installed by thousands of people without having a killer feature.

[skydhash]

To hijack a vim plugin/emacs package, you would have to take over the repo. Or take over elpa/melpa (for emacs) or vim awesome (to redirect users to your malicious repo). Both are way tricker than the exploitation tactics used on JS based projects.