[Sweepi]

Answer: Because the "random stuff" (plugins for VS Code and other IDEs) solves real problems and nothing bad happens most of the time.

Almost no manager will sign-off spending time on building stuff in-house if its available "for free".

This is also in no way a new thing. How much code was written in notepad++ in the '00ies? Did anyone bother to check if the plugins did sth. malicious? We also used some weird closed-src "addon" for the Nullsoft installer to get a product out of the door, dont remember what the problem was exactly....

[cess11]

"solves real problems and nothing bad happens most of the time."

Like Wordpress plugins previously that'll work for now but we're now on the trajectory of relearning that same lesson, because people are automating discovery and exploitation of these extensions and plugins and whatnot around text editors and MCP and so on.

Though I suspect we'll first see a torrent of exploitation similar to what was done to Wordpress instances, and then a change of behaviour, because as you allude to, the people with influence didn't learn from previous experiences with similar technologies.

[dividedbyzero]

I suppose people did learn that it isn't that bad or costly after all and the risk and the bandaids are still better than the cost of being the first to try and fix software supply chains for good. As things stand, I don't know how that might even be done if it's supposed to not be a better bandaid and someone has to do the legwork and it can't be so costly or impractical to overworked IT teams that everyone is just going to ignore it.

[zitterbewegung]

At least in my experience depending on how serious the company was about security plugin downloading would be prohibited.

[ferguess_k]

Can relate. A lot of the times it is the process that is slowing people down, and it is unrealistic for any corporation to do security audition for everything developers need on time, so unfortunately rules have to be bent.

Some big corps resort to a different tactics: they ONLY allow in-house tools. IDEs, communication tools, everything you need on a daily basis, they make in-house tools for that. It costs a lot of money but they care about security.

[tracker1]

Worse, is when the "team" doing the auditing is one guy, and that guy leaves with no replacement... and you need to explain to mgt that their new product release hasn't gone out for 3 months because you can't get the new versions of modules cleared and into the internal repo for production apps.

Actually happened at one of the largest banks in the world when I was contracting there. And that was mostly just a license/legal audit, not even a full source/security audit.

[rTX5CMRXIfFG]

> solves real problems and nothing bad happens most of the time

Aaand this is why AI is taking our jobs and we all rightfully deserve to be laid off. This utter lack of risk awareness and care for quality is what created the need for autonomous agents to dig through and build upon man-made slop.

Honestly, I find it rich that we’re the ones who think that AI is the one that’s producing slop. Give any agent clear harnesses and it’ll produce better code than a human would close to 100% of the time. That’s still as indeterministic as the way you used “most of the time”, but the deviation tends to be smaller and the quality and rigor is much higher.

[TheFlyingFish]

Are you suggesting that AI-written code tends to be more secure than human-written code? Because there are many examples to the contrary, starting with MoltBook.

[rTX5CMRXIfFG]

Not really, no. That's not even the point. Say for example they're just the same level of security. Then what value does a human even offer to a company if AI can do the same quality of work faster? It's not as if the company benefits from something like "human discernment", because as predicated in this thread, developers exactly have none of that, since they don't care about the security aspect of the VSCode extensions that they use. Might as well lay off the human developers and just use AI for as long as the latter is cheaper. How many people does a company really need to update its VSCode to the version that blocks the malicious extension? Do you need more than one and does that person have to be full-time?

[stalfosknight]

This is how you end up with the total dumpster fire known as npm.