Comment by fg137
3 hours ago
The (lack of) security of VSCode has always been astounding. People have asked for sandboxing extensions for years [0] with little to no progress, and issues have been discussed a lot (e.g. [1][2]). I guess it hasn't been a big issue, likely because most developers are not complete idiots. But it only takes one developer and one bad extension to lead to consequences like this.
I mean, I understand that it is hard to sandbox Node.js applications, but apparently Microsoft has put way more effort into their Copilot slop than security.
I am so, so stressed about Sublime Text... It feels like a massive disaster just waiting to happen. They don't even run their own package marketplace :(
> but apparently Microsoft has put way more effort into their Copilot slop than security.
Your security or their money (selling Copilot to enterprise customers): what would they choose, hmm? Surprise!
Why would you sandbox extensions?
Just don’t install crap maybe.
Even if you don't install crap, the latest strategy is attacking the developer of one of the extensions or their build process so you can push a malware update to an otherwise legitimate extension.
Any good, benign extension can be taken over and weaponized with malware.
This man's security onion has one layer.