Comment by mattfields
5 days ago
That's the thing: they do bear responsibility in allowing the situation to get to this point and are very pointedly not connecting the dots with their response.
Microsoft, which owns GitHub, has been washing their hands of any responsibility in helping to resolve the ongoing supply chain catastrophe, which is hosted and spread nearly entirely via GitHub repositories: not responding to security researchers flagging malware hosted on GitHub; doing nothing to address the proliferation of open source malware across their platform; giving no recourse for action; not applying their tremendous resources to the problem; fiddling as the open source community burns and leaving the devs to fend for themselves. Let's not mention the recent very hostile and trust-eroding behavior towards bug bounty security researchers.
The *&$@ finally spread all the way up to the top of the hill in a compromise of Microsoft's own repos, which I think highlights the scale of the problem.
And in response, they offer a watery corporate platitude, "a few customers were affected in a recent incident, and we're looking into it."
Microsoft's introduction of 2-hour latencies for VS Code extension installations to mitigate the ongoing worm spread is absolutely bonkers.
They did not read the source code of the worm implant and have absolutely no clue how the worm works, if that is their response.
The only way to meaningfully stop the worm is by requiring manual confirmations for git commit/push actions and for the auto-executed hooks in all IDEs. Also, these scripts should be sandboxed to only be allowed to run and interact with files inside the same opened project folder.
Well, that, or setting the host system language to Russian. Which I am kind of expecting Microsoft to do next...
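The comment above argues that the real exposure is the code an IDE or git runs automatically when a folder is opened, committed or pushed. As an added example (not part of the comment, and not code from Microsoft, GitHub or any worm sample), here is a small audit script a developer can run over a checkout before opening it. It assumes only two documented mechanisms: VS Code tasks with `runOptions.runOn` set to `"folderOpen"` in `.vscode/tasks.json`, and git hooks in `.git/hooks/` or in the directory named by `core.hooksPath`. The project tree it inspects in `build_sample_project` is constructed for the demo; other IDEs' auto-run files are out of scope.

```python
"""Audit a project folder for hooks that run automatically on open/commit/push.

Added example; assumes two documented mechanisms only:
  - VS Code tasks with runOptions.runOn == "folderOpen" (.vscode/tasks.json)
  - git hooks in .git/hooks/ or in the directory set by core.hooksPath
"""
from __future__ import annotations

import json
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Hook names git will execute; "*.sample" files shipped by git are never run.
GIT_HOOK_NAMES = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc",
    "post-rewrite", "sendemail-validate", "fsmonitor-watchman",
    "reference-transaction", "p4-pre-submit",
}


def _core_hooks_path(git_dir: Path) -> Path | None:
    """Return the directory named by core.hooksPath in .git/config, if any."""
    cfg = git_dir / "config"
    if not cfg.is_file():
        return None
    section = None
    for line in cfg.read_text(errors="replace").splitlines():
        m = re.match(r"^\s*\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = re.match(r"^\s*hookspath\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m and section == "core":
            p = Path(m.group(1))
            return p if p.is_absolute() else git_dir.parent / p
    return None


def _is_executable(p: Path) -> bool:
    if os.name != "posix":  # no mode bits on Windows; assume runnable
        return True
    return bool(p.stat().st_mode & stat.S_IXUSR)


def audit_project(root: Path) -> list[dict]:
    """Return one finding dict per auto-executing hook found under root."""
    findings: list[dict] = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            doc = json.loads(tasks.read_text())
            for t in doc.get("tasks", []):
                if (t.get("runOptions") or {}).get("runOn") == "folderOpen":
                    findings.append({"kind": "vscode-folderOpen-task", "path": str(tasks),
                                     "detail": f"task {t.get('label')!r} runs "
                                               f"{t.get('command')!r} on folder open"})
        except (json.JSONDecodeError, UnicodeDecodeError):
            findings.append({"kind": "vscode-tasks-unparsed", "path": str(tasks),
                             "detail": "could not parse; inspect manually"})
    git_dir = root / ".git"  # a .git *file* (worktree/submodule) is not followed here
    if git_dir.is_dir():
        hooks_dir = _core_hooks_path(git_dir)
        if hooks_dir is not None:
            findings.append({"kind": "git-core.hooksPath", "path": str(git_dir / "config"),
                             "detail": f"hooks redirected to {hooks_dir}"})
        else:
            hooks_dir = git_dir / "hooks"
        if hooks_dir.is_dir():
            for f in sorted(hooks_dir.iterdir()):
                if f.name in GIT_HOOK_NAMES and f.is_file() and _is_executable(f):
                    findings.append({"kind": "git-hook", "path": str(f),
                                     "detail": f"{f.name} runs on the matching git action"})
    return findings


def build_sample_project(base: Path, use_hooks_path: bool = False) -> Path:
    """Write a constructed (not real) project tree containing each finding kind."""
    root = base / "proj"
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "make"},
        {"label": "bootstrap", "type": "shell", "command": "sh ./setup.sh",
         "runOptions": {"runOn": "folderOpen"}},
    ]}))
    (root / ".git").mkdir()
    hooks = root / ".githooks" if use_hooks_path else root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    cfg = "[core]\n\trepositoryformatversion = 0\n"
    if use_hooks_path:
        cfg += "\thooksPath = .githooks\n"
    (root / ".git" / "config").write_text(cfg)
    (hooks / "pre-commit").write_text("#!/bin/sh\nsh ./setup.sh\n")
    (hooks / "pre-commit").chmod(0o755)
    (hooks / "pre-push.sample").write_text("#!/bin/sh\n")  # git sample file, never run
    (hooks / "pre-push.sample").chmod(0o755)
    return root


def run_demo(use_hooks_path: bool = False) -> list[dict]:
    """Build the constructed tree in a temp dir, audit it, clean up."""
    base = Path(tempfile.mkdtemp())
    try:
        return audit_project(build_sample_project(base, use_hooks_path))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo(use_hooks_path=True):
        print(f"[{finding['kind']}] {finding['path']}: {finding['detail']}")
```

The script only reports; the decision to open, commit or push stays with the developer, which is the manual confirmation step the comment asks for. Note that a hook can be any executable, so an innocuous-looking `pre-commit` still has to be read before the repository is trusted, and the `.sample` exclusion relies on git's own rule that only exact hook names are executed.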