The problem extends far beyond VS Code. All extensions and executable code have the same problem. There was a case where Disney was hacked because an employee installed a BeamNG mod that had bundled malware.

A company that wants to remain secure would have to employ strict restrictions on installing software. Only installing npm packages and plugins from an internal preapproved repo for example.

Running code isn't the problem. The fact that (almost) all code runs at the same security level is.

You regularly run tons of untrusted code when visiting websites. That code can't wreak havoc on your machine because it's well-sandboxed. Yet, if we advocate for sandboxing in more places, the "gun nuts of tech" scream about monopolistic practices and taking away user control.

I don’t understand why we don’t just sandbox everything. We have done it for web browsers, we can definitely do it for VSCode extensions.

What are you withholding from the sandbox without making it useless?
I've become equally paranoid about VSCode extensions. I remember using several other IDEs like Brackets, JetBrains, Sublime Text or Bluefish, only having a few solid extensions to rely on to get my dev work done. Now it seems like anything you do, someone or some company has built an extension specifically for your task.

At this point I try and get the most done with the least amount of extensions, period. That and trying to get the rest of my code off of GitHub is the other.

About the level of security in software I expect from the vendor who came up with “screenshotting your desktop every few seconds, OCRing those, and dumping the results to disk unencrypted in plain text”.