I have been targeted with this attack in the wild where '.vscode/tasks.json' had the auto-run code.

I smelled something fishy and never ran it though.

https://news.ycombinator.com/item?id=48127469

reply
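The auto-run mechanism the comment above refers to is the tasks.json `"runOptions": {"runOn": "folderOpen"}` option, which makes VS Code start a task as soon as a trusted folder is opened. The following scanner is an added example (not the commenter's code, not VS Code's) for looking at a checkout before opening it in the editor: it parses `.vscode/tasks.json`, which VS Code reads as JSONC (comments and trailing commas allowed), and lists every task marked to run on folder open. The sample tasks.json embedded below is constructed for illustration; the script path in it is a placeholder.

```python
"""Flag tasks in .vscode/tasks.json that VS Code will auto-run on folder open."""
import json
import sys
from pathlib import Path

# Constructed sample: one ordinary build task, one task configured to run
# as soon as the folder is opened. The script path is a placeholder.
SAMPLE_TASKS_JSON = r'''{
    // comments and trailing commas are allowed in VS Code's tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "make",
        },
        {
            "label": "setup",
            "type": "shell",
            "command": "sh ./scripts/setup.sh",
            "runOptions": { "runOn": "folderOpen" },
        },
    ],
}'''


def _string_end(text: str, i: int) -> int:
    """Index just past the closing quote of the string literal starting at text[i]."""
    j = i + 1
    while j < len(text) and text[j] != '"':
        if text[j] == "\\":  # skip the escaped character
            j += 1
        j += 1
    return j + 1


def strip_jsonc(text: str) -> str:
    """Turn JSONC into strict JSON: drop // and /* */ comments, then trailing commas.

    Both passes copy string literals verbatim so that comment markers or commas
    inside strings are never mistaken for syntax.
    """
    out, i, n = [], 0, len(text)
    while i < n:  # pass 1: comments
        if text[i] == '"':
            end = _string_end(text, i)
            out.append(text[i:end])
            i = end
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(text[i])
            i += 1
    text = "".join(out)

    out, i, n = [], 0, len(text)
    while i < n:  # pass 2: trailing commas before } or ]
        if text[i] == '"':
            end = _string_end(text, i)
            out.append(text[i:end])
            i = end
        elif text[i] == ",":
            j = i + 1
            while j < n and text[j].isspace():
                j += 1
            if not (j < n and text[j] in "}]"):
                out.append(",")
            i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_jsonc(text: str) -> dict:
    """Parse a JSONC document (such as tasks.json) into Python objects."""
    return json.loads(strip_jsonc(text))


def find_auto_run_tasks(tasks_json_text: str) -> list:
    """Return (label, command) for every task set to run on folder open."""
    data = parse_jsonc(tasks_json_text)
    hits = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append((task.get("label", "<unnamed>"), task.get("command", "")))
    return hits


def scan_repo(repo_root: str) -> list:
    """Scan <repo_root>/.vscode/tasks.json; an absent file means no auto-run tasks."""
    path = Path(repo_root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # With no argument, demonstrate on the constructed sample above.
    hits = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else find_auto_run_tasks(SAMPLE_TASKS_JSON)
    for label, command in hits:
        print(f"auto-run task {label!r} will execute: {command}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_tasks.py /path/to/checkout` before opening the folder; a non-zero exit means at least one task is wired to start on folder open, which is worth reading before answering the trust prompt.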
VS Code will helpfully warn you when you open a folder that has a git repository. It asks if you trust the developers since opening the folder could result in bad things happening. So this might not be such a big deal for VS Code users.
reply
I think that assumption is very dangerous: if your editor only prompts when you first open the project, it won't help when that project is compromised later or if you check out a merge request from someone untrustworthy/compromised and are mentally thinking "my project is safe" even though you're a single gh/glab command away from that directory having anything an outside party wants.
reply
You know they're just gonna click yes, right?

That prompt is just there so they can say "your fault!"

reply
Well, in that case it totally is their fault...
reply
Only juniors are using VSCode? What are others using?
reply
prob Cursor (also affected). At least that's preferred in my org.
reply
Point them at for what?
reply