VS Code
Coverage of VS Code in the Nexus archive.
- Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer
Cybersecurity researchers discovered hijacked npm and Go packages that deploy a Python-based information stealer using VS Code tasks on Windows, Linux, and macOS systems. The attack bypasses common npm execution paths to avoid detection by security measures like those in npm v12.
- Researcher publishes GitHub token-stealing exploit, blames Microsoft’s disclosure process
Security researcher Ammar Askar published a GitHub token-stealing proof-of-concept exploit on his blog and a public tracker for VS Code issues, notifying GitHub's security contact about an hour before the release. He criticized Microsoft's disclosure process for contributing to the situation.
- GitHub faces a fight for its survival at Microsoft
GitHub is struggling with multiple crises including major outages, security vulnerabilities, and internal code repository breaches following Microsoft's $7.5 billion acquisition in 2018. The platform faces mounting pressure from competitors and internal challenges that threaten its stability. Current and former employees describe a concerning situation for the platform's future.
- GitHub links repo breach to TanStack npm supply-chain attack
GitHub disclosed that hackers breached 3,800 internal repositories by exploiting a malicious version of the Nx Console VS Code extension, which was compromised during last week's TanStack npm supply-chain attack. The incident represents a significant security vulnerability in the software development supply chain.
- GitHub confirms breach of 3,800 repos via malicious VSCode extension
GitHub experienced a breach of approximately 3,800 internal repositories due to a malicious Visual Studio Code extension installed by an employee. The breach was confirmed by GitHub. The incident highlights security concerns related to third-party extensions.
- GitHub Internal Repositories Breached via VS Code Extension
GitHub's internal repositories were breached through a Visual Studio Code extension. The breach was reported and GitHub is investigating the incident. The cause of the breach is attributed to a VS Code extension.
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer
A compromised version of the Nx Console extension was published to the Microsoft Visual Studio Code Marketplace, targeting VS Code developers with a credential stealer. The affected extension is rwl.angular-console, version 18.95.0, with over 2.2 million installations. Cybersecurity researchers have flagged this compromise.
- Microsoft fixes VS Code after app gives Copilot credit for human's work
Microsoft fixed an issue in VS Code where the Git extension added Copilot as a co-author by default, claiming credit for human-authored code. The change was reversed after user complaints. Developers were not thrilled about the attribution notice.
- Microsoft fixes VS Code after app gives Copilot credit for human's work
Microsoft has reversed a change in VS Code that added a default AI attribution notice after user complaints. The change was intended to add attribution for AI-generated code, but developers reported it was being added even when not using Microsoft's Copilot AI assistant. The fix is scheduled to appear in VS Code's upcoming 1.119 release.