Visual Studio Code
Coverage of Visual Studio Code in the Nexus archive.
- VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks
Microsoft has introduced a two-hour delay for automatic updates of Visual Studio Code extensions to mitigate software supply chain threats. This change aims to add an extra layer of protection by preventing immediate updates to newly published versions.
- Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures
Ammar Askar, a bug hunter, leaked a vulnerability in Microsoft's Visual Studio Code after becoming disillusioned with the company's handling of security reports. The exploit allows attackers to steal OAuth tokens via malicious extensions, compromising GitHub repos, and was disclosed publicly due to past negative experiences with Microsoft Security Response Center (MSRC).
- VS Code zero-day lets hackers steal GitHub tokens in one click
A security researcher disclosed a Visual Studio Code zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a malicious link. The exploit code has been released.
- XLIDE: VBA without excel
XLIDE is a new tool that allows users to run Visual Basic for Applications (VBA) code in Visual Studio Code without requiring Excel. The project, hosted on GitHub by WilliamSmithEdward, aims to provide a more flexible development environment for VBA automation tasks.
- GitHub Confirms 3,800 Internal Repos Stolen Through Poisoned VS Code Extension
GitHub confirmed that 3,800 internal repositories were stolen through a poisoned Visual Studio Code extension. The breach occurred after an employee installed a malicious coding tool, giving TeamPCP access to GitHub's private source code. This incident highlights a significant security vulnerability.
- GitHub says internal repositories were taken in poisoned VS Code extension attack
GitHub internal repositories were compromised through a poisoned Visual Studio Code extension, with the company detecting and containing the compromise and rotating critical secrets. The incident underscores growing risks in software development platforms. GitHub assesses that only internal repositories were affected.
- GitHub confirms breach of 3,800 repos via malicious VSCode extension
GitHub has confirmed a breach of approximately 3,800 repositories due to a malicious Visual Studio Code extension. The incident is related to an ongoing investigation into unauthorized access to GitHub's internal repositories. GitHub is working to address the issue.
- GitHub says internal repos exfiltrated after poisoned VS Code extension attack
GitHub was compromised due to a malicious Visual Studio Code extension, resulting in the exfiltration of internal repositories. The company is analyzing logs and monitoring for further activity. The incident has raised concerns about the security of private repositories and credentials.
- GitHub confirms breach of 3,800 repos via malicious VSCode extension
GitHub experienced a breach of approximately 3,800 internal repositories due to a malicious Visual Studio Code extension installed by an employee. The breach was confirmed by GitHub. The incident highlights security concerns related to third-party extensions.
- GitHub Internal Repositories Breached via VS Code Extension
GitHub's internal repositories were breached through a Visual Studio Code extension. The breach was reported and GitHub is investigating the incident. The cause of the breach is attributed to a VS Code extension.
- VS Code inserting 'Co-Authored-by Copilot' into commits regardless of usage
Visual Studio Code is automatically inserting 'Co-Authored-by Copilot' into Git commits regardless of whether GitHub Copilot was used, raising concerns about incorrect attribution. The change originated from a GitHub pull request and has sparked discussion on Hacker News.
- New Checkmarx supply-chain breach affects KICS analysis tool
Hackers compromised Docker images, VSCode, and Open VSX extensions for Checkmarx's KICS analysis tool to steal sensitive data from developer environments. The breach exploits the supply chain to harvest information from affected systems.