security

How big is the security risk if a VSCode extension gets compromised?

And is there anything we can do to mitigate the potential risk?

Co-Founder at sablier.com, and open-source developer. I have a broad range of interests, including longevity, epistemology, physics, and psychology.

hmm I wonder if cursor can be set up to analyze extensions for compromises/malicious code.

Web3 consultant | senior engineer @lazertech | crypto dinosaur 🦖

fair enough. I guess it will be a never ending battle.

However, a friend of mine has actually been studying technical interview scams on linkedIn and 90% of the time its the same kind of malicious technique (he built a tool to detect them).

So I would imagine a pattern will emerge here too. It would be the newest ones we have to watch out for.

You can try, but it's mostly a losing battle. You can verify the supply chain, but if a trusted publisher is compromised, judging the intent of a piece of code is basically impossible.

You can tell if it's funny looking, or heavily obfuscated, but if you want to catch the bad stuff it's also going to catch many false positives.