• kinttach@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.

    This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?

    It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.

    • Kuinox@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      3
      ·
      5 months ago

      Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
      Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.