RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...

@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.

I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.

@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.

@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU

https://youtu.be/deBTJdjMc5o

@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.

@GossiTheDog

VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.

@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?

@maccruiskeen that's the main AD domain, yep. Keep in mind MS is an 80s company 😅

@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.

@ingram you can probably install VSCode 😅

@GossiTheDog lol MS didn't even follow their own guidelines

This one by @sassdawe deserves some more love in these trying days:

#VSCode Extension Deployment with Intune - Björn Sundling, David Sass - PSConfEU 2025

https://www.youtube.com/watch?v=deBTJdjMc5o

RE: https://infosec.exchange/@sassdawe/116606877612791531

@buherator and my LinkedIn post as well https://www.linkedin.com/posts/sassdawe_vscode-powershell-psconfeu-share-7462850056849670144-VCXZ 🙈