RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want on to Microsoft's internal network, CORPNET, publish or own an existing a VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension, it provides code execution on endpoints, extensions auto update by default, "verified" blue tick extensions just need any domain registration, and there's no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...

@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.

I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.

@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.

@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU

https://youtu.be/deBTJdjMc5o

@GossiTheDog And the editor itself makes extensions necessary. Like want to highlight trailing white space (something that should be built into a code editor)? Nope, you need to install a random 3rd party extension!

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.

@GossiTheDog I installed VSCodium yesterday for a project and @Sempf was nice enough to suggest looking at the extensions with the warning that the extensions were a bit of a wild west.

It was shockingly terrible! You can't find or use ANYTHING safely in that tool.

I haven't installed anything in yet because frankly, I don't trust it yet. I'd rather walk slowly and safe.

@GossiTheDog

VS Code started to be a thing people used when I was at MS. A lot of folks were using the remote extensions for working in Azure VMs. I saw that there was an open issue about FreeBSD support, so I reached out to some of the folks responsible internally. The things I learned about how that worked made me back away slowly and be very happy I used vim.

@GossiTheDog I realize that this is tangential, but the network is named CORPNET? Really? Are we in a cheap 1980s techno-thriller?

@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.

@GossiTheDog lol MS didn't even follow their own guidelines

This one by @sassdawe deserves some more love in these trying days:

#VSCode Extension Deployment with Intune - Björn Sundling, David Sass - PSConfEU 2025

https://www.youtube.com/watch?v=deBTJdjMc5o

RE: https://infosec.exchange/@sassdawe/116606877612791531

@buherator and my LinkedIn post as well https://www.linkedin.com/posts/sassdawe_vscode-powershell-psconfeu-share-7462850056849670144-VCXZ 🙈

@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.

@buherator This VSCode issue can also take some love from the community:

https://github.com/microsoft/vscode/issues/229861

@GossiTheDog Politicians do not understand complexity really, they are specialists in tapping into the vibes of public sentiment and then crafting rhetoric to get those vibes resonating in their preferred direction.

Security is like this fractal mandelbrot surface of complexity where the more surface you generate or explore, the more vectors of attack there are. It's way too much for most people, and way too much for politicians who are only interested in what most people think.

@GossiTheDog Google is probably thinking how this will simplify their own job - no more worrying about malware or unsafe sites or anything. Users just poke the stochastic text machine and text is generated for them. No more spidering or security monitoring of websites needed. They are no doubt fantasizing about all the layoffs they can do

@GossiTheDog My guess is if this is true, we might see them try to exit the browser space entirely... that might take a while though

@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the north korean government.

It's reasonably lightweight, but I don't trust it any more as even if I only use it for text editing, it's too willing to run code from external sources

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only

@stevel @GossiTheDog all this complexity to replace gedit and grep programs

@seepr @GossiTheDog ripgrep please. Grep doesn't scale to debugging a 30 MB zip file of logs across a cluster,