this post was submitted on 07 Apr 2025
113 points (98.3% liked)

Programming

19457 readers
179 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
113
Malicious VSCode extensions infect Windows with cryptominers (www.bleepingcomputer.com)
submitted 6 days ago* (last edited 4 days ago) by [email protected] to c/[email protected]
31 comments fedilink hide all child comments
 

Edit 2025-04-09 16:42Z - article was updated with a tenth package (Prettier - Code)

A set of ten VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.

ExtensionTotal researcher Yuval Ronen has uncovered ten VSCode extensions published on Microsoft's portal on April 4, 2025.

The package names are:

  1. Prettier - Code for VSCode (by prettier) - 486K installs
  2. Discord Rich Presence for VS Code (by Mark H) - 189K installs
  3. Rojo – Roblox Studio Sync (by evaera) - 117K installs
  4. Solidity Compiler (by VSCode Developer) - 1.3K installs
  5. Claude AI (by Mark H)
  6. Golang Compiler (by Mark H)
  7. ChatGPT Agent for VSCode (by Mark H)
  8. HTML Obfuscator (by Mark H)
  9. Python Obfuscator for VSCode (by Mark H)
  10. Rust Compiler for VSCode (by Mark H)
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 6 days ago (1 children)

It seems so far Zed is cautious, providing api only for specific extensions - i.e. language servers and gui themes.

add a line ... right before you run it

I run stuff from the command line using a trusted build tool (Mill, in scala), or via a local server (where js is sandboxed).
But indeed, a tricky language server or AI tool (I don't use yet) might inject code where I don't inspect before running it. That's a risk even with java-based IDEs - java has security permissions, not in js (vscode) or rust (zed), but are they applied...? As for audits, a problem with vscode is the marketplace got too big, so many extensions, many lookalikes, nobody can check them all...

[–] [email protected] 2 points 5 days ago

well the language server plugins all run a binary language server out of sandbox so zed doesn't really do anything safer in particular there either. no ide has solutions, solutions don't really exist right now. it's not a problem of features of the language as much as it is features developers expect in extensions. I suppose there is a hypothetical "the extension wants to make this change to this file, approve" type flow like AI tools have now, but that sounds unpleasant to use. it still doesn't get around things like language servers being designed to run as standalone processes out of sandbox.

by audits I meant you individually go and read all the code of all the extensions you use. of course that's impossible too, but that was my point