| ▲ | 0cf8612b2e1e 6 hours ago | |||||||
I would have thought, but it has been how many years, and as far as I know, there is still no segregation for VSCode extensions. Microsoft has all the money and if they cannot be bothered, not encouraged that smaller applications will be able to iron out the details. | ||||||||
| ▲ | jabbany 6 hours ago | parent [-] | |||||||
I think it's just because supply-chain attacks are not common enough / their attack surfaces not large enough to be worth the dev time... yet... Sneak in a malicious browser extension that breaks the permissions sandbox, and you have hundreds of thousands to millions of users as an attack surface. Make a malicious VSCode/IDE extension and maybe you hit some hundreds or thousands of devs, a couple of smaller companies, and probably can get on some infosec blogs... | ||||||||
| ||||||||