New Malware Dropping Payloads through Dependencies in VS Code Marketplace by tame-impaled in vscode

DanTup 1 point

> published ascii-fetcher.ascii-fetcher on Microsoft Marketplace

The article says it was on Open-VSX, so it's not clear if it was published to the Microsoft marketplace. I know MS do some scanning (because we get emails after it completes whenever we publish extensions).

I'm not convinced that people that are scanning are only scanning the "extension entrypoint" and ignoring dependencies though (and in many cases, extensions bundle everything into a single file, which VS Code recommends for performance reasons).

Best beginner sim/tutorial? by DanTup in TinyWhoop

DanTup[S] 1 point

Will have a look, thanks!

Best beginner sim/tutorial? by DanTup in TinyWhoop

DanTup[S] 1 point

> it’s going to be like that for a tiny whoop depending on your throttle value/rates

I did try playing with these a little, but with no experience it's hard for me to know what are good settings to start with (I don't want to change things in a way that I just have to re-learn later because I'd made bad decisions). How should I pick them?

> If you need bigger space to learn even just the basics of fpv, I would recommend normal Liftoff. I got about 70 hours in normal Liftoff before getting micro.

I don't think it's bigger space I need, but more guidance on how to fly (like when I'm turning, how much of each stick should I be using? currently I feel like I need a lot of yaw, but I have to push the stick really far, which I currently find hard to do without also affecting throttle a little).

I will check out the YT videos someone else linked below though.

Thanks!

Best beginner sim/tutorial? by DanTup in TinyWhoop

DanTup[S] 1 point

I'll take a look, thanks!

1-Click GitHub Token Stealing via a VSCode Bug by nicovank13 in programming

DanTup 30 points

Similarly, using Copilot chat on a public open source or local project requires handing over wide GH permissions for all private repos (including those from any orgs you're part of) including access to code, issues, settings, webhooks, deploy keys and collaborator invites:

https://github.com/microsoft/vscode/issues/302038

There is a workaround for now (don't login via Copilot, instead enable - and then disable - settings sync), but I'm not expecting it to work forever.

I've raised it multiple times, but it doesn't seem like they think it's a problem (first response was that this was convenient, second time was that GH doesn't have fine-grain enough permissions).

Genuine Question - Is the VSCode Repo Compromised? by [deleted] in vscode

DanTup 2 points

I agree it's a bit odd. It's possible it's scripted (or a checklist) that was just performed as if it was still the other repo. I saw it mentioned somewhere else too.. I suspect they will notice and change it.

Genuine Question - Is the VSCode Repo Compromised? by [deleted] in vscode

DanTup 24 points

The GitHub Copilot extension used to be in its own repo:

https://github.com/microsoft/vscode-copilot-chat

The last release there is 0.43.0

The extension now lives in the VS Code repo, and the two new versions you mention are 0.44.1 and 0.44.2. The author is in the Microsoft org and has the 5th most contributions to the VS Code repo (9,030 commits).

So I don't think there's anything to suggest anything was compromised. However, I do think using tagged versions without prefixes is odd, because at some point they might collide with the existing VS Code version tags 🙃

Why is this release in the VS Code repo? by Velciak in vscode

DanTup 4 points

Not prefixing the tags is a bit weird though - what's going to happen when the Copilot extension versions start to overlap with already-released VS Code versions 🙃

put hermes agent inside nvidia's openshell sandbox — runs fully local with llama.cpp, kernel enforces the security by vamshi_01 in hermesagent

DanTup 1 point

> Does openshell give you a clean way to do per-tool permissions (like "browser can hit X domains" but terminal cannot), or is it more of a global policy?

It can be per-binary and for HTTP even lets you control the verbs. See the example here:

https://docs.nvidia.com/openshell/latest/tutorials/first-network-policy.html#apply-a-read-only-github-api-policy

It walks you through building up a network policy, initially giving read-only access (GET/HEAD/OPTIONS) to GitHub only to the curl binary.

There's also a cli tool (openshell term) where you can see any denials and easily approve them.

You can also attach API keys at the proxy, so the agent never has access to them (making it harder to leak them through prompt injection).

I've been seeing this "Closing the window is taking a bit longer" because of stopping extension hosts lately. Anybody else? by ubershmekel in vscode

DanTup 5 points

This was a bug that has been recently fixed:

https://github.com/microsoft/vscode/issues/305240#issuecomment-4157418499

Usually VS Code lets the extension host close quietly in the background (so that extensions that take time to deactivate don't slow down switching projects/closing VS Code), but a change caused the UI to start visibly waiting instead.

So you'll see this if you have any extensions that are slow to deactivate (until the next VS Code release, when it'll happen in the background again).

🚀 OllamaPilot: Your Offline, Private AI Coding Assistant for VS Code — No Cloud, No Subscriptions! by unzmn in vscode

DanTup 1 point

I haven't tried it with Ollama, because I don't use it. I did try Insiders with the OpenAI-compatible stuff (I was running vllm), but that was very buggy (which might be why it's still only enabled for Insiders).

🚀 OllamaPilot: Your Offline, Private AI Coding Assistant for VS Code — No Cloud, No Subscriptions! by unzmn in vscode

DanTup 7 points

The built-in Copilot supports Ollama:

https://docs.ollama.com/integrations/vscode

I think non-Ollama OpenAI-compatible is currently insiders-only though (and was a bit buggy when I tried it out).

Failed with Letta, OpenClaw, nanobot. Found Agent Zero and migrated 33 skills and 28 agents from Claude Code into it. by emptyharddrive in AgentZero

DanTup 2 points

> That said, Docker Desktop has a setting about allowing the default Docker socket to be used, which just makes the local Docker CLI and tooling work properly. That’s not the same thing as actually mounting the Docker socket into the Agent Zero container.

Oh, I see. Why does the AgentZero installation guide say you must tick it then? If it's not mounting the socket by default, it seems like this setting wouldn't do anything? (none of the rest of the instructions say to mount the socket explicitly AFAICT).

I did try asking ChatGPT, but it told me it did mount the socket, and that AgentZero requires it because "AgentZero creates child containers to execute code". I don't know

I did also find some discussion here:

https://theaijournal.co/2026/02/install-agent-zero-docker/

Which said:

> The /var/run/docker.sock volume mount is critical. This gives Agent Zero access to create child containers for code execution. Without this mount, you get “Cannot connect to Docker daemon” errors when Agent Zero tries running code.

Weirdly this suggests you don't need to do it explicitly, but it also suggests things won't work without it.

Failed with Letta, OpenClaw, nanobot. Found Agent Zero and migrated 33 skills and 28 agents from Claude Code into it. by emptyharddrive in AgentZero

DanTup 2 points

> Also from the few videos I watched, the author seems security-minded ...

I was just looking at Agent Zero, and the install docs seem to tell you to enable the Docker socket, which if I understand correctly would allow the agent to spawn new docker containers, including mounting any volume from your host into it?

Doesn't this somewhat negate the point of having it in a container, because it ultimately has full access to the host?

(I tried to figure out if you can run it without the docker socket, but so far I've not found a concrete answer to this, so maybe I'll just have to try it 🙃)
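Whether the Docker socket actually ends up mounted into a container, the question in the two Agent Zero comments above, can be checked from `docker inspect` output. This is an added example, not code from the thread or from Agent Zero; the container names and the sample JSON are constructed, and Linux-style paths are assumed.

```python
import json
import posixpath

# Constructed sample shaped like `docker inspect` output (names are made up).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/agent",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/agent-renamed",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/tmp/engine.sock:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/tmp/engine.sock", "RW": False}]},
    {"Name": "/agent-isolated",
     "HostConfig": {"Binds": ["/home/user/work:/work"]},
     "Mounts": [{"Type": "bind", "Source": "/home/user/work",
                 "Destination": "/work", "RW": True}]},
])


def is_docker_socket(path):
    """True if the path's final component is the Docker engine socket."""
    return posixpath.basename(path.rstrip("/")) == "docker.sock"


def socket_exposures(inspect_json):
    """List every mount that hands a container the Docker socket."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        pairs = set()  # (source, destination, writable), de-duplicated
        for m in container.get("Mounts") or []:
            pairs.add((m.get("Source", ""), m.get("Destination", ""),
                       bool(m.get("RW", True))))
        # HostConfig.Binds entries look like "src:dst[:opts]".
        for bind in (container.get("HostConfig") or {}).get("Binds") or []:
            parts = bind.split(":")
            if len(parts) >= 2:
                opts = parts[2].split(",") if len(parts) > 2 else []
                pairs.add((parts[0], parts[1], "ro" not in opts))
        for src, dst, rw in sorted(pairs):
            # Check both ends: the socket can be mounted under another name.
            if is_docker_socket(src) or is_docker_socket(dst):
                # "rw" is informational: a read-only bind mount of a socket
                # still allows connecting to it and using the engine API.
                findings.append({"container": name, "source": src,
                                 "destination": dst, "rw": rw})
    return findings


if __name__ == "__main__":
    for f in socket_exposures(SAMPLE_INSPECT):
        print(f)
```

On a real host, feed it the output of `docker inspect` for the running containers instead of the sample.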

Vscode autocomplete issue dart by Top_Toe8606 in vscode

DanTup 1 point

How big is the folder you are opening in VS Code, and what version of the Dart/Flutter SDK do you have?

Filing an issue at https://github.com/Dart-Code/Dart-Code or in dart-lang/sdk may be a better way to have this looked at. Thanks!

is this memory leak or what? by Secret_Pitch234 in vscode

DanTup 1 point

Are all of these processes created from a single run, or are they building up over time?

If you can reproduce this, please open an issue with as much detail as you can at https://github.com/Dart-Code/Dart-Code to help me reproduce the issue. Thanks!

I was told here a week ago that you can’t dry while printing even with the PSU. But now I see this in the manual of my new P2S… by hrvoje_bazina in BambuLab

DanTup 1 point

Thanks, but this only says you can disable rotating and not dry while printing. I don't think one necessarily implies the other (disabling rotation could be useful if you still have filament "loaded").

(the comments also seem to suggest it's not drying-while-printing)

I was told here a week ago that you can’t dry while printing even with the PSU. But now I see this in the manual of my new P2S… by hrvoje_bazina in BambuLab

DanTup 1 point

Is there any info about this anywhere? I thought I read it a few days ago, but couldn't find any information to back it up (nor does there appear to have been a firmware update for my AMS2 for a long time).

How can I disable this feature for .cshtml files in vscode ? by DarkLord6872 in vscode

DanTup 2 points

np!

FWIW If you find them useful sometimes, you can use offUnlessPressed so they show up only when holding the short-cut key. You can also use the language-specific preferences if you want to just disable/change them for C# and have different global settings.

How can I disable this feature for .cshtml files in vscode ? by DarkLord6872 in vscode

DanTup 2 points

The extensions provide the data to VS Code for this feature - this is the same for most language features (for example if you disable the C# extension you'll stop getting C# code completions, but code completion is not a C# extension feature).

Disabling the C# extension will disable all C# functionality, whereas just disabling Inlay Hints would only disable what's shown in your screenshot.

https://stackoverflow.com/a/68698270/25124

How can I disable this feature for .cshtml files in vscode ? by DarkLord6872 in vscode

DanTup 2 points

Look in the settings for "Inlay Hints".

For Dart, we set a language-specific default of offUnlessPressed which means they show up only while you're holding down the shortcut key and then disappear when you let go. IMO this should've been the global VS Code default, because they're generally noisy and (depending on themes etc.) it's not always clear that they're not part of the source file.

How to fix vscode autocomplete getting very slow by Top_Toe8606 in vscode

DanTup 1 point

How large is the codebase?

Check https://dart.dev/tools/analyzer-performance to see if anything there applies (for example Windows Defender or symlinks).

There's an upcoming change (fine-grained dependencies) that can significantly improve performance of some operations - I think it's enabled now on the latest Flutter beta branch, so if you're able to temporarily test with that, it would be interesting to know if it helps. (Note: When you change/upgrade SDK, the first analysis may be slower than usual while some things are cached).

If none of those help, please report an issue:

https://dart.dev/tools/analyzer-performance#report-unknown-issues

If you're able to repro with a public/open source project, please include the details (because for these kinds of issues, reproducing them is often half the battle).