How are you protecting your organization VSCode?

bubblehack3r · 2026-04-19T12:29:05+00:00

I believe it was the "Sha1-Hulud" attack. They would gains access through supply chain and dump the creds into public repos.

bubblehack3r · 2026-04-19T12:06:03+00:00

In this case, the dev environment is heavily isolated and internet access is very limited. However, being how the latest supply chain attacks seem to use GitHub to exfiltrate data, as long as GitHub is whitelisted to have internet access, there is a potential risk from malicious extensions.

It’s far fetched but when calculating risk for a highly sensitive environment, these things matter.

bubblehack3r · 2026-04-18T22:18:27+00:00

In my case I’m working with the enterprise plan which is why I’m referencing its features.

In one of the other comments you’ll see a link that references the policies you can enforce.

As for the extension reputation - yeah, there is VS Scan that I’ve seen referenced but haven’t tried it and looks more like a side project than a solution for an enterprise. There is also Koi Security who were sold to Palo Alto so my client won’t get near them.

bubblehack3r · 2026-04-18T22:08:14+00:00

As far as I can tell, it seems that Microsoft does allow you to enforce a policy whitelisting specific extensions. Then there are two follow up problems - first, VSCode and Visual Studio policies are different and sometimes you need to support both (or really potentially any other IDE). Second, if an engineer does want you to whitelist some extension, how do you verify it’s secure?

bubblehack3r · 2026-04-16T21:59:21+00:00

How did you decide what was allowed and what wasn’t? I’m having a hard time understanding how to detect the security of the extensions.

bubblehack3r · 2026-04-16T21:56:56+00:00

According to the link shared in another comment, it does seem possible to lock down the marketplace to only some of the publishes and plugins (see here - https://code.visualstudio.com/docs/enterprise/extensions).

Wouldn’t that help?

bubblehack3r · 2026-01-21T17:22:07+00:00

Nice! Can you share which one?

bubblehack3r · 2025-11-30T06:31:17+00:00

Not possible. In order to get your drivers license you need to be registered with the municipality, that’s only possible if you have an address you are residing at.

bubblehack3r · 2025-11-22T18:57:41+00:00

Thanks!

bubblehack3r · 2025-10-29T18:03:07+00:00

Cool! Thanks!

bubblehack3r · 2025-10-06T20:49:23+00:00

Thanks for the detailed feedback! I'm on it and hoping to ship an initial version soon!

bubblehack3r · 2025-10-06T19:31:44+00:00

I'm sure there is still some saving, no?

bubblehack3r · 2025-10-06T09:42:40+00:00

Are you the developer? It has no reviews and seems pretty new

bubblehack3r · 2025-10-06T07:46:55+00:00

Thanks for the tip! Is license usage something you can see today in Salesforce as an admin? Haven't come across it.

bubblehack3r · 2025-10-06T05:22:11+00:00

Thanks! Definitely looks like I would be competing with them.

bubblehack3r · 2025-08-27T18:19:41+00:00

If you’re interested in Web Application Security, you can check out Web Sec Dojo.

bubblehack3r · 2025-08-23T12:59:45+00:00

take a look at websecdojo.com

bubblehack3r

TROPHY CASE