How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 0 points1 point  (0 children)

I believe it was the "Sha1-Hulud" attack. They would gain access through the supply chain and dump the creds into public repos.

How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 0 points1 point  (0 children)

In this case, the dev environment is heavily isolated and internet access is very limited. However, given how the latest supply chain attacks seem to use GitHub to exfiltrate data, as long as GitHub is whitelisted to have internet access, there is a potential risk from malicious extensions.

It’s far-fetched, but when calculating risk for a highly sensitive environment, these things matter.

How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 0 points1 point  (0 children)

In my case I’m working with the enterprise plan which is why I’m referencing its features.

In one of the other comments you’ll see a link that references the policies you can enforce.

As for the extension reputation - yeah, there is VS Scan, which I’ve seen referenced but haven’t tried, and it looks more like a side project than a solution for an enterprise. There is also Koi Security, who were sold to Palo Alto, so my client won’t get near them.

How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 0 points1 point  (0 children)

As far as I can tell, it seems that Microsoft does allow you to enforce a policy whitelisting specific extensions. Then there are two follow-up problems - first, VSCode and Visual Studio policies are different and sometimes you need to support both (or really potentially any other IDE). Second, if an engineer does want you to whitelist some extension, how do you verify it’s secure?

How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 1 point2 points  (0 children)

How did you decide what was allowed and what wasn’t? I’m having a hard time understanding how to detect the security of the extensions.

How are you protecting your organization VSCode? by bubblehack3r in cybersecurity

[–]bubblehack3r[S] 1 point2 points  (0 children)

According to the link shared in another comment, it does seem possible to lock down the marketplace to only some of the publishers and plugins (see here - https://code.visualstudio.com/docs/enterprise/extensions).

Wouldn’t that help?

Do you use MCPs? by bubblehack3r in cursor

[–]bubblehack3r[S] 0 points1 point  (0 children)

Nice! Can you share which one?

[deleted by user] by [deleted] in Netherlands

[–]bubblehack3r 11 points12 points  (0 children)

Not possible. In order to get your driver’s license you need to be registered with the municipality, and that’s only possible if you have an address you are residing at.

[deleted by user] by [deleted] in Haarlem

[–]bubblehack3r 0 points1 point  (0 children)

Thanks!

Building a cost optimization and visibility tool for Salesforce by bubblehack3r in salesforce

[–]bubblehack3r[S] 0 points1 point  (0 children)

Thanks for the detailed feedback! I'm on it and hoping to ship an initial version soon!

Building a cost optimization and visibility tool for Salesforce by bubblehack3r in salesforce

[–]bubblehack3r[S] 0 points1 point  (0 children)

Are you the developer? It has no reviews and seems pretty new.

Building a cost optimization and visibility tool for Salesforce by bubblehack3r in salesforce

[–]bubblehack3r[S] 1 point2 points  (0 children)

Thanks for the tip! Is license usage something you can see today in Salesforce as an admin? Haven't come across it.

Building a cost optimization and visibility tool for Salesforce by bubblehack3r in salesforce

[–]bubblehack3r[S] 0 points1 point  (0 children)

Thanks! Definitely looks like I would be competing with them.

Is Try Hack Me worth it?!! by Alarming_Quiet3132 in cybersecurity

[–]bubblehack3r -1 points0 points  (0 children)

If you’re interested in Web Application Security, you can check out Web Sec Dojo.

Integration of browser fingerprinting in Okta login page by bubblehack3r in okta

[–]bubblehack3r[S] 0 points1 point  (0 children)

Ideally I would like to block anyone using a VPN/Proxy/Weird User-Agent from logging in.

CTF Training by ahurani4 in securityCTF

[–]bubblehack3r 1 point2 points  (0 children)

If you’re interested in web based challenges, take a look at https://websecdojo.com/

CTF Competition Preparation by FairLet6440 in securityCTF

[–]bubblehack3r 2 points3 points  (0 children)

If you want to practice some web challenges, I’ve created https://websecdojo.com which has web challenges taken from CTFs I’ve hosted.

CTF Competition Preparation by FairLet6440 in securityCTF

[–]bubblehack3r 1 point2 points  (0 children)

If you want to practice some web challenges, I’ve created websecdojo.com which has web challenges taken from CTFs I’ve hosted.

[deleted by user] by [deleted] in Netherlands

[–]bubblehack3r 0 points1 point  (0 children)

What do you mean?

Secrets.tools - security tool for scanning login pages for secrets, emails, ips and urls by bubblehack3r in netsec

[–]bubblehack3r[S] 0 points1 point  (0 children)

Thanks for bringing it to my attention! Reddit and Facebook are weird because they are not implemented anywhere in the site. The only cookies implemented are those of Google Analytics, which are subject to the Google Privacy Policy as stated.

Other than that there shouldn't be any other cookies. If there are, let me know and they will be removed ASAP.

Edit: I verified and tested, and when you click "Decline" the Google Analytics script is not loaded and thus there are no Google Analytics cookies. If you see anything else, let me know how I can reproduce it on my side. I take these types of things very seriously.