6mile
105
Karma2020-12-30
CreatedAbout Me
Software supply chain research, created GitHax, threat intel platform for supply chain threats and former founder of SecureStack. Author of open-source projects like the DevSecOps Playbook, TVPO threat modelling framework, and more.
Recent Activity
Commented: "GitHub Accounts Compromised"
The bash script for checking for infection? is that what you are talking about?
Submitted: "GitHub Accounts Compromised"
13 points2 commentsopensourcemalware.com
Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.
1 points0 commentsopensourcemalware.com
Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.
181 points87 commentsopensourcemalware.com
Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.
Hi, I'm one of the researchers that identified this threat and I blogged about it back in November (https://opensourcemalware.com/blog/contagious-interview-vsco...)
First, @Tyriar thanks for being a part of this conversation. I know you don't have to, and I want to let you know I get that you are choosing to contribute, and I personally appreciate it.
The reality is that VS Code ships in a way that is perfect for attackers to use tasks files to compromise developers:
1. You have to click "trust this code" on every repo you open, which is just noise and desensitizes the user to the real underlying security threat. What VS Code should do is warn you when there is a tasks file, especially if there is a "command" parameter in that tasks file.
2. You can add parameters like these to tasks files to disable some of the notification features so devs never see the notifications you are talking about: "presentation": { "reveal": "never", "echo": false, "focus": false, "close": true, "panel": "dedicated", "showReuseMessage": false}
3. Regardless of Microsofts observations that opening other people's code is risky, I want to remind you that all of us open other peoples code all day long, so it seems a little duplicitous to say "you'd still be vulnerable if you trust the workspace". I mean, that's kind of our jobs. Your "Workspaces" abstraction is great on paper, especially for project based workflows, but that's not the only way that most of us use VS Code. The issue here is that Microsoft created a new feature (tasks files) that executes things when I open code in VS Code. This is new, and separate from the intrinsic risk of opening other people's code. To ignore that fact to me seems like you are running away from the responsibility to address what you've created.
Because of the above points we are quickly seeing VS Code tasks file become the number one way that developers are being compromised by nation state actors (typically North Korea/Lazarus).
Just search github and you'll see what I mean: https://github.com/search?q=path%3Atasks.json+vercel.app&ref...
There are dozens and dozens of bad guys using this technique right now. Microsoft needs to step up. End of story.
HackerNews
About this project
This project is an enhanced reader for Ycombinator Hacker News: https://news.ycombinator.com/.
The interface also allow to comment, post and interact with the original HN platform. Credentials are stored locally and are never sent to any server, you can check the source code here: https://github.com/GabrielePicco/hacker-news-rich.
For suggestions and features requests you can write me here: gabrielepicco.github.io
