Closed Daijobou closed 1 year ago
Thanks for the link to the blog post. I'm the developer of one of the listed extensions, cesium.gltf-vscode
. I pushed an update this morning to fix it, but hours later the marketplace still lists it as "malicious."
I love VSCode, and I love many aspects of the ecosystem of extensions, but the handling of this issue has been extremely poor for extension developers. End users had extensions yanked out from under them, but the developers of those extensions were never notified. Even after pushing a fix, the marketplace sends the developer a "success!" email, while continuing to show a "Malware" banner to end users.
The developer portal shows no sign of the problem. It does not indicate that the extension is flagged as malware. It does not offer any link to get help or even re-run the malware test.
I'm concerned that my users have lost faith in the security of my extension. The messaging inside of VSCode itself appears to indicate that it is the extension's fault the malware is there. In fact the malware came in as a sub-dependency of the VSCode extension API itself (the vscode reference in package.json), so any extension that was updated and published during the time the NPM compromise went un-detected will contain a copy.
Even after this is all fixed and resolved, thousands of former users of my extension will have to manually re-download and re-install, hoping that it's safe this time.
I love you guys, but, I think there should be a review of how these things are handled, indicated, and communicated.
I'm concerned that my users have lost faith in the security of my extension. The messaging inside of VSCode itself appears to indicate that it is the extension's fault the malware is there.
That was what I thought (in my case). Here a link is definitely missing that explains the reason in a few words. Not only for the sake of the extension; I am also worried whether I have problems now.
It was blocked here too: https://marketplace.visualstudio.com/items?itemName=tomoki1207.pdf, so here is the perfect place to explain the reason and link to it. :)
EDIT: It's unblocked now.
The malware was originally uploaded to NPM's servers. Here's their report of the cleanup:
https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
VSCode extensions make use of NPM packages, including the affected event-stream package. The VSCode team has their own write-up of the incident here:
https://code.visualstudio.com/blogs/2018/11/26/event-stream
They write:
TL;DR: Visual Studio Code is not affected by the industry-wide NPM event-stream package security issue, and we've proactively protected our user base by temporarily removing extensions affected by this package from the VS Code Marketplace.
The good news is the attack was targeted at Copay Bitcoin software developers, not VSCode or its extensions. So, no VSCode users should suffer any ill effects from this.
But I do take issue with the message provided by the VSCode team, saying VSCode was un-affected and essentially passing the blame to the extensions. All extensions are required to talk to the host VSCode using an npm package called vscode. The package.json file for this project pulls in a copy of gulp-remote-src-vscode. That project then pulls in event-stream, which was the package that pulled in the malware.
In other words, had the malware remained undetected on NPM's servers indefinitely, all VSCode extensions would eventually have gotten a copy of the malware, because we all depend on the vscode extension API package.
But the malware was noticed (after about 2 months), so, only those extensions that are actively getting updates and npm upgrade type refreshes during those 2 months are the ones that got stuck with a copy of the bad stuff. The VSCode marketplace listed these extensions as "malicious", when in fact it was the vscode extension API itself that was bringing in the malware.
In any case, the malware was thankfully rapidly removed from NPM's servers. And due to the nature of the attack, users don't have to worry about it, unless they happen to own a copy of "Copay" Bitcoin wallet software versions 5.0.2 through 5.1.0 (in which case, get your bitcoins into new wallets ASAP).
This issue is caused by an extension, please file it with the repository (or contact) the extension has linked in its overview in VS Code or the marketplace for VS Code. See also our issue reporting guidelines.
Happy Coding!
@rebornix can you elaborate how a terribly written error message that blames extension developers even though VSCode forced them to use their vulnerable package is caused by the extension?
I mislabeled this issue, sorry for that. @auchenberg , do you have any idea of how we can better handle this warning?
We closed this issue because we don't plan to address it in the foreseeable future. If you disagree and feel that this issue is crucial: we are happy to listen and to reconsider.
If you wonder what we are up to, please see our roadmap and issue reporting guidelines.
Thanks for your understanding, and happy coding!
Version: 1.29.1 (system setup) Commit: bc24f98b5f70467bc689abf41cc5550ca637088e Date: 2018-11-15T19:13:36.375Z Electron: 2.0.12 Chrome: 61.0.3163.100 Node.js: 8.9.3 V8: 6.1.534.41 Architecture: x64 Windows 10
Today I got this message in the bottom right corner:
translated, it means:
So my first thought was: I have no file "tomoki1207.pdf" open in my vscode, because this message looks like it is about a normal PDF file. So what is this strange message box? A PDF is "uninstalled"?
With a search engine I found the explanation: https://github.com/tomoki1207/vscode-pdfviewer It means the extension "vscode-pdfviewer". So please write "Extension" at the beginning of the warning, and better use the name of the extension and not the cryptic filename of the extension.
More information about what is "problematic" with this extension would be nice. Found the answer here: https://github.com/tomoki1207/vscode-pdfviewer/issues/33