【未修复】通过 VSCode 实现一键窃取 GitHub Token

作为桌面上的 Electron 应用程序,在 VSCode 内部执行任意 JavaScript 无异于完全的远程代码执行。这就是 VSCode 实施一些沙盒化方法的原因,我们将重点讨论的是 VSCode 的 Webview。
GitHub

rogalmic/vscode-bash-debug

This is a SIMPLE bashdb debugger frontend. Useful for learning bash shell usage and writing simple scripts. Useful hint: shellcheck extension does a great job with finding common script errors before ...
GitHub

Kite Autocomplete Plugin for Visual Studio Code

Kite is an AI-powered programming assistant that helps you write code faster inside Visual Studio Code. Kite helps you write code faster by saving you keystrokes and showing you the right information ...
InfoWorld

Hole in GitHub’s browser-based VSCode editor could lead to stolen token

Its disclosure raises questions about what security researchers should expect from vendors, and how far in advance of its publication they should notify vendors about a bug. A vulnerability in ...

Another bug hunter leaks Microsoft exploits in defiance of company’s handling of ...

D Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the way the company handles security reports. A ...

VS Code 再次倒戈!正式切到 Vite+!

但如果仔细看就会发现,目前 npm.scriptRunner 支持的其实都是 JavaScript 生态最主流的工具: 很多人第一次听到 Vite+ 时,会下意识认为它是: ...

Attack on GitHub.dev steals OAuth token for all repos

The web version of the VS Code editor on GitHub.dev had a security vulnerability that allowed attackers to take over all of a victim's repositories, including private ones. They could have initiated ...

Claude Code让代码活了!终端里直接长出网页

【新智元导读】 终端党狂喜!Anthropic甩出Claude Code重磅更新:工作成果一键化身实时交互网页。无需部署、隐私安全,不管是PR演示还是数据可视化,都能从终端长出。速来解锁,让你的代码工作流直接起飞!
The Hacker News

North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels

Proofpoint says UNK_DeadDrop sent 250+ phishing emails to nearly 100 firms, using GitHub and VS Code lures to steal ...