Post B2VViQtfR71UzLCZLE by 0xabad1dea@infosec.exchange
Post #B2VViLK2AAY5hNUXbc by 0xabad1dea@infosec.exchange
2026-01-21T07:56:51Z
4 likes, 2 repeats
so it turns out that when VS Code asks you “do you trust the authors of this folder?” what they mean is that it’ll auto-execute .vscode/tasks.json if it exists, which can include shell commands. maybe that’s too many features. you can’t hold all these features. put a few features back
Post #B2VViQtfR71UzLCZLE by 0xabad1dea@infosec.exchange
2026-01-21T08:08:35Z
0 likes, 1 repeats
apparently malware gangs have exploited this by offering software engineers “interviews” with a “take-home assignment” so keep that in mind the next time VS Code annoys you with the “do you trust this folder” popup
Post #B2VVkRmD8WKcIPfsZc by emily_s@mastodon.me.uk
2026-01-21T08:01:49Z
0 likes, 0 repeats
@0xabad1dea wonder how much validation they put on that... if that tasks.json includes a command to delete the current directory?
Post #B2VVkShzfgYJBci1dg by 0xabad1dea@infosec.exchange
2026-01-21T08:03:45Z
0 likes, 0 repeats
@emily_s none, it’s intended for doing exactly that sort of thing
Post #B2VVkTSmrhyzWkbOZk by emily_s@mastodon.me.uk
2026-01-21T08:07:29Z
0 likes, 0 repeats
@0xabad1dea oh no...
Post #B2VVkUIBmb6E6AeRhA by SecurityWriter@infosec.exchange
2026-01-21T08:36:05Z
1 likes, 0 repeats
@emily_s @0xabad1dea As with almost everything in software development, security isn’t an afterthought. It’s not a thought at all. And somehow we’re seen as alarmists when we point these things out.
Post #B2VVlfhYqhlnm05EsS by mushu@social.troll.academy
2026-01-21T09:08:16Z
1 likes, 1 repeats
@0xabad1dea oh hey, thanks for highlighting this 💖. It may have come just in time to save me 😅. Hard to say what would've happened otherwise, but I believe I've just been invited to a private repo on GitHub that has funny stuff in the tasks.json. There are some spaces between the command key and value to shift the command out of view when opening the tasks.json in the editor 🍿. It appears they've got a (git) history of hopping between free projects on vercel to host some stuff.
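The two things the thread describes, a task that VS Code runs as soon as a trusted folder is opened (`"runOptions": {"runOn": "folderOpen"}`) and a `"command"` key padded with spaces so its value sits off the right edge of the editor, can both be checked before the folder is ever opened. The script below is an added example, not code from the thread's participants or from VS Code; it parses a repository's `.vscode/tasks.json` (which is JSONC, so comments and trailing commas are tolerated) and reports both patterns. The sample `tasks.json` it scans is constructed for the demonstration and is not the file mushu received.

```python
"""Pre-open check for a repository's .vscode/tasks.json (added example)."""
import json
import re
import sys
from pathlib import Path

# Constructed sample in the shape the thread describes: a "build" task that
# auto-runs on folder open, with 300 spaces after the "command" key so the
# value is pushed out of the visible editor width. The command is a harmless
# placeholder.
SAMPLE_TASKS_JSON = (
    '{\n'
    '  // constructed example, not taken from any real repository\n'
    '  "version": "2.0.0",\n'
    '  "tasks": [\n'
    '    {\n'
    '      "label": "build",\n'
    '      "type": "shell",\n'
    '      "command":' + ' ' * 300 + '"echo PLACEHOLDER-COMMAND",\n'
    '      "runOptions": { "runOn": "folderOpen" }\n'
    '    },\n'
    '    {\n'
    '      "label": "test",\n'
    '      "type": "shell",\n'
    '      "command": "npm test"\n'
    '    }\n'
    '  ]\n'
    '}\n'
)

# A command-carrying key followed by a long run of blanks before its value.
# Threshold of 8 is an assumption; a normally formatted file uses one space.
PADDED_KEY = re.compile(r'"(command|args|script)"\s*:[ \t]{8,}')


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments that are outside string literals."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j == -1 else j          # keep the newline for line counts
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def jsonc_to_json(text: str) -> str:
    """Strip comments and trailing commas so json.loads accepts a tasks.json.
    Assumption: no ",]" or ",}" sequence occurs inside a string value."""
    return re.sub(r',(\s*[}\]])', r'\1', strip_jsonc_comments(text))


def scan_tasks_json(text: str) -> list:
    """Return findings for auto-run tasks and whitespace-padded command keys."""
    findings = []
    # Raw-text pass: the padding trick is invisible once the JSON is parsed.
    for lineno, line in enumerate(text.splitlines(), 1):
        if PADDED_KEY.search(line):
            findings.append({"kind": "padded_key", "line": lineno,
                             "detail": "command value pushed out of view by whitespace"})
    # Parsed pass: tasks VS Code would start as soon as the folder is trusted.
    data = json.loads(jsonc_to_json(text))
    for task in data.get("tasks", []):
        if not isinstance(task, dict):
            continue
        run_opts = task.get("runOptions")
        if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
            findings.append({"kind": "auto_run", "label": task.get("label"),
                             "type": task.get("type"), "command": task.get("command"),
                             "args": task.get("args"),
                             "detail": "runs automatically when the folder is opened and trusted"})
    return findings


def scan_repo(repo_dir: str) -> list:
    """Scan <repo_dir>/.vscode/tasks.json if present; no file means no findings."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    return scan_tasks_json(path.read_text(encoding="utf-8")) if path.is_file() else []


if __name__ == "__main__":
    # Usage: python scan_tasks.py /path/to/cloned/repo   (no argument: scan the sample)
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_tasks_json(SAMPLE_TASKS_JSON)
    for f in results:
        print(f)
    sys.exit(1 if results else 0)
```

Run it against a freshly cloned take-home repository before opening the folder in VS Code; a non-zero exit means read `tasks.json` by hand first. Independently of any scan, the user setting `task.allowAutomaticTasks` set to `"off"` stops VS Code from starting `folderOpen` tasks at all, which is the durable mitigation for the behaviour the thread is about.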