Hello and welcome to the Thursday, January 22nd, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

And this episode is brought you by the sands.edu bachelor's degree program in

applied cyber security. In diaries today, we have Xavier talk about the automatic script execution

in Visual Studio Code. Visual Studio Code is a development environment. It's much more than a simple

editor. And like most of these

idees, it has the ability to execute code. One way this is done in Visual Studio code is by

using a dot vS code directory and inside that a tasks.jason file. What happens is as Visual Studio code opens a file,

it checks for this directory, and the task.Jason file will then define certain actions to execute

on specific events, like in the example that Xavier presents whenever

a new folder is opened. So that main attacker can easily smuggle code as part of some

project that they're offering, for example, for download and then execute it inside the developer's

editor. This is a technique that has been used in several attacks, so there's nothing really new.

Some of stuff has been done with Visual Studio Code extensions, for example. But I think

the most important lesson here is whenever you download like source

code and then open it in a complex environment like Vizzle Studio code, well, there is a possibility

that code is being executed, so you better trust that code. Some development environments,

like for example the ones developed by JetBrains that

are very popular, will give you sort of a warning when you open a file. It asks, well, do you trust

the file or not, which will then trigger this behavior or keep it just in sort of a normal

editor mode where it doesn't execute any code. Either way,

whenever you edit code, make sure that you trust the code and you may want to check for

...