Malicious VSCode Marketplace extensions hid trojan in fake PNG file

(bleepingcomputer.com)

17 points | by speckx 18 hours ago

3 comments

  • peacebeard 16 hours ago

    > Because threat actors find new ways to evade detection on public repositories used for software development, it is recommended that users inspect packages before installation, especially when the source is not a reputable publisher.

    Serious question: what is realistically meant by "inspect packages before installation" here? I assume they don't mean "review all the code in the packaged node_modules to find any trojans." Maybe "don't install plugins with packaged dependencies" but I'm not sure how common it is in this context.

    My takeaway will just be "continue to use the default VSCode theme."

  • trinsic2 13 hours ago

    I thought image files don't act as executables?

    • butvacuum 12 hours ago

      A "corrupted" PNG brings less suspicion, and triggers fewer heuristics than a long chunk of Base64.

      And that's assuming they didn't encode it into a valid PNG.
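
One concrete form of "inspect packages before installation" for the case discussed in this thread, given as an added example that is not part of the thread or the linked article: flag files in an unpacked extension that are named `.png` but do not parse as PNG (signature, chunk CRCs, nothing after `IEND`). The function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def check_png(data: bytes) -> str:
    """Return 'ok', or the reason these bytes are not a clean PNG."""
    if not data.startswith(PNG_SIG):
        return "bad signature"
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC is the smallest chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            return "truncated chunk"
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:  # CRC covers chunk type + data
            return "bad CRC in " + ctype.decode("latin-1")
        if first and ctype != b"IHDR":
            return "first chunk is not IHDR"
        first = False
        pos = end
        if ctype == b"IEND":
            extra = len(data) - pos
            return "ok" if extra == 0 else f"{extra} bytes after IEND"
    return "no IEND chunk"

def scan_extension(root) -> dict:
    """Map each suspicious *.png under root (an unpacked extension) to its finding."""
    findings = {}
    for p in Path(root).rglob("*.png"):
        result = check_png(p.read_bytes())
        if result != "ok":
            findings[p.relative_to(root).as_posix()] = result
    return findings

def make_png() -> bytes:
    """Constructed sample: a minimal valid 1x1 grayscale PNG."""
    def chunk(t, b):
        return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
```

A payload encoded into the pixel data of a valid PNG passes this check, so a clean result only rules out the mislabeled-file case.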