VS Code Configs Expose GitHub Codespaces to Attacks
securityweek

VS Code-integrated configuration files are automatically executed in Codespaces when the user opens a repository or pull request.


The automatic execution of VS Code-integrated configuration files when opening a repository or pull request in GitHub Codespaces could lead to supply chain attacks, Orca Security reports.
A cloud-hosted developer environment, Codespaces allows users to create a fully configured Visual Studio Code instance almost instantly, providing them with tight repository integration and container support.
It allows developers to test code, review pull requests, and more, but also exposes them to attacks via repository-defined configuration files, Orca says.
“Codespaces is essentially VS Code running in the cloud, backed by Ubuntu containers, with built-in GitHub authentication and repository integration. This means any VS Code feature that touches execution, secrets, or extensions can potentially be abused when attackers control the repository content,” the cybersecurity firm notes.
The issue, it explains, is that Codespaces automatically respects ...
Copyright of this story solely belongs to securityweek.

