I have been leery of VSCode for this reason. The bare product isn’t very special, so you have to download extensions to get the functionality you need. However, there is nothing keeping the extension from communicating. Suddenly, you get malicious extensions that leak data.
It’s not just malicious extension authors. Compromised developers of good extensions are just as much, if not bigger, of a risk.
> It’s not just malicious extension authors. Compromised developers of good extensions are just as much, if not bigger, of a risk.
If this is your reason to avoid VSCode, then you should probably start avoiding basically all other code, too. It is after all written by developers, who can and has been compromised. All over the supply chain. Over and over again. And so on.
replace VSCode with any other code editor and it will still work.
Vim, Emacs, Sublime are all examples of bare products that aren't very special unless you add extensions that could potentially leak data and run arbitrary commands.
the fact that only a couple extensions have been found leaking some data involving only a few thousands installs, it's honestly a very good record if you ask me.
It’s not just malicious extension authors. Compromised developers of good extensions are just as much, if not bigger, of a risk.