JH, been following your work since your root of the mal days. Another quality video! Love this stuff and can't get enough.
1:30 "Missouri hacking" is the funniest thing I've heard today 😆
This is awesome John, very cool idea that I've never really thought about. Keep it up!
how big was 39k repos 💀
I wonder how much of that was just config files like .editorrc, .prettierrc, .eslintrc, etc. lmao
Curious too
I tried to implement a scrape project as well, I cloned down about 8000 repos and it was around 130 GB
Correlation to the “dependency confusion” attack system would be a nice and interconnected sequel.
Thanks for producing these resources!
if you want to be blackout drunk, take a swig every time john says "hey,"
hey
@@_JohnHammond Hey bro, I want to know how you organise your notes and maintain your system, like using both Windows and Linux...
Make a video on it....😊
Hey bro John, lots of ❤ from 🇮🇳
I've been following you since your first day, huge fan dude.. 😎
Nice video...🎉
The second he said that he wanted to look through the code of all extensions I knew this would turn into a Snyk ad.
This is really interesting!
Is it possible for you to add a unique identifier in both sheets so the rows in the first sheet can be connected to the second sheet?
Tia!
Killer project/PoC John. Thanks for this contribution!
Checked out some of my own extensions in the spreadsheet. Thanks for the info.
all day long watching John's videos on YT, you're even appearing in my dreams X)
"Missouri Hacking" Had me going.
I love those "FROGS"
thanks John for the vids
This is great work John, very interesting to see
Nice video, but you should point out that not every plugin with code injection is vulnerable. In fact, some of the plugins' job is to allow you to run code or commands. The same goes for a lot of the vulns you showed, like XSS etc., which are not exactly vulns in those examples. But probably some of them are really vulnerable and some even exploitable.
Great video!
Very interesting video, thanks for sharing.
VS Code's "verified" is misleading: it only shows that they've proven access to a domain, which everyone can easily do. It does NOT indicate if an extension is secure or checked by Microsoft itself.
You should do another one but with Discord bots. Knowing that Discord is a "trusted" source for malicious file hosting, this could also give interesting results.
Hey interesting!
Could you show us exploiting one command injection from those results :).
What is the font that you use in your IDE? Looks really good.
I’ll think about this next time I feel the crippling urge to change my colour theme
John's the kind of guy to be treading in unwanted waters. Sensational!!!
What does it mean that an extension is vulnerable? I understand the fact that an extension may have a backdoor of some type, but I don't understand who can exploit the other vulnerabilities... Yourself 😅?
i could have sat here for like 3 hours watching you go through these vulns lol
Very cool!
I'd say the real question may not be how many of them being vulnerable but how many of them being straight malicious.
Firstly, I wanted to say I enjoy your videos. However, I have noticed over time that you are not very clear about stating that you are being sponsored to use a piece of software. Even if you think you were going to use it anyway etc., I think this is something that should be very clearly stated.
Sir, please help me, some scammers stole my funds
Finally a new video
Missouri hacking 😂 1:30
I'm using this daily 🙄
even verified extensions have vulnerabilities...
hi
Where did you steal your chair?
At the fiery but mostly peaceful protests in Philly. Hey, "everybody gotta eat"!
I'm sure there are a lot of vulns in those extensions. But SAST tools produce a crap ton of false positives.
Personally, we should avoid downloading any form of extension or plugin.
Okay, but how can these injections and stuff snyk spits out be exploited in the wild?
Let's say you have a nice CSV viewer plugin which displays a CSV file in a nice way. It does that by taking the CSV content and running it through some JS plugin code. If in some way I can inject code to run through my own CSV, then all I need is to send you that CSV file and you open it. That is just one example.
@@elichen4440 So the way that plugin handles CSV makes it vulnerable. Still, you would have to know the extensions the target uses.
Snyk seems cool, the united states government should use it. 🤣
❤
😮
Hence I use vim. Lol.
next video will have to be on "backdoored vim extensions" 🤪
@@_JohnHammond 😱 hahahaha.
Visual Studio hacked you and gave you malware
epic
All of them lol
first one here
First Comment 😀
first
Help_Me.exe Reverse Engineering Video I Can't See On The TH-cam Please... Make Public... 🙏🙏🙏🙏Please... I Am Talking About AutoIt Malware