Security notice for Apollo VS Code11/28/18 A security vulnerability affecting Apollo VS Code requires your attention
James Baxley III
tldr; A wide-spread, industry-wide security vulnerability impacted a dependency of a dependency of the Apollo VS Code plugin called event-stream . The editor extension (along with 38 others) was removed from the VS Code Marketplace . These extensions were also uninstalled for users and flagged as “malicious” within VS Code. We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package which is now safely back on the marketplace for download Timeline ofevents Monday November26On Monday morning news broke of a security vulnerability that impacted the javascript ecosystem at large. A popular dependency called event-stream was discovered to have been compromised. The package, when installed alongside a bitcoin wallet tool called copay or copay-dash , would attempt to siphon and steal bitcoins from users.
We determined that the vscode package that we use to build the Apollo VS Code editor extension was installing event-stream . We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.
Tuesday November27We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why were flagged.
The prior night, the VS Code team removed 38 extensions that depended on the vscode or other related projects that brought the compromised package into builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.
Wednesday November28The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension was published back onto the marketplace.
Next stepsDue to the way VS Code extensions are installed, there is only a small chance that the vulnerability would have had any impact, however it is worth checking your machine to make sure that version of the package doesn’t exist. Lauren Elizabeth Tan put together a great tweet thread of steps to take:
