GitHub Copilot Chat 0.44.1 – Possible Malicious Release

2 points by warhorse10_9 15 days ago · 3 comments · 1 min read


Hi All,

Not really sure if this is the correct place to post this, but it looks like the VS Code release mechanism might have been compromised. The Visual Studio Marketplace has a release today of 0.44.1, but the GitHub page shows no such release present (not even 0.44.0). Given the recent slew of supply chain hits, I am a bit suspicious.

speakingmoistly 15 days ago

The better place to flag this would probably be on their issue tracker. The release on the marketplace being five hours ago, it's not unlikely that GH releases are manual and lagging behind (seeing plenty of this in projects that publish container images, the updated image comes through Renovate hours before anything shows up on release pages).

  • warhorse10_9OP 15 days ago

    Thanks, I followed their security.md to contact them. Appreciate the insight on a possible standard lack of synchronous versions.

    • speakingmoistly 15 days ago

      > Appreciate the insight on a possible standard lack of synchronous versions.

      Looking closer at the commit and release history, it looks like poor release hygiene, really. Commits hint at a 0.44.0 release that doesn't show up in tags and the changelog file that is included with the source (in the extension that you pull down and the repository) isn't readily maintained.

      The absence of a verifiable link between the marketplace artifacts and the underlying code should probably give people pause about the trustworthiness of the extension. I bet a good chunk of what's on that marketplace is in that situation.
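One way to check the traceability the comment above asks for, as an added example that is neither code from this thread nor from the Copilot Chat project: read the published version out of a VSIX's `package.json`, look for a matching tag in the repository's tag list, and check whether the bundled changelog mentions that version. The archive and the tag list here are constructed samples; in practice the archive is the marketplace download and the tags come from something like `git ls-remote --tags`.

```python
import io
import json
import zipfile
from typing import Optional


def build_sample_vsix(version: str, changelog: str) -> bytes:
    """Build a minimal VSIX-shaped archive in memory (constructed sample).

    A real VSIX is a zip whose extension files live under extension/, with
    package.json holding the version that the marketplace displays.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json",
                    json.dumps({"name": "sample-ext", "version": version}))
        zf.writestr("extension/CHANGELOG.md", changelog)
    return buf.getvalue()


def read_member(vsix: bytes, name: str) -> Optional[str]:
    """Return a member's text from the archive, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(vsix)) as zf:
        if name not in zf.namelist():
            return None
        return zf.read(name).decode("utf-8")


def check_artifact(vsix: bytes, repo_tags: list) -> dict:
    """Report whether the packaged version can be tied back to the repository.

    repo_tags is assumed to be fetched separately (e.g. git ls-remote --tags);
    nothing is fetched here, so the check runs offline.
    """
    version = json.loads(read_member(vsix, "extension/package.json"))["version"]
    # Projects tag either "0.44.1" or "v0.44.1"; accept both spellings.
    matching = sorted({version, "v" + version} & set(repo_tags))
    changelog = read_member(vsix, "extension/CHANGELOG.md") or ""
    return {
        "version": version,
        "tag": matching[0] if matching else None,
        "changelog_mentions_version": version in changelog,
    }


if __name__ == "__main__":
    # Constructed tag list; it does not reflect any real repository.
    tags = ["v0.42.0", "v0.43.0", "v0.43.1"]
    artifact = build_sample_vsix("0.44.1", "# Changelog\n\n## 0.43.1\n- fixes\n")
    print(check_artifact(artifact, tags))  # tag is None: version not traceable
```

A `tag` of `None` is the situation the thread describes: a marketplace version with no corresponding tag, which is the point at which to ask the maintainers how the artifact was built before trusting it.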
