Event-Stream Package Security Update

Updated: June 23, 2019

We have been working with extension authors to get their extensions and dependencies updated.

Below is the current list of blocked extensions:

  • JacobeanResearchandDevelopmentLLC.vscode-scxml-preview
  • joaquin6.package-watch
  • KazuoCode.gthubsum
  • MaxGotovkin.tslens

November 26, 2018 Kai Maetzel, @kaimaetzel

You might already have heard that the popular event-stream NPM package includes a malicious dependency. The details can be found in the following GitHub issue: https://github.com/dominictarr/event-stream/issues/116. This vulnerability has been in existence for about two months but was only recently discovered.

TL;DR: Visual Studio Code is not affected by the industry-wide NPM event-stream package security issue, and we've proactively protected our user base by temporarily removing extensions affected by this package from the VS Code Marketplace.

We immediately checked if and how we are affected. First, we scanned Visual Studio Code. Both product installs of Visual Studio Code (Stable as well as Insiders) are safe.

Secondly, we scanned all extensions in the VS Code Marketplace. We identified several extensions as affected. We decided to take aggressive actions to protect our users as well as the authors of those extensions and to automatically uninstall those extensions. Users don’t need to take any action to remove those extensions. The extensions will also be unlisted from the Marketplace.

At the time of the scan, the following extensions contained the malicious code:

  • aoisupersix.bve5-language-support
  • apollographql.vscode-apollo
  • ardenivanov.svelte-intellisense
  • ballerina.ballerina
  • BattleBas.kivy-vscode
  • cesium.gltf-vscode
  • christianvoigt.argdown-vscode
  • codemooseus.vscode-devtools-for-chrome
  • curlybracket.vlocode
  • ivory-lab.jenkinsfile-support
  • JacobeanResearchandDevelopmentLLC.vscode-scxml-preview
  • joe-re.sql-language-server
  • jomiller.rtags-client
  • jorithvdheuvel.webdav
  • KazuoCode.gthubsum
  • kddejong.vscode-cfn-lint
  • Koihik.vscode-lua-format
  • myxvisual.vscode-ts-uml
  • OptimaSystems.vscode-apl-language-client
  • Paul-Ehigie-Paul.nativescript-extend
  • qoretechnologies.qorus-vscode
  • quantum.quantum-devkit-vscode
  • ritwickdey.LiveServer
  • rkoubou.ksp
  • roboceo.robojsx-plugin
  • salbert.comment-ts
  • SiteGo.spgo
  • terminus.tangram-vscode-plugin
  • tintrinh.php-refactor
  • tomoki1207.pdf
  • vlopes11.advpls-client
  • webhint.vscode-webhint
  • wix.stylable-intelligence
  • Yseop.vscode-yseopml
  • zfzackfrost.commentbars
  • Zowe.vscode-extension-for-zowe

We are in the process of notifying the authors of those extensions. Once the authors have updated their extensions and we have received their notification, we will verify the update. You will then be able to reinstall the extension from the Marketplace.

A note to extension authors: When you generated an extension with the yeoman code generator, you may have installed the malicious code as part of the dev dependencies. Delete your node_modules folder, clean your npm cache with npm cache clean --force, and rerun npm install.

Extension authors need to update the vscode module to 1.1.22.
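One way to confirm the result after the reinstall described in the note above is to check the extension's lockfile for any pinned copy of event-stream, dev dependencies included. This is an added example, not code from the original post or from the VS Code team: `findPackage`, `SAMPLE_LOCK` and the package names `dev-tool` and `left-alone` are hypothetical, the version strings are placeholders, and it assumes npm's `package-lock.json` layouts (nested `dependencies` in lockfileVersion 1, flat `packages` in 2 and 3).

```javascript
// Added example: locate a package in a parsed package-lock.json.
// findPackage and SAMPLE_LOCK are hypothetical names; versions are placeholders.
function findPackage(lock, name = "event-stream") {
  const copies = [];      // every pinned copy of `name`
  const requiredBy = [];  // entries that declare `name` as a dependency
  const visit = (path, pkgName, meta, declared) => {
    if (pkgName === name) {
      copies.push({ path, version: meta.version, dev: Boolean(meta.dev) });
    }
    if (declared && name in declared) requiredBy.push(path);
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const pkgName = path.split("node_modules/").pop();
      visit(path || "(root)", pkgName, meta,
            { ...meta.dependencies, ...meta.devDependencies });
    }
  } else {
    // lockfileVersion 1: nested "dependencies"; edges are listed under "requires".
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        visit([...trail, dep].join(" > "), dep, meta, meta.requires);
        walk(meta.dependencies, [...trail, dep]);
      }
    };
    walk(lock.dependencies, []);
  }
  return { copies, requiredBy };
}

// Constructed lockfile (v1 layout): a dev-only tool pulls in event-stream.
const SAMPLE_LOCK = {
  name: "my-extension",
  lockfileVersion: 1,
  dependencies: {
    "dev-tool": {
      version: "0.0.0-constructed",
      dev: true,
      requires: { "event-stream": "0.0.0-constructed" },
      dependencies: {
        "event-stream": { version: "0.0.0-constructed", dev: true },
      },
    },
    "left-alone": { version: "0.0.0-constructed" },
  },
};

console.log(JSON.stringify(findPackage(SAMPLE_LOCK), null, 2));
```

To check a real extension, pass the result of `JSON.parse` on its `package-lock.json`; a copy reported with `dev: true` is the dev-dependency case the note describes, and `requiredBy` names the entry that pulls it in.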

We'll keep you posted.

Kai Maetzel (Microsoft)