VS Code

Microsoft warns of a phishing campaign targeting developers with fake Next.js job assessments. The attack uses VS Code workspace automation, npm build tasks, and backend scripts to install backdoors and exfiltrate credentials. Attackers leverage social engineering to compromise developer machines, gaining access to cloud secrets, tokens, and source code.

This report details a significant security and billing bypass vulnerability within the Copilot Chat extension for VS Code. The exploit leverages the architectural implementation of subagents and tool calls, which do not currently consume premium request credits. By initiating a session with a free model like GPT-5-mini and defining a custom agent configured to use a premium model such as Claude Opus 4.5, users can orchestrate 'free' premium model usage. The vulnerability allows the free orchestrator model to trigger expensive subagent calls indefinitely. Furthermore, the analyst identifies potential for automated loops and a lack of server-side API validation for message types, suggesting a broader risk of service abuse. Despite being reported to Microsoft Security Response Center, the issue was deemed out of scope for security rewards and redirected to public bug tracking.

The author shares a method for achieving seamless remote development on FreeBSD using Visual Studio Code's Remote SSH extension. By leveraging FreeBSD's Linuxulator to run Linux binaries, they overcome platform incompatibility, replacing slow NFS/SSHFS setups with a high-performance workflow that supports ARM64 environments and VS Code extensions flawlessly.