- A wide-spread, industry-wide security vulnerability impacted a dependency of a dependency of the Apollo VS Code plugin called
- The editor extension (along with 38 others) was removed from the VS Code Marketplace. These extensions were also uninstalled for users and flagged as “malicious” within VS Code.
- We locked our extension to a safe version of the dependency and worked with the VS Code team to republish the Apollo package which is now safely back on the marketplace for download
Timeline of events
Monday November 26
event-stream was discovered to have been compromised. The package, when installed alongside a bitcoin wallet tool called
copay-dash, would attempt to siphon and steal bitcoins from users.
We determined that the
vscode package that we use to build the Apollo VS Code editor extension was installing
event-stream. We locked our versions down to a previous safe version and uploaded a release to the VS Code Marketplace.
Tuesday November 27
We received reports of the editor extension being removed from the marketplace and flagged as malicious. Our team reached out to the VS Code team to ask what was happening and why were flagged.
The prior night, the VS Code team removed 38 extensions that depended on the
vscode or other related projects that brought the compromised package into builds. After receiving our message on Tuesday, they responded to our team letting us know they were reviewing our new build.
Wednesday November 28
The VS Code team let us know that our changes were sufficient and that the Apollo VS Code extension was published back onto the marketplace.
Due to the way VS Code extensions are installed, there is only a small chance that the vulnerability would have had any impact, however it is worth checking your machine to make sure that version of the package doesn’t exist. Lauren Elizabeth Tan put together a great tweet thread of steps to take:
Thanks for your continued support using the Apollo platform. We take your security seriously and will always responsibly disclose any security vulnerabilities in our tools. To report a security vulnerability, please contact firstname.lastname@example.org.
James Baxley III
Normally found on his farm working his bee hives or tending his flock of sheep, James is a believer in cultivating happy and healthly communities. He is a lover of design systems, roses, and fixing old land rovers.
Stay in our orbit!
Become an Apollo insider and get first access to new features, best practices, and community events. Oh, and no junk mail. Ever.
Make this article better!
Was this post helpful? Have suggestions? Consider so we can improve it for future readers ✨.