A poisoned VS Code extension led to a GitHub breach, and Microsoft owns every link in the chain
… The vetting, in other words, can miss real malware but also be blunt enough to flag code that turns out to be fine. Neither failure is reassuring when it's potentially the single point of defence against malware running on your machine. …