Before you go down this rabbit hole, consider that many extensions are slight forks of others. There isn't always malicious intent. Just people who try to extend the extensions and publish them without knowing otherwise.
For example, go look at any popular "Hello world" type of extension and you'll see many results of extensions in this definition of "name squatting".
When you add telemetry to a fork of a thing that didn't previously have telemetry, you don't deserve the benefit of the doubt. The original didn't need telemetry, so neither does your fork. Anybody who does this should be assumed malicious.
And telemetry for a fucking color theme? You've got to be shitting me. Whoever did this is a Grade-A scumbag. It didn't happen by accident and there is no possible benign motivation for it. I hope somebody has reported this to the FBI and other relevant authorities.
Non-malicious forks would choose a completely different name and mention the original in their README.
Name squatting relies on people making a typo and installing your stuff. That cannot be innocent, come on now.
Your link also does not prove anything except that people naively make extensions with the same name that feels cute or easily discoverable to them. I see no name squatting in that list, not in the top 10-20 anyway.
> Name squatting relies on people making a typo and installing your stuff. That cannot be innocent, come on now.
You are thinking of typosquatting. And my example shows people can publish extensions squatting on the same extension name as established ones while also changing other metadata to impersonate or spoof popular ones and confuse users quickly looking to install the extension.
But it does imply a trust and quality issue with the VSCode marketplace.
Combined with the lack of a proper sandbox or TCB for plugins, having an untrustworthy “marketplace” makes VSCode sound like a disaster waiting to be installed.
Another opinion is that there is plenty of crap on every registry and some are better at surfacing and cleaning up than others.
Similar to the US Navy and ships that are rust-free versus those battling rust. It doesn't affect the performance of those ships, just the perception. Left on for too long, it could eat away the actual integrity.
Not all problems are the registry's to burden. Trust and quality decisions are very individual, for example. No two people use the same definition.
VSCode doesn’t even provide a framework for enabling that decision making. Sure, you could forgo the use of any plugins, but so much of VSCode’s functionality is derived from plugins that you’d be better off just using notepad.
To be fair, vim and emacs aren’t any better.
Most of our dev tools are based on plug-in models that have zero security model baked in.
Most of those are social signals, and social engineering is a thing. Sure, you can read the code for every single update for every single plug-in you have to use for VSCode to function.
Having a proper set of API boundaries with security guarantees is the right solution. Even “notable publishers” can get hacked.
I don’t even understand why it’s an open question, tbh.
Darcula Dark could easily be what it says it is, which is an innocent take on VS Code’s default Darcula theme. I’d be willing to bet there are innocent VSCode extensions with Darcula in the title, and I don’t think that’s unreasonable or traitorous of any kind of intent.