Weeknotes #81 (May 23, 2026)
Things I found, read, did, and produced this past week.
Things I consumed
- GitHub internal repos were leaked due to malware in a VS Code extension. This was mainly possible because VS Code auto-updates extensions by default, which allowed the exploit to trigger even though the malicious version of the extension was only up on the marketplace for under 20 minutes.
- As a follow-up to this, people are recommending that Microsoft add minimumReleaseAge for VS Code extensions so that it doesn't download brand-new updates, as a safeguard against this.
- Also on the security front from Microsoft, npm is rolling out staged publishing, where you have to approve an npm publish via a 2FA flow before it goes fully live. We shall see if this helps protect against the mass of supply chain attacks that have been hitting npm for the past few years.
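
To make the minimumReleaseAge idea from the second item concrete, here is an added sketch (not code from VS Code, npm, or any linked post) of a release-age gate in an updater. The `Release` type, `pick_update`, the version numbers, the timeline and the 3-day cooldown are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class Release:
    version: str               # dotted numeric version, e.g. "1.4.1"
    published_at: datetime
    unpublished: bool = False  # pulled from the marketplace after release


def _key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def pick_update(releases: Iterable[Release], installed: str,
                now: datetime, min_age: timedelta) -> Optional[Release]:
    """Newest release that is newer than `installed`, still listed, and has
    been public for at least `min_age`. None means: keep what is installed."""
    eligible = [
        r for r in releases
        if not r.unpublished
        and now - r.published_at >= min_age
        and _key(r.version) > _key(installed)
    ]
    return max(eligible, key=lambda r: _key(r.version), default=None)


# Constructed timeline: 1.4.1 stands in for a malicious build that is live
# for under 20 minutes before being pulled.
T0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED_WHILE_LIVE = [
    Release("1.4.0", T0 - timedelta(days=30)),
    Release("1.4.1", T0),
]
FEED_AFTER_TAKEDOWN = [
    Release("1.4.0", T0 - timedelta(days=30)),
    Release("1.4.1", T0, unpublished=True),
    Release("1.4.2", T0 + timedelta(hours=2)),
]
COOLDOWN = timedelta(days=3)  # assumed policy value

if __name__ == "__main__":
    during = T0 + timedelta(minutes=10)
    print("auto-update:", pick_update(FEED_WHILE_LIVE, "1.4.0", during, timedelta(0)))
    print("cooldown:   ", pick_update(FEED_WHILE_LIVE, "1.4.0", during, COOLDOWN))
    later = T0 + timedelta(days=4)
    print("day 4:      ", pick_update(FEED_AFTER_TAKEDOWN, "1.4.0", later, COOLDOWN))
```

The cooldown only helps when the bad release is pulled inside the window; a release that stays listed past `min_age` is installed as normal.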