I work in this space and see these types of "hit articles" so often.
These "security researchers/products" aren't doing anything more than spreading FUD and trying to sell their own products. Most of the FUD they spread is so widely misunderstood and positioned as if X thousands of machines/developers were "affected". The reality is much different.
In the name of being a good security citizen, please just report these extensions so action can be taken and fewer copycats occur. Stop writing about these non-events. The reality of each registry is that there will always be bad extensions/packages/etc. The stewards of each registry work very hard to keep them safe. These types of articles make their lives harder, not easier.
> The stewards of each registry work very hard to keep them safe.
What kinds of things do they do? Any idea how this slipped through? Do you know what the review process entails before a plugin is made available for download?
They scan for known malicious code/vulnerabilities.
They work with security researchers to take appropriate action on reports.
They enforce CoC and ToS policy against any who abuse them.
They work with the community to address any unrest.
They continuously monitor for suspicious activity.
They respond to active security incidents.
They work across many security working groups to stay current on best practices, latest standards, newest initiatives.
As to your other questions, this isn't "slipping through". These registries act under a "trust but verify" model. It simply would not scale if they had to manually review all submissions akin to the app store (zero trust). Most of these registries run on volunteers or small pizza teams.
Every single registry has similar challenges. PyPI just last weekend had to halt user sign-ups and uploads due to these abuses.