[BREACH] VS Code extensions are now part of the supply chain
![[BREACH] VS Code extensions are now part of the supply chain](https://images.squarespace-cdn.com/content/v1/54bd1221e4b05e8a3646d021/1779808858948-BMRA8BFTOUVHF022ZDAH/zzz.png)
The plugin had keys. A VS Code extension sat beside repos, tokens, terminals, and AI configs. That is not just productivity. That is inherited access.
[FORECAST] Device-Bound Sessions Are Coming. Defaults Are the Hard Part.
![[FORECAST] Device-Bound Sessions Are Coming. Defaults Are the Hard Part.](https://images.squarespace-cdn.com/content/v1/54bd1221e4b05e8a3646d021/1778085280152-5T15KO073L1XKEUK2WU9/z.png)
“Secure by default” sounds great until it meets BYOD, VDI, federated SSO, and the help desk exception list from hell.
Device-bound sessions help.
Waiting for every SaaS vendor to flip the default is not a strategy.