VS Code’s AllowedExtensions policy shipped in November 2024. GitHub — a Microsoft subsidiary — wasn’t enforcing it when a poisoned Nx Console extension walked out with 3,800 internal repos in 11 minutes. The policy framework was never missing. The enforcement was. Here’s the Intune remediation script and the Copilot/MCP guardrails that close the exact attack path TeamPCP used.
