VS Code Extension Secrets Spill: A Comedy of Errors in the Supply Chain!
Developers of VS Code extensions have been leaking sensitive secrets left, right, and center. Wiz Security found over 550 leaks in more than 500 extensions, potentially leading to supply chain attacks. Microsoft has since implemented scanning to block such extensions, protecting countless developers from unintended “theme park” surprises.
Hot Take:
Who knew that the real secret to being a successful developer was to accidentally leak all your sensitive data for the world to see? VS Code extension developers are putting on a masterclass in how to make your security woes go viral. Maybe this is their way of reminding everyone that sharing is caring? But Microsoft swooped in and decided that these secrets are better left… well, secret. Good save, Microsoft! Now developers can get back to coding without inadvertently starring in the next episode of ‘When Tokens Attack.’
Key Points:
- Wiz Security found over 550 sensitive secrets in VS Code and Open VSX Marketplace extensions.
- These secrets included access tokens, credentials, and API keys.
- More than 100 secrets could have allowed attackers to update the extensions themselves.
- Microsoft has implemented secret-scanning to block leaky extensions.
- The focus is on protecting users from potential supply chain attacks.