VS Code Extensions Leak: A Comedy of Errors or Cybersecurity Catastrophe?
Visual Studio Code extensions are having a rough time, as over 100 of them leaked access tokens, opening the door for bad actors to distribute malware. Publishers must remember: secrets are like your internet history—best kept hidden! If only the extensions had a built-in cringe detector for poorly secured code.
Hot Take:
Visual Studio Code extensions are having a rough year – all thanks to some well-meaning developers who left the keys to the kingdom just lying around. It’s the digital equivalent of leaving the front door unlocked with a welcome mat that says “Bad Actors Welcome!” With over 100 extensions leaking access tokens, it’s no wonder these plug-ins have become the latest hot commodity for cybercriminals. It’s almost as if VS Code stood for “Very Susceptible Code” these days! Maybe next time, publishers will remember that secrets should stay secret, even if they’re buried inside a cool theme extension. After all, you wouldn’t leave your diary open on the kitchen table, would you?
Key Points:
- Over 100 VS Code extensions leaked access tokens, posing a software supply chain risk.
- More than 550 secrets from 500+ extensions were found, including AI provider and cloud service secrets.
- Wiz reported that extensions with leaked tokens have a combined install base of over 150,000 users.
- Threat actor ‘TigerJack’ targeted the VS Code Marketplace with malicious extensions.
- Microsoft has revoked leaked PATs and is adding secret scanning capabilities to tackle the issue.