Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks

This article discusses the security risks associated with leaked access tokens in over 100 VS Code extensions, which could allow attackers to distribute malicious updates. It highlights the discovery of numerous secrets and the threat of malicious campaigns like TigerJack targeting developers and organizations.

Key Points

  • Over 100 VS Code extensions leaked access tokens, risking malware spread.
  • Researchers found more than 550 secrets, including API keys and cloud credentials.
  • Malicious actors like TigerJack have published extensions that steal source code and mine cryptocurrency.
  • Microsoft has implemented security measures, but vulnerabilities remain in other marketplaces like Open VSX.
  • Users and organizations should scrutinize extensions, limit installations, and develop inventory protocols.
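
One way to act on the inventory recommendation in the last point, shown as an added example that is not from the article. It assumes the usual on-disk layout of one folder per installed extension, each holding a `package.json` with `publisher`, `name` and `version` (by default under `~/.vscode/extensions`); the allowlist format and every extension name in it are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def inventory(ext_dir):
    """Return {publisher.name: version} from each extension's package.json."""
    found = {}
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            found[ext_id] = str(meta["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable or malformed manifest: record it instead of skipping silently
            found[manifest.parent.name.lower()] = "unparseable"
    return found


def audit(installed, allowlist):
    """Compare an inventory to an allowlist of {id: pinned version or None}."""
    report = {"unapproved": [], "version_drift": [], "ok": []}
    for ext_id, version in sorted(installed.items()):
        if ext_id not in allowlist:
            report["unapproved"].append(ext_id)
        elif allowlist[ext_id] not in (None, version):
            report["version_drift"].append(ext_id)
        else:
            report["ok"].append(ext_id)
    return report


def demo():
    """Audit a constructed extensions directory (all names are made up)."""
    sample = [("example-corp", "linter", "1.4.0"),
              ("example-corp", "theme", "2.0.1"),
              ("unknown-pub", "helper", "0.0.3")]
    allowlist = {"example-corp.linter": "1.4.0", "example-corp.theme": "2.0.0"}
    with tempfile.TemporaryDirectory() as root:
        for pub, name, ver in sample:
            d = Path(root) / f"{pub}.{name}-{ver}"
            d.mkdir()
            (d / "package.json").write_text(
                json.dumps({"publisher": pub, "name": name, "version": ver}))
        return audit(inventory(root), allowlist)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pinning a version in the allowlist makes an auto-updated extension show up as `version_drift`, which is the case that matters when a publisher's token has leaked and an update can no longer be assumed to come from the publisher.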

Read More: https://thehackernews.com/2025/10/over-100-vs-code-extensions-exposed.html