Cybersecurity researchers uncovered a widespread issue of secret leakage in hundreds of Visual Studio Code and Open VSX extensions, risking supply chain attacks. These leaks include sensitive API keys and tokens that could allow attackers to push malicious updates or compromise enterprise systems. #VSCodeExtensions #SupplyChainThreats
Key points
- Researchers found over 550 leaked secrets across more than 500 extensions from various publishers.
- Leaked Personal Access Tokens (PATs) could enable attackers to update or publish malicious extensions.
- The majority of leaks stem from hidden configuration files like .env and AI-related JSON files.
- Even themes, often deemed safe, can be Trojan horses if they are compromised or contain malicious code.
- Platform safeguards were implemented after collaboration with Microsoft and Open VSX to address the vulnerabilities.
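A pre-publish check of the kind the findings above call for, written as an added example rather than code from the researchers or from either marketplace: it opens a packaged .vsix (a zip) and flags bundled .env files, JSON config whose keys look like credentials, and credential-style assignments in text. The sample package, its file names and its token values are constructed for the demo.

```python
"""Added example: scan a .vsix package for bundled secrets before publishing."""
import io
import json
import re
import zipfile

# File names that commonly carry credentials into a package (constructed list, not exhaustive).
SENSITIVE_NAMES = re.compile(r"(^|/)(\.env(\..*)?|[^/]*\.pem|[^/]*\.key)$")
# Labelled assignments such as API_KEY=... or "token": "..." with a long value.
ASSIGNMENT = re.compile(r"(?i)(api[_-]?key|token|secret|password)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")
JSON_KEY_HINT = re.compile(r"(?i)(api[_-]?key|token|secret|password)")


def scan_vsix(data: bytes) -> list:
    """Return (path, reason) findings for a VSIX given as raw zip bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            if SENSITIVE_NAMES.search(path):
                findings.append((path, "sensitive filename"))
            try:
                text = zf.read(path).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary asset; nothing to grep
            if path.endswith(".json"):
                try:
                    obj = json.loads(text)
                except ValueError:
                    obj = None
                if isinstance(obj, dict):
                    for key, val in obj.items():
                        if JSON_KEY_HINT.search(key) and isinstance(val, str) and len(val) >= 16:
                            findings.append((path, f"json key '{key}' looks like a credential"))
            if ASSIGNMENT.search(text):
                findings.append((path, "credential-like assignment"))
    return findings


def build_sample_vsix(include_secrets: bool = True) -> bytes:
    """Construct a small VSIX-like zip; with include_secrets it leaks a .env and an AI config (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", json.dumps({"name": "demo-theme", "version": "0.0.1"}))
        zf.writestr("extension/themes/dark.json", json.dumps({"name": "Dark", "colors": {}}))
        if include_secrets:
            zf.writestr("extension/.env", "OPENAI_API_KEY=sk-EXAMPLEEXAMPLEEXAMPLE1234\n")
            zf.writestr("extension/ai-agent.json", json.dumps({"api_key": "PLACEHOLDER_TOKEN_0123456789abcdef"}))
    return buf.getvalue()
```

Run the scanner as a CI gate on the packaged artifact, since a secret that reaches the .vsix has already left the developer's machine.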
Read More: https://securityonline.info/critical-vscode-supply-chain-flaw/