Ethical Hacking News

The Dark Side of Open-Source: How Leaked Access Tokens Expose Visual Studio Code Extensions to Malware Risks


Over 100 Visual Studio Code (VS Code) extensions have been exposed to critical software supply chain risks due to leaked access tokens, posing a significant threat to developers and organizations relying on these extensions.

  • Over 100 VS Code extensions exposed to hidden supply chain risks due to leaked access tokens.
  • Leaked access tokens allow malicious actors to update extensions with malicious code, posing a risk to users' sensitive data.
  • A study found over 550 validated secrets distributed across more than 500 extensions from hundreds of distinct publishers.
  • Certain extensions, such as C++ Playground and HTTP Format, contain hardcoded secrets that can be exploited by malicious actors.
  • Many developers ignore security implications of installing extensions, unaware of the risks posed by leaked access tokens.



    The world of open-source software development is often touted as a beacon of transparency and collaboration. However, the recent revelations surrounding Visual Studio Code (VS Code) extensions have shed a harsh light on the darker aspects of this ecosystem. A new report by the security firm Wiz has exposed over 100 VS Code extensions to hidden supply chain risks due to leaked access tokens. These tokens, which are used to authenticate users and manage access to sensitive data, have been found in various extensions, allowing malicious actors to update those extensions with malicious code.

    The implications of this discovery are far-reaching. According to Rami McCarthy, a security researcher at Wiz, "A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base." This means that if a threat actor gains control over one of these extensions, they can potentially spread malware to every user who has installed it. The exposure is widened further by the fact that many developers ignore the security implications of installing extensions, unaware of the risks posed by leaked access tokens.

    The report found that over 550 validated secrets were distributed across more than 500 extensions from hundreds of distinct publishers. These secrets include sensitive information such as AI provider secrets, cloud service provider secrets, and database secrets. The most egregious offenders included themes, which often contain hardcoded secrets that can be exploited by malicious actors.

    One extension in particular, C++ Playground, has been found to capture keystrokes in real-time through a listener triggered after a 500-millisecond delay. This allows the threat actor to steal C++ source code files without being detected. The HTTP Format extension, on the other hand, harbors nefarious code that can run the CoinIMP miner and stealthily mine cryptocurrency by abusing system resources.

    Wiz noted that many of these extensions started off as benign tools before malicious modifications were introduced. This is a classic case of a Trojan horse approach, where threat actors establish legitimacy and gain traction among users before unleashing their malicious payloads. The company also pointed out that most of these extensions are still available on Open VSX, despite being removed from the Microsoft platform.

    The security landscape across the marketplaces is fragmented, creating dangerous blind spots that sophisticated threat actors can exploit. Even if a malicious extension is removed from one marketplace, it can easily migrate to less secure alternatives. This highlights the need for a more comprehensive approach to software supply chain risk management, one that takes into account the complexities of open-source ecosystems.

    Microsoft has taken steps to address this issue, including an initial scan of all incoming packages for malicious run-time behavior in a sandbox environment, as well as periodic marketplace-wide scans to ensure the safety of users. However, these security protections only apply to VS Code Marketplace and not to other platforms like Open VSX.

    In light of this discovery, developers are advised to limit the number of installed extensions, scrutinize extensions prior to downloading them, and weigh the pros and cons of enabling auto-updates. Organizations are recommended to develop an extension inventory to better respond to reports of malicious extensions and consider a centralized allowlist for extensions.
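    One way to build the extension inventory and centralized allowlist check recommended above, as an added example that is not code from Wiz, Microsoft or the original article. It assumes the `code` CLI is on PATH, uses constructed sample output, and the publisher name `example-publisher` is a placeholder; the ability to block an entire publisher (for example while a leaked PAT is being revoked) is an addition beyond the article's advice.

```python
"""Inventory installed VS Code extensions and check them against an allowlist.

Parses the output of `code --list-extensions --show-versions`, which prints
one `publisher.name@version` line per extension, so that a report naming a
malicious extension or a publisher with a leaked token can be matched fast.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Extension:
    publisher: str
    name: str
    version: str

    @property
    def identifier(self) -> str:
        return f"{self.publisher}.{self.name}"


def parse_extension_list(output: str) -> list[Extension]:
    """Parse `publisher.name@version` lines; blank or malformed lines are skipped."""
    exts = []
    for line in output.splitlines():
        line = line.strip()
        if not line or "@" not in line or "." not in line:
            continue
        ident, _, version = line.rpartition("@")      # version may not contain '@'
        publisher, _, name = ident.partition(".")     # publisher never contains '.'
        if publisher and name and version:
            exts.append(Extension(publisher, name, version))
    return exts


def list_installed() -> list[Extension]:
    """Run the real VS Code CLI (assumes `code` is on PATH)."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return parse_extension_list(out)


def check_allowlist(exts, allowlist: set[str], blocked_publishers=frozenset()):
    """Split into (allowed, denied). Allowlist entries are `publisher.name` or
    `publisher.*`; a blocked publisher overrides any allowlist entry."""
    allowed, denied = [], []
    for e in exts:
        ok = (e.publisher not in blocked_publishers
              and (e.identifier in allowlist or f"{e.publisher}.*" in allowlist))
        (allowed if ok else denied).append(e)
    return allowed, denied


# Constructed sample CLI output; `example-publisher` is a placeholder name.
SAMPLE_OUTPUT = """ms-python.python@2024.4.1
esbenp.prettier-vscode@10.1.0
example-publisher.cpp-playground@0.0.3
"""
ALLOWLIST = {"ms-python.*", "esbenp.prettier-vscode"}
```

Replace `SAMPLE_OUTPUT` with `list_installed()` on a real workstation; the denied list is what a reviewer acts on.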

    The incident highlights the continued risks of extensions and plugins in software supply chain security. As Wiz stated, "It continues to validate the impression that any package repository carries a high risk of mass secrets leakage." The use of leaked access tokens poses a critical threat to developers and organizations relying on these extensions, emphasizing the need for greater awareness and vigilance in the face of this growing threat.

    In conclusion, the recent discovery of over 100 VS Code extensions exposed to hidden supply chain risks due to leaked access tokens serves as a stark reminder of the importance of software supply chain risk management. The use of open-source software can be a powerful tool for collaboration and innovation, but it also requires careful consideration of the potential risks involved. By taking steps to mitigate these risks, developers and organizations can ensure the security and integrity of their software ecosystems.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Open-Source-How-Leaked-Access-Tokens-Expose-Visual-Studio-Code-Extensions-to-Malware-Risks-ehn.shtml

  • https://thehackernews.com/2025/10/over-100-vs-code-extensions-exposed.html

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://en.wikipedia.org/wiki/Advanced_persistent_threat


    Published: Thu Oct 16 15:44:32 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.