Devs of VS Code extensions are leaking secrets en masse
"Wiz Security examined more than 500 extensions across the VS Code and Open VSX marketplaces, provided by hundreds of publishers, and found more than 550 validated secrets. By "secrets," security folk typically mean things such as access and authorization tokens, credentials, API and/or encryption keys, certificates, and the like. It identified 67 categories of secrets, but the majority could be placed into three groups: generative AI platforms, high-risk professional platforms such as AWS, GCP, Auth0, and GitHub, and databases such as MongoDB and Postgres."
"More than 100 of the 550-plus secrets they found would have given attackers access to update the extension itself, and given that VS Code auto-updates extensions, the potential for a supply chain attack was dangerously high. Wiz said that after finding the issues, particularly those which leaked personal access tokens (PATs) for updating the extension, its researchers could have deployed malware to around 150,000 users in one swoop. Many of the affected machines were vulnerable because of theme downloads."
More than 500 VS Code and Open VSX extensions were examined and more than 550 validated secrets were found. "Secrets" include access and authorization tokens, credentials, API and encryption keys, and certificates. Sixty-seven categories of secrets were identified, with the majority falling into three groups: generative AI platforms; high-risk professional platforms such as AWS, GCP, Auth0, and GitHub; and databases such as MongoDB and Postgres. Over 100 of the secrets could permit attackers to update extensions, and VS Code's auto-update feature increases supply chain risk. An exploit could have delivered malware to roughly 150,000 users, often via theme downloads, and vendor-specific internal extensions published publicly create targeting opportunities.
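The pre-publish check this finding calls for, as an added example (not Wiz's or the marketplaces' tooling): a minimal scanner over the files of an unpacked extension package that flags a few well-known credential formats and masks what it reports. The patterns, suffix list and sample package are assumptions constructed for the example.

```python
import re

# Added example: scan extension package files for a few well-known credential
# formats before publishing. Assumed formats: GitHub classic PAT ("ghp_" plus
# 36 alphanumerics), AWS access key ID ("AKIA" plus 16 uppercase alphanumerics)
# and a generic key/secret/token assignment with a long quoted literal value.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]"""),
}
# Only text-like files are scanned; binaries such as icons are skipped (assumed list).
TEXT_SUFFIXES = (".js", ".ts", ".json", ".sh", ".env", ".md", ".yml", ".yaml")

def mask(value):
    """Keep only a short prefix and suffix so the report does not re-leak the secret."""
    return value[:6] + "..." + value[-2:]

def scan_text(path, text):
    """Return one finding per pattern match, with line number and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"file": path, "line": lineno,
                                 "kind": kind, "match": mask(secret)})
    return findings

def scan_package(files):
    """files: mapping of path -> content, as unpacked from a .vsix archive."""
    findings = []
    for path, content in files.items():
        if path.endswith(TEXT_SUFFIXES):
            findings.extend(scan_text(path, content))
    return findings

# Constructed sample package; the secret values are placeholders in the assumed formats.
SAMPLE_VSIX_FILES = {
    "extension/package.json": '{"name": "demo-theme", "version": "1.0.0"}',
    "extension/out/extension.js":
        'const client = new Client({ apiKey: "sk-CONSTRUCTED0000000000000000" });',
    "extension/scripts/publish.sh": "vsce publish -p ghp_" + "A" * 36,
    "extension/.env": "AWS_ACCESS_KEY_ID=AKIAAAAAAAAAAAAAAAAA",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_VSIX_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['match']}")
```

Run it over the unpacked .vsix rather than the source tree, since .vscodeignore decides which files actually ship to users.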
Read at The Register