Information security
from The Register
10 hours ago
Devs of VS Code extensions are leaking secrets en masse
VS Code extensions frequently expose sensitive secrets, enabling potential large-scale supply chain attacks.
"A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base," Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. "An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base."