Extensions in integrated development environments (IDEs) give developers flexibility but also introduce software supply-chain risk. Research indicates that verified extensions on platforms such as Visual Studio Code and IntelliJ IDEA can be modified without losing their trusted status. Because the verification badge survives the modification, a malicious version can bypass the marketplace's trust signal and let an attacker execute arbitrary commands on a developer's machine unnoticed. Only 20% of organizations secure their software supply chain, which makes developers, with their access to sensitive data and internal systems, an attractive target. Many organizations lack the oversight needed to address these weaknesses adequately.
Researchers found that verified extensions in Visual Studio Code, Visual Studio, and IntelliJ IDEA can retain their checkmark after being modified, allowing malicious versions to maintain trusted status.
Because the trusted status is retained, malicious actors can execute arbitrary code without developers noticing, significantly increasing the potential for exploitation on affected systems.
Only one in five organizations has secured its software supply chain, which raises the risk of compromise through developers and, with it, the theft of intellectual property and sensitive information.
Almost half of organizations operating vital infrastructure lack sufficient insight into cybersecurity vulnerabilities in their supply chains, a gap that developers' privileged access makes more dangerous.
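The marketplace checkmark described above attests to the publisher, not to the bytes actually installed, so a defender needs a separate integrity signal. The following added example (not code from the research or from any IDE vendor) pins a content hash for every installed extension folder and reports drift against that baseline; the default path `~/.vscode/extensions` is the usual VS Code location and is assumed here, and the folder naming `publisher.name-version` is likewise an assumption.

```python
import hashlib
import json
from pathlib import Path

# Hypothetical helper, not part of any IDE's own tooling: the "verified"
# badge does not cover on-disk contents, so we pin them ourselves.

def hash_extension_dir(ext_dir: Path) -> str:
    """Deterministic SHA-256 over every file under ext_dir (relative path + bytes)."""
    h = hashlib.sha256()
    for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        rel = f.relative_to(ext_dir).as_posix().encode()
        h.update(len(rel).to_bytes(4, "big") + rel)   # length-prefix to avoid ambiguity
        data = f.read_bytes()
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def build_baseline(extensions_root: Path) -> dict:
    """Map each extension folder (assumed 'publisher.name-version') to its content hash."""
    return {d.name: hash_extension_dir(d)
            for d in sorted(extensions_root.iterdir()) if d.is_dir()}

def check_drift(extensions_root: Path, baseline: dict) -> dict:
    """Compare the current install against a pinned baseline.
    A 'modified' entry means the folder name (and so the version) is unchanged
    but its contents are not, which is exactly the case a badge cannot reveal."""
    current = build_baseline(extensions_root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".vscode" / "extensions"
    baseline_file = Path("extension-baseline.json")
    if baseline_file.exists():
        # Second run: report any extension whose contents changed since the baseline.
        print(json.dumps(check_drift(root, json.loads(baseline_file.read_text())), indent=2))
    else:
        # First run: record the known-good state right after a reviewed install.
        baseline_file.write_text(json.dumps(build_baseline(root), indent=2))
        print(f"wrote baseline for {root}")
```

Run it once after a reviewed install to write the baseline, then periodically (or from a CI or endpoint job) to surface silent in-place changes.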