Security Flaws in VS Extensions Expose Developers to Threats

A recent investigation by security researchers has revealed a critical vulnerability in the Visual Studio Code (VSCode) and OpenVSX marketplaces. Developers, often unintentionally, have been uploading extensions containing sensitive access tokens and other confidential data, inadvertently creating avenues for exploitation by malicious actors. This discovery led to a collaborative effort with Microsoft and OpenVSX to enhance security protocols on their platforms.

The security vendor Wiz initiated the investigation earlier this year, identifying over 550 validated secrets embedded across more than 500 extensions from numerous publishers. These exposed secrets included credentials for major AI platforms like OpenAI, Gemini, and HuggingFace, as well as high-risk professional platforms such as AWS, GitHub, Stripe, Auth0, and Google Cloud Platform. Additionally, database secrets for MongoDB, Postgres, and Supabase were found. The extensive nature of these leaks underscores a pervasive issue within the developer ecosystem.

Uncovering Widespread Vulnerabilities in Developer Ecosystems

The Wiz report detailed that over 100 valid Azure DevOps Personal Access Tokens were leaked within VSCode Marketplace extensions, affecting an install base exceeding 85,000. Furthermore, more than thirty OpenVSX access tokens were discovered in both VSCode Marketplace and OpenVSX extensions, collectively representing over 100,000 installations. These statistics highlight the significant scale of the exposure.

A primary cause of these leaks was developers bundling hidden files, particularly .env files, which often contain sensitive configuration data. Hardcoded credentials directly within the extension source code were also a prevalent issue. Researchers observed a rise in secrets leaking through AI-related configuration files, including config.json, mcp.json, and .cursorrules, along with common sources like build configurations in package.json and even documentation such as README.md.

In response to these findings, Microsoft and Wiz launched a notification campaign to alert affected publishers and assist them in addressing vulnerabilities. Microsoft has since integrated secrets scanning capabilities into its marketplace, blocking extensions with verified secrets prior to publication and notifying owners of detected issues. OpenVSX is also implementing measures, including adding a unique prefix (ovsxp_) to its tokens to enhance identification and security.

The security firm noted that many publishers failed to recognize that all content within their uploaded packages would become publicly accessible. This oversight often led to a lack of proper sanitization, allowing hardcoded secrets to remain in the extensions. This vulnerability has been recognized and exploited by threat actors, who are actively attempting to compromise the extension supply chain, mirroring past successes in poisoning other open code repositories like NPM and GitHub.

The Wiz investigation was prompted by a discovery in February where threat actors attempted to introduce malware into the VSCode Marketplace via a supply chain attack. Such an attack, if successful, could have enabled direct distribution of malware to an estimated 150,000 installations. This incident serves as a stark reminder for developers to meticulously sanitize their code before publishing to open marketplaces and for Chief Security Officers (CSOs) to rigorously vet extensions used by their development teams.

The Growing Threat Landscape for Developers

Developers have become prime targets for cyberattacks, a trend underscored by the vulnerabilities in extension marketplaces. Johannes Ullrich, dean of research at the SANS Institute, highlighted that even seemingly benign extensions, like those modifying code colors, often possess full access to a developer’s codebase and can make unauthorized modifications. He noted that extension marketplaces suffer from the same lack of oversight as other code repositories (e.g., pip, npm, NuGet). Upon installation, extensions execute code, granting them extensive and persistent access to a developer’s projects.

David Shipley, head of Canadian security awareness firm Beauceron Security, emphasized that the software supplier ecosystem represents a new weak link in the security chain. He described this as a “clear, systemic issue” that cannot be resolved solely through artificial intelligence. Shipley warned that without fundamental changes, including shifts in legal liability, a cultural embrace of security by design, and continuous education for developers on security principles, organizations risk experiencing widespread attacks similar to WannaCry.

Visual Studio (VS) extensions and themes are designed to enhance developer productivity and functionality. Extensions can introduce new features, debuggers, or language support, while themes alter the editor’s appearance, controlling elements like colors and fonts. Microsoft’s VSCode Marketplace offers an accessible platform for developers to share these tools. However, developers who fail to sanitize their submissions before uploading to VSCode or OpenVSX marketplaces risk exposing access tokens. If these tokens are compromised, threat actors could automatically update all instances of an extension with a malicious version.

The Wiz report cautioned that not only poorly written or compromised extensions pose a risk, but themes can also introduce vulnerabilities. Despite themes generally being perceived as safer due to their lack of executable code, the report points out that they can still increase the attack surface because there are no technical controls preventing malware from being bundled within them. Many vulnerable installations identified in the report actually comprised themes, demonstrating that even seemingly innocuous components can pose a threat.

Ongoing Incidents and Remedial Actions

Rami McCarthy, principal security researcher at Wiz, confirmed that no organizations were directly impacted as a result of the specific issue identified by Wiz. However, this week, CSO reported a separate discovery by Koi Security of a threat group named TigerJack distributing malicious VSCode extensions. This group has achieved over 17,000 downloads across 11 malicious extensions from the VSC and Open VSX marketplaces. While two popular extensions, “C++ Payground” and “HTTP Format,” have been removed, TigerJack continues its operations by re-uploading malware-laden code using fresh accounts.

Koi Security’s findings indicate that some of TigerJack’s malicious extensions covertly upload a developer’s source code to external endpoints, while others exploit local resources for cryptomining. The most sophisticated variants can execute JavaScript remotely, allowing for functionality changes without requiring new updates. McCarthy asserted that the issue Wiz Research identified was even more severe, as it could have allowed attackers to weaponize over a hundred legitimate extensions, automatically installing malware on more than 185,000 developer machines. Wiz also observed “download pumping” tactics used by attackers to inflate download numbers, making installation figures unreliable.

McCarthy noted the absence of a consistent threat model for extension marketplaces, which complicates platforms’ ability to anticipate these risks. However, he acknowledged Microsoft’s marketplace has demonstrated greater security investment compared to OpenVSX, underscoring the importance of such commitments. He reiterated the necessity for developers to meticulously sanitize their code before publication, but also emphasized the role of platforms in building guardrails to mitigate risks stemming from individual developer errors. Developer security, McCarthy concluded, is a shared responsibility between publishers and the ecosystems hosting their work.

Recommendations for CSOs and Developers

To enhance security, Wiz offers specific advice for VSCode users:

• Limit installed extensions: Each extension expands the potential attack surface. Users should weigh the benefits against the security risks.
• Review trust criteria: Before adoption, evaluate an extension’s installation prevalence, user reviews, history, and publisher reputation.
• Consider auto-update tradeoffs: While auto-updates ensure timely security patches, they also introduce the risk of a compromised extension pushing malware to a machine.

Corporate security teams should implement robust strategies:

• Develop an IDE extension inventory: Maintain a comprehensive list of approved extensions to facilitate rapid responses to reports of malicious activity.
• Create a centralized allowlist: Consider establishing an approved list for VSCode extensions to manage and control what developers can install.
• Prioritize the VSCode Marketplace: Opt for extensions from the VSCode Marketplace, which currently offers stricter review processes and controls compared to OpenVSX.

McCarthy advised leaders to leverage device management and endpoint security tools to inventory and enforce extension allowlists. He stressed the importance of balancing centralized approval with developer flexibility, recognizing that extensions provide significant value and drive innovation. However, an unmanaged “long tail” of extensions can create a substantial attack surface. Ullrich of the SANS Institute cautioned that no single method can fully verify an application’s integrity. While standard endpoint and network security solutions can assist, they require careful tuning to avoid excessive false positives on developer workstations. Therefore, developers should strive to minimize the number of extensions they install.