How Open Marketplace Extensions Could Be Putting Developers at Risk
Many developers publish extensions for tools like Visual Studio Code without checking what actually ends up inside the package. A recent report from Wiz found that over 500 extensions shipped with embedded secrets such as access tokens and passwords, which any attacker who downloads the package can read out of it. These leaks expose thousands of users and their projects, and they show that secret hygiene is not keeping pace with how easy publishing has become.
What Wiz Found in Popular Extensions
Wiz’s investigation uncovered more than 550 secrets spread across hundreds of extensions. They included API keys for AI services such as OpenAI, HuggingFace and Perplexity, and credentials for cloud platforms such as AWS, Google Cloud and Azure DevOps. Many were embedded directly in source code or shipped in configuration files, so anyone who fetched the published package could read them without any exploitation at all.
The researchers also found more than 100 leaked Azure DevOps tokens, which can grant access to private projects or allow unauthorized changes; the affected extensions account for over 85,000 installs. On top of that, around thirty OpenVSX access tokens were exposed, affecting over 100,000 installs. A publishing token is the most dangerous kind of leak, because whoever holds it can push a new version of the extension under the legitimate publisher’s name. Taken together, the numbers show how widespread the problem is.
How Developers Are Leaving Secrets Exposed
Most of the secrets came from developers bundling hidden dotfiles, especially .env files that hold credentials for local development, into the published package. Hardcoded credentials in the source code were also common. The Wiz team also noticed a growing share of secrets in AI configuration files, build files such as package.json, and even documentation such as README.md.
Many developers don’t realize that everything inside the published package is publicly downloadable, so a secret that is not removed before packaging is exposed to anyone who installs the extension. Microsoft and OpenVSX have responded by scanning extensions for secrets before they are published. Microsoft now blocks extensions that contain verified secrets and notifies the owners, while OpenVSX is giving its tokens a recognizable prefix so that secret scanners can identify a leaked one.
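The practical consequence of the two paragraphs above is that the artifact to check is the package itself, not the working tree. A .vsix is an ordinary zip archive, so the check can be done offline before publishing. The following scanner is an added example written for this page, not code from Wiz or from either marketplace: it lists every entry in a .vsix, flags bundled dotfiles such as .env, and runs a few credential-shaped regexes over text files. The regexes, the file name list and the sample package are this example’s own assumptions; the sample values are placeholders (AKIAIOSFODNN7EXAMPLE is AWS’s documentation example key), not real credentials.

```python
import io
import re
import zipfile

# Credential shapes to look for. The AKIA and sk- prefixes are the publicly
# documented formats of AWS access key IDs and OpenAI keys; the generic
# assignment pattern catches "token = ..." style hardcoding in source,
# configs and READMEs. These regexes are this example's assumption, not
# the detection logic Wiz or the marketplaces use.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Dotfiles that should never be inside a published package, whatever they contain.
DOTFILE_RE = re.compile(r"(^|/)\.(env|npmrc|git-credentials)(\.|$)")

# Only text-like entries are scanned for patterns.
TEXT_SUFFIXES = (".js", ".mjs", ".ts", ".json", ".md", ".txt", ".yml", ".yaml", ".env")


def redact(value: str) -> str:
    """Keep only enough of a matched value to recognise it in a report."""
    return value[:6] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_vsix(data: bytes):
    """Return (path, kind, evidence) findings for a .vsix given as bytes.

    A .vsix is a zip archive; the packaged extension lives under extension/.
    Every entry ends up on the marketplace, so every entry is checked, not
    just the files the developer remembers writing.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            if DOTFILE_RE.search(path):
                findings.append((path, "bundled_dotfile", path.rsplit("/", 1)[-1]))
            if not path.endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append((path, kind, redact(match.group(0))))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample package reproducing the mistakes described above.

    Values are placeholders, not real credentials.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json",
                    '{"name": "demo-helper", "version": "0.0.1", "main": "./src/extension.js"}')
        zf.writestr("extension/README.md",
                    "# demo-helper\n\nSet OPENAI_API_KEY in your environment before use.\n")
        # A .env file that sat in the working tree and was never excluded from the package.
        zf.writestr("extension/.env",
                    "OPENAI_API_KEY=sk-EXAMPLEexampleEXAMPLE0000\n"
                    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
        # A credential hardcoded straight into the extension's source.
        zf.writestr("extension/src/extension.js",
                    'const client = new OpenAI({ apiKey: "sk-EXAMPLEexampleEXAMPLE0000" });\n')
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind, evidence in scan_vsix(build_sample_vsix()):
        print(f"{kind:20} {path}  ({evidence})")
```

Run against a real package, it would be fed the bytes of the .vsix produced by the packaging step, and any finding should fail the release. The README in the sample is deliberately clean (it names the variable without its value) to show that the scanner reports hardcoded values, not mentions of credentials.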
The Bigger Picture: Why This Matters
The risk isn’t just about accidental leaks. Criminal and nation-state attackers see marketplaces as an easy way to distribute malicious code. In recent years, attackers have repeatedly tried to plant malware in open-source package registries such as npm and on GitHub. The Wiz report notes that attackers have previously attempted to insert malware into the VS Code marketplace, which could have affected thousands of developers and their projects.
A leaked publishing token makes this worse. With it, an attacker can push a new version of a legitimate extension that contains malicious code, and because VS Code updates extensions automatically by default, that version reaches every existing install without the user doing anything. That is how a single leaked credential can spread quickly across developer environments, and it is why secrets must be stripped from a package before it is published and why users should not treat an extension’s install count as proof of safety.
Why Developers and Security Teams Need to Be Careful
Experts warn that developers often don’t realize the risks associated with installing third-party extensions. Johannes Ullrich from the SANS Institute explains that even seemingly harmless extensions can access and modify a developer’s code without warning. Since extension marketplaces don’t always have strict oversight, malicious code can slip through.
David Shipley from Beauceron Security emphasizes that this is a systemic issue. Cybercriminals and nation-states are exploiting the ecosystem of software supply chains, making it crucial for organizations to adopt better security practices. He recommends embedding security into the development process, educating developers on best practices, and considering legal measures to hold bad actors accountable.
Understanding Extensions and Themes in Visual Studio Code
Extensions add new features to Visual Studio Code, such as debuggers, new languages, or tools to improve productivity. Themes, meanwhile, change the appearance of the editor by adjusting colors and fonts. Both are available in the VSCode Marketplace, which makes browsing and installing them easy.
However, the Wiz report points out that even themes, which are generally safer because a pure theme is just JSON and runs no code, can still carry risk: nothing prevents a package labeled as a theme from also shipping executable extension code, so the attack surface is larger than the label suggests. Install extensions and themes only from publishers you trust.
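Whether a package can run code at all is visible in its manifest: VS Code only loads and executes an extension that declares a main or browser entry point, while a pure theme just contributes JSON under contributes.themes. The check below is an added example for this page, not code from Wiz or from VS Code; it classifies a package.json and flags the combination the paragraph above warns about. The two sample manifests are constructed for the example and do not describe any real extension.

```python
import json

# Manifest fields that make VS Code load and execute the extension's code.
# A pure theme needs neither; it only contributes JSON under contributes.themes.
CODE_ENTRY_FIELDS = ("main", "browser")
THEME_ONLY_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def classify_manifest(manifest_json: str) -> dict:
    """Summarise whether an extension manifest (package.json) can run code.

    The "suspicious" flag marks an extension that presents itself purely as
    a theme yet declares an executable entry point.
    """
    manifest = json.loads(manifest_json)
    contributes = manifest.get("contributes") or {}
    entry_points = [f for f in CODE_ENTRY_FIELDS if manifest.get(f)]
    activation = manifest.get("activationEvents") or []
    looks_like_theme = (
        "themes" in contributes
        and set(contributes) <= THEME_ONLY_CONTRIBUTIONS
    )
    return {
        "name": manifest.get("name"),
        "looks_like_theme": looks_like_theme,
        "runs_code": bool(entry_points),
        "entry_points": entry_points,
        # "*" is the real VS Code event meaning "activate on startup".
        "activates_on_startup": "*" in activation,
        "suspicious": looks_like_theme and bool(entry_points),
    }


# Constructed sample manifests (not taken from any real extension).
PURE_THEME = json.dumps({
    "name": "calm-dark",
    "version": "1.0.0",
    "contributes": {
        "themes": [{"label": "Calm Dark", "uiTheme": "vs-dark", "path": "./themes/calm-dark.json"}]
    },
})

THEME_WITH_CODE = json.dumps({
    "name": "calm-dark-pro",
    "version": "1.0.0",
    "main": "./out/extension.js",
    "activationEvents": ["*"],
    "contributes": {
        "themes": [{"label": "Calm Dark Pro", "uiTheme": "vs-dark", "path": "./themes/calm-dark.json"}]
    },
})

if __name__ == "__main__":
    for manifest in (PURE_THEME, THEME_WITH_CODE):
        print(classify_manifest(manifest))
```

One caveat when reading the activation field: since VS Code 1.74 activation events are generated implicitly from contributions such as commands, so an absent activationEvents list does not prove an extension never activates. The presence of main or browser is the reliable signal that code will run.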
Other Recent Findings and Ongoing Threats
While Wiz found no evidence that organizations had been directly compromised through these specific leaks, the threat is active. Security firm Koi Security recently uncovered malicious extensions in the same marketplaces with more than 17,000 downloads between them. Such extensions can steal source code, mine cryptocurrency, or fetch and execute remote scripts.
Wiz’s investigation also shows that attackers can inflate install counts to make malicious extensions look popular and trustworthy, which removes popularity as a useful signal for users trying to spot threats. This makes careful extension management and security awareness among developers all the more important.
In summary, the Wiz report underscores the importance of stripping secrets from packages before publishing, keeping credentials out of source and configuration files, and maintaining vigilance when using open marketplaces. As the ecosystem grows, so do the risks, and both developers and organizations need to stay alert and proactive in safeguarding their projects.