Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks
Oct 15, 2025
Software Supply Chain / Malware
New research has uncovered that publishers of over 100 Visual Studio Code (VS Code) extensions leaked access tokens that could be exploited by bad actors to update the extensions, posing a critical software supply chain risk.

"A leaked VS Code Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base," Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. "An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base."

The cloud security firm noted that in many cases publishers failed to account for the fact that VS Code extensions, while distributed as .vsix files, can be unzipped and inspected, exposing hard-coded secrets embedded into them.

In all, Wiz said it found over 550 validated secrets, distributed across more than 500 extensions from hundreds of distinct publishers....
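As an added example (not code from Wiz's report or its tooling), the check below treats a .vsix as the zip archive it is and flags hard-coded publishing tokens before an extension is shipped. The archive contents and the token value are constructed for illustration; VSCE_PAT and OVSX_PAT are the environment variable names the vsce and ovsx publishing CLIs read, and the broader key pattern is an assumption about how such values tend to be named.

```python
import io
import math
import re
import zipfile

# Key names that typically hold publishing tokens (vsce reads VSCE_PAT, ovsx reads OVSX_PAT),
# plus a generic catch for TOKEN/SECRET/PAT-style assignments. The value must be 20+ token chars.
KEY_PATTERN = re.compile(
    r'(?i)\b(VSCE_PAT|OVSX_PAT|[A-Z_]*(?:TOKEN|SECRET|PAT))\b\s*[:=]\s*["\']?([A-Za-z0-9_\-]{20,})'
)
# Members of the archive worth scanning as text; binaries and images are skipped.
TEXT_SUFFIXES = (".js", ".json", ".ts", ".env", ".yml", ".yaml", ".txt", ".md")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens sit well above prose or placeholders."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_vsix(data: bytes, min_entropy: float = 3.5) -> list[tuple[str, str, str]]:
    """Open a .vsix (a plain zip) and return (member, key, value) for suspected hard-coded tokens."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if not member.endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(member).decode("utf-8", errors="ignore")
            for key, value in KEY_PATTERN.findall(text):
                # The entropy filter drops placeholders such as "xxxxxxxx..." in docs.
                if shannon_entropy(value) >= min_entropy:
                    findings.append((member, key, value))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample archive: a clean manifest, a README placeholder, and one real leak."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension/package.json", '{"name": "demo-ext", "publisher": "example"}')
        zf.writestr("extension/dist/extension.js",
                    'const cfg = { VSCE_PAT: "q7Gk2mXp9LsB4vTz8wRe1nYc6hJd3fAu0oIbMkP5" };')
        zf.writestr("extension/README.md",
                    "Set VSCE_PAT=xxxxxxxxxxxxxxxxxxxxxxxxxx before running vsce publish.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, key, value in scan_vsix(build_sample_vsix()):
        print(f"{member}: {key} = {value[:6]}... (hard-coded token, revoke and rotate)")
```

Running this against a real package means reading the .vsix from disk instead of building one; a hit means the token is already public to anyone who downloads the extension, so revoking it matters more than deleting the file.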