Recent research has revealed that over 100 Visual Studio Code (VS Code) extensions have inadvertently exposed access tokens, creating significant software supply chain vulnerabilities. These leaked tokens could be exploited by malicious actors to distribute harmful updates to a vast user base.
Rami McCarthy, a security researcher at Wiz, highlighted the severity of the issue:
A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base. An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base.
The problem arises from publishers embedding hard-coded secrets within their extensions. VS Code extensions are distributed as .vsix files, which can be unzipped and inspected, revealing these embedded secrets.
Wiz’s investigation uncovered over 550 validated secrets across more than 500 extensions from various publishers. These secrets encompass 67 distinct types, including:
– AI Provider Secrets: Credentials related to services like OpenAI, Gemini, Anthropic, XAI, DeepSeek, Hugging Face, and Perplexity.
– Cloud Service Provider Secrets: Access tokens for platforms such as Amazon Web Services (AWS), Google Cloud, GitHub, Stripe, and Auth0.
– Database Secrets: Credentials for databases like MongoDB, PostgreSQL, and Supabase.
Notably, over 100 extensions leaked VS Code Marketplace PATs, affecting more than 85,000 installations. Additionally, 30 extensions with a combined install base exceeding 100,000 were found to expose Open VSX Access Tokens. A significant portion of these vulnerable extensions are themes.
The integration of Open VSX into AI-powered VS Code forks, such as Cursor and Windsurf, amplifies the potential attack surface. Extensions leaking access tokens in these environments could have far-reaching consequences.
In one alarming instance, Wiz identified a VS Code Marketplace PAT that could have been exploited to push targeted malware to the workforce of a Chinese corporation with a market capitalization of $30 billion. This underscores that the issue extends beyond public extensions to internal or vendor-specific ones used within organizations.
Upon responsible disclosure to Microsoft in late March and April 2025, the company revoked the compromised PATs. Microsoft also announced the implementation of secret scanning capabilities to detect and block extensions containing verified secrets, notifying developers when such issues are identified.
Recommendations for VS Code Users:
– Limit Installed Extensions: Reduce the number of extensions to minimize potential vulnerabilities.
– Scrutinize Extensions Before Installation: Evaluate the credibility and necessity of extensions prior to downloading.
– Assess Auto-Update Settings: Weigh the benefits and risks of enabling automatic updates for extensions.
Recommendations for Organizations:
– Develop an Extension Inventory: Maintain a comprehensive list of approved extensions to facilitate swift responses to security reports.
– Implement a Centralized Allowlist: Establish a controlled list of permitted extensions to enhance security.
Wiz emphasized the broader implications:
The issue highlights the continued risks of extensions and plugins, and supply chain security in general. It continues to validate the impression that any package repository carries a high risk of mass secrets leakage.
Emerging Threat: TigerJack’s Malicious Extensions
In a related development, Koi Security disclosed details about a threat actor known as TigerJack. Since early 2025, TigerJack has published at least 11 seemingly legitimate yet malicious VS Code extensions under various publisher accounts. These extensions are designed to:
– Steal Source Code: Exfiltrate developers’ proprietary code.
– Mine Cryptocurrency: Utilize system resources for unauthorized cryptocurrency mining.
– Establish Remote Backdoors: Create unauthorized access points for complete system control.
This coordinated campaign underscores the necessity for developers and organizations to remain vigilant about the extensions they use and to implement robust security measures to protect their development environments.
