Oct 15, 2025 • Wiz Security Research
Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
Executive Summary
Wiz Research identified a significant supply chain security risk in Visual Studio Code extension marketplaces: more than 550 exposed secrets, including credentials and API keys, embedded in publicly available extensions. Because an extension's contents can be downloaded by anyone, those secrets are readable by anyone, and their exposure poses a critical threat to the developers and organizations that use the extensions, potentially allowing unauthorized access to internal systems and cloud resources. Microsoft worked with Wiz to remediate the findings and remove the extensions that leaked them. The incident illustrates how pervasive secret leakage is in third-party software supply chains. Organizations should audit installed extensions for hardcoded secrets and adopt robust secret management practices; marketplace vendors should enforce stricter secret scanning on submissions to prevent future exposures. No specific threat actor was attributed, but the ready availability of these secrets significantly lowers the barrier for opportunistic attackers to compromise development environments and downstream infrastructure.
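One way to carry out the extension audit recommended above, as an added example that is not Wiz's or Microsoft's tooling: the script below walks a VS Code extension directory (assumed to be the default ~/.vscode/extensions, overridable through a hypothetical VSCODE_EXT_DIR variable), applies a few illustrative token-format regexes plus an entropy-filtered generic rule, and prints redacted findings. The extension tree built in demo() is constructed sample data using AWS's documented example key pair and made-up tokens; the regexes and the 3.5-bit entropy threshold are tuning assumptions, not a complete ruleset.

```python
"""Audit locally installed VS Code extensions for hardcoded secrets.

Added example; not Wiz's or Microsoft's scanner. Assumptions: the default
extension directory is ~/.vscode/extensions, the regexes below are
illustrative, and the entropy threshold is a tuning choice.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative patterns for well-known token formats. Assumption: a real
# audit would plug in a maintained secret-scanning ruleset instead.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a secret-looking identifier assigned a long quoted string.
# A match is kept only when the value's Shannon entropy is high enough,
# which drops placeholders such as "xxxxxxxx..." or repeated characters.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|credential)[A-Za-z0-9_]*"
    r"\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
)
MIN_ENTROPY = 3.5  # bits per character; tuning assumption

TEXT_EXTS = {".js", ".cjs", ".mjs", ".ts", ".json", ".yml", ".yaml", ".txt", ".md"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough of a hit to triage it without reproducing the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_file(path: Path, root: Path) -> list[dict]:
    """Return one finding per distinct (line, value) that trips a rule."""
    findings, seen = [], set()
    rel = path.relative_to(root)
    ext_name = rel.parts[0]  # top-level directory, e.g. publisher.name-1.2.3
    with path.open("r", encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, start=1):
            hits = [(rule, m.group(0)) for rule, rx in PATTERNS.items() for m in rx.finditer(line)]
            hits += [("generic_high_entropy", m.group(1)) for m in GENERIC.finditer(line)
                     if shannon_entropy(m.group(1)) >= MIN_ENTROPY]
            for rule, value in hits:
                key = (lineno, value)
                if key in seen:  # a specific-format rule already claimed this value
                    continue
                seen.add(key)
                findings.append({"extension": ext_name, "file": str(rel), "line": lineno,
                                 "rule": rule, "sample": redact(value)})
    return findings


def scan_extensions(root: Path) -> list[dict]:
    """Walk every extension directory under root and scan its text files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix.lower() in TEXT_EXTS or path.name == ".env"):
            findings.extend(scan_file(path, root))
    return findings


def demo() -> list[dict]:
    """Build a constructed extension tree and scan it (sample data, not real)."""
    tmp = Path(tempfile.mkdtemp())
    leaky = tmp / "example.leaky-ext-1.0.0"
    leaky.mkdir()
    # AWS's documented example key pair (not a live credential) plus a made-up API key.
    (leaky / "extension.js").write_text(
        'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", '
        'secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" });\n'
        'const apiKey = "Q7vJ3pL9xR2mW8kT4nB6yH1c";\n'
    )
    (leaky / ".env").write_text(
        'GITHUB_TOKEN="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"\n'  # constructed, not real
        'PASSWORD="aaaaaaaaaaaaaaaaaaaaaaaa"\n'                       # low entropy: not reported
    )
    clean = tmp / "example.clean-ext-2.3.1"
    clean.mkdir()
    (clean / "README.md").write_text("No secrets here. Set API_KEY in your environment.\n")
    return scan_extensions(tmp)


if __name__ == "__main__":
    root = Path(os.environ.get("VSCODE_EXT_DIR", Path.home() / ".vscode" / "extensions"))
    results = scan_extensions(root) if root.is_dir() else demo()
    for f in results:
        print(f"{f['extension']}: {f['file']}:{f['line']} [{f['rule']}] {f['sample']}")
```

Treat a hit as a lead, not a verdict: specific-format rules take precedence over the generic one when both match the same value, and the entropy filter suppresses placeholders but will also hide short or low-entropy real secrets, so extensions that visibly handle credentials deserve a manual look as well. Anything confirmed should be revoked and rotated, not merely removed from disk.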
Summary
Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.