Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs
Summary
Security researchers have identified critical vulnerabilities in four widely used VS Code extensions, among them Live Server, Code Runner and Markdown Preview Enhanced. The flaws could let an attacker exfiltrate local files and achieve remote code execution on the developer's machine. Together the affected extensions have more than 125 million installs.
IFF Assessment
Extensions run with the same privileges as the editor process, so a flaw in a popular extension exposes the developer workstation, its source trees and any credentials stored there to whatever content the extension handles. The scale of the install base makes these extensions an attractive supply-chain target.
Severity
Defender Context
The discovery of critical vulnerabilities in VS Code extensions underscores the importance of supply-chain security for developer tools. Defenders should inventory their environments for the named extensions, update them where a fixed version is available, and remove or disable them where patching is not immediately possible. Monitoring for unusual file access or process creation originating from VS Code processes is essential, bearing in mind that Code Runner launches interpreters and shells by design, so establish a baseline of normal activity before alerting on it.
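The inventory step above can be scripted against the VS Code CLI, which prints installed extensions as `publisher.name@version` with `code --list-extensions --show-versions`. The following helper is an added example, not code from the advisory or from the extension authors; the Marketplace IDs it matches are taken from the three extensions named on this page and should be verified against the Marketplace listings before use, and the fourth extension is not named here so it is not included.

```shell
#!/bin/sh
# Added example: triage helper for the VS Code extensions named in this advisory.
# Not code from the advisory or from the extension authors.

# Marketplace IDs (publisher.name) of the three extensions named on the page.
# Assumed from the Marketplace listings; verify before relying on them.
AFFECTED_IDS="ritwickdey.LiveServer formulahendry.code-runner shd101wyy.markdown-preview-enhanced"

# Reads the output of `code --list-extensions --show-versions` on stdin
# (one "publisher.name@version" per line) and prints every line whose ID
# is in AFFECTED_IDS. Returns 0 if at least one affected extension was found,
# 1 otherwise, so it can drive a conditional in a fleet-wide check.
find_affected_extensions() {
    found=1
    while IFS= read -r line; do
        # Strip the "@version" suffix to get the bare extension ID.
        id=${line%%@*}
        # Compare case-insensitively: IDs are case-insensitive on the
        # Marketplace and the CLI output casing varies by extension.
        lc_id=$(printf '%s' "$id" | tr 'A-Z' 'a-z')
        for affected in $AFFECTED_IDS; do
            lc_affected=$(printf '%s' "$affected" | tr 'A-Z' 'a-z')
            if [ "$lc_id" = "$lc_affected" ]; then
                printf '%s\n' "$line"
                found=0
            fi
        done
    done
    return $found
}

# Prints the `code --uninstall-extension` commands that would remove every
# affected extension found in the list on stdin, without running them, so an
# operator can review before acting.
print_removal_commands() {
    find_affected_extensions | while IFS= read -r line; do
        printf 'code --uninstall-extension %s\n' "${line%%@*}"
    done
}

# Usage on a workstation (commented out so the file can be sourced by tests):
# code --list-extensions --show-versions | find_affected_extensions \
#     && echo "affected extensions present" || echo "none found"
# code --list-extensions --show-versions | print_removal_commands
```

Run the check on each developer machine, or have a fleet-management job collect the `--list-extensions` output centrally and pipe it through `find_affected_extensions`. Removal via `code --uninstall-extension` is a stopgap until a fixed version is published; reinstalling from the Marketplace once an update lands restores the functionality.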