Flaws in four popular VS Code extensions left 128 million installs open to attack

Summary

OX Security discovered critical- and high-severity vulnerabilities in four popular VS Code extensions with a combined 128 million installations. The flaws could allow an attacker to steal files, execute code remotely, and perform reconnaissance of the developer's local network. Because the vulnerable code ships inside legitimate, widely trusted extensions rather than in malicious ones, checks aimed at spotting malicious extensions will not flag it. The same flaws also affect AI-powered IDEs that are built on VS Code and load its extensions.

IFF Assessment

FOE

The vulnerabilities in popular VS Code extensions expose developers to significant risks like file theft and remote code execution.

Severity

9.8 Critical (AI Estimated)

Defender Context

Developers and security teams should treat VS Code extensions as part of the software supply chain, even when they are popular and come from reputable publishers. Keep an inventory of what is installed (including in VS Code-derived AI IDEs, which load the same extensions), apply extension updates promptly, remove extensions that are no longer needed, and watch for unexpected behaviour from the editor process such as new network listeners or unexplained outbound connections. The steady stream of vulnerabilities in widely used developer tools shows that supply chain security has to cover the tooling on developer workstations, not only the dependencies of the code being built.
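The inventory and update checks described above, as an added example that is not code from the original article or from OX Security. It reads the standard on-disk layout of installed extensions (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`), keeps the newest folder when several versions of one extension linger, skips unreadable manifests, and compares each extension against a minimum-version table. The table, the extension names and the sample directory are constructed placeholders; the article does not name the affected extensions, so the real values must come from the vendors' advisories.

```python
"""Inventory installed VS Code extensions and flag versions below a required minimum.

Added example; not code from the original article or from OX Security.
Assumes the standard layout ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
MINIMUM_VERSIONS and the sample directory are placeholders for demonstration.
"""
import json
import os
import tempfile
from pathlib import Path


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); a pre-release suffix is dropped, so '1.2.3-beta' -> (1, 2, 3)."""
    parts = []
    for piece in text.split("-", 1)[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inventory(extensions_dir):
    """Return {publisher.name: version} for every extension folder that has a package.json."""
    found = {}
    for pkg in Path(extensions_dir).glob("*/package.json"):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        publisher, name, version = meta.get("publisher"), meta.get("name"), meta.get("version")
        if not (publisher and name and version):
            continue
        ident = f"{publisher}.{name}".lower()
        # Keep the newest folder when an older version was left behind after an update.
        if ident not in found or parse_version(version) > parse_version(found[ident]):
            found[ident] = version
    return found


def audit(installed, minimum_versions):
    """Return sorted (id, installed_version, required_version) for extensions below the minimum."""
    findings = []
    for ident, required in minimum_versions.items():
        current = installed.get(ident.lower())
        if current is not None and parse_version(current) < parse_version(required):
            findings.append((ident.lower(), current, required))
    return sorted(findings)


def build_sample_dir():
    """Create a throwaway extensions directory with constructed sample manifests."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    sample = {
        "examplepub.helper-1.4.0": ("examplepub", "helper", "1.4.0"),
        "examplepub.helper-1.3.2": ("examplepub", "helper", "1.3.2"),  # stale leftover folder
        "otherpub.tool-2.0.1": ("otherpub", "tool", "2.0.1"),
    }
    for folder, (pub, name, ver) in sample.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(
            json.dumps({"publisher": pub, "name": name, "version": ver}), encoding="utf-8"
        )
    (root / "broken.ext-0.0.1").mkdir()
    (root / "broken.ext-0.0.1" / "package.json").write_text("{not json", encoding="utf-8")
    return root


# Placeholder table; populate from the vendors' advisories for the real extensions.
MINIMUM_VERSIONS = {"examplepub.helper": "1.5.0", "otherpub.tool": "2.0.0"}

if __name__ == "__main__":
    # Point VSCODE_EXT_DIR at a real extensions directory; otherwise the constructed sample is used.
    ext_dir = os.environ.get("VSCODE_EXT_DIR") or build_sample_dir()
    installed = inventory(ext_dir)
    for ident, ver in sorted(installed.items()):
        print(f"{ident} {ver}")
    for ident, current, required in audit(installed, MINIMUM_VERSIONS):
        print(f"OUTDATED {ident}: {current} < {required}")
```

Run it with `VSCODE_EXT_DIR` set to the extensions directory of each editor in use (VS Code and any VS Code-based AI IDE keep their own directory), and feed the findings into whatever ticketing or patching process the team already uses.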
