Full Report
Vibe coding may have played a role in what took researchers months to fix Developers of VS Code extensions are leaking sensitive secrets left, right and center, according to researchers who worked with Microsoft to combat an issue that could have led to some nasty supply chain attacks.…
Analysis Summary
# Vulnerability: Mass Secret Leakage in VS Code Extensions
## CVE Details
- CVE ID: Not explicitly provided in the article.
- CVSS Score: Not explicitly provided in the article.
- CWE: Not stated in the article. The closest fits are CWE-798 (Use of Hard-coded Credentials) and CWE-540 (Inclusion of Sensitive Information in Source Code), since the secrets were shipped in plain text inside the published extension packages.
## Affected Systems
- Products: VS Code Extensions published on the Visual Studio Marketplace and the Open VSX marketplace.
- Versions: Not listed. The research covered the versions published on the marketplaces at the time of the study; any version that shipped with the embedded secrets is affected.
- Configurations: Extensions that contained hardcoded sensitive secrets (tokens, keys, credentials).
## Vulnerability Description
Researchers examined more than 500 VS Code extensions and found over 550 secrets embedded in plain text in the published packages (a .vsix archive is an ordinary zip file, so anyone who downloads an extension can read its contents). The article suggests that AI-assisted "vibe coding" may have contributed to the leaks. The secrets fell into 67 categories, dominated by credentials and tokens for cloud and developer platforms (AWS, GCP, Auth0, GitHub) and for databases (MongoDB, Postgres). Most seriously, more than 100 of them were Personal Access Tokens (PATs) with permission to **publish new versions of the extension itself**. Because VS Code installs extension updates automatically by default, whoever holds such a token can push a malicious version to every user of that extension. This applies to theme extensions as well: a theme contributes no code of its own and is usually treated as harmless, but a leaked publish token lets an attacker ship an update that does run code.
## Exploitation
- Status: **No exploitation in the wild is reported** in the article. The finding is exposure, but the leaked publish tokens made a **supply chain attack straightforward** for anyone who found them first.
- Complexity: **Low to Medium**. The packages are publicly downloadable and the secrets sit in plain text, so discovery needs nothing more than unpacking the archive and scanning it; a publish-scoped PAT then requires no further access to ship a malicious update.
- Attack Vector: Network. The attacker downloads the published .vsix from the marketplace, extracts the secret, and uses it against the cloud service, the database, or the marketplace publishing API it belongs to.
## Impact
- Confidentiality: **High** (Exposure of API keys, tokens, and credentials for major cloud and database platforms).
- Integrity: **High** (Ability for an attacker to push malicious updates to extensions used by up to 150,000 users in one instance, leading to supply chain compromise).
- Availability: **Medium** (If supply chain attacks are successful, widespread disruption could occur).
## Remediation
### Patches
- Microsoft implemented secrets scanning across the Visual Studio Marketplace and began blocking extensions that leaked data on September 22nd (prior to the article's publication date).
- Affected developers are working with Microsoft to ensure only sanitized versions of their extensions remain available. Note that removing a secret from the package does not revoke it: every exposed credential and token also has to be rotated at the issuing service, since the old package versions have already been downloaded.
### Workarounds
- The secrets are embedded by the extension publisher, so users cannot fix the packages themselves. The realistic options are to uninstall a suspected extension or, if it is needed, to pin it to a known version and disable automatic extension updates (the `extensions.autoUpdate` setting) until a sanitized release is available, because the auto-update path is what turns a leaked publish token into a supply chain attack.
- Users of an extension whose publisher was contacted should install the sanitized version once it is released and can then re-enable updates. Rotating the leaked credentials is the publisher's job; users cannot verify it from the package alone.
## Detection
- Indicators of Compromise: None are listed in the article. Practical signals are use of the leaked credentials from unfamiliar sources in the owning service's audit logs (for example AWS CloudTrail, the GitHub audit log, or database authentication logs), marketplace publish events the developer did not initiate, and, on the user side, extension version bumps that the publisher did not announce.
- Detection methods and tools: Microsoft now employs secrets scanning infrastructure across its marketplace to automatically block future leaky submissions.
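The marketplace-side scanning described above can be reproduced locally for any extension you already have or can download, which is also the check a developer should run before publishing. The following is an added example, not the Wiz research tooling or Microsoft's scanner: it treats a .vsix as the zip archive it is, scans the text members for a few well-known secret formats plus a keyword-and-entropy heuristic for prefix-less tokens such as Marketplace PATs, reads `extension/package.json` to flag theme-only extensions (the case the article calls out), and redacts what it finds. The sample package, its file names and all credential values are constructed for the demonstration; the AWS key is AWS's documented example key.

```python
"""Offline scan of a .vsix package (a zip archive) for embedded secrets.

Added example, not the research tooling or Microsoft's marketplace scanner.
The AWS, GitHub and connection-string patterns are public formats; the
keyword heuristic, its entropy threshold and the sample package below are
constructed assumptions for this demonstration.
"""
import io
import json
import math
import re
import zipfile
from collections import Counter

# Distinctive formats first. The last entry is a context heuristic: a
# credential-like key name assigned a long opaque value. It is what catches
# tokens with no recognisable prefix, such as Marketplace / Azure DevOps PATs.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s\"'<>]+:[^\s\"'<>]+@[^\s\"'<>]+"),
    "postgres_uri": re.compile(r"postgres(?:ql)?://[^\s\"'<>]+:[^\s\"'<>]+@[^\s\"'<>]+"),
    "keyword_assignment": re.compile(
        r"(?i)(?:token|secret|api[_-]?key|pat|password)\b[\"']?\s*[:=]\s*[\"']?"
        r"([A-Za-z0-9_\-./+=]{20,})"
    ),
}
# Only text-like members are scanned; a fuller scanner would also look at bundles.
TEXT_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts", ".json", ".env", ".yml", ".yaml", ".md", ".txt")


def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders such as 'replace_me' score low."""
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to correlate with a rotation ticket."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Heuristic hits need entropy to separate real tokens from placeholders.
                if kind == "keyword_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"file": path, "line": lineno, "type": kind, "value": redact(value)})
    return findings


def scan_vsix(vsix_bytes: bytes) -> dict:
    """Walk the archive, parse extension/package.json, scan the text members."""
    manifest, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if info.filename == "extension/package.json":
                manifest = json.loads(data.decode("utf-8", "replace"))
            if info.filename.lower().endswith(TEXT_EXTENSIONS):
                findings.extend(scan_text(info.filename, data.decode("utf-8", "replace")))
    # A theme contributes no code of its own, yet a publish-scoped token in its
    # package lets whoever holds it ship a version that does.
    contributes = manifest.get("contributes", {})
    theme_only = bool(contributes) and set(contributes) <= {"themes", "iconThemes", "productIconThemes"}
    return {"publisher": manifest.get("publisher"), "name": manifest.get("name"),
            "theme_only": theme_only, "findings": findings}


def build_sample_vsix() -> bytes:
    """Constructed sample: a colour theme whose release script and .env were
    packaged by mistake. Every value is fake; the PAT-shaped string is random."""
    manifest = {"name": "example-theme", "publisher": "example-publisher", "version": "1.0.0",
                "contributes": {"themes": [{"label": "Example Dark", "path": "./themes/dark.json"}]}}
    members = {
        "extension/package.json": json.dumps(manifest),
        "extension/themes/dark.json": json.dumps({"colors": {"editor.background": "#1e1e1e"}}),
        "extension/scripts/release.js":
            "const VSCE_PAT = 'h7q2m9x4v1zb8c6ksn3wgt5yrd0pfja2lue9qo4xc7tm1vz8bnk6';\n"
            "require('child_process').execSync(`vsce publish -p ${VSCE_PAT}`);\n",
        "extension/.env":
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "API_KEY=replace_me_replace_me_replace_me\n",  # placeholder, must not be flagged
        "extension/src/db.js":
            "const uri = 'mongodb+srv://admin:Sup3rS3cretPw@cluster0.example.net/app';\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_vsix(build_sample_vsix())
    print(f"{report['publisher']}.{report['name']} theme_only={report['theme_only']}")
    for f in report["findings"]:
        print(f"  {f['type']:<20} {f['file']}:{f['line']}  {f['value']}")
```

Run against a real package by replacing `build_sample_vsix()` with the bytes of a downloaded .vsix. The `.env` and release-script members in the sample are the typical way secrets end up in a package: files that exist in the repository for local use and are not excluded by `.vscodeignore` at packaging time. Anything the scanner reports should be treated as already exposed and rotated, not merely deleted from the next release.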
## References
- Vendor advisories: No formal advisory is cited. Microsoft announced marketplace secret scanning in August and began enforcing it on September 22nd.
- Relevant links - defanged: hxxps://www[.]wiz[.]io/blog/supply-chain-risk-in-vscode-extension-marketplaces