Devs are writing VS Code extensions that blab secrets by the bucketload


Vibe coding may have played a role in what took researchers months to fix

Developers of VS Code extensions are leaking sensitive secrets left, right and center, according to researchers who worked with Microsoft to combat an issue that could have led to some nasty supply chain attacks.

By "secrets," security folk typically mean things such as access and authorization tokens, credentials, API and/or encryption keys, certificates, and the like. More than 100 of the 550-plus secrets they found would have given attackers access to update the extension itself, and given that VS Code auto-updates extensions, the potential for a supply chain attack was dangerously high.

Wiz said that after finding the issues, particularly those which leaked personal access tokens for updating the extension, its researchers could have

While many might think these would be more benign than other extensions, as they don't introduce any code into projects, there's nothing to prevent themes from introducing malware. More notable cases that could have allowed attackers to push extension updates included what Wiz referred to as a "$30 billion market cap Chinese megacorp," which published an internal extension only meant for company employees.

Before publishing the research on Wednesday, Microsoft implemented secrets-scanning across Visual Studio Marketplace and now blocks extensions that leak this sensitive data.

Given that VS Code is by far the world's most popular integrated developer environment, and considering the rise of AI-focused forks like

Developers of the affected extensions have all been contacted by Wiz and Microsoft: the former dealt with those at the highest risk while the latter cleaned up the rest. Microsoft will also be working with extension devs to ensure sanitized versions are the only ones available to users after scanning all existing extensions for exposed secrets.

"The issue highlights the continued risks of extensions and plugins, and supply chain security in general," said McCarthy. "It continues to validate the impression that any package repository carries a high risk of mass secrets leakage.

"It also reflects our findings that AI secrets are a large part of the modern secrets leakage landscape, and indicates the role

"Finally, our work with Microsoft highlights the role that responsible platforms can play in protecting the ecosystem. We are grateful to Microsoft for the partnership and working to protect customers together. Without their willingness to lean in here, it would have been impossible to scale disclosure and remediation."
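The secrets-scanning that Microsoft now runs on the Marketplace is the kind of check an extension author can also run locally before publishing. The script below is an added example for this article, not Wiz's or Microsoft's scanner: it treats a .vsix as the zip archive it is, walks the text-like entries, and flags strings matching a few well-known token shapes plus long high-entropy runs that prefix rules would miss. The rule set is a deliberately small illustrative subset, and the sample package it builds is constructed for the demo, with a fake publish token and AWS's documented example key id planted in it.

```python
"""Pre-publish secrets check for a VS Code extension package.

A .vsix is a zip archive, so the scan walks its entries, reads the text-like
files, and flags (a) strings matching a few well-known token formats and
(b) long high-entropy runs that prefix rules would miss. This is an added
example, not Wiz's or Microsoft's Marketplace scanner; the rule set is a
small illustrative subset and the sample package below is constructed, with
fake tokens planted for the demo.
"""
import io
import json
import math
import re
import zipfile

# Illustrative prefix rules for token formats with a fixed, recognisable shape.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# Generic fallback: any long run of key-like characters, judged by entropy.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; random base64-ish text sits near 5-6

# Text-like entries worth scanning; binary assets are skipped to avoid noise.
SCANNED_SUFFIXES = (".js", ".ts", ".json", ".env", ".yml", ".yaml",
                    ".vsixmanifest", ".txt", ".md")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return findings for one file: rule name, file path and matched string."""
    findings = []
    for rule, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"file": path, "rule": rule, "match": m.group(0)})
    known = {f["match"] for f in findings}  # avoid double-reporting prefix hits
    for m in CANDIDATE.finditer(text):
        s = m.group(0)
        if s not in known and shannon_entropy(s) >= ENTROPY_THRESHOLD:
            findings.append({"file": path, "rule": "high_entropy", "match": s})
    return findings


def scan_vsix(data: bytes) -> list:
    """Scan every text-like entry of an in-memory .vsix (zip) archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(SCANNED_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            findings.extend(scan_text(info.filename, text))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed demo package: a clean manifest plus two files with planted fakes."""
    files = {
        "extension.vsixmanifest": '<PackageManifest Version="2.0.0"><Metadata>'
                                  '<Identity Id="demo-theme" Version="1.0.0" '
                                  'Publisher="demo-publisher"/></Metadata></PackageManifest>',
        "extension/package.json": json.dumps({"name": "demo-theme", "version": "1.0.0",
                                              "publisher": "demo-publisher",
                                              "main": "./out/extension.js"}),
        # Fake publish token hard-coded in source (constructed, not a real credential).
        "extension/out/extension.js": 'const PAT = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";\n',
        # AWS's documented example key id, left behind in a bundled .env file.
        "extension/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['file']}: {f['rule']} -> {f['match'][:8]}...")
```

Run against a real package with `scan_vsix(open("my-extension.vsix", "rb").read())`. The entropy fallback is what catches tokens with no recognisable prefix, but it also needs the suffix filter: minified bundles and source maps are full of long random-looking identifiers, so a scanner without that filter drowns in false positives and gets switched off, which is how secrets reach a marketplace in the first place.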

Source: The Register


