Snyk uncovers supply chain security vulnerabilities in Visual Studio Code extensions

submitted by
Style Pass
2021-06-07 17:30:04

We have been witnessing an ever-growing number of supply chain security incidents in the wild: everything from security flaws in open source package managers being exploited, to continuous integration systems being compromised, to software artifacts being backdoored. And now, those incidents are starting to extend to the place where developers spend most of their time: their integrated development environment, and specifically the Visual Studio Code IDE.

Until recently, no security vulnerabilities had been discovered in VS Code extensions, creating a sense of security for millions of developers. But now, Snyk has discovered and disclosed vulnerabilities that pose a real and imminent threat to developers who use these extensions and then interact with a malicious actor. The potential compromise is so severe that remote code execution on a developer’s machine is possible simply by tricking the developer into clicking a link.

This new VS Code extensions supply chain security threat has the potential to become a new attack playground, potentially impacting over 2,000,000 developers. Let’s take a deeper look.
