Threat actors are spreading malicious extensions via VS marketplaces

Careless developers publishing Visual Studio extensions to two open marketplaces have been including access tokens and other secrets that can be exploited by threat actors, a security vendor has found.

The discovery was made earlier this year by researchers at Wiz, who quietly worked with Microsoft and its VSCode Marketplace as well as those behind the OpenVSX marketplace to improve guardrails in their platforms. It released a report on its investigation this week.

Wiz found over 550 validated secrets, distributed across more than 500 extensions from hundreds of VS extension publishers. They included AI provider secrets for platforms such as OpenAI, Gemini, Anthropic, xAI, DeepSeek, HuggingFace, and Perplexity; high risk profession platform secrets for AWS, Github, Stripe, Auth0, and Google Cloud Platform; and database secrets for MongoDB, Postgres, and Supabase.

Over 100 valid leaked Azure DevOps Personal Access Tokens were identified within VSCode Marketplace extensions. Together, they represented an install base of over 85,000 extension installs. 

Over thirty leaked OVSX access tokens were identified, within either VSCode Marketplace or OVSX extensions. Together they represented over 100,000 extension installs.

The largest contributor to secrets leakage was the bundling by developers of hidden files, also known as dotfiles, says the report. The quantity of .env files was especially prominent, although hardcoded credentials in extension source code were also prevalent. 

Over the course of the Wiz investigation, researchers saw an increase in secrets leaking via AI-related configuration files, including config.json, mcp.json; and.cursorrules. Other common sources included build configurations (for example, package.json) and documentation such as README.md. 

Microsoft and Wiz launched a notification campaign to alert impacted publishers and help them address these vulnerabilities. Microsoft also integrated secrets scanning capabilities prior to publication of extensions into its marketplace, and now blocks extensions with verified secrets, notifying extension owners when secrets are detected. Details are in a June announcement.

OpenVSX is also adding a prefix (ovsxp_) to its tokens. 

“We found that publishers often failed to consider that everything in the package was publicly available, or failed to successfully sanitize their extensions of hardcoded secrets,” Wiz said in its report. 

Worse, some threat actors realized there was an opportunity to take advantage of these marketplaces to poison the extension supply chain, just as they have in recent years been trying, in many cases successfully, to plant malicious code in the NPM, GitHub, and other open code repositories. The Wiz investigation was triggered by the discovery in February that threat actors had tried to introduce malware into the VSCode Marketplace in a classic supply chain attack which could have spread it widely.

An attacker who discovered this weakness in the platform’s security would have been able to directly distribute malware to the cumulative 150,000 install base, says the Wiz report.

The discovery, only now being revealed by Wiz after remediation work by Microsoft and OpenVSX, is another example of why developers need to take more care in sanitizing their code before dropping it into open marketplaces, and why CSOs need to ensure extensions used by their developers are scrutinized closely.

Developers are prime targets

Developers are a prime target for attacks, commented Johannes Ullrich, dean of research at the SANS Institute. “What they often do not realize is that any extensions they install, even if they appear benign, like, for example, extensions to change the color of the code, have full access to their code and may make modifications without explicitly informing the developer. Extension marketplaces are just another repository of third-party code. They suffer from the same lack of oversight and review as other code repositories (for example, pip, npm, NuGet, and others). Upon installation of the extension, the developer will execute the code and provide the extension with far-reaching persistent access to their code base.”

Cyber criminals and nation states have found the new weak link in the security chain: the software supplier ecosystem, said David Shipley, head of Canadian-based security awareness firm Beauceron Security. “There’s been so many cases of this that it’s a clear, systemic issue,” he said. 

“And it’s not one we’re just going to fix with ‘AI,’ as this will continue to be a cat and mouse game. This is one of those wicked problems requiring changes in the legal liability landscape, culture change in enshrining security by design and continuing to teach developers about security principles. We’ve been extraordinarily lucky this year, with attacks like the Shai-Hulud Worm not burning us at a WannaCry scale. That luck will run out,” Shipley said.

What are VS extensions

Extensions and themes can be added to Visual Studio code to make life easier for developers, as well as to enhance functionality. An extension can add features like debuggers, new languages, or other development tools, while a theme is a type of extension that changes the appearance of the editor, controlling things like colors and fonts.

Microsoft created the VSCode Marketplace as an easy place for developers to browse for extensions and themes. But developers who don’t sanitize their work before uploading finished code to VSCode or OpenVSX marketplaces risk revealing access tokens that grant anyone the ability to automatically update the extension. If those tokens are controlled by a threat actor, they can automatically update all instances of the extension to a malicious version.

The Wiz report points out that security pros and developers should realize that not only can poorly written or compromised VS extensions be a problem, so can themes. In fact, the Wiz report notes that much of this massive vulnerable install base actually consists of themes.

Generally, says the report, themes are viewed as safer than other extensions because they don’t carry any code. However, they still increase the attack surface as there is no technical control to prevent malware from being bundled into them. 

Similar report

No organizations were impacted as a result of this issue, Rami McCarthy, principal security researcher at Wiz, told CSO.

However, in a separate discovery, this week CSO reported that researchers at Koi Security had discovered there have been more than 17,000 downloads of 11 malicious extensions from the VSC and Open VSX marketplaces, placed by a threat group called TigerJack. Two of the campaign’s popular extensions, “C++ Payground” and “HTTP Format”, have been removed, but the operation continues through re-uploads of the malware-infested code using fresh accounts.

One of these malicious extensions, Koi Security said, quietly uploads a developer’s source code to external endpoints, another uses local resources for cryptomining, and the most sophisticated variant can execute JavaScript remotely without needing fresh updates to expand or change functionalities.

McCarthy says the issue Wiz Research identified was even more severe, because it could have allowed attackers to weaponize more than a hundred legitimate extensions, automatically installing malware on over 185,000 developer machines. Wiz also found evidence that some attackers inflate download numbers through “download pumping,” which can make reported installation figures unreliable.

There isn’t a consistent threat model for extension marketplaces yet, McCarthy said, making it difficult for any platform to anticipate these risks. However, he added, Microsoft’s marketplace has seen deeper security investment than Open VSX, and the research highlights why that matters.

He agreed that the report is another example of why developers need to take more care in sanitizing their code before dropping it into open marketplaces. But, he added, it’s also an example of how platforms can build in guardrails to minimize risk from individual developer errors.

“Developer security is a shared responsibility between publishers and the ecosystems that host their work,” he said.

Advice to CSOs, developers

Wiz says VSCode users should:

limit the number of installed extensions in their work. Each extension introduces an extended threat surface, which should be measured against the benefit of its usage;

review extension trust criteria. Consider installation prevalence, reviews, extension history, and publisher reputation, among other metadata, prior to adoption;

consider auto-update tradeoffs. Auto-updating extensions ensures you receive security updates, but introduces the risk of a compromised extension pushing malware to your machine. 

Corporate security teams should:

develop an IDE extension inventory, in order to respond to reports of malicious extensions;

consider creating a centralized allowlist for VSCode extensions;

consider sourcing extensions from the VSCode Marketplace, which currently has higher review rigor and controls, over the OpenVSX Marketplace.

Leaders should use device management and endpoint security tooling to inventory and enforce allowlists for extensions, said Wiz’s McCarthy. Centrally approving extensions helps reduce risk, but it’s also important to preserve flexibility for developers, to let them use tools that drive innovation. Extensions bring real value, but their long tail can introduce a significant attack surface if unmanaged.

There is no good way to verify that an application has not been compromised, warned the SANS Institute’s Ullrich. Standard endpoint and network security solutions can assist in protecting developers, but they need to be tuned to be effective and it is difficult to identify malicious extensions. In particular, developer workstations often have specific benign usage patterns that cause excessive false positives if the solution is not carefully tuned. Thus, developers should attempt to minimize the number of extensions they install.