Researchers with cybersecurity firm Wiz earlier this year discovered, almost by chance, a significant supply chain risk and massive secrets leak in the Visual Studio Code and OpenVSX marketplaces that they said put a focus on the ongoing security issues presented by extensions and plugins.
In their months-long investigation with Microsoft, the researchers found that the publishers of more than 100 VS Code extensions leaked access tokens that would have enabled a bad actor to distribute malware to more than 150,000 users.
At the same time, more than 550 secrets were exposed via more than 500 VS Code extensions, with the secrets ranging from API keys and passwords to access tokens. The secrets were from hundreds of publishers, with some of the exposed secrets granting access to their own accounts on a range of services, including OpenAI, Anthropic, Amazon Web Services (AWS), GitHub, and MongoDB.
“Each leaked secret is a result of publisher error,” Rami McCarthy, principal security researcher at Wiz, wrote in a report this week, noting the ongoing security concerns with extensions, plugins, and supply chains in general. “It continues to validate the impression that any package repository carries a high risk of mass secrets leakage. It also reflects our findings that AI secrets are a large part of the modern secrets leakage landscape, and indicates the role vibe coding might play in that problem.”
VS Code is a Microsoft code editing tool for Windows, macOS, and Linux systems, with the VS Code Marketplace being a place where developers can find extensions for not only Visual Studio Code but also Visual Studio, Azure DevOps Services, and Azure DevOps Server. The Open VSX Marketplace is used by “AI-powered VS Code forks like Cursor and Windsurf,” McCarthy wrote.
Unrelated Investigation Leads to Leaks
Attackers in February were found trying to plant malware in the VS Code Marketplace, and Wiz researchers wanted to identify other malicious extensions and report them so they’d be removed.
“While we did end up identifying several interesting malicious extensions, we stumbled on something much more impactful: a scourge of secrets leaking in extension packages,” he wrote. “VS Code extensions are distributed as .vsix files, which can be unzipped and inspected. However, we found that publishers often failed to consider that everything in the package was publicly available, or failed to successfully sanitize their extensions of hardcoded secrets.”
The result was the 550-plus validated secrets distributed over more than 500 extensions from hundreds of publishers. There were 67 types of secrets found, including AI providers secrets for OpenAI, Google Gemini, Anthropic, xAI, DeepSeek, Hugging Face, and Perplexity, platform secrets to AWS, GitHub, Stripe, Auth0, and Google Cloud Platform, and database secrets from MongoDB, Postgres, and Supabase.
Public Access Tokens at Risk
The most impactful of the secrets are access tokens that can be used to update the extension. They’re called Azure DevOps Personal Access Tokens (PATs) in the VS Code Marketplace – more than 100 such valid tokens were leaked, representing an install base of more than 85,000 extensions – while the Open VSX Marketplace uses open-vsx.org access tokens. More than 30 of those were leaked, with an install base of more than 100,000 installs.
“Much of this massive vulnerable install base is actually contributed by themes,” McCarthy wrote. “This is interesting, because themes are generally viewed as safer than other extensions, given they don’t carry any code. However, they still increase your attack surface, as there is no technical control preventing themes from bundling malware.”
Risks to Corporations
Many of the leaked tokens were publicly distributing company internal or vendor-specific extensions. There aren’t that many extensions on the marketplace, but while internal extensions distributed publicly, though they often are for convenience, McCarthy wrote.
“In one case, we found a VS Code Marketplace PAT that would allow us to push targeted malware to the workforce of a $30 billion market cap Chinese megacorp,” he wrote. “Vendor specific extensions are common, and allow for interesting targeting opportunities if compromised. For example, one at risk extension belonged to a Russian construction technology company.”
Contributing most to the secrets leaks was publishers bundling hidden files – dotfiles – while secrets leaked through AI-related configurations files increased during the course of the investigation.
A Six-Month Process to Fix Problems
Wiz – which is in the process of being bought by Google for $32 billion – notified Microsoft about the issue, with the two companies working together for six months sending out notification and addressing the problems. Microsoft integrated technology to scan secrets before publishing, blocking extensions with verified secrets and notifying owners when they’re detected. McCarthy said VS Code extension publishers also need to scan for secrets before publishing.
In addition, VS Code users need to limit the number of installed extensions, review extension trust criteria, and look at the tradeoffs for auto-updating extensions, which can ensure security updates are applied but could lead to a compromised extension pushing malware to the user’s system.
Corporate security teams need to develop an inventory of IDE extensions and consider both a centralized allow list of VS Code extensions and sourcing extensions from the VS Code Marketplace, which has better controls and review processes than the one for OpenVSX.
AI and Vibe Coding
Wiz researchers earlier this year warned about the role AI-assisted development has played in leaking secrets in code, writing that “in a rush to adopt and experiment with AI, developers and other technology practitioners are willing to cut corners. … Yet another side-effect of these hasty practices is the leakage of AI-related secrets in public code repositories.”
In another report, they looked at vibe coding, which is the result of the rise of AI-based coding tools.
“Not all AI-assisted coding is vibe coding,” they wrote. “Regardless, security risk emerges the more developers are removed from the details of generated code, and the more non-developers gain access to vibe code risky software.”
