We have been witnessing an ever growing number of supply chain security incidents in the wild: everything from security flaws in open source package managers being exploited, to continuous integration systems being compromised, to software artifacts being backdoored. And now, those incidents are starting to extend to the place where developers spend most of their time: their integrated development environment, and specifically the Visual Studio Code IDE.

- Intro: A vulnerable Visual Studio Code Extensions Marketplace
- Setting the stage: The impact of vulnerable Visual Studio Code extensions on developers
- Proof of concept exploitation: Attacking Visual Studio Code extensions
- Security research disclosure: Snyk releases Visual Studio Code supply chain security research findings
- What can we do about it? Mitigating VS Code extensions security concerns

A vulnerable VS Code Extensions Marketplace

Until recently, no security vulnerabilities had been discovered in VS Code extensions, creating a sense of security for millions of developers. But now, Snyk has discovered and disclosed vulnerabilities that pose a real and imminent threat to developers who use these extensions and then interact with a malicious actor. The potential compromise is so severe that remote code execution on a developer's machine is possible simply by tricking the developer into clicking a link. This new VS Code extensions supply chain security threat has the potential to become a new attack playground, potentially impacting over 2,000,000 developers.

The VS Code Extension Marketplace features about 25,000 extensions. These are essentially compressed archives of JavaScript code that resemble npm packages, and in fact even rely on the npm ecosystem as a source of third-party dependencies to help build the extensions.

Similar to the npm registry, the VS Code Extensions Marketplace is an open ecosystem, allowing any developer to sign up and submit their extensions. Once uploaded and confirmed, these extensions are available to developers from within the VS Code IDE.

For some of these exploitations to work, the extension needs to be actively used by a developer. A few of the vulnerable extensions that Snyk uncovered are:

- Open in Default Browser – Over 520,000 downloads. Allows developers to open files in a browser so they can easily and quickly inspect them (common with HTML files).
- Instant Markdown – Over 120,000 downloads. Parses the markdown syntax of a file and renders it as an HTML representation that opens in a web browser, similar to how a markdown file such as a README.md is rendered as a GitHub repository homepage.

The impact of vulnerable VS Code extensions on developers

At first, it may seem that an extension is merely an extended IDE capability, but its blast radius is significantly more severe than that. Looking at those popular extensions, how many times have any of us installed an extension in our editor, completely unaware that we are letting in code that a stranger wrote? Code that may now have access to, or even control of, a development environment? How many times have developers potentially been put at risk just by using an extension?

A compromised extension on a developer's laptop means that, at the very least, the attacker has punched a hole through the firewall and gained access to internal corporate networks.
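Because each installed extension is an npm-style package whose third-party dependencies are declared in its `package.json`, the first defensive step is simply knowing what is installed. The following Python script is an added example (not code from the Snyk research or from VS Code itself): it walks an extensions directory laid out the way VS Code does (`<publisher>.<name>-<version>/package.json`), lists the npm dependencies each extension pulls in, and flags extensions that activate on every editor start; `inventory_extensions`, `write_sample_extensions` and the two extension manifests are constructed, hypothetical samples.

```python
import json
import tempfile
from pathlib import Path


def inventory_extensions(ext_root):
    """Return one record per installed extension: id, version, declared npm
    dependencies, and whether it activates on every editor start ("*")."""
    records = []
    for pkg_file in sorted(Path(ext_root).glob("*/package.json")):
        try:
            manifest = json.loads(pkg_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not crash
        deps = manifest.get("dependencies") or {}
        activation = manifest.get("activationEvents") or []
        records.append({
            "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
            "version": manifest.get("version", "?"),
            "dependencies": sorted(deps),      # feed these to a dependency scanner
            "starts_with_editor": "*" in activation,
        })
    return records


def write_sample_extensions(root):
    """Constructed sample data: two fake extension directories, not real extensions."""
    samples = {
        "example.open-preview-1.2.3": {
            "name": "open-preview", "publisher": "example", "version": "1.2.3",
            "activationEvents": ["onCommand:openPreview"],
            "dependencies": {"express": "^4.17.1", "open": "^8.0.0"},
        },
        "example.markdown-server-0.9.0": {
            "name": "markdown-server", "publisher": "example", "version": "0.9.0",
            "activationEvents": ["*"],  # runs code on every editor start
            "dependencies": {"markdown-it": "^12.0.0"},
        },
    }
    for dirname, manifest in samples.items():
        ext_dir = Path(root) / dirname
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo_inventory():
    """Build the sample directory in a temp folder and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extensions(tmp)
        return inventory_extensions(tmp)


if __name__ == "__main__":
    for record in demo_inventory():
        print(record)
```

Point `inventory_extensions` at a real `~/.vscode/extensions` directory to get the same records for an actual installation.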