Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks (Security News, May 2021)

Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment.
The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks.
VS Code extensions, like browser add-ons, allow developers to augment Microsoft's Visual Studio Code source-code editor with additional features like programming languages and debuggers relevant to their development workflows.
The attack scenarios devised by Snyk rely on installed extensions being abused as a vector for supply chain attacks: by exploiting weaknesses in the plugins, an attacker can break into a developer's system and from there reach whatever that system can access.
Although the flaws in the extensions have since been addressed, the findings matter in light of a series of security incidents showing that developers have become a lucrative target, with threat actors deploying a variety of malware to compromise development tools and environments for use in other campaigns.
"They're potentially dangerous both because of their custom written code pieces and the dependencies they are built upon. What has been shown here for VS Code might be applicable to other IDEs as well, meaning that blindly installing extensions or plugins is not safe."
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/QtUYnshsHuU/newly-discovered-bugs-in-vscode.html
Related news
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- GitHub supply chain attack spills secrets from 23,000 projects
- Supply chain attack on popular GitHub Action exposes CI/CD secrets
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos
- GitHub Action hack likely led to another in cascading supply chain attack
- GitHub Action supply chain attack exposed secrets in 218 repos
- Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
- Recent GitHub supply chain attack traced to leaked SpotBugs token