The discovery, only now being revealed by Wiz after remediation work by Microsoft and OpenVSX, is another example of why developers need to take more care in sanitizing their code before dropping it into open marketplaces, and why CSOs need to ensure extensions used by their developers are scrutinized closely.
Developers are prime targets
Developers are a prime target for attacks, commented Johannes Ullrich, dean of research at the SANS Institute. “What they often do not realize is that any extensions they install, even if they appear benign, like, for example, extensions to change the color of the code, have full access to their code and may make modifications without explicitly informing the developer. Extension marketplaces are just another repository of third-party code. They suffer from the same lack of oversight and review as other code repositories (for example, pip, npm, NuGet, and others). Upon installation of the extension, the developer will execute the code and provide the extension with far-reaching persistent access to their code base.”
Cyber criminals and nation states have found the new weak link in the security chain: the software supplier ecosystem, said David Shipley, head of Canadian-based security awareness firm Beauceron Security. “There’s been so many cases of this that it’s a clear, systemic issue,” he said.
