We have been witnessing an ever-growing number of supply chain security incidents in the wild: everything from security flaws in open source package managers being exploited, to continuous integration systems being compromised, to software artifacts being backdoored.

Until recently, no security vulnerabilities had been discovered in VS Code extensions, creating a sense of security for millions of developers. But now, Snyk has discovered and disclosed vulnerabilities that pose a real and imminent threat to developers who use these extensions and then interact with a malicious actor. The potential compromise is severe: remote code execution on a developer's machine is possible simply by tricking the developer into clicking a link. This new VS Code extensions supply chain security threat has the potential to become a new attack playground, potentially impacting over 2,000,000 developers.

A vulnerable VS Code Extensions Marketplace

The VS Code Extension Marketplace features about 25,000 extensions. These are essentially compressed archives of JavaScript code that resemble npm packages, and in fact even rely on the npm ecosystem as a source of third-party dependencies used to build the extensions. Similar to the npm registry, the VS Code Extensions Marketplace is an open ecosystem, allowing any developer to sign up and submit their extensions. Once uploaded and confirmed, these extensions are available to developers from the VS Code IDE. For some of these exploitations to work, the extensions need to be actively used by a developer.

A few of the vulnerable extensions that Snyk uncovered are:

Open in Default Browser – Over 520,000 downloads. Allows developers to open files in a browser, so they can easily and quickly inspect them (common with HTML files).

Instant Markdown – Over 120,000 downloads.
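Because an extension package is a compressed archive that resembles an npm package, a defender can inventory what an installed extension actually ships before trusting it. The script below is an added example (not Snyk's tooling and not from the original post): it builds a constructed in-memory VSIX with made-up names and dependency versions, then reads its extension/package.json to report the extension's identity, activation triggers, declared npm dependencies, and which of those are bundled under node_modules.

```python
import io
import json
import zipfile

# Constructed sample: a minimal VSIX laid out like a real extension package.
# Real VSIX files keep the extension's files under "extension/" next to the
# vsixmanifest; the names and versions below are made up for illustration.
SAMPLE_PACKAGE_JSON = {
    "name": "sample-preview",
    "publisher": "example-publisher",
    "version": "1.2.3",
    "activationEvents": ["onCommand:sample.preview"],
    "main": "./out/extension.js",
    "dependencies": {"express": "^4.17.1", "open": "^8.0.0"},
}


def build_sample_vsix() -> bytes:
    """Assemble the constructed VSIX archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("extension/package.json", json.dumps(SAMPLE_PACKAGE_JSON))
        zf.writestr("extension/out/extension.js", "// extension entry point\n")
        zf.writestr("extension/node_modules/express/index.js", "// bundled dep\n")
        zf.writestr("extension/node_modules/open/index.js", "// bundled dep\n")
    return buf.getvalue()


def inspect_vsix(vsix_bytes: bytes) -> dict:
    """Inventory a VSIX: identity, activation triggers, declared npm dependencies,
    and which dependency packages are actually bundled under node_modules."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        names = set(zf.namelist())
        if "extension/package.json" not in names:
            raise ValueError("not a VSIX: extension/package.json missing")
        manifest = json.loads(zf.read("extension/package.json"))
    bundled = set()
    for path in names:
        parts = path.split("/")
        # extension/node_modules/<pkg>/...; scoped packages take two segments
        if len(parts) > 3 and parts[0] == "extension" and parts[1] == "node_modules":
            bundled.add("/".join(parts[2:4]) if parts[2].startswith("@") else parts[2])
    declared = manifest.get("dependencies", {})
    return {
        "id": f"{manifest.get('publisher')}.{manifest.get('name')}",
        "version": manifest.get("version"),
        "entry": manifest.get("main"),
        "activation_events": manifest.get("activationEvents", []),
        "declared_dependencies": sorted(declared),
        "bundled_packages": sorted(bundled),
        "declared_but_not_bundled": sorted(set(declared) - bundled),
    }
```

Pointing inspect_vsix at a downloaded .vsix file gives the same inventory for a real extension, which is a useful first step before approving it for a developer fleet.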