Vibe coding may have played a role in what took researchers months to fix


Developers of VS Code extensions are leaking sensitive secrets left, right and center, according to researchers who worked with Microsoft to combat an issue that could have led to some nasty supply chain attacks.

Wiz Security examined more than 500 extensions across the VS Code and Open VSX marketplaces, provided by hundreds of publishers, and found more than 550 validated secrets.

By "secrets," security folk typically mean things such as access and authorization tokens, credentials, API and/or encryption keys, certificates, and the like.

It identified 67 categories of secrets, but the majority could be placed into three groups: generative AI platforms, high-risk professional platforms such as AWS, GCP, Auth0, and GitHub, and databases such as MongoDB and Postgres.

More than 100 of the 550-plus secrets they found would have given attackers access to update the extension itself, and given that VS Code auto-updates extensions, the potential for a supply ...


Copyright of this story solely belongs to theregister.co.uk.