Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces
ID: e060d6ed-ee30-5c76-a7e3-fb5615b9abae
STIX ID: report--e060d6ed-ee30-5c76-a7e3-fb5615b9abae
Feed Name: Wiz Blog
Wiz Research discovered over 550 validated leaked secrets across more than 500 VSCode/Open VSX extensions, including 100+ valid VSCode Marketplace Personal Access Tokens and 30+ Open VSX tokens. The leaked tokens created a supply-chain risk in which attackers could push malicious updates to a combined install base on the order of 150,000+ installs. Wiz worked with Microsoft to notify publishers, revoke exposed tokens, scan and remediate extensions, and develop platform-level mitigations and detection improvements.
