Cybersecurity researchers at Wiz Research have uncovered what they describe as a “pattern of secret leakage” affecting hundreds of Visual Studio Code (VSCode) and Open VSX marketplace extensions, exposing critical access tokens and other sensitive credentials that could enable supply chain compromise at scale.
The investigation began in February 2025, when Wiz was tracking malicious extensions uploaded to the VSCode Marketplace. But instead of just spotting malware, they stumbled upon something far larger — hundreds of legitimate extensions leaking internal credentials.
“Our initial goal was to identify additional malicious extensions… While we did end up identifying several interesting malicious extensions, we stumbled on something much more impactful: a scourge of secrets leaking in extension packages,” Wiz explained.
These extensions, distributed as .vsix files, can be unzipped and inspected. Researchers found that many publishers failed to sanitize sensitive files before uploading them, effectively exposing their internal systems to anyone willing to look.
In total, Wiz validated over 550 leaked secrets across more than 500 extensions from hundreds of publishers, including AI API keys, database credentials, and cloud access tokens.
“Across the 67 distinct types of secrets we found, there were a few notable categories: AI provider secrets (OpenAI, Gemini, Anthropic, XAI, DeepSeek, HuggingFace, Perplexity), high-risk platform secrets (AWS, GitHub, Stripe, Auth0, GCP), and database secrets (MongoDB, Postgres, Supabase),” the report stated.
The most critical findings involve leaked Personal Access Tokens (PATs) — credentials that grant the ability to publish or update VSCode extensions directly.
“In over a hundred cases this included leakage of access tokens granting the ability to update the extension itself,” Wiz warned.
Because VSCode automatically updates extensions by default, any attacker who obtained these tokens could push a malicious update to tens of thousands of users instantly.
“A leaked VSCode Marketplace or OpenVSX PAT allows an attacker to directly distribute a malicious extension update across the entire install base,” the researchers noted. “An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base.”
In total, Wiz found:
- Over 100 valid VSCode Marketplace PATs representing 85,000 installs, and
- Over 30 Open VSX access tokens covering an additional 100,000 installs
Surprisingly, many of the affected extensions were VSCode themes, which are often assumed to be safe since they contain no executable code. Wiz warns that this assumption is dangerously misleading.
“Much of this massive vulnerable install base is actually contributed by themes… there is no technical control preventing themes from bundling malware,” the report emphasized.
Even decorative or corporate-branded themes can become Trojan horses if an attacker gains publishing access.
Wiz also found tokens belonging to internal or vendor-specific extensions that were mistakenly published publicly — sometimes exposing credentials linked to large enterprises.
“Internal extensions should not be distributed publicly, but often are for convenience,” the researchers said. “In one case, we found a VSCode Marketplace PAT that would allow us to push targeted malware to the workforce of a $30 billion market cap Chinese megacorp.”
Another exposed extension belonged to a Russian construction technology firm, showing how industry-specific VSCode plugins could become entry points for targeted attacks.
After analyzing the exposed extensions, Wiz concluded that the primary culprit was the inclusion of hidden configuration files (dotfiles) — particularly .env — which often contain hardcoded secrets.
“The largest contributor to secrets leakage was the bundling of hidden files, also known as dotfiles. The quantity of .env files was especially prominent,” the researchers explained.
Other common sources included:
- AI-related configuration files such as config.json, mcp.json, and .cursorrules
- Build and documentation files like package.json and README.md
Wiz also observed a rise in AI-related secret leaks, as developers increasingly embed API keys for tools like OpenAI or Anthropic directly into configuration files.
“Over the course of the year, we saw an increase in secrets leaking via AI related configuration files,” the report said.
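A pre-publish check for the leak sources described above, as an added example (not Wiz's tooling and not code from the report): it opens a .vsix as a zip archive and flags dotfiles, the AI configuration file names listed above, and credential-like assignments in any bundled file. The regex heuristic, the function names and the sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# File names the article singles out as frequent leak sources.
AI_CONFIG_NAMES = {"config.json", "mcp.json", ".cursorrules"}
# Heuristic (an assumption, not from the report): credential-looking name with a value of 8+ chars.
ASSIGNMENT = re.compile(
    r"""["']?([A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_?KEY)[A-Za-z0-9_]*)["']?\s*[:=]\s*["']?([^\s"',]{8,})""",
    re.IGNORECASE)

def audit_vsix(vsix):
    """Return (entry, reason) findings for a .vsix path or file-like object."""
    findings = []
    with zipfile.ZipFile(vsix) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            parts = PurePosixPath(info.filename).parts
            if any(p.startswith(".") for p in parts):
                findings.append((info.filename, "hidden file or directory (dotfile)"))
            elif parts[-1] in AI_CONFIG_NAMES:
                findings.append((info.filename, "AI/tool configuration file"))
            # Scan entries up to 1 MB for credential-style assignments; the value is never echoed.
            if info.file_size <= 1_000_000:
                text = archive.read(info).decode("utf-8", errors="ignore")
                for match in ASSIGNMENT.finditer(text):
                    findings.append((info.filename, f"credential-like assignment: {match.group(1)}"))
    return findings

def build_sample_vsix():
    """Constructed sample package with placeholder values, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", '{"name": "sample-theme", "version": "1.0.0"}')
        z.writestr("extension/themes/dark.json", '{"colors": {}}')
        z.writestr("extension/.env", "EXAMPLE_ACCESS_TOKEN=PLACEHOLDER-not-a-real-token\n")
        z.writestr("extension/mcp.json", '{"env": {"EXAMPLE_API_KEY": "PLACEHOLDER-value"}}')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, reason in audit_vsix(build_sample_vsix()):
        print(f"{entry}: {reason}")
```

Run it against the packaged .vsix before publishing and treat any finding as a release blocker. Files it flags can be kept out of the package with a `.vscodeignore` entry.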
After responsibly disclosing the findings to Microsoft’s Security Response Center (MSRC), Wiz collaborated with both Microsoft and Open VSX maintainers to roll out platform-level safeguards.