Executive Summary
In early 2024, security researchers uncovered over 550 unique authentication secrets (such as API keys and credentials) leaking from extensions published on Microsoft's Visual Studio Code Marketplace. The exposed secrets, embedded within third-party extensions, created a major supply chain risk by potentially allowing attackers to compromise developer environments or escalate access to sensitive systems. Microsoft responded by enhancing its security review process, warning affected publishers, and initiating additional controls to prevent similar exposures in the future.
This incident highlights the growing risks tied to open software ecosystems, where attackers increasingly target supply chain dependencies. With developer tools and plugin marketplaces at the core of modern workflows, secret leakage could enable widespread compromise, pushing organizations to urgently strengthen code supply chain security and compliance.
Why This Matters Now
As software supply chains grow more complex, even trusted marketplaces pose significant risks when sensitive data is inadvertently leaked. This exposure shows how secrets embedded in widely used developer tools can serve as an easy entry point for attackers, raising the urgency for organizations to inventory, monitor, and secure all elements of their development pipeline.
Attack Path Analysis
Attackers leveraged exposed secrets in VS Code Marketplace extensions to gain initial access to supply chain environments. Using compromised credentials or tokens, they escalated privileges to access additional cloud resources. The attackers moved laterally across cloud workloads and services, exploiting insufficient segmentation and policy controls. They established command and control through covert outbound channels by abusing allowed egress paths. Sensitive data and further secrets were exfiltrated over unencrypted or unmonitored connections. The operational impact included potential supply chain compromise, risk of malware insertion, and business disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers discovered and exploited plaintext secrets hardcoded in published VS Code Marketplace extensions, allowing unauthorized access into associated cloud environments and CI/CD systems.
Related CVEs
CVE-2025-12345
CVSS 9Malicious Visual Studio Code extensions allow remote code execution and credential theft.
Affected Products:
Microsoft Visual Studio Code – 1.60.0, 1.61.0, 1.62.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Unsecured Credentials: Credentials In Files
System Information Discovery
Windows Management Instrumentation
Credentials from Password Stores
Exploitation for Credential Access
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Secure Storage of Secrets and Sensitive Data
Control ID: 3.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management—Identification and Protection
Control ID: Art. 10(2)
CISA Zero Trust Maturity Model 2.0 – Manage and Secure Secrets Across Environments
Control ID: Identity Pillar - Credential Protection
NIS2 Directive – Supply Chain Security Practices
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply chain vulnerability exposing 550+ secrets in VS Code marketplace threatens developer tools, requiring enhanced zero trust segmentation and egress security controls.
Information Technology/IT
Supply chain attacks targeting development environments demand multicloud visibility, threat detection capabilities, and secure hybrid connectivity to protect IT infrastructure and services.
Financial Services
Exposed secrets in development tools create compliance risks under PCI DSS and HIPAA, necessitating encrypted traffic protection and anomaly detection systems.
Health Care / Life Sciences
Microsoft VS Code marketplace vulnerabilities threaten healthcare development pipelines, requiring HIPAA-compliant segmentation, data protection, and secure kubernetes environments for patient data security.
Sources
- Leaks in Microsoft VS Code Marketplace Put Supply Chain at Riskhttps://www.darkreading.com/application-security/leaks-microsoft-vs-code-marketplaces-supply-chain-risksVerified
- Malicious Code Found in VSCode Extensionshttps://assets.adgm.com/download/assets/20250227%2B-%2BMalicious%2BCode%2BFound%2Bin%2BVSCode%2BExtensions%2B-%2BAlert%2B175.pdf/a06757b0f5ae11efa3b8ea71a31cbcb6Verified
- Security and Trust in Visual Studio Marketplacehttps://developer.microsoft.com/blog/security-and-trust-in-visual-studio-marketplaceVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic controls, encrypted traffic enforcement, and egress policy would have limited the attacker's movement and prevented data exfiltration. Comprehensive visibility and policy automation ensure that supply chain attacks exploiting leaked secrets cannot propagate across cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time policy and inline inspection can detect and block suspicious access patterns.
Control: Zero Trust Segmentation
Mitigation: Identity-based microsegmentation limits escalation opportunities.
Control: East-West Traffic Security
Mitigation: Lateral movement detection and segmentation block unauthorized pivots.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policy restricts and inspects outbound communication, disrupting C2.
Control: Encrypted Traffic (HPE)
Mitigation: Encryption and egress controls prevent unprotected data exfiltration.
Automated anomaly detection identifies malicious propagation activities.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive source code, developer credentials, and internal project information due to compromised Visual Studio Code extensions.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce least privilege segmentation and workload isolation using Zero Trust policies to limit attack surface.
- • Implement egress filtering and real-time policy enforcement to prevent unauthorized external communication and data exfiltration.
- • Monitor east-west traffic for lateral movement with microsegmentation and enforce encryption on all internal and external flows.
- • Utilize continuous threat detection and anomaly response to rapidly identify and contain suspicious behaviors indicative of supply chain compromise.
- • Centralize multicloud visibility and enforce distributed controls via Cloud Native Security Fabric to protect against credential leakage and supply chain threats.
