Over 100 VS Code Extensions Exposed Developers To Hidden Supply Chain Risks

Leaked access tokens and malicious extensions highlight growing threats in the VS Code ecosystem.

Published on Oct 17, 2025
Written by Mirren McDade

Hundreds of extensions within the VS Code ecosystem have been unintentionally exposing sensitive credentials, potentially allowing attackers to seize control of developer environments, security researchers at Wiz have revealed.

Visual Studio Code (VS Code) is at the core of today’s software development world and is powerful, adaptable, and open-source. 

On October 15, Wiz security researcher Rami McCarthy said that: “A leaked VSCode Marketplace or Open VSX PAT [Personal Access Token] allows an attacker to directly distribute a malicious extension update across the entire install base.” They go on to say that “An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base.”

How Did The Leaks Occur?

Wiz noted that many extension publishers did not consider that VS Code extensions, distributed as .vsix files, can be unzipped and inspected. This makes it possible for anyone to uncover hard-coded secrets embedded within the packages.
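As an added illustration of the inspection Wiz describes (this is example code, not Wiz's tooling or anything from the article), the Python script below treats a .vsix as the zip archive it is, reads its text files and flags likely hard-coded secrets, the kind of pre-publish check an extension author can run before uploading. The package contents, the planted fake keys and the secret patterns are all constructed for this example.

```python
import io
import re
import zipfile

# Illustrative patterns only (constructed for this example, not Wiz's rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|token|secret)\s*[:=]\s*['\"][^'\"]{16,}['\"]"),
}
# Only text-like members are scanned; binaries such as icons are skipped.
TEXT_SUFFIXES = (".js", ".json", ".ts", ".env", ".txt", ".md", ".yml", ".yaml")


def scan_vsix(data: bytes) -> list[dict]:
    """Unzip a .vsix held in memory and report one finding per suspicious line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for kind, pattern in SECRET_PATTERNS.items():
                    match = pattern.search(line)
                    if match:
                        # Redact: keep only a short prefix so the report itself is safe to share.
                        findings.append({"file": info.filename, "line": lineno,
                                         "kind": kind, "match": match.group(0)[:8] + "..."})
                        break
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample package: minimal .vsix layout with two planted fake keys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension.vsixmanifest", "<PackageManifest/>")
        zf.writestr("extension/package.json", '{"name": "demo-ext", "publisher": "example"}')
        zf.writestr("extension/out/extension.js",
                    'const client = new Client({ apiKey: "sk-FAKEFAKEFAKEFAKEFAKEFAKE0001" });\n'
                    "module.exports = { activate() {} };\n")
        zf.writestr("extension/.env", "AWS_ACCESS_KEY_ID=AKIAFAKEFAKEFAKEFAKE\n")
        zf.writestr("extension/icon.png", b"\x89PNG\r\n")  # binary member, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['match']}")
```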

In total, Wiz identified over 550 verified secrets spread across more than 500 extensions from hundreds of distinct publishers. These secrets fell into 67 categories, including:

  • AI provider secrets (OpenAI, Gemini, Anthropic, XAI, DeepSeek, HuggingFace, Perplexity)
  • High-risk platform secrets (AWS, GitHub, Stripe, Auth0, GCP)
  • Database secrets (MongoDB, Postgres, Supabase)

The report also highlighted that more than 100 valid PATs were found within VS Code Marketplace extensions, collectively impacting over 85,000 installations. Over 30 exposed Open VSX access tokens were discovered across VS Code Marketplace and Open VSX extensions, affecting a combined install base of over 100,000 users.

Expanding Attack Surfaces

Since Open VSX is integrated into AI-powered VS Code forks, such as Cursor and Windsurf, extensions that expose access tokens can greatly increase the potential attack surface.

Wiz pointed out that in one instance, a Marketplace PAT could have enabled targeted malware deployment to the workforce of a $30 billion market cap Chinese company, showing that the issue extends to internal and vendor-specific extensions as well.

Following disclosure to Microsoft in March and April 2025, the company revoked the exposed PATs and announced plans to add secret scanning functionality to block extensions containing verified secrets and notify developers when leaks are detected, according to The Hacker News.

It is recommended that VS Code users:

  • Limit the number of installed extensions
  • Carefully review extensions before installation
  • Consider the risks of enabling auto-updates

Organizations should maintain an inventory of approved extensions and use a centralized allowlist to respond quickly to reports of malicious packages.

According to Wiz, “The issue highlights the continued risks of extensions and plugins, and supply chain security in general. It continues to validate the impression that any package repository carries a high risk of mass secrets leakage.”

Tigerjack Campaign: A Separate But Related Threat

While the exposed tokens described above are an example of an accidental leak, the recent TigerJack campaign is a deliberate, coordinated attack on the same ecosystem, in which a malicious actor has intentionally published harmful extensions, including ones that steal source code, mine cryptocurrency, or create backdoors.

TigerJack has been exploiting developer marketplaces with at least 11 malicious Visual Studio Code (VS Code) extensions that steal source code, hijack system resources for cryptocurrency mining, and install remote backdoors for full system control. Operating across multiple publisher accounts (ab-498, 498, and 498-00), TigerJack’s extensions infected over 17,000 developers before being removed from Microsoft’s Marketplace, though they remain active on Open VSX.

This campaign is part of a wider trend targeting developers through trusted tools, highlighting the need for stricter supply chain security and careful vetting of development extensions.

While accidental leaks show the inherent risks of VS Code extensions, TigerJack demonstrates how attackers can exploit the same ecosystem to carry out sophisticated, deliberate attacks.

Microsoft’s Response and Marketplace Security

In June 2025, Microsoft introduced a multi-step process to secure the VS Code Marketplace, including sandbox scans of new packages and periodic marketplace-wide rescans. However, these protections do not extend to Open VSX and other registries, allowing threat actors to move malicious extensions to less-secure platforms.

According to the Microsoft Digital Defense Report 2025, “fragmented solutions make it difficult to understand data security posture since data is isolated and disparate workflows could limit comprehensive visibility into potential risks.” This fragmentation can lead to blind spots that attackers may exploit.

The Bigger Picture

VS Code extensions enhance productivity, but increase security risks. Accidental token leaks and campaigns like TigerJack show how developers can be exposed to code theft, cryptomining, and backdoors, underscoring the need for robust supply chain security and careful extension vetting.