Raul Onitza-Klugman & Kirill Efimov

Vulnerable VS Code extensions are now at your front door

Could your favorite VS Code extension be stealing your SSH keys? This talk reveals how a single flaw can lead to total system compromise.

Vulnerable VS Code extensions are now at your front door
#1about 5 minutes

The expanding role of developers in security

Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.

#2about 3 minutes

Integrating security earlier in the development lifecycle

Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.

#3about 6 minutes

Common attacks targeting software developers

Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#4about 5 minutes

Why VS Code extensions are a major attack surface

VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.

#5about 2 minutes

Building a pipeline to analyze VS Code extensions

A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.

#6about 5 minutes

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.

#7about 8 minutes

Bypassing browser security to attack local servers

A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.

#8about 3 minutes

Demo: Stealing SSH keys via a vulnerable extension

This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.

#9about 5 minutes

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.

#10about 3 minutes

Impact, disclosure, and mitigation strategies

Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Why VS Code extensions are a prime target
05:03 MIN

Why VS Code extensions are a prime target

Vue3 practical development

Navigating security risks in modern development tools
02:37 MIN

Navigating security risks in modern development tools

WeAreDevelopers LIVE – From JavaScript to WebAssembly, High-Performance Charting and More

Impact and mitigation of extension vulnerabilities
03:03 MIN

Impact and mitigation of extension vulnerabilities

Vue3 practical development

Why developers are a prime target for attackers
04:54 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

When attackers target the developer's own tools
01:20 MIN

When attackers target the developer's own tools

Stranger Danger: Your Java Attack Surface Just Got Bigger

Key takeaways on IDE and developer tool security
02:28 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Exfiltrating local files via a VS Code extension
05:29 MIN

Exfiltrating local files via a VS Code extension

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Risks of exposed network services in extensions
02:11 MIN

Risks of exposed network services in extensions

You click, you lose: a practical look at VSCode's security

Featured Partners

Related Videos

See all videos
Vue3 practical development
44:11

Vue3 practical development

Mikhail Kuznetcov

101 Typical Security Pitfalls
28:41

101 Typical Security Pitfalls

Alexander Pirker

You click, you lose: a practical look at VSCode's security
29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Oops! Stories of supply chain shenanigans
43:57

Oops! Stories of supply chain shenanigans

Zbyszek Tenerowicz

Let's build a VS Code extension for automated refactorings
1:40:08

Let's build a VS Code extension for automated refactorings

Nicolas Carlo

Real-World Security for Busy Developers
29:50

Real-World Security for Busy Developers

Kevin Lewis

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Cross Site Scripting is yesterday's news, isn't it?
30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Related Articles

View all articles
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Daniel Cranney
Dev Digest 152: Chrome Extensions Hack, CSS Spy Sheets, Deepseek OSS AI
Inside last week’s Dev Digest 152 . 🐋 DeepSeek - a new rising star open source model 🖐 Using CSS to fingerprint browsers and email clients 🧠 Things you should know about accessibility 🤷‍♂️ What do you when you messed up in Git 📍 Cloudflare security ...
Dev Digest 152: Chrome Extensions Hack, CSS Spy Sheets, Deepseek OSS AI

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

NEVERHACK
Paris, France

Intermediate
Python
Docker
Ansible
Terraform
Unit Testing