Stop Hard Coding Certs, Tokens And Other Authorization In Your VS Code Extensions!
Bad Coder! Stop It!
It may be convenient, but if you are designing custom VS Code extensions, do not code in anything you don’t want people to get access to! There are currently over 500 VS Code extensions available online with hard-coded tokens, credentials, encryption keys, certificates, and other means of authenticating automatically. This is not just bad practice; thanks to the convenient way VS Code extensions update themselves automatically, it can become an ongoing security nightmare.
Wiz Security found that more than 100 of these extensions contained the credentials needed to update the extension itself, which, had anyone taken advantage of it, would have allowed them to automatically infect around 150,000 users. All they would have needed to do is edit some nasty code into the extension and upload it. Any machine running that extension would then automatically update to the new version and be infected with whatever was added.
There is a good chance that at least some of this is down to vibe coding and not just laziness, as extensions for generative AI platforms were among the more commonly found offenders in the research. Thankfully, Microsoft implemented secret scanning for VS Code extensions yesterday, just before this research was published, so the vulnerable parties are safe now, though their extensions probably no longer function properly.
You should not depend on this; simply don’t ever code in secrets!
Wiz Security examined more than 500 extensions across the VS Code and Open VSX marketplaces, provided by hundreds of publishers, and found more than 550 validated secrets.
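As an added example (not code from the original post or from Wiz or Microsoft), here is a minimal publish-time check of the kind described above: it flags string literals assigned to credential-looking identifiers in extension source when the literal's entropy looks like a real token, and embedded PEM private keys, while letting placeholders and VS Code `SecretStorage` lookups through. The sample extension source and the token value in it are constructed.

```typescript
// Added example: a minimal publish-time secret scanner for extension sources.
// It flags string literals assigned to credential-looking identifiers when the
// literal's Shannon entropy looks like a real token, plus embedded PEM keys.

interface Finding { line: number; name: string; reason: string; }

// Identifier names that usually hold credentials (case-insensitive).
const CRED_NAME = /(token|secret|passw(or)?d|api[_-]?key|private[_-]?key|cert(ificate)?|pat)\b/i;
// `name = "literal"` or `name: 'literal'` with a value of at least 8 characters.
const ASSIGN = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])([^"'`\n]{8,})\2/g;
const PEM = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;

function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

function scanSource(src: string, minEntropy = 3.5): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((text, i) => {
    if (PEM.test(text)) findings.push({ line: i + 1, name: "PEM", reason: "embedded private key" });
    ASSIGN.lastIndex = 0; // exec() on a /g regex is stateful; start each line fresh
    let m: RegExpExecArray | null;
    while ((m = ASSIGN.exec(text)) !== null) {
      const name = m[1], value = m[3];
      if (!CRED_NAME.test(name)) continue;               // ordinary config, not a credential
      const h = shannonEntropy(value);
      if (h >= minEntropy) findings.push({ line: i + 1, name, reason: `high-entropy literal (H=${h.toFixed(2)})` });
    }
  });
  return findings;
}

// Constructed extension source: line 2 holds a fake publisher token (random
// characters, not a real credential); the other lines should pass.
const SAMPLE_EXTENSION_SRC = [
  'import * as vscode from "vscode";',
  'const PUBLISHER_PAT = "k7Qz2mX9pL4vR8wT1nB6yH3cF0sD5gA2eJ9uV4iO7rK1tW8xZ";',
  'const apiKey = "REPLACE_ME";',                               // placeholder, low entropy
  'const token = await context.secrets.get("myext.apiToken");', // SecretStorage lookup, no literal
  'const endpoint = "https://api.example.invalid/v1";',         // not a credential name
].join("\n");

// scanSource(SAMPLE_EXTENSION_SRC) returns one finding: line 2, PUBLISHER_PAT
```

The real fix for line 2 is the pattern on line 4: keep the token in the extension's `context.secrets` store (or another store outside the package) and never in shipped source.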
More Tech News From Around The Web
- Inside the web infrastructure revolt over Google’s AI Overviews @ Ars Technica
- CISA: Maximum-severity Adobe flaw now exploited in attacks @ Bleeping Computer
- Thousands of customers imperiled after nation-state ransacks F5’s network @ Ars Technica
- Microsoft Wants You To Talk To Your PC and Let AI Control It @ Slashdot
- Microsoft veteran explains Windows quirk that made videos play in Paint @ Slashdot
- Norway Says ‘Mission Accomplished’ On Going 100% EV, Proposes Incentive Changes @ Slashdot
- Broadcom Thor Ultra 800GbE NICs Launched @ ServeTheHome