Developers of VS Code extensions are leaking sensitive secrets left, right and center, according to researchers who worked with Microsoft to combat an issue that could have led to some nasty supply chain attacks.
Wiz Security examined more than 500 extensions across the VS Code and Open VSX marketplaces, provided by hundreds of publishers, and found more than 550 validated secrets.
By "secrets," security folk typically mean things such as access and authorization tokens, credentials, API and/or encryption keys, certificates, and the like.
Wiz identified 67 categories of secrets, but the majority could be placed into three groups: generative AI platforms; high-risk professional platforms such as AWS, GCP, Auth0, and GitHub; and databases such as MongoDB and Postgres.
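The kind of check a publisher can run on a packaged extension before upload, as an added example that is not part of the article or of Wiz's tooling: a VSIX is a zip archive, so the scanner below walks its text files and flags the secret categories the research highlights. The patterns, the file-suffix list and the sample package are constructed for illustration and are far from exhaustive.

```python
"""Scan a VSIX package (a zip file) for embedded credentials before publishing."""
import io
import re
import zipfile

# Illustrative patterns for the secret categories named in the article.
# Not exhaustive: production scanners use many more and validate each hit.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s]+@[^\s\"']+"),
    "gcp_service_account_key": re.compile(r'"private_key"\s*:\s*"-----BEGIN'),
}

# Only text-like entries are scanned; binaries such as icons are skipped.
TEXT_SUFFIXES = (".js", ".json", ".ts", ".env", ".txt", ".md", ".yml", ".yaml")


def scan_vsix(data: bytes) -> list[tuple[str, str, int]]:
    """Return (path, category, line_number) for every match inside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as vsix:
        for info in vsix.infolist():
            if info.is_dir() or not info.filename.endswith(TEXT_SUFFIXES):
                continue
            text = vsix.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for category, pattern in PATTERNS.items():
                    if pattern.search(line):
                        findings.append((info.filename, category, lineno))
    return findings


def build_sample_vsix() -> bytes:
    """Constructed sample package with planted, non-functional values."""
    files = {
        "extension/package.json": '{"name": "demo", "publisher": "example"}',
        "extension/out/extension.js":
            "const key = 'AKIAIOSFODNN7EXAMPLE'; // AWS documentation example key\n"
            "const db = 'postgres://app:hunter2@db.example.invalid:5432/app';\n",
        "extension/.env": "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345\n",
        "extension/icon.png": "not really an image",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as vsix:
        for path, content in files.items():
            vsix.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    for path, category, lineno in scan_vsix(build_sample_vsix()):
        print(f"{path}:{lineno}: {category}")
```

Anything the scanner reports should be removed from the package and the credential rotated, since a published VSIX is world-readable regardless of what the source repository exposes.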
More than 100 of th