Raul Onitza-Klugman & Kirill Efimov

Vulnerable VS Code extensions are now at your front door

Could your favorite VS Code extension be stealing your SSH keys? This talk reveals how a single flaw can lead to total system compromise.

#1 (about 5 minutes)

The expanding role of developers in security

Digital transformation has shifted infrastructure and security responsibilities to developers, increasing their value as an attack target.

#2 (about 3 minutes)

Integrating security earlier in the development lifecycle

Security testing has shifted left to integrate with agile development, making developers responsible for triaging issues like transitive dependency vulnerabilities.

#3 (about 6 minutes)

Common attacks targeting software developers

Attackers compromise developers through methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.

#4 (about 5 minutes)

Why VS Code extensions are a major attack surface

VS Code's massive popularity and its extensive, under-researched extension marketplace make it a prime target for compromising developers.

#5 (about 2 minutes)

Building a pipeline to analyze VS Code extensions

A processing pipeline was built to download all marketplace extensions, extract their source, and run static and dynamic analysis to find vulnerabilities.

#6 (about 5 minutes)

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension runs a local web server with a path traversal vulnerability, allowing an attacker to access arbitrary files on the user's machine.

#7 (about 8 minutes)

Bypassing browser security to attack local servers

A malicious website can exploit a local server by using an XSS vulnerability to bypass CORS and exfiltrate data from the victim's machine.

#8 (about 3 minutes)

Demo: Stealing SSH keys via a vulnerable extension

This demonstration shows how visiting a malicious link triggers an exploit chain that steals a local SSH key through the vulnerable Instant Markdown extension.

#9 (about 5 minutes)

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension was vulnerable to remote code execution through a WebSocket connection that could trigger a VS Code API to open local applications.

#10 (about 3 minutes)

Impact, disclosure, and mitigation strategies

Vulnerable extensions can lead to full supply chain attacks, but responsible disclosure led to quick fixes, and developers can mitigate risk through extension hygiene.
