Mikhail Kuznetcov

Vue3 practical development

Is your IDE a backdoor for attackers? We found critical vulnerabilities in VS Code extensions with millions of installs.

#1 (about 4 minutes)

The expanding security responsibilities of developers

Digital transformation and cloud adoption have shifted infrastructure and configuration management to developers, significantly expanding their security scope beyond just application code.

#2 (about 2 minutes)

Shifting security testing left in the development lifecycle

Integrating security tools like static analysis and software composition analysis early in the development process reduces costs and keeps pace with agile iterations.

#3 (about 2 minutes)

The hidden risks of transitive dependencies

A significant portion of vulnerabilities is introduced through transitive dependencies: packages pulled in by the packages a developer chose, which the developer often does not know about but is now responsible for managing.

#4 (about 6 minutes)

How attackers exploit developers and packages

Attackers compromise developers using methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.
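The two chapters above, transitive dependencies and dependency confusion, both come down to reading the lockfile. The following is an added example, not code from the talk: it walks a constructed npm lockfile (v3 "packages" map; every package name, version and the internal registry host `npm.acme.internal` are hypothetical) to list which dependencies are transitive, and flags any package that matches the organisation's internal naming pattern but was resolved from the public registry, which is what a successful dependency-confusion attack leaves behind.

```javascript
// Added example (not from the talk): inspect an npm lockfile to separate direct from
// transitive dependencies, and to flag internal-looking packages that were resolved
// from the public registry, the fingerprint of a dependency-confusion attack.
// The lockfile object and all package names below are constructed for illustration.
const LOCKFILE = {
  name: "md-preview-demo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "markdown-it": "^13.0.0", "acme-telemetry": "^1.2.0" } },
    "node_modules/markdown-it": {
      version: "13.0.1",
      resolved: "https://registry.npmjs.org/markdown-it/-/markdown-it-13.0.1.tgz",
      dependencies: { entities: "~3.0.1", "linkify-it": "^4.0.1" },
    },
    "node_modules/entities": {
      version: "3.0.1",
      resolved: "https://registry.npmjs.org/entities/-/entities-3.0.1.tgz",
    },
    "node_modules/linkify-it": {
      version: "4.0.1",
      resolved: "https://registry.npmjs.org/linkify-it/-/linkify-it-4.0.1.tgz",
      dependencies: { "uc.micro": "^1.0.1" },
    },
    "node_modules/uc.micro": {
      version: "1.0.6",
      resolved: "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz",
    },
    // An internal package name, but the lockfile says it came from the PUBLIC registry
    // at an implausibly high version: the classic dependency-confusion outcome.
    "node_modules/acme-telemetry": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-telemetry/-/acme-telemetry-99.0.0.tgz",
    },
  },
};

// "node_modules/a/node_modules/b" -> "b"
function pkgName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Breadth-first walk from the root's declared dependencies. Records the shortest
// depth at which each package is reachable: 1 = direct, anything deeper = transitive.
function dependencyDepths(lock) {
  const byName = new Map(
    Object.entries(lock.packages)
      .filter(([key]) => key !== "")
      .map(([key, meta]) => [pkgName(key), meta])
  );
  const depth = new Map();
  let frontier = Object.keys(lock.packages[""].dependencies || {});
  for (let d = 1; frontier.length > 0; d++) {
    const next = [];
    for (const name of frontier) {
      if (depth.has(name)) continue;
      depth.set(name, d);
      const meta = byName.get(name);
      if (meta) next.push(...Object.keys(meta.dependencies || {}));
    }
    frontier = next;
  }
  return depth;
}

function transitiveDependencies(lock) {
  return [...dependencyDepths(lock)]
    .filter(([, d]) => d > 1)
    .map(([name]) => name)
    .sort();
}

// Dependency-confusion check: every package matching the internal naming pattern must
// have been resolved from the internal registry host. A public-registry URL means the
// installer preferred a same-named package that someone published publicly.
function confusedPackages(lock, internalNamePattern, internalRegistryHost) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === "" || !meta.resolved) continue;
    const name = pkgName(key);
    if (!internalNamePattern.test(name)) continue;
    if (new URL(meta.resolved).host !== internalRegistryHost) {
      hits.push({ name, version: meta.version, resolved: meta.resolved });
    }
  }
  return hits;
}

// Hypothetical internal naming convention and registry host.
const INTERNAL_NAMES = /^(@acme\/|acme-)/;
const INTERNAL_REGISTRY = "npm.acme.internal";

console.log("transitive:", transitiveDependencies(LOCKFILE));
console.log("possible dependency confusion:", confusedPackages(LOCKFILE, INTERNAL_NAMES, INTERNAL_REGISTRY));
```

Run against a real `package-lock.json` the same way (`JSON.parse(fs.readFileSync(...))`); the `resolved` URL check is the part worth wiring into CI, since it catches the confusion after the fact even when the version range in `package.json` looked harmless.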

#5 (about 5 minutes)

Why VS Code extensions are a prime target

The popularity of VS Code and its vast, often open-source, extension marketplace create a large and under-researched attack surface for compromising developers.

#6 (about 2 minutes)

Building a pipeline for automated extension analysis

A custom pipeline was built to download, extract, and run static and dynamic analysis on all extensions from the VS Code marketplace.
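To make the static-analysis stage concrete, here is an added example that is not the speaker's pipeline. A VSIX is a zip archive whose manifest and code sit under `extension/`; this code takes an already-extracted extension (a constructed, hypothetical one is embedded as input), reads its `package.json`, greps its JavaScript for the patterns that matter for the bugs in this talk (local HTTP or WebSocket servers, listeners bound to every interface, process execution, dynamic evaluation) and decides whether the extension should go on to the dynamic stage. The rule set and the `needsDynamicAnalysis` heuristic are the example's own.

```javascript
// Added example, not the speaker's pipeline: the static-analysis stage, run over an
// extension that has already been downloaded and unzipped (a VSIX is a zip archive;
// the extension's manifest and code live under extension/). The extracted files below
// are a constructed, hypothetical extension used only as input.
const EXTRACTED = {
  "extension/package.json": JSON.stringify({
    name: "md-preview-demo",
    publisher: "example",
    version: "0.0.1",
    main: "./out/extension.js",
    activationEvents: ["*"],
    contributes: { commands: [{ command: "mdPreview.start", title: "Start preview" }] },
  }),
  "extension/out/extension.js": [
    "const http = require('http');",
    "const { exec } = require('child_process');",
    "const WebSocket = require('ws');",
    "function activate(context) {",
    "  const server = http.createServer((req, res) => { /* serve files */ });",
    "  server.listen(0, '0.0.0.0');",
    "  new WebSocket.Server({ server });",
    "  exec('open ' + process.env.HOME);",
    "}",
    "module.exports = { activate };",
  ].join("\n"),
};

// Source patterns worth a second look. Each hit is a lead for the dynamic stage, not a
// confirmed bug: a local server is fine if it is bound to loopback, authenticated and
// serves only what it should.
const RULES = [
  { id: "local-http-server", re: /\bhttps?\.createServer\s*\(/, why: "hosts a local HTTP server that browser pages can reach" },
  { id: "websocket-server", re: /\bWebSocket\.Server\b|\bWebSocketServer\b/, why: "hosts a local WebSocket server" },
  { id: "bind-all-interfaces", re: /\.listen\s*\([^)]*['"]0\.0\.0\.0['"]/, why: "listener bound to every interface instead of 127.0.0.1" },
  { id: "shell-exec", re: /\b(exec|execSync|spawn|spawnSync)\s*\(/, why: "spawns a process or shell command" },
  { id: "dynamic-eval", re: /\beval\s*\(|\bnew\s+Function\s*\(/, why: "evaluates code built at runtime" },
];

function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

function analyzeExtension(files) {
  const manifest = JSON.parse(files["extension/package.json"]);
  const findings = [];

  // Manifest check: "*" means the extension's code runs in every VS Code window,
  // whether or not the user ever invokes it, so any listener it opens is always on.
  if ((manifest.activationEvents || []).includes("*")) {
    findings.push({ file: "extension/package.json", line: null, rule: "activate-on-startup",
      why: "activationEvents contains '*'" });
  }

  // Source checks: one finding per rule per file, reporting the first matching line.
  for (const [file, src] of Object.entries(files)) {
    if (!file.endsWith(".js")) continue;
    for (const rule of RULES) {
      const m = rule.re.exec(src);
      if (m) findings.push({ file, line: lineOf(src, m.index), rule: rule.id, why: rule.why });
    }
  }

  const hit = new Set(findings.map((f) => f.rule));
  return {
    id: `${manifest.publisher}.${manifest.name}@${manifest.version}`,
    findings,
    // Anything that opens a listener goes on to dynamic analysis (run the extension,
    // find the port, probe the endpoints). Everything else can be triaged from the report.
    needsDynamicAnalysis: hit.has("local-http-server") || hit.has("websocket-server"),
  };
}

const report = analyzeExtension(EXTRACTED);
console.log(JSON.stringify(report, null, 2));
```

Regex rules like these are deliberately noisy; the point of a pipeline over the whole marketplace is to shrink thousands of extensions down to the few hundred that open a socket, which is where the manual and dynamic work then goes.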

#7 (about 5 minutes)

Exploiting path traversal in the Instant Markdown extension

The Instant Markdown extension contained a path traversal vulnerability in its local web server, allowing an attacker to read arbitrary files from the user's machine.

#8 (about 11 minutes)

Bypassing browser security to exploit local servers

An attacker can sidestep the browser's same-origin restrictions (CORS) by tricking the user into downloading a malicious file and then using the path traversal vulnerability to have the local server serve that file from its own localhost origin. The resulting XSS on localhost runs in the server's origin, so the attacker's script can read further local files through the same server and exfiltrate them.
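The two chapters above share one root cause, so one added example covers both. This is not code from the Instant Markdown extension or from the talk: it shows how a `path.join`-style resolution lets `..` climb out of the served folder, and a hardened request check that (a) requires the normalised path to stay under the root, (b) refuses requests a cross-site page initiated, via `Sec-Fetch-Site`, (c) requires a per-launch random token in the URL, and (d) never serves HTML or SVG from this origin, which is what turns a downloaded file into localhost XSS. The root `/home/dev/notes`, the token and the extension allowlist are assumptions of the example.

```javascript
// Added example, not code from the Instant Markdown extension or from the talk: how a
// traversal escapes a local server's document root, and a hardened request check that
// closes both the file read and the "serve my downloaded HTML from localhost" trick.
// Pure functions over POSIX paths, so nothing listens; ROOT and the token are assumed.
const ROOT = "/home/dev/notes";

// Resolve "." and ".." the way path.join does. Note that ".." happily climbs above the
// root: normalisation is not containment.
function joinLikePathJoin(root, urlPath) {
  const parts = [];
  for (const seg of (root + "/" + urlPath).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { parts.pop(); continue; }
    parts.push(seg);
  }
  return "/" + parts.join("/");
}

// Vulnerable shape: decode, join with the root, and trust the result.
function vulnerableResolve(root, urlPath) {
  return joinLikePathJoin(root, decodeURIComponent(urlPath));
}

// Hardened: decode once, normalise, then require the result to be the root or below it.
// Returns null for anything that escapes (or that is malformed).
function hardenedResolve(root, urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath); } catch { return null; }
  if (decoded.includes("\0")) return null;
  const full = joinLikePathJoin(root, decoded);
  const rootNorm = joinLikePathJoin("", root);
  return full === rootNorm || full.startsWith(rootNorm + "/") ? full : null;
}

// Only the formats the preview actually needs. No .html (an attacker-controlled HTML
// file served from this origin is the XSS) and no .svg (scriptable).
const SERVABLE = new Set([".md", ".markdown", ".png", ".jpg", ".jpeg", ".gif", ".css"]);

// Decide how to answer one request. `req` mimics Node's IncomingMessage: `url` and a
// lower-cased `headers` map. `token` is a per-launch random secret the extension puts
// into the URL it opens, so an attacker's page cannot construct a URL the server answers.
function serveDecision(req, root, token) {
  const [pathPart, query = ""] = req.url.split("?");
  // Browsers set Sec-Fetch-Site themselves; a page on attacker.example cannot make it
  // say "same-origin" or "none", so its navigations and fetches are refused up front.
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin" && site !== "none") return { status: 403 };
  if (new URLSearchParams(query).get("token") !== token) return { status: 404 };
  const file = hardenedResolve(root, pathPart);
  if (file === null) return { status: 404 };
  const dot = file.lastIndexOf(".");
  const ext = dot < 0 ? "" : file.slice(dot).toLowerCase();
  if (!SERVABLE.has(ext)) return { status: 404 };
  return {
    status: 200,
    file,
    headers: {
      "X-Content-Type-Options": "nosniff", // the browser must not guess a scriptable type
      "Content-Security-Policy": "default-src 'none'; img-src 'self'; style-src 'self'",
    },
  };
}

console.log(vulnerableResolve(ROOT, "/../../../etc/passwd")); // escapes the root
console.log(hardenedResolve(ROOT, "/../../../etc/passwd"));   // null
```

Binding the listener to `127.0.0.1` is necessary but not sufficient: every browser on the machine is already on the right side of that boundary, which is why the request-level checks above matter.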

#9 (about 5 minutes)

Remote code execution in the LaTeX Workshop extension

The LaTeX Workshop extension allowed remote code execution: after brute-forcing the port of its local WebSocket server, an attacker could reach an insecure API call through that server.
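Two lessons from this chapter can be shown in code: a random localhost port is not an access control, because a web page can simply try every port, and a message handler must not let the client choose what runs. The following is an added example and is not code from LaTeX Workshop or from the talk; the server is simulated in-process (no sockets), and the preview origin `http://127.0.0.1:38117`, the token and the `revealLine`/`refreshPreview` actions are hypothetical.

```javascript
// Added example, not code from LaTeX Workshop or from the talk: why a random localhost
// port is not an access control, what a local WebSocket server should verify at upgrade
// time, and the shape of a message handler that cannot be turned into code execution.
// Everything is simulated in-process; origins, ports, token and actions are hypothetical.

// Origin of the extension's own preview page (assumed).
const PREVIEW_ORIGIN = "http://127.0.0.1:38117";

function randomPort(lo = 1024, hi = 65535) {
  return lo + Math.floor(Math.random() * (hi - lo + 1));
}

// Simulated local WebSocket endpoint. Pass no options to get the weak configuration
// (any Origin, no token); pass both to get the hardened one.
class LocalWsServer {
  constructor({ token = null, allowedOrigins = null } = {}) {
    this.port = randomPort();
    this.token = token;                   // null: no authentication
    this.allowedOrigins = allowedOrigins; // null: any Origin accepted
  }
  // Would this upgrade request be accepted? `origin` is the browser-set Origin header,
  // which a web page cannot forge; `url` is the request target including any query.
  tryUpgrade(port, { origin, url }) {
    if (port !== this.port) return false;
    if (this.allowedOrigins && !this.allowedOrigins.includes(origin)) return false;
    if (this.token !== null) {
      const presented = new URL(url, "ws://127.0.0.1").searchParams.get("token");
      if (presented !== this.token) return false;
    }
    return true;
  }
}

// What an attacker's page does: new WebSocket("ws://127.0.0.1:" + p) for every p.
// The browser supplies Origin: https://attacker.example; the page cannot change it.
function bruteForce(server) {
  let attempts = 0;
  for (let p = 1024; p <= 65535; p++) {
    attempts++;
    if (server.tryUpgrade(p, { origin: "https://attacker.example", url: "/" })) {
      return { found: p, attempts };
    }
  }
  return { found: null, attempts };
}

// Vulnerable message handler shape: the client names the thing to run and its args.
// `runCommand` stands in for whatever execution API sits behind it.
function vulnerableDispatch(rawMessage, runCommand) {
  const m = JSON.parse(rawMessage);
  return runCommand(m.command, m.args);
}

// Hardened: a fixed table of actions, each validating its own arguments. The client
// never supplies a program name, a shell string or a path.
const ACTIONS = {
  refreshPreview: () => ({ ok: true, action: "refreshPreview" }),
  revealLine: (args) =>
    Number.isInteger(args.line) && args.line >= 0
      ? { ok: true, action: "revealLine", line: args.line }
      : { ok: false, error: "line must be a non-negative integer" },
};

function hardenedDispatch(rawMessage) {
  let m;
  try { m = JSON.parse(rawMessage); } catch { return { ok: false, error: "not JSON" }; }
  if (m === null || typeof m !== "object") return { ok: false, error: "not an object" };
  // hasOwnProperty.call keeps "constructor" / "__proto__" from resolving to a handler.
  const handler = Object.prototype.hasOwnProperty.call(ACTIONS, m.type) ? ACTIONS[m.type] : null;
  if (!handler) return { ok: false, error: "unknown action" };
  return handler(m.args || {});
}

const weakServer = new LocalWsServer();
console.log("weak server found after", bruteForce(weakServer).attempts, "attempts");
const strongServer = new LocalWsServer({ token: "s3cr3t", allowedOrigins: [PREVIEW_ORIGIN] });
console.log("strong server found:", bruteForce(strongServer).found);
```

In a real Node extension the `tryUpgrade` logic belongs in the HTTP server's `upgrade` handler (or the WebSocket library's client-verification hook), and the token is generated at activation and handed only to the extension's own preview page, never logged or embedded in a predictable place.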

#10 (about 3 minutes)

Impact and mitigation of extension vulnerabilities

Developers can reduce their exposure by sticking to widely used, actively maintained extensions, while extension maintainers should follow security best practices and fix disclosed vulnerabilities promptly.
