Mikhail Kuznetcov
Vue3 practical development
#1 about 4 minutes
The expanding security responsibilities of developers
Digital transformation and cloud adoption have shifted infrastructure and configuration management to developers, significantly expanding their security scope beyond just application code.
#2 about 2 minutes
Shifting security testing left in the development lifecycle
Integrating security tools like static analysis and software composition analysis early in the development process reduces costs and keeps pace with agile iterations.
#3 about 2 minutes
The hidden risks of transitive dependencies
A significant portion of vulnerabilities are introduced through transitive dependencies, which developers are often unaware of but must now manage.
#4 about 6 minutes
How attackers exploit developers and packages
Attackers compromise developers using methods like dependency confusion, unpatched vulnerabilities, and malicious packages to initiate supply chain attacks.
#5 about 5 minutes
Why VS Code extensions are a prime target
The popularity of VS Code and its vast, often open-source, extension marketplace create a large and under-researched attack surface for compromising developers.
#6 about 2 minutes
Building a pipeline for automated extension analysis
A custom pipeline was built to download, extract, and run static and dynamic analysis on all extensions from the VS Code marketplace.
#7 about 5 minutes
Exploiting path traversal in the Instant Markdown extension
The Instant Markdown extension contained a path traversal vulnerability in its local web server, allowing an attacker to read arbitrary files from the user's machine.
#8 about 11 minutes
Bypassing browser security to exploit local servers
An attacker can bypass browser CORS policy by tricking a user into downloading a malicious file and then using a path traversal vulnerability to trigger XSS on localhost, enabling file exfiltration.
#9 about 5 minutes
Remote code execution in the LaTeX Workshop extension
The LaTeX Workshop extension allowed remote code execution by exploiting an insecure API call through its WebSocket server after brute-forcing the server port.
#10 about 3 minutes
Impact and mitigation of extension vulnerabilities
Developers can mitigate risks by using popular, maintained extensions, while maintainers should follow security best practices and promptly fix disclosed vulnerabilities.