Over 550 VS Code Extensions Leaked Sensitive Secrets

Researchers discovered over 550 secrets leaked by more than 500 VS Code extensions. Wiz Security found that many of these secrets were tied to high-risk platforms such as AWS, GCP, and GitHub, and could have been used for supply chain attacks if attackers had gained the ability to update the extension itself. Microsoft has now implemented secret scanning across its marketplace, blocking extensions that leak secrets. The affected developers have been contacted by Wiz and Microsoft, with Wiz focusing on those at highest risk and Microsoft cleaning up the rest. A partnership between Wiz and Microsoft aims to protect their customers.

Source: https://www.theregister.com/2025/10/15/vc_code_extension_leaks