Supply chain attacks are getting interesting
A self-propagating worm targeting Visual Studio Code extensions has been identified as a sophisticated supply chain attack, prompting immediate security measures. Recommendations include reducing attack surfaces, monitoring employee workstations, applying least privilege for identity and access management, implementing efficient change management, training developers in secure coding, using security scanning tools, following secret management best practices, using only approved repositories, hardening the entire software supply chain, and advocating for government action on the insecure open source ecosystem.
“If the compromised extensions are folded into code, they harvest NPM, GitHub, and Git credentials left by developers in their work, drain funds from 49 cryptocurrency wallets, deploy SOCKS proxy servers on developer computers, install hidden VNX servers for remote access, and use stolen credentials to compromise additional packages and extensions.”
When key vaults and secret scanners are correctly configured, these risks are significantly reduced. Some basic AppSec goes a long way.
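As an added illustration (not code from the original post) of what a workstation secret scanner does against exactly the credential forms named in the quote: the script below checks a few constructed developer files for an npm `_authToken`, a GitHub token, a `user:token@host` entry of the kind found in `.git-credentials`, and a private key header, and reports each hit with the value redacted. The regexes, file names and token values are assumptions built for this example, not any vendor's detection rules.

```python
import re
from dataclasses import dataclass

# One rule per credential form a developer tends to leave on disk.
# Patterns are assumptions for this example, not a vendor ruleset.
RULES = {
    "npm_auth_token": re.compile(r"_authToken\s*=\s*(\S+)"),
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "git_credentials_url": re.compile(r"\bhttps?://[^:/\s]+:([^@\s]+)@"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str

def redact(secret: str) -> str:
    """Keep only a short prefix so a report can be shared without re-leaking the value."""
    return secret[:4] + "..." if len(secret) > 4 else "***"

def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line; a line can trigger more than one rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, rule, redact(secret)))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files with fake token values (no real credentials).
FAKE_NPM_TOKEN = "npm_FAKE" + "0" * 32
FAKE_GH_TOKEN = "ghp_" + "A" * 36
SAMPLE_FILES = {
    ".npmrc": "registry=https://registry.npmjs.org/\n"
              f"//registry.npmjs.org/:_authToken={FAKE_NPM_TOKEN}\n",
    ".git-credentials": f"https://alice:{FAKE_GH_TOKEN}@github.com\n",
    ".env": "API_URL=https://example.test\nDEBUG=true\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.rule} {f.redacted}")
```

The `.git-credentials` line deliberately fires two rules (the URL form and the token format), which is the behaviour you want from a scanner: overlapping rules catch a secret even when one pattern drifts.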