Extensive supply chain attack threat posed by critical Open VSX Registry bug
Supply chain, DevOps, Vulnerability Management

Millions of developers could have been exposed to a supply chain attack through a critical vulnerability in Open VSX Registry, the Eclipse Foundation's open-source alternative to the Visual Studio Code Marketplace, The Hacker News reports. According to a report from Koi Security, the flaw, which the Eclipse Foundation addressed with a final patch on Wednesday, stemmed from two weaknesses in the registry's auto-publishing process: arbitrary build-script execution across all auto-published extensions and their dependencies, and access to the OVSX_PAT environment variable. An attacker exploiting the flaw could have taken over the extension marketplace entirely and, from there, compromised developers' machines. "Every marketplace item is a potential backdoor. They're unvetted software dependencies with privileged access, and they deserve the same diligence as any package from PyPI, npm, Hugging Face, or GitHub. If left unchecked, they create a sprawling, invisible supply chain that attackers are increasingly exploiting," said Koi Security researcher Oren Yomtov.