DEV Community

TheJS PythonGuy
GitHub confirmed a breach last week that exposed around 3,800 internal repositories. The cause wasn't a zero-day. It was a VS Code extension.

Attackers took over the publisher token for Nx Console, which has about 2.2 million installs. They pushed a malicious JavaScript file to the VS Code Marketplace. It was up for 18 minutes before it got pulled. Because of auto-updates, that was enough time for it to hit developer machines and exfiltrate .env files and other credentials. Most EDR tools didn't catch it because it was plain JavaScript, not a compiled binary.

Three things made this work:

1. Auto-updates are on by default. Teams treat them as a convenience and don't review what's being pushed.
2. People trust the "verified" badge and high install counts. Those don't mean the code is safe.
3. Developers keep long-lived secrets on their machines. Once the extension ran, it had files to steal.

If you work in banking, fintech, or any environment where a compromised laptop creates real risk, you should change how you handle extensions:

1. Turn off auto-updates for extensions. Set a policy to wait at least 48 hours before pulling new versions. That gives time for bad updates to be found and revoked.
2. Only allow extensions from an approved list. Lock this with group policy or MDM so devs can't install outside it.
3. Stop storing secrets in .env files on disk. Use tools like 1Password CLI, Doppler, or Vault to fetch secrets at the moment you need them and discard them from memory afterwards.
4. Update your monitoring. Look for behavior, not just malware signatures. Alert on things like a single machine cloning repos it normally doesn't touch, or making a lot of unusual API calls.

Attackers go after developer machines because the network perimeter is already tough. If your build tools are compromised, the code you ship is compromised.
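The first two steps above (no silent auto-updates, only extensions from an approved list) are only useful if you can check that a machine actually complies. The script below is an added example, not from the post or from any vendor: it parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) and reports anything not on a pinned allowlist, or drifted from the pinned version, which is exactly what an auto-update that slipped past the 48-hour hold would look like. The allowlist entries and the installed-extension sample are constructed.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Input is the output of `code --list-extensions --show-versions`,
one `publisher.name@version` per line. All ids below are constructed
examples, not real extensions.
"""
from dataclasses import dataclass

# Extension id -> version approved by the security team (constructed).
ALLOWLIST = {
    "acme.linter": "1.4.2",
    "acme.git-tools": "3.0.0",
    "acme.themes": "0.9.1",
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_INSTALLED = """\
acme.linter@1.4.2
acme.git-tools@3.0.1
acme.themes@0.9.1
unknown.helper@2.2.0
"""


@dataclass(frozen=True)
class Finding:
    extension: str
    installed: str
    reason: str


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) for ordering; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def audit(installed_text: str, allowlist: dict) -> list:
    """Return one Finding per extension that is unapproved or off its pin."""
    findings = []
    for line in installed_text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue  # skip blanks and malformed lines
        ext, version = line.rsplit("@", 1)
        if ext not in allowlist:
            findings.append(Finding(ext, version, "not on approved list"))
        elif parse_version(version) > parse_version(allowlist[ext]):
            findings.append(Finding(ext, version, f"newer than pinned {allowlist[ext]} (auto-update?)"))
        elif parse_version(version) < parse_version(allowlist[ext]):
            findings.append(Finding(ext, version, f"older than pinned {allowlist[ext]}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INSTALLED, ALLOWLIST):
        print(f"{f.extension}@{f.installed}: {f.reason}")
```

Run it from an MDM or CI job against each developer machine and treat any "newer than pinned" finding as a policy violation to investigate, not a cosmetic warning.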

Most teams already scan the code they write. Fewer teams lock down the tools they use to write it.

#DevSecOps #SupplyChainSecurity #AppSec #Engineering
