Devs of VS Code extensions are leaking secrets en masse

Security researchers discovered that VS Code extension developers accidentally exposed over 550 sensitive secrets like API keys, access tokens, and credentials across extension marketplaces. More than 100 of these leaked secrets could have allowed attackers to hijack extensions and push malware to around 150,000 users through VS Code's auto-update feature. Microsoft responded by implementing secrets-scanning across Visual Studio Marketplace in September, blocking extensions that contain sensitive data and protecting users from potential supply chain attacks.