Wiz dug up 550+ leaked secrets buried in 500+ public VSCode extensions, including 130+ live access tokens for VSCode Marketplace and OpenVSX. That’s a wide-open door to supply chain attacks: whoever holds a live token can publish an update to that extension, and auto-update carries it to every install.
Microsoft reacted fast: revoked the leaked tokens, rolled out pre-publish secret scanning, and teamed up with extension authors to clean house and lock down the pipeline.