Software supply chain attacks exploit trust in legitimate platforms and extensions. By distributing malicious code through a trusted channel such as a marketplace extension, an attacker can compromise thousands of repositories at once, which shows that even well-established platforms and extensions are vulnerable when users install software without proper verification.
GitHub confirms breach of 3,800 repos via malicious VSCode extension
Oh, look, another day, another breach.
GitHub just confirmed that nearly 4,000 repositories got compromised through a malicious VS Code extension.
You know, that little text editor you trusted because everyone on Twitter said it was fine.
Here's the beautiful irony.
Developers spend all day lecturing us about security best practices while casually installing random extensions from the marketplace like they're browsing a sketchy app store in 2009.
And apparently, one of those extensions decided to help itself to some valuable source code and credentials.
The extension, naturally, looked legitimate enough to fool thousands of people.
It probably had a nice description, some stars, maybe even a couple of fake reviews.
The attacker basically walked in through the front door while everyone was too busy optimizing their Vim configuration to notice.
What makes this particularly delicious is that this is the open source community we're talking about.
The people who invented supply chain security in response to previous disasters.
And yet here we are again, watching the exact same movie with slightly different actors.
GitHub has since removed the extension and they're doing the whole responsible disclosure dance, but the damage is already done.
Your private keys, your API tokens, your unpublished code, it's all probably sitting in some attacker's database right now, and there's not much you can do about it except change literally everything.
The lesson here, if you even need one, is that trust is a currency we spend too freely in tech.
We see a few downloads and some decent marketing, and suddenly we're running arbitrary code on our machines without a second thought.
Link in bio for the full overfitted breakdown.