Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI IDE extensions and secret theft: what security teams should do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9788
Topic starter  

TL;DR: Malicious VS Code and Cursor extensions can steal OAuth refresh tokens, exfiltrate environment variables, and run attacker-controlled code, turning developer tooling into a cloud access and secret-harvesting channel, according to Knostic's threat intelligence report. The pattern reinforces that IDE extensions now need the same governance attention as other software supply chain and identity-bearing endpoints.

NHIMG editorial — based on content published by Knostic: LLMjacking and malicious agentic supply chain findings in IDE extensions

By the numbers:

Questions worth separating out

Q: What breaks when a malicious IDE extension can read cloud credentials and environment variables?

A: The main failure is that the editor stops being a neutral tool and becomes a credential collection point.

Q: Why do IDE extensions complicate IAM and NHI governance?

A: They complicate governance because they behave like runtime identities with delegated authority, but they are rarely managed like service accounts or applications.

Q: How can security teams tell if a developer extension is behaving like malware?

A: Look for auto-activation, frequent polling to unfamiliar endpoints, browser automation, unexpected token reuse, and attempts to read broad environment state.

Practitioner guidance

  • Inventory IDE extensions as identity-bearing software Classify editor extensions by the data and credentials they can touch, then require approval for any extension that can read environment variables, request OAuth scopes, or auto-activate on startup.
  • Block broad OAuth grants from developer tooling Restrict cloud and AI OAuth flows used by local developer tools to the minimum scopes required, and revoke refresh tokens immediately when extensions change behaviour.
  • Detect extension-driven secret exposure at the endpoint Monitor for outbound polling, suspicious browser automation, unexpected use of eval, and large reads of process.env or equivalent environment state.

What's in the full article

Knostic's full threat-intelligence report covers the operational detail this post intentionally leaves for the source:

  • IOC-level indicators for the BCAI Rosetta extension, including package identifiers, hashes, and affected marketplace metadata
  • Static validation details showing how the refresh-token theft, OAuth scope abuse, and proxying behaviour were confirmed from the VSIX
  • Per-finding breakdowns for the KoltinSmith cluster, sunsetHighlight, and Musa-DSL, including which cases were malicious versus dangerous by design
  • Network fingerprints, callback ports, and attacker domains that help defenders build detection and hunting rules

👉 Read Knostic's analysis of malicious IDE extensions hijacking cloud credentials →

AI IDE extensions and secret theft: what security teams should do?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9272
 

IDE extensions are now a non-human identity problem, not just a code hygiene problem: when an editor plugin can request OAuth scopes, read environment variables, and proxy API calls, it behaves like an identity-bearing workload with its own lifecycle risk. Traditional software review catches code quality issues, but it does not model delegated access, refresh-token reuse, or runtime trust abuse. That gap is exactly where malicious extensions operate, so extension governance must sit inside IAM and NHI oversight rather than in developer tooling alone.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a marketplace extension steals cloud tokens?

A: Accountability is shared across the marketplace operator, the extension publisher, and the organisation that allowed the extension into a credential-bearing environment. Practically, security leaders own the policy for approval, monitoring, and revocation. If an extension can touch production access, it must be governed like any other third-party identity dependency.

👉 Read our full editorial: AI IDE extension supply chain abuse exposes cloud and secret risk



   
ReplyQuote
Share: