Researchers have uncovered vulnerabilities in four widely used VS Code extensions, collectively installed more than 125 million times, raising renewed concerns about the security of the modern software development supply chain.

The affected extensions, Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, integrate directly into the Microsoft Visual Studio Code IDE, a development environment relied upon by millions of programmers worldwide. 

The findings were disclosed by OX Security researchers, who warned that the risks extend far beyond individual developer machines. “Our research demonstrates that a hacker needs only one malicious extension, or a single ...