[BREACH] VS Code extensions are now part of the supply chain

A lot of dev-tool incidents still get discussed like “someone installed a bad plugin.”

That misses the real issue. Some IDE extensions sit next to .env files, GitHub sessions, package tokens, cloud CLIs, terminals, and AI coding configs. That is not just productivity. That is inherited access with a marketplace page.

AlphaHunt unpacked the operator angle here: https://blog.alphahunt.io/breach-the-extension-had-the-keys?utm_source=reddit

Where does this usually fail first in real teams: extension approval, endpoint visibility, token rotation, or nobody owning the developer workbench?

Did you learn something new?