Three things made this work:
Auto-updates are on by default. Teams treat them as a convenience and don't review what's being pushed.
People trust the "verified" badge and high install counts. Those don't mean the code is safe.
Developers keep long-lived secrets on their machines. Once the extension ran, it had files to steal.
If you work in banking, fintech, or any environment where a compromised laptop creates real risk, you should change how you handle extensions:
Turn off auto-updates for extensions. Set a policy to wait at least 48 hours before pulling new versions. That gives time for bad updates to be found and revoked.
Only allow extensions from an approved list. Lock this with group policy or MDM so devs can't install outside it.
Stop storing secrets in .env files on disk. Use tools like 1Password CLI, Doppler, or Vault to fetch secrets when you need them and drop them from memory after.
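One way to follow that advice in application code, as an added example that is not from the original post: fetch the secret from a vault only when it is needed, hold it in a mutable buffer, and overwrite the buffer as soon as the work is done. The `ephemeral_secret` helper and `op_read_fetcher` names are assumptions made for this example; the `op read` invocation is the assumed 1Password CLI command line, and the demo uses a constructed stand-in fetcher so it runs offline.

```python
import subprocess
from contextlib import contextmanager


@contextmanager
def ephemeral_secret(fetch):
    """Fetch a secret on demand and hand it out as a bytearray.

    `fetch` is any zero-argument callable returning bytes (hypothetical
    interface chosen for this example). On exit the buffer is overwritten
    with zeros, so the secret does not linger in this object after use.
    Nothing is ever written to disk.
    """
    buf = bytearray(fetch())
    try:
        yield buf
    finally:
        for i in range(len(buf)):
            buf[i] = 0


def op_read_fetcher(reference):
    """Assumed fetcher that shells out to the 1Password CLI.

    `reference` is a secret reference such as "op://vault/item/field".
    This function is not exercised by the demo below; it is here to show
    how a real fetcher plugs into ephemeral_secret().
    """
    def fetch():
        result = subprocess.run(
            ["op", "read", "--no-newline", reference],
            check=True, capture_output=True,
        )
        return result.stdout
    return fetch


def constructed_fetcher():
    """Constructed stand-in for a vault lookup, so the demo runs offline."""
    return b"s3cr3t-api-token"


def demo(fetch=constructed_fetcher):
    """Use the secret inside the context, then confirm it was wiped.

    Returns (used_ok, wiped): whether the secret was usable while in scope
    and whether every byte is zero once the context has exited.
    """
    with ephemeral_secret(fetch) as token:
        # Realistic use would be building an Authorization header here;
        # we only check the value to avoid copying it into a new object.
        used_ok = token.startswith(b"s3cr3t")
    wiped = all(b == 0 for b in token)
    return used_ok, wiped


if __name__ == "__main__":
    print(demo())
```

The bytearray matters: Python `str` and `bytes` objects are immutable, so they cannot be scrubbed and stay in memory until the garbage collector reclaims them. The bytes returned by the fetcher itself has that limitation, so this pattern reduces exposure rather than eliminating it; the real win is that the secret never sits in a `.env` file on disk.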
Update your monitoring. Look for behavior, not just malware signatures. Alert on things like a single machine cloning repos it normally doesn't touch, or making a lot of unusual API calls.
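The two behavioural rules named above, as an added example that is not part of the original post: a small detector that reads JSON-lines events from a (constructed) endpoint log, flags a `git_clone` of a repo the host has never touched, and flags an API-call burst well above the host's usual hourly rate. The event schema, the hostnames, the baselines and the `BURST_MULTIPLIER` threshold are all assumptions made for this example; in practice the baselines would be built from a month or so of history.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baselines (assumption: derived offline from ~30 days of history).
BASELINE_REPOS = {
    "dev-laptop-17": {"org/web-frontend", "org/shared-ui"},
    "dev-laptop-42": {"org/payments-core", "org/ledger"},
}
BASELINE_API_PER_HOUR = {"dev-laptop-17": 2, "dev-laptop-42": 30}
BURST_MULTIPLIER = 5          # alert when calls in the window exceed 5x baseline
WINDOW = timedelta(hours=1)


def _line(ts, host, event, **extra):
    return json.dumps({"ts": ts, "host": host, "event": event, **extra})


# Constructed sample log (JSON lines): two normal clones, one clone of a repo
# the host has never touched, then 12 API calls in 12 seconds from one machine.
SAMPLE_LOG = "\n".join(
    [
        _line("2024-05-01T09:00:00", "dev-laptop-17", "git_clone", repo="org/web-frontend"),
        _line("2024-05-01T09:02:00", "dev-laptop-42", "git_clone", repo="org/ledger"),
        _line("2024-05-01T09:05:00", "dev-laptop-17", "git_clone", repo="org/payments-core"),
    ]
    + [
        _line(f"2024-05-01T09:10:{s:02d}", "dev-laptop-17", "api_call", endpoint="/v1/repos")
        for s in range(12)
    ]
)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline_repos=BASELINE_REPOS, baseline_rate=BASELINE_API_PER_HOUR,
           multiplier=BURST_MULTIPLIER, window=WINDOW):
    """Return a list of alert dicts for unusual clones and API-call bursts."""
    alerts = []
    recent = defaultdict(list)   # host -> timestamps of API calls inside the window
    muted_until = {}             # host -> time until which further burst alerts are suppressed
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["event"] == "git_clone":
            # Rule 1: a machine cloning a repo outside its own history.
            if ev["repo"] not in baseline_repos.get(host, set()):
                alerts.append({"rule": "unusual_clone", "host": host,
                               "ts": ts, "detail": ev["repo"]})
        elif ev["event"] == "api_call":
            # Rule 2: sliding-window count versus the host's baseline rate.
            calls = recent[host]
            calls.append(ts)
            while calls and ts - calls[0] > window:
                calls.pop(0)
            # A host with no baseline gets threshold 0, so its first call alerts.
            threshold = baseline_rate.get(host, 0) * multiplier
            if len(calls) > threshold and muted_until.get(host, datetime.min) <= ts:
                alerts.append({"rule": "api_burst", "host": host, "ts": ts,
                               "detail": f"{len(calls)} calls within {window}"})
                muted_until[host] = ts + window   # one alert per window per host
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises exactly two alerts: the clone of `org/payments-core` by `dev-laptop-17`, and the API burst from the same machine once its eleventh call in the hour crosses the 2 x 5 threshold. Muting after the first burst alert keeps a runaway process from producing one alert per request; the clone rule is deliberately strict because a first-time clone of a sensitive repo is exactly the signal the post describes.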
Attackers go after developer machines because the network perimeter is already tough. If your build tools are compromised, the code you ship is compromised.
Most teams already scan the code they write. Fewer teams lock down the tools they use to write it.
#DevSecOps #SupplyChainSecurity #AppSec #Engineering