A newly flagged VSCode plugin named JuanFranBlanco.solidit-vscode has stirred alarm within the developer community. According to a report by PANews, the plugin, highlighted by SlowMist Technology's Chief Information Security Officer 23pds on the X platform (formerly Twitter), appears to have artificially inflated its download numbers using questionable methods. The plugin's listing raises a further red flag: its identifier contains a conspicuous spelling error, 'solidit'.
The plugin has only been available for a couple of days, and it remains unclear how many developers may have unknowingly installed it. The incident highlights the growing danger of supply chain attacks aimed at software developers, in particular through unreviewed VSCode plugins and npm packages, both of which have become hotspots for security vulnerabilities.
Developers are advised to exercise caution when installing any third-party plugin or package and to verify its source carefully before proceeding, so as to minimize potential security risks.
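One concrete way to act on that advice is to check the extensions actually installed on a workstation against a short allowlist of the identifiers a team has vetted, and to flag anything whose name is only an edit or two away from a trusted one, which is exactly the pattern the 'solidit' identifier above shows. The script below is an added example and is not code from PANews, SlowMist or any extension author. It assumes the output format of `code --list-extensions --show-versions`, one `publisher.name@version` per line; the allowlist entries and the sample installed-extension lines are constructed for the example, and the choice of `JuanBlanco.solidity` as the trusted Solidity extension is an assumption, not a claim made by the article.

```python
"""Flag installed VSCode extensions that look like typosquats of vetted ones.

Added example (not from the article). Feed it the lines printed by
`code --list-extensions --show-versions` (assumed format: publisher.name@version)
and an allowlist of identifiers your team has reviewed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Lower-case the extension name and drop filler tokens such as 'vscode'
    so that 'solidit-vscode' is compared as 'solidit'."""
    tokens = name.lower().replace("_", "-").split("-")
    return "-".join(t for t in tokens if t and t != "vscode")


def parse_extension_line(line: str) -> tuple[str, str, str]:
    """'Publisher.name@1.2.3' -> ('Publisher', 'name', '1.2.3'); version may be ''."""
    ident, _, version = line.strip().partition("@")
    publisher, _, name = ident.partition(".")
    if not publisher or not name:
        raise ValueError(f"not a publisher.name identifier: {line!r}")
    return publisher, name, version


@dataclass(frozen=True)
class Finding:
    installed: str        # identifier as installed (without version)
    lookalike_of: str     # trusted identifier it resembles
    name_distance: int    # edit distance between normalised names
    publisher_distance: int
    reason: str


def flag_lookalikes(installed_lines: Iterable[str], trusted_ids: Iterable[str],
                    max_name_distance: int = 2) -> list[Finding]:
    """Return a Finding for every installed extension that is NOT on the allowlist
    but whose name is within max_name_distance edits of an allowlisted name."""
    trusted = [parse_extension_line(t)[:2] for t in trusted_ids]
    trusted_lower = {f"{p}.{n}".lower() for p, n in trusted}
    findings: list[Finding] = []
    for line in installed_lines:
        if not line.strip():
            continue
        pub, name, _ = parse_extension_line(line)
        ident = f"{pub}.{name}"
        if ident.lower() in trusted_lower:
            continue  # exact allowlisted identifier, nothing to report
        for tpub, tname in trusted:
            nd = levenshtein(normalize_name(name), normalize_name(tname))
            if nd > max_name_distance:
                continue
            pd = levenshtein(pub.lower(), tpub.lower())
            reason = ("same name, different publisher" if nd == 0
                      else "near-miss name (possible typosquat)")
            findings.append(Finding(ident, f"{tpub}.{tname}", nd, pd, reason))
    return findings


# Constructed sample input, shaped like `code --list-extensions --show-versions`.
SAMPLE_INSTALLED = [
    "JuanFranBlanco.solidit-vscode@0.0.1",
    "ms-python.python@2024.0.0",
    "esbenp.prettier-vscode@10.1.0",
]
# Constructed allowlist; the Solidity entry is an assumed trusted identifier.
SAMPLE_TRUSTED = ["JuanBlanco.solidity", "ms-python.python", "esbenp.prettier-vscode"]


if __name__ == "__main__":
    import subprocess
    try:  # use the real installed list when the `code` CLI is on PATH
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True).stdout
        lines = out.splitlines()
    except (OSError, subprocess.CalledProcessError):
        lines = SAMPLE_INSTALLED
    for f in flag_lookalikes(lines, SAMPLE_TRUSTED):
        print(f"{f.installed}: {f.reason}; resembles {f.lookalike_of} "
              f"(name distance {f.name_distance}, publisher distance {f.publisher_distance})")
```

The name and publisher distances are reported separately on purpose: a lookalike with distance 0 on the name but a different publisher points at publisher impersonation, while a small non-zero name distance under a similar publisher is the typosquat pattern. Tune `max_name_distance` to the length of the names on your allowlist; 2 is a reasonable default for short identifiers and produces few false positives on a typical team allowlist.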