The OpenVSX Supply Chain Attack: Invisible Malware in VS Code - Bad Dependencies Podcast cover art

The OpenVSX Supply Chain Attack: Invisible Malware in VS Code - Bad Dependencies Podcast

The OpenVSX Supply Chain Attack: Invisible Malware in VS Code - Bad Dependencies Podcast

Listen for free

View show details

About this listen


In this episode of Bad Dependencies, Mackenzie Jackson and Charlie Eriksen dive into one of the most sophisticated malware incidents to target developers — the OpenVSX compromise. They unpack how attackers hid malicious code using Unicode obfuscation, discuss the shift from npm to VS Code extension attacks, and explore how the open-source ecosystem is responding. The episode also covers npm’s new token policies, trusted publishing, and what these changes mean for the future of supply chain security.Chapters:00:00 – Introduction & Discovery02:00 – What is OpenVSX and How It Works03:40 – Anatomy of the Malware Attack05:00 – Unicode Obfuscation and Detection08:20 – Attackers Move from npm to VS Code11:00 – npm’s Security Policy Overhaul17:40 – Trusted Publishing and the Future of Supply Chain Security
No reviews yet
In the spirit of reconciliation, Audible acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.