According to PANews, a suspicious VSCode plugin named JuanFranBlanco.solidit-vscode has been identified, raising concerns within the developer community. The plugin, highlighted by SlowMist Technology's Chief Information Security Officer 23pds through a repost of a post by X user @mrdotparasyte, appears to have an inflated download count achieved through questionable means. The plugin's details are also dubious: its identifier contains a conspicuous misspelling ('solidit').
The plugin has been available for two to three days, but it remains unclear how many developers have inadvertently installed it. This incident underscores the growing prevalence of supply chain attacks targeting developers, particularly through VSCode plugins and npm packages that undergo no official review, which have become hotspots for such threats.
Developers are advised to exercise caution and thoroughly evaluate third-party plugins or packages before installation to mitigate potential security risks.
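One defensive check a team can automate, as an added example that is not from the article: compare every installed extension identifier against an allowlist of trusted ones and flag near-misses such as the misspelled identifier above. The allowlist entries and the listing are constructed placeholders (only the suspicious identifier comes from the article); `code --list-extensions` is VS Code's own CLI command for printing installed extension ids.

```python
"""Flag installed VS Code extensions whose identifiers are near-misses of
trusted ones (a typosquatting check). Added example, not the article's code."""
from difflib import SequenceMatcher

# Constructed allowlist of trusted identifiers (publisher.name); placeholders.
TRUSTED = {
    "trusted-publisher.solidity",
    "ms-python.python",
}

# Constructed sample of `code --list-extensions` output. Only the first line
# is the identifier named in the article; the rest are placeholders.
SAMPLE_LISTING = """\
JuanFranBlanco.solidit-vscode
ms-python.python
trusted-publisher.solidity
"""


def split_id(ext_id):
    """Split 'publisher.name' into its two lower-cased parts."""
    publisher, _, name = ext_id.lower().partition(".")
    return publisher, name


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify(ext_id, trusted=TRUSTED, threshold=0.75):
    """Return 'trusted', 'lookalike' or 'unknown' for one identifier."""
    trusted_l = {t.lower() for t in trusted}
    if ext_id.lower() in trusted_l:
        return "trusted"
    pub, name = split_id(ext_id)
    core = name.split("-")[0]  # drop suffixes like '-vscode' before comparing
    for t in trusted_l:
        tpub, tname = split_id(t)
        # Close to a trusted name or publisher, but not equal: suspicious.
        if similarity(core, tname) >= threshold or similarity(pub, tpub) >= threshold:
            return "lookalike"
    return "unknown"


def audit(listing, trusted=TRUSTED):
    """Classify every non-empty line of a `code --list-extensions` listing."""
    return {line.strip(): classify(line.strip(), trusted)
            for line in listing.splitlines() if line.strip()}


if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE_LISTING).items():
        print(f"{verdict:9} {ext}")
```

A 'lookalike' verdict is a prompt for manual review, not proof of malice; tune the threshold against your own allowlist to keep false positives low.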