🍩 Your .md just got a side job 🕵️💻🐴


 🚨 OX Security dropped a report on four popular VS Code extensions - combined 128.5 million installs - and found that all four could be abused to steal files, scan internal networks, or execute arbitrary code on developer machines. Three CVEs remain unpatched months after disclosure.

Let me pick one, which I personally use:

  • Markdown Preview Enhanced (~8.5M installs) - CVE-2025-65716, CVSS 8.8 High - UNPATCHED

Yet another one: built by an enthusiast developer, not a security-hardened enterprise product lab. 8.5 million installs of something someone built lovingly and which suddenly faces a Fortune-100-scale security response expectation.

CVE-2025-65716 (CVSS 8.8) - the bug is a JavaScript injection in the preview pane. A malicious .md file can execute injected JS when you preview it.

Your own notes and README files are fine. The bug bites when you open and preview an external, hostile Markdown file from an untrusted source - not just by having the extension installed and quietly sitting. And zero known real-world attacks. All demonstrations are researcher PoC - security folks showing that yes, they can scan ports and drain data using a malicious Markdown file. The classic lab "look what we could do." Not "this is already happening to thousands of developers."

Of course, now that the PoCs and writeups are public and nicely documented, that gap is closing. Any bug with a working proof-of-concept is basically a free instruction pamphlet for bored attackers.

Who Should Worry

  • Solo devs using these extensions: real but bounded risk - you need to preview specifically hostile external files.
  • Enterprise teams with developers running unaudited extensions: this is your supply-chain blind spot.

Who Should Relax

  • Users who never preview external/untrusted .md files with Markdown Preview Enhanced.

What To Do

  • For Markdown Preview Enhanced: don't use it to preview .md files from untrusted external sources. Use VS Code's built-in Markdown preview for anything you didn't write yourself.
  • For Corporate users - provide whitelist of VSC plugins, block others.


Treat external Markdown like you treat external HTML - with a healthy dose of suspicion and a hard look before you render it. 😎


#FUDThursdays #FUDThu #JackTheHypeRipper #HypeRipper #HypeHush #Hushtag #VSCode #Extensions #SupplyChain #DevSecOps #InfoSec


References:

- OX Security - VS Code Extension Vulnerabilities Report: https://www.ox.security/blog/critical-vulnerabilities-found-in-4-popular-vscode-extensions/

- CVE-2025-65716 - NVD (Markdown Preview Enhanced): https://nvd.nist.gov/vuln/detail/CVE-2025-65716

- Markdown Preview Enhanced - GitHub: https://github.com/shd101wyy/markdown-preview-enhanced

Comments

Post a Comment

Popular posts from this blog

🚨 FUD Thursdays with Jack The HypeRipper 🎩 😎

Image
Hi 👋 🤙 I’m Jacek Fleszar (Jack) , a cybersecurity expert based in Poland, with 20+ years in the field. Most of my career was in international banks, and among other teams, I worked in the fascinating world of Cyber Intelligence. My true passion has always been cybersecurity itself - in every form. I love it from the deeply (socio)technical side to the truly (psycho)logical puzzles. Cyber is simply my sandbox with shiny but a bit dirty toys. Life can be as unpredictable as a zero-day! After some tough personal turns in recent years and a career shift toward development, I stayed quiet for a while - stepping back from public talks, conferences, and social spaces. But now it’s time to re-emerge, reconnect, and share again! 🚀 That’s why I’m launching FUD Thursdays to tackle Fear, Uncertainty, and Doubt. Each week, I’ll dissect the most hyped cybersecurity stories and cut through the noise! The name’s inspired by Poland’s Fat Thursday tradition - when we eat way too many doughnuts b...
Read more

🇵🇱 ☕️ Hyper Ipper Coffee Break in Polish (too) / Siorb kawę bezpiecznie! ☕️ 🦹‍♂️

Image
  🇬🇧 🇺🇸 After the warm welcome for the main blog, I'm launching "Hyper Ipper Coffee Break" – a biweekly mini-series with practical, non-technical cyber safety bits and quick scam-spotting guides.   Full posts will be in Polish with a condensed English summary. For English 🇬🇧 🇺🇸 scroll down! 👇 ----- 🇵🇱 Cześć przyjaciele i znajomi! 👋 SIORB KAWĘ I BROŃ SIĘ PRZED CYBER-ZŁOLAMI! ☕️ 🦹‍♂️ Po ciepłym przyjęciu bloga i FUD Thursdays wielu z Was pisało:   "Ej, może coś prostszego? Po polsku? Tak do kawy?".   I oto jest – ✨"Hyper Ipper do kawusi"✨ – lekka seria, trochę z jajem, do czytania do kawusi. Dla Ciebie i dla babci. Jak babcia poczyta, to pan z mocnym akcentem, co dzwoni z banku, sam jej zrobi Blika na wełniane skarpety. 🧶 😎 "Hyper Ipper do kawusi", czyli co? - Co dwa tygodnie (żebym się nie zasapał) - Dla ziomali po polsku i krótko po angielsku (dla dudes & chaps abroad) - Krótsze niż instrukcja ekspresu, dłuższe od sms-a dzi...
Read more

Hi, Jack! Notepad++ "hi jack" hype?

🚨 @JackTheHyperipper : Notepad++ "hijack" hype? Let's look & Rip it! 😎 Discriminating, selective targeting + only v8.8.1–8.8.8, June-Dec 2025 updates. Worry if: 💀 Logs:  gup.exe/AutoUpdater.exe/update.exe  → non-official OR getDownloadUrl.php redirects 🤔 Having v8.8.9+ now does not guarantee you didn't update in June-Dec so check network logs for the time frame anyway. ✅ Manual DLs? Safe. Hush your chief! Official link: Notepad++ Statement #Hyperipper #HypeHush #ChiefHush #Hushtag TheHyperipper Post on X
Read more