Last month, researchers flagged 73 malicious VS Code extensions delivering GlassWorm v2 malware — backdoors that spread across IDEs and steal credentials from developers who thought they were installing productivity tools. The unsettling part: these extensions had been sitting in the marketplace since December 2025, building reputation before the malicious update dropped.
Then came the Checkmarx news. A supply chain attack through the Trivy ecosystem let attackers tamper with GitHub Actions workflows and VS Code plugins. The ripple effect: Bitwarden’s CLI npm package got briefly compromised. Source code, employee databases, API keys, and database credentials for an Israeli security company ended up on a dark web leak site.
These aren’t freak events. They’re the pattern now. And small businesses are especially exposed.
## The Trust Problem Nobody Talks About
Developers trust their tools. That’s the vulnerability. When you install an extension in your IDE, you’re handing a third party access to every file you open, every secret you type, every credential sitting in your environment variables. Legitimate extensions need these permissions to work. Malicious ones abuse them.
The 73 fake VS Code extensions followed a playbook that’s become standard: real-sounding names, copied descriptions from popular extensions, months of harmless behavior, then a poisoned update. By the time the payload fires, thousands of developers have already granted broad permissions.
For a small dev shop, one compromised machine means production access, client data, and potentially your entire CI/CD pipeline. The blast radius is massive.
## What’s Actually Hitting Small Businesses Right Now
The Checkmarx incident is the headline, but it’s one data point in a larger picture:
– Fake help desk operations are calling employees directly and landing in Slack DMs
– AI prompt injection is being used to booby-trap websites that your team visits
– Wiper malware variants originally built for energy infrastructure are being repurposed
– RMM tools are getting compromised, giving attackers persistent remote access that looks legitimate to antivirus software
– Phishing kits have become cheap enough that amateur operators are running them
Most small companies don’t have a security team. They have one or two IT people who are already stretched across everything else. When a convincing phishing message lands in an employee’s inbox, there’s no second set of eyes to catch it.
## What You Can Actually Do About It
This isn’t theoretical. Audit your developer tools today. Every VS Code extension, Chrome add-on, npm package, GitHub Action — if you can’t verify what it does and who maintains it, remove it. Tools like Socket.dev and Snyk can monitor dependencies automatically and flag behavior that changes after installation, like an extension suddenly trying to read your environment variables.
Lock down your CI/CD pipelines. If anyone with repo write access can modify workflow files, that’s an privilege escalation path. Use CODEOWNERS files, enforce branch protection, and audit who actually has workflow modification permissions. The Checkmarx attackers got in through GitHub Actions — a part of the stack most teams never review.
Treat your RMM software like critical infrastructure. If you use ConnectWise, Datto, or similar tools, enforce MFA everywhere, limit who has access, and watch for anomalies. Attackers target RMM because it gives them remote access that blends in with normal administrative activity.
For your help desk and frontline staff: run real scenario-based exercises, not the annual video training that everyone fast-forwards through. “You get a Teams message from IT asking you to run a command — what do you do?” Make it specific. Make it uncomfortable. The fake help desk operators rely on people not questioning authority.
Before installing any extension, check when it was published, who published it, and whether that publisher has a track record. A one-off extension with a thousand installs and broad permissions is a different risk than something from a known vendor. Better yet, maintain a curated list of approved extensions for your team instead of leaving it to individual judgment.
## The Hard Truth
Small businesses get hit not because attackers are particularly sophisticated, but because defenders don’t have the time. The economics of cybercrime have shifted: access to corporate networks gets sold on forums, phishing kits go for pocket change, and supply chain attacks turn every victim into a distributor.
You can’t out-budget this problem. But you can reduce exposure by focusing on the things attackers keep exploiting: trusted tools that turn malicious, overpermissioned integrations, and employees trained to trust anything that looks official.
Those 73 fake VS Code extensions are still out there. The next Trivy-style compromise is probably already in progress somewhere. The question is whether you’ll find out before it finds you.
