🚨 Security Alert: Malicious Version Detected on Open VSX
Hi @panoply,
My name is Ilyas Makari, and I’m a malware researcher at Aikido Security. I wanted to let you know that we’ve identified a compromised version of your VS Code extension Liquid published on Open VSX.
Specifically:
sissel/shopify-liquid@4.0.1
This version appears to have been injected with malicious code that could trigger a payload when users install the extension.
We’ve already contacted Open VSX directly so they can take action on their side, but I wanted to make sure you’re aware as the maintainer. It would be a good idea to:
- Rotate your tokens and any associated credentials
- Enable MFA wherever possible
- Review recent account activity to ensure no other projects are affected
- Publish a new, clean version of the extension to help protect your users
We are still investigating the source of this attack, but we’ve seen a wave of similar attacks affecting multiple projects today.
If you’d like more technical details from our findings, I’d be happy to share them.