// #extension-security

2 articles

Microsoft has released VS Code 1.101 with a configurable two-hour delay on automatic extension updates. The change is a direct response to supply chain attacks in which malicious updates were pushed to popular extensions, executing on developer machines within minutes of publication. The delay gives security teams a detection window before malicious updates execute across the developer fleet.

Jun 8, 2026 #vscode +7

💻 AppSec

Magento Extension Supply Chain Risk: CVE-2026-45247 and the Third-Party Plugin Attack Surface

CVE-2026-45247 in the Mirasvit Full Page Cache Warmer illustrates a structural security problem in the Magento ecosystem: eCommerce site security is determined not just by the core platform version, but by every third-party extension installed. This guide covers how to assess and reduce the Magento extension attack surface.

Jun 4, 2026 #magento +7

Commentary tagged #extension-security

Opinion

The Third-Party Plugin Is the Perimeter Now — Magento Today, Your Stack Next

CVE-2026-45247 in the Mirasvit Magento extension continues a pattern that security teams have been watching for years: the attack surface of any complex platform is not defined by the core platform's security — it is defined by every third-party component installed on it. This is not a Magento problem. It is an architecture problem that affects every enterprise platform stack.

CipherWatch Editorial

Security Intelligence Platform

Jun 5, 2026

VS Code Adds Two-Hour Extension Auto-Update Delay to Reduce Supply Chain Attack Window

Magento Extension Supply Chain Risk: CVE-2026-45247 and the Third-Party Plugin Attack Surface

Commentary tagged #extension-security

The Third-Party Plugin Is the Perimeter Now — Magento Today, Your Stack Next