Skip to content

Admin and devs are great targets

As we're getting better at protecting systems and accounts, attackers are moving to targeting admins and devs through the tools they use.

Patching, MFA, awareness - we are somewhat better at protecting systems and accounts. Attackers moved. The surface that still sits wide open is the tools admins and developers trust every day.

Infrastructure and dependencies

We have seen attacks on shared infrastructure: Log4Shell, the XZ Utils backdoor, the Polyfill drama. NPM keeps delivering dependency confusion, typosquatting, account takeover. XKCD already drew the dependency stack:

XKCD comic about a project depending on a random person in Nebraska
Modern infra often rests on one unpaid maintainer.

Devs and admins

Same pattern, closer to home. How many VS Code extensions do you run? Most developers I know have a dozen or more - I sit around fifteen on this site alone. Shell frameworks (oh-my-zsh and friends) with git, docker, ssh helpers. Admins use the same class of tools.

Those extensions are worse than a typical NPM dependency. They see your repo, env vars, tokens, sometimes keystrokes and SSH keys. Steal secrets. Inject code. Quietly.

What to do

CI already runs SAST/SCA on application deps. Almost nobody inventories IDE extensions or shell add-ons. Endpoint malware scanners are weak at this. Banning tools outright kills productivity.

Practical bar: awareness plus a lightweight vetting process for what gets installed on privileged machines. Not foolproof. Better than hoping the Marketplace badge means safe.

Do you know who wrote the obscure shell add-on on your path - and would you hand them your tokens?

Olivier Reuland