The Cloud Native Computing Foundation has announced the graduation of in-toto, a software supply chain security framework developed at NYU Tandon, which protects software integrity by verifying every step in the development lifecycle. With supply chain attacks on the rise, in-toto's ability to establish trust and demonstrate compliance is increasingly vital for organizations that want to innovate securely. The project has evolved from academic research into an industry standard, supported by major funding agencies and with notable adoption by companies such as SolarWinds and Autodesk.
The article analyzes the risks associated with supply chain vulnerabilities in the Visual Studio Code (VSCode) extension marketplaces. It highlights the potential threats to software security and integrity stemming from third-party extensions and provides insights on how developers can mitigate these risks.