
Supply Chain Analysis Reveals Security Flaws in Kickbacks.ai VS Code Extension
Cybersecurity, Malware, Supply Chain, Vulnerabilities
The Kickbacks.ai VS Code extension was found to have an empty public key, a relaxed Content Security Policy (CSP), and a 90-second unsigned self-update mechanism. It also employs a 60-second loop to reassert its presence. The extension is described as adware with a payout page.