Alert for the VSCode developer community: malicious extensions found in the Marketplace
46,600 downloads: the attackers most likely collected a substantial amount of data before the extensions were pulled.
On May 4 this year, Check Point researchers discovered three malicious extensions hosted in the Microsoft VSCode Marketplace. The code embedded in the extensions allowed attackers to steal credentials and system information and to install a remote shell on the victim's computer. The extensions were removed ten days after discovery, but by then they had been downloaded a total of 46,600 times.
Developers who still have these extensions installed must remove them manually and run a full scan of their systems for any remnants of the infection. Because the extensions harvested saved credentials and authentication tokens, any that may have been exposed should also be rotated.
Visual Studio Code (VSCode) is a source code editor developed by Microsoft and used by a large share of professional software developers around the world.
Microsoft also manages a related extension directory for its editor, the VSCode Marketplace, which offers over 50,000 extensions that extend the program’s functionality and provide more customization options.
Check Point researchers have found the following malicious extensions:
- “Theme Darcula dark”, 45,000 downloads. Described as “an attempt to improve the consistency of Dracula colors in VS Code”. The extension collected basic information about the developer’s system, including hostname, operating system, processor platform, total memory, and processor details. Note that a color theme is supposed to be purely declarative and has no legitimate reason to run code at all.
- “python-vscode”, 1,384 downloads. Analysis of the extension’s code showed that it is a C# shell injector capable of executing arbitrary code or commands on the victim’s computer.
- “prettiest java”, 278 downloads. Judging by its name and description, it was created to mimic the popular “prettier-java” code formatting tool. The extension steals saved credentials and authentication tokens from Discord, Discord Canary, Google Chrome, Opera, Brave and Yandex Browser.
Check Point also found many other suspicious extensions that could not be safely characterized as malicious. However, they still exhibited unsafe behavior such as pulling code from private repositories or uploading files.
Incidents like this show that relying on developer package repositories and community-maintained extension catalogs carries real risks. We have written many times before about compromised packages in PyPI and npm.
As for the VSCode Marketplace itself, back in January Aqua Security (AquaSec) demonstrated that a malicious extension can be uploaded there quite easily without triggering the Marketplace’s built-in protections. Judging by this case, little has changed since then.
Users of the VSCode Marketplace and other public developer repositories are advised to install extensions only from trusted publishers, to prefer those with high download counts and community ratings, to read user reviews, and to check an extension’s source code before installing it. Keep in mind that popularity alone is no guarantee: “Theme Darcula dark” reached 45,000 downloads before it was removed.
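The following script is an added example, not part of the article and not Check Point’s tooling. It walks the local VS Code extension directory (the default ~/.vscode/extensions/<publisher>.<name>-<version>/ layout), flags any installed extension whose displayName matches one of the three names above, and lists heuristic indicators worth reading before trusting the code: spawning of child processes, dynamic code evaluation, references to browser credential store files, hard-coded IP addresses, and a color theme that declares an executable entry point. The indicator patterns and their labels are our own assumptions; a match is a prompt for manual review, not a verdict.

```python
"""Audit locally installed VS Code extensions for the names Check Point reported
and for behaviour worth a manual look (added example, not Check Point's tooling)."""
import json
import re
from pathlib import Path

# Display names of the three extensions named in the article, lower-cased for comparison.
REPORTED_DISPLAY_NAMES = {"theme darcula dark", "python-vscode", "prettiest java"}

# Heuristic review prompts for extension JavaScript (our own assumptions). None of
# these proves malice on its own: build tools legitimately spawn processes. But a
# colour theme or a code formatter has no business matching most of them.
INDICATORS = {
    "spawns processes": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "dynamic code eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "touches browser credential stores": re.compile(r"Login Data|Local State|leveldb", re.I),
    "contacts a raw IP address": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}


def is_reported_extension(manifest: dict) -> bool:
    """True if the manifest's displayName (or name) matches one of the reported extensions."""
    name = (manifest.get("displayName") or manifest.get("name") or "").strip().lower()
    return name in REPORTED_DISPLAY_NAMES


def theme_with_code(manifest: dict) -> bool:
    """A colour theme is purely declarative (contributes.themes); one that also declares
    a 'main' or 'browser' entry point ships code that runs inside the editor."""
    contributes = manifest.get("contributes") or {}
    return bool(contributes.get("themes")) and bool(manifest.get("main") or manifest.get("browser"))


def scan_source(js: str) -> list[str]:
    """Return the indicator labels that match the given JavaScript, in INDICATORS order."""
    return [label for label, rx in INDICATORS.items() if rx.search(js)]


def audit_extension_dir(ext_dir: Path) -> dict:
    """Audit one installed extension directory containing a package.json manifest."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    indicators = set()
    for js in ext_dir.rglob("*.js"):
        # Bundled dependencies would drown the signal; the extension's own (often
        # webpacked) code lives outside node_modules, e.g. in dist/ or out/.
        if "node_modules" in js.parts:
            continue
        indicators.update(scan_source(js.read_text(encoding="utf-8", errors="ignore")))
    if theme_with_code(manifest):
        indicators.add("theme declares an entry point")
    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        "displayName": manifest.get("displayName", ""),
        "reported": is_reported_extension(manifest),
        "indicators": sorted(indicators),
    }


def audit_installed(root: Path = Path.home() / ".vscode" / "extensions") -> list[dict]:
    """Audit every extension under the default VS Code extension directory."""
    if not root.is_dir():
        return []
    return [audit_extension_dir(d) for d in sorted(root.iterdir())
            if (d / "package.json").is_file()]


if __name__ == "__main__":
    for result in audit_installed():
        if result["reported"] or result["indicators"]:
            flag = "REPORTED" if result["reported"] else "review"
            print(f"[{flag}] {result['id']} ({result['displayName']}): "
                  f"{', '.join(result['indicators']) or 'name match'}")
            # Removal is a separate, deliberate step: code --uninstall-extension <id>
```

Run it with `python audit_vscode_extensions.py`; for anything flagged REPORTED, uninstall with `code --uninstall-extension publisher.name` using the printed id, then do the full scan and credential rotation described above. Entries flagged only for review should be read, not reflexively removed.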