9 January 2023

VSCode marketplace can be abused to target developers with malicious extensions

A new attack method involving the Visual Studio Code extensions Marketplace can be used by hackers to deliver malicious extensions to developers in a supply chain attack, researchers at AquaSec have found.

The technique “could act as an entry point for an attack on many organizations,” Aqua security researcher Ilay Goldman noted in a recent report.

Visual Studio Code is a lightweight source code editor maintained by Microsoft. It comes with built-in support for JavaScript, TypeScript, and Node.js and has a rich ecosystem of extensions for other programming languages (such as C++, C#, Java, Python, PHP, and Go), runtimes (such as .NET and Unity), environments (such as Docker and Kubernetes), and clouds (such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform).

According to Goldman, VS Code extensions carry inherent risk: every extension runs with the privileges of the user who opened VS Code and without any sandbox, so a malicious extension can install any program on the machine, including ransomware, wipers, and other malware.

“In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization’s repositories in GitHub,” Goldman said.

During its research, AquaSec found that it is fairly easy to upload a malicious extension disguised as a legitimate one to the Visual Studio Code Marketplace. The Marketplace also allows a threat actor to reuse the same name and publisher details as an existing extension, including the project repository information.

“Surprisingly, we were able to create a name which is an exact replica of a highly popular extension. This is allowed because when creating a new extension, you create it under a property called ‘displayName’ which is the extension’s name and publisher’s name that is being displayed in the extension’s page. These names do not need to be unique and, thus, anyone can enter almost any value desired under these names. Due to this, anyone can masquerade as almost any extension,” the report said.

Although this technique does not let an attacker replicate a legitimate extension's install count or number of stars, a determined attacker could manipulate those numbers by buying services on the dark web that inflate downloads and stars.

The researchers also found that the verification check mark assigned to authors could be bypassed because it only proves that the extension publisher is the actual owner of a domain.

“That means any domain. In reality, a publisher could buy any domain and register it to get that verified check mark,” Goldman explained.

As an experiment, the researchers created a proof-of-concept (PoC) extension disguised as the popular code formatting extension “Prettier”, which has over 27 million downloads, and uploaded it to the Visual Studio Code Marketplace. In just under 48 hours, the rogue extension had amassed more than a thousand installs by active developers worldwide.
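The weakness described above is that the name and publisher shown on an extension's page (`displayName` and the publisher's display name) are free text, while the value the Marketplace actually enforces as unique is the extension ID, `publisher.name`, taken from the extension's package.json. A defender can therefore check installed extensions against an allowlist keyed on that ID rather than on the displayed name. The script below is an added example written for this article, not code from AquaSec or Microsoft; the allowlist entry for Prettier and its expected ID are assumptions to be verified against the real Marketplace page, and the sample manifests are constructed.

```python
"""Flag installed VS Code extensions whose displayName imitates a well-known
extension but whose unique ID (publisher.name) does not match the expected one.
Added example for this article, not code from the Aqua report."""
import json
import re
from pathlib import Path

# Assumed allowlist: normalized displayName -> expected extension ID.
# The ID (publisher.name) is what the Marketplace keeps unique; displayName is
# free text, which is exactly what the report says a lookalike can copy.
# The Prettier entry is an assumption; confirm the ID on the Marketplace page.
EXPECTED_IDS = {
    "prettier code formatter": "esbenp.prettier-vscode",
}


def normalize(text):
    """Lowercase and collapse punctuation so cosmetic variations still match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def extension_id(manifest):
    """Build the unique ID from package.json fields 'publisher' and 'name'."""
    return f"{manifest.get('publisher', '')}.{manifest.get('name', '')}".lower()


def classify(manifest):
    """Return (extension_id, verdict): 'ok', 'lookalike' or 'unlisted'."""
    ext_id = extension_id(manifest)
    display = normalize(manifest.get("displayName", ""))
    expected = EXPECTED_IDS.get(display)
    if expected is None:
        return ext_id, "unlisted"          # not a watched display name
    if ext_id == expected:
        return ext_id, "ok"                # displayed name and real ID agree
    return ext_id, "lookalike"             # watched name, different publisher/ID


def scan_manifests(manifests):
    """Classify a list of parsed package.json dicts."""
    return [classify(m) for m in manifests]


def scan_extension_dir(root=None):
    """Read every installed extension's package.json from the default
    VS Code extensions directory (~/.vscode/extensions) and classify it."""
    root = Path(root) if root else Path.home() / ".vscode" / "extensions"
    manifests = []
    for pkg in root.glob("*/package.json"):
        try:
            manifests.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue                       # skip unreadable or malformed manifests
    return scan_manifests(manifests)


# Constructed sample manifests: a genuine entry, a lookalike with the same
# displayName under a different publisher, and an unrelated extension.
SAMPLE_MANIFESTS = [
    {"name": "prettier-vscode", "publisher": "esbenp",
     "displayName": "Prettier - Code formatter"},
    {"name": "prettier-vscode", "publisher": "example-impostor",
     "displayName": "Prettier - Code formatter"},
    {"name": "some-linter", "publisher": "example-publisher",
     "displayName": "Some Linter"},
]

if __name__ == "__main__":
    for ext_id, verdict in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{verdict:9s} {ext_id}")
```

Run against a real machine with `scan_extension_dir()`; anything reported as `lookalike` has the displayed name of a watched extension but a different publisher ID, which is the condition the PoC relied on. Install counts, stars and the verified check mark are deliberately not consulted, since the article explains that all three can be bought or inflated.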

“Ultimately, the threat of malicious VSCode extensions is real. Arguably, in the past, this hasn’t received the highest amount of attention perhaps because we haven’t yet seen a campaign in which it has left a huge impact. However, attackers are constantly working to expand their arsenal of techniques allowing them to run malicious code inside the network of organizations,” the researchers warned.
