Cybercriminals have begun to target Microsoft’s VSCode Marketplace. They posted three malicious Visual Studio extensions that were downloaded 46,600 times by Windows developers.
The virus allowed threat actors to steal passwords, and system information, and install a remote shell on the victim’s PC. Check Point analysts found the malicious extensions and reported them to the Microsoft Office 365 parent company.
On May 4, 2023, the extensions were identified and reported. Moreover, they were later withdrawn from the VSCode marketplace on May 14, 2023.
Any software developers who continue to use the harmful extensions must manually remove them from their computers. Furthermore, they should perform a full scan to detect any remaining infection.
Table of Contents
ToggleOn the VSCode Marketplace, there are malicious cases
Visual Studio Code (VSC) is a source-code editor developed by Google Workspace‘s rival parent company. It is used by a large number of professional software developers worldwide.
Microsoft also runs the VSCode Marketplace. It is an extension market for the IDE with over 50,000 add-ons that enhance the application’s capabilities and customization possibilities. Check Point researchers detected the following harmful extensions:
Theme Darcula dark
Billed as “an attempt to improve Dracula colours consistency on VS Code,”. This plugin was used to collect fundamental information about the developer’s machine, such as hostname, operating system, CPU platform, total RAM, and CPU information.
While the extension did not contain any additional malicious activities, it is not typical of theme pack behaviour. It is by far the most popular extension, with over 45,000 downloads.
Python-VSCode
Despite its empty description and uploader name of ‘testUseracc1111,’ this extension was downloaded 1,384 times. This demonstrates that having a decent name is enough to pique someone’s curiosity. Its code analysis revealed it is a C# shell injector capable of executing code or instructions on the victim’s PC.
Prettiest java
Based on the name and description of the extension, it was built to emulate the popular ‘prettier-java’ code formatting tool. In actuality, it stole stored credentials or authentication tokens from Discord and Discord Canary. Also Google Chrome, Opera, Brave Browser, and Yandex Browser, and then delivered them to the attackers. There have been 278 installations of the extension.
Check Point also discovered several suspicious extensions that displayed risky behaviour. This includes retrieving code from private repositories or downloading files.
Software repositories are fraught with danger
Software repositories that enable user contributions, such as NPM and PyPi, have repeatedly been shown to be dangerous to utilise since they have been a favourite target for threat actors.
The VSCode Marketplace is still being targeted, a company proved uploading malicious extensions to the VSCode Marketplace was rather simple. They also informed users about some extremely suspicious situations. However, they were unable to detect any malware.
The security company’s findings show that threat actors are now actively seeking to infect Windows developers with malicious contributions. Just like they do in other software repositories such as the NPM and PyPI.
Users of the VSCode Marketplace, as well as all user-supported repositories, are recommended to only install extensions from reputable publishers with a high number of downloads and community ratings, to read user reviews, and to always study the extension’s source code before installing it.