Cybercriminals have begun to target Microsoft’s VSCode Marketplace, posting three malicious Visual Studio extensions that were downloaded 46,600 times by Windows developers.
The malware allowed threat actors to steal passwords and system information and to install a remote shell on the victim’s PC, according to Check Point, whose analysts found the malicious extensions and reported them to Microsoft. The extensions were identified and reported on May 4, 2023, and were later withdrawn from the VSCode Marketplace on May 14, 2023.
Any software developers who continue to use the harmful extensions must manually remove them from their computers and perform a full scan to detect any remaining infection.
Malicious cases on the VSCode Marketplace
Microsoft’s Visual Studio Code (VSC) is a source-code editor used by a sizable portion of the world’s professional software engineers.
The VSCode Marketplace, run by Microsoft, is a repository of add-ons for the IDE. These add-ons extend the editor’s functionality and give users more customisation options.
The following are the harmful extensions that Check Point researchers have found:
“Theme Darcula dark” – Described as “an attempt to improve Dracula colours consistency on VS Code,” this plugin was used to steal essential details about the developer’s machine, including hostname, operating system, CPU platform, total RAM, and CPU information.
Although there was no further malicious activity in the extension, this is not the behaviour one would expect from a theme pack.
With over 45,000 downloads, this extension has by far the greatest usage.
‘python-vscode’ – This extension was downloaded 1,384 times despite having no description and the uploader name ‘testUseracc1111’, showing that a catchy name can be enough to spark interest.
A review of its source code revealed that it is a C# shell injector that has the ability to run programmes or instructions on the victim’s computer.
Additionally, Check Point discovered a number of dubious extensions that, although not necessarily malicious, showed risky behaviour by downloading files or requesting code from untrusted sources.
Software Repositories Come Loaded with Risk
Software repositories that accept user contributions, such as NPM and PyPI, have repeatedly proven risky to use because they are a favourite target for threat actors.
The VSCode Marketplace is not a new target: AquaSec showed in January that uploading malicious extensions to the VSCode Marketplace was rather simple and documented some highly suspicious cases, although they were unable to find any actual malware at the time.
Check Point’s findings show that threat actors are now actively seeking to infect Windows developers with malicious contributions, much as they do in other software repositories such as NPM and PyPI.
Users are urged to only install extensions from reputable publishers with a large number of downloads and community ratings, read user reviews, and always study the extension’s source code before downloading it. This advice applies to all user-supported repositories.
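To support the manual clean-up recommended above, here is an added example (not code from the report or from Check Point) that walks the local VS Code extensions directory and flags entries whose manifest matches the names or publisher named in this article. The marketplace identifiers of the extensions are not given in the report, so matching on lowercased substrings of the package.json fields and the ~/.vscode/extensions location are assumptions; the sample tree it scans is constructed.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the report: display names and uploader of the malicious
# extensions. Exact marketplace IDs are not given, so we match on lowercased
# substrings of package.json fields (an assumption, tune to your environment).
SUSPECT_NAMES = ("theme darcula dark", "python-vscode")
SUSPECT_PUBLISHERS = ("testuseracc1111",)


def default_extensions_dir() -> Path:
    # VS Code keeps user extensions under ~/.vscode/extensions, one folder each,
    # with a package.json carrying name / displayName / publisher.
    return Path.home() / ".vscode" / "extensions"


def scan_extensions(ext_dir: Path) -> list[dict]:
    """Return metadata of installed extensions that match a known indicator."""
    hits = []
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        name = str(meta.get("name", "")).lower()
        display = str(meta.get("displayName", "")).lower()
        publisher = str(meta.get("publisher", "")).lower()
        if any(s in name or s in display for s in SUSPECT_NAMES) \
                or publisher in SUSPECT_PUBLISHERS:
            hits.append({"folder": manifest.parent.name, "name": name,
                         "publisher": publisher})
    return hits


def build_sample_dir() -> Path:
    """Constructed sample extension tree (not real data) for an offline run."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "ms-python.python-2023.8.0": {"name": "python", "publisher": "ms-python"},
        "testuseracc1111.python-vscode-0.0.1": {"name": "python-vscode",
                                                 "publisher": "testUseracc1111"},
        "someone.theme-darcula-dark-1.0.0": {"name": "theme-darcula-dark",
                                             "displayName": "Theme Darcula dark",
                                             "publisher": "someone"},
    }
    for folder, meta in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(meta))
    return root


if __name__ == "__main__":
    # Replace build_sample_dir() with default_extensions_dir() on a real machine.
    for hit in scan_extensions(build_sample_dir()):
        print("suspect extension:", hit)
```

A flagged folder should be removed from the extensions directory (or via the editor's Extensions view) and the machine scanned, as the report advises.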