Wednesday, 17 May 2023 14:30

Microsoft Visual Studio Marketplace Found to Have Malicious Extensions Targeting Developers

Attackers are always looking to get targets coming and going. As such, there is a very rich ecosystem of attack types designed to cover as much ground as possible. A concerning one has always been the direct supply chain attack. These attacks seek to compromise software during the development stage, so the malicious pieces get bundled into the released code and signed with a trusted certificate. The highly publicized attack on SolarWinds is one of those types of attacks and shows just how effective and dangerous they can be. Supply chain attacks come in multiple flavors including (but certainly not limited to) compromising code repositories, poisoned plugins or open-source packages, and targeting of developer systems.

The latter is the topic of the news today, as Check Point security researchers have released an analysis showing that three malicious extensions were found to be available in the VSCode Marketplace. These three extensions were found to have been downloaded a total of 46,600 times. The extensions could steal credentials, gather system information and open remote shells on systems where they were installed. Check Point identified them on May 4th, with Microsoft removing them from the Marketplace on May 14th, 2023. Still, there are potentially 46,000+ development systems that are now compromised.

VSCode Marketplace is the latest in a string of software repositories that have been leveraged by threat actors. NPM and PyPI have been hit hard, and now that Microsoft-specific repositories are getting hit you can expect this to become more common. Right now, there are only three known malicious extensions (Theme Dracula Dark, python-vscode, and prettiest-java), but other extensions have been identified that were highly suspicious even if it could not be proven that they contained any malware.
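A practical first check for a defender is to inventory the extensions installed on developer machines and flag any whose name matches the three reported above. The script below is an added example and is not code from the article or from Check Point. It assumes the layout of VS Code's `extensions.json` (an array of entries with an `identifier.id` of the form `publisher.name`, as in current VS Code builds) and the one-id-per-line output of `code --list-extensions`. The article gives only display names, not Marketplace publisher ids, so the match is on a normalized name component only; the sample inventory embedded in the block is constructed for illustration.

```python
"""Inventory installed VS Code extensions and flag names from a block list.

Added example, not from the article. Reads VS Code's extensions.json
(format assumed from current VS Code builds) or `code --list-extensions`
output and compares the name part of each publisher.name id against the
three extension names reported in the article.
"""
import json
import re
import subprocess
from pathlib import Path

# Display names as reported in the article. Publisher ids are not given,
# so the check matches on the normalized name component only.
REPORTED_MALICIOUS_NAMES = ["Theme Dracula Dark", "python-vscode", "prettiest-java"]

# Constructed sample inventory (assumed extensions.json shape) for offline use.
# It includes the legitimate Dracula theme id to show it is NOT flagged.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2023.8.0"},
    {"identifier": {"id": "dracula-theme.theme-dracula"}, "version": "2.24.2"},
    {"identifier": {"id": "unknown-pub.theme-dracula-dark"}, "version": "0.0.1"},
    {"identifier": {"id": "another-pub.prettiest-java"}, "version": "0.0.3"},
])


def normalize(name: str) -> str:
    """Lower-case and drop separators so 'Theme Dracula Dark' == 'theme-dracula-dark'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_extensions_json(text: str) -> list[str]:
    """Return publisher.name ids from an extensions.json array."""
    ids = []
    for entry in json.loads(text):
        ext_id = entry.get("identifier", {}).get("id")
        if ext_id:
            ids.append(ext_id)
    return ids


def parse_list_output(text: str) -> list[str]:
    """Return ids from `code --list-extensions` output (one id per line)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def flag_suspicious(ids, blocklist=REPORTED_MALICIOUS_NAMES) -> list[str]:
    """Return installed ids whose name component matches a block-listed name."""
    wanted = {normalize(n) for n in blocklist}
    hits = []
    for ext_id in ids:
        # ids are publisher.name; the name is everything after the first dot
        name = ext_id.split(".", 1)[1] if "." in ext_id else ext_id
        if normalize(name) in wanted:
            hits.append(ext_id)
    return hits


def installed_extension_ids() -> list[str]:
    """Collect ids from the local machine; returns [] if VS Code is absent."""
    ext_file = Path.home() / ".vscode" / "extensions" / "extensions.json"
    if ext_file.is_file():
        return parse_extensions_json(ext_file.read_text(encoding="utf-8"))
    try:
        out = subprocess.run(["code", "--list-extensions"], capture_output=True,
                             text=True, check=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.SubprocessError):
        return []
    return parse_list_output(out)


if __name__ == "__main__":
    ids = installed_extension_ids() or parse_extensions_json(SAMPLE_EXTENSIONS_JSON)
    for hit in flag_suspicious(ids):
        print(f"FLAGGED: {hit}")
```

A name block list only catches the extensions already reported; republished copies under new names will slip past it, so it is best treated as a quick sweep while the lasting control is an allow list of approved publishers enforced by policy on developer endpoints.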

Development systems are often prized targets as they can (in some environments) be left unprotected, because many cybersecurity tools wreak havoc on the tools favored by developers. IT operations and security teams will sometimes relax protections or put things in alert-only modes to prevent loss of productivity and to avoid the hassle of continuous complaints. Creating a balance between security and developer freedom is not an easy task, but considering the number of repositories with malicious code in them, it is something that needs to be done.
