The latter is the topic of the news today, as Check Point security has released an analysis showing that three malicious extensions were available in the VSCode Marketplace. These three extensions were downloaded a total of 46,600 times. The extensions could steal credentials, gather system information and open remote shells on systems where they were downloaded. Check Point identified them on May 4th, and Microsoft removed them from the Marketplace on May 14th, 2023. Still, there are potentially 46,000+ development systems that are now compromised.
VSCode Marketplace is the latest in a string of software repositories that have been leveraged by threat actors. npm and PyPI have been hit hard, and now that Microsoft-specific repositories are getting hit, you can expect this to become more common. Right now, there are only three known malicious extensions (Theme Dracula Dark, python-vscode, and prettiest-java), but other extensions have been identified that were highly suspicious even though it could not be proven that they contained any malware.
Development systems are often prized targets because they can (in some environments) be left unprotected, since many cybersecurity tools wreak havoc on tools favored by developers. IT operations and security teams will sometimes relax protections or put things in alert-only modes to prevent loss of productivity and to avoid the hassle of continuous complaints. Creating a balance between security and developer freedom is not an easy task, but considering the number of repositories with malicious code in them, it is something that needs to be done.
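To check a developer workstation for the three extensions named above, the following added example (not code from Check Point or Microsoft) scans the installed-extension manifests. It assumes the default per-user install folders and that the article's names appear in each manifest's `name` or `displayName` field; `examplepub` and the sample folders in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

# Names exactly as given in the article; whether each is the manifest "name"
# or "displayName" is not stated there, so both fields are checked (assumption).
FLAGGED = {"theme dracula dark", "python-vscode", "prettiest-java"}
# Default per-user install locations for VS Code and VS Code Insiders.
DEFAULT_ROOTS = [Path.home() / ".vscode" / "extensions",
                 Path.home() / ".vscode-insiders" / "extensions"]

def norm(value):
    """Lower-case and collapse whitespace so cosmetic differences still match."""
    return " ".join(str(value or "").lower().split())

def scan(roots=DEFAULT_ROOTS):
    """Return (publisher.name, version, folder) for each flagged extension found."""
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue
        for manifest in sorted(Path(root).glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
                names = {norm(meta.get("name")), norm(meta.get("displayName"))}
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed manifest: skip it, keep scanning
            if names & FLAGGED:
                ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}"
                hits.append((ext_id, str(meta.get("version", "?")), manifest.parent.name))
    return hits

def demo():
    """Scan a constructed extensions folder (sample data, not real installs)."""
    samples = {
        "examplepub.prettiest-java-1.0.0": '{"name": "prettiest-java", "publisher": "examplepub", "version": "1.0.0"}',
        "examplepub.some-theme-0.1.0": '{"name": "some-theme", "displayName": "Theme  Dracula Dark", "publisher": "examplepub", "version": "0.1.0"}',
        "examplepub.linter-2.3.4": '{"name": "linter", "publisher": "examplepub", "version": "2.3.4"}',
        "broken-0.0.1": "{not json",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, text in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "package.json").write_text(text, encoding="utf-8")
        return scan([tmp])

if __name__ == "__main__":
    for ext_id, version, folder in scan():
        print(f"FLAGGED {ext_id} {version} ({folder})")
```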