VSCode Marketplace contains thousands of malicious extensions

Microsoft’s Visual Studio Code (VSCode) Marketplace contains thousands of malicious extensions that can spread easily because of the company’s lack of control over what is published. Israeli security researchers observed this after running their own experiment: distributing a malicious VSCode extension through the marketplace.

As part of their research, the security specialists first uploaded their own malicious extension to the VSCode Marketplace, “infecting” more than a hundred companies and users. The victims included a large publicly traded company, many security vendors, and a government court system.

The malicious extension was a ‘typosquat’ of the popular Dracula Official theme, a color-scheme extension that gives developers a crisp dark mode for their applications.

Downloading system information

The researchers added a script to their own ‘Dracula’ extension and linked it to a fake website. The script collected system information, including the hostname, the number of extensions the user had installed, the device’s domain name, and the operating system in use. The data was then sent to a remote server via an HTTPS POST request.

The malicious extension could spread easily because Microsoft marked it as ‘legitimate’ on the basis of the linked website.

In addition, Endpoint Detection & Response (EDR) tools did not flag the extension as malicious, because they commonly allow extensions from the VSCode Marketplace: VSCode is treated as a development and testing environment.

Thousands of malicious VSCode extensions

Further investigation by the security experts revealed that the VSCode Marketplace hosts thousands of public extensions containing malicious code. Of these, 1,283 contain known malicious code, and together they have already been installed 229 million times.

Another 8,161 extensions communicate with hardcoded IP addresses, 1,452 run unknown .exe files, and 2,304 use other publishers’ GitHub repositories, which makes the latter group copycats, according to the researchers.

Concerns about lack of control

The researchers are very concerned about Microsoft’s lack of control over the code and extensions available through the VSCode Marketplace. This is not the only time the tech giant has been criticized over the security of VSCode.

Previously discovered vulnerabilities included the ability for cybercriminals to impersonate a legitimate extension or its publisher and, in this way, upload extensions that steal authentication tokens from developers. Extensions already in the wild on the marketplace have also been proven to be malicious.

The security researchers will soon introduce their own free ‘ExtensionTotal’ tool, which will allow developers to scan their environments for malicious VSCode extensions. Microsoft has not yet responded to the researchers’ findings.
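A rough sketch of the kind of environment scan described above, written for this article as an added example and not the researchers’ ExtensionTotal tool or any code from the report. It checks one installed extension’s package.json manifest and source against the three signals the article names: a name or display name that mimics a well-known extension under a different publisher, a colour theme that ships an executable entry point, and hardcoded IP addresses. The allow-list, sample manifest and source snippet are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of well-known extensions ("publisher.name" -> display
# name); a real scanner would build it from the marketplace's most-installed list.
KNOWN_EXTENSIONS = {
    "dracula-theme.theme-dracula": "Dracula Official",
    "ms-python.python": "Python",
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _similar(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def find_lookalikes(manifest, known=KNOWN_EXTENSIONS, threshold=0.85):
    """Known extensions this manifest resembles without sharing their publisher."""
    ident = f"{manifest['publisher']}.{manifest['name']}"
    if ident in known:
        return []  # the genuine extension itself
    hits = []
    for known_id, display in known.items():
        score = max(_similar(manifest["name"], known_id.split(".", 1)[1]),
                    _similar(manifest.get("displayName", ""), display))
        if score >= threshold:
            hits.append(known_id)
    return hits

def find_hardcoded_ips(source):
    """Literal IPv4 addresses in extension source, loopback excluded."""
    return sorted({ip for ip in IPV4_RE.findall(source) if not ip.startswith("127.")})

def scan_extension(manifest, source):
    """Return human-readable findings for one installed extension."""
    findings = [f"lookalike of {k} published by {manifest['publisher']}"
                for k in find_lookalikes(manifest)]
    # A pure colour theme only needs contributes.themes; a "main" entry point
    # means the extension also runs JavaScript when VSCode activates it.
    if "themes" in manifest.get("contributes", {}) and "main" in manifest:
        findings.append(f"theme ships an executable entry point: {manifest['main']}")
    findings += [f"hardcoded IP address {ip}" for ip in find_hardcoded_ips(source)]
    return findings

# Constructed sample modelled on the typosquat described in the article.
SAMPLE_MANIFEST = {
    "publisher": "darcula-official", "name": "darcula-official",
    "displayName": "Dracula Official", "main": "./out/extension.js",
    "contributes": {"themes": [{"label": "Dracula", "path": "./themes/dracula.json"}]},
}
SAMPLE_SOURCE = "https.request({host: '203.0.113.10', method: 'POST', path: '/c'});"
```

On a real machine the manifests live under each folder of ~/.vscode/extensions, so the same functions can be run over every package.json and bundled .js file found there.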