
IDE extensions threaten the software supply chain


Extensions in integrated development environments (IDEs) are useful tools that give developers more flexibility. However, they pose a threat to supply chain security. Research by OX Security shows that the verification mechanisms of Visual Studio Code, Visual Studio, and IntelliJ IDEA can all be bypassed via extensions.

The researchers experimented with Microsoft’s Visual Studio Marketplace to see if extensions posed a threat to IDE security. They discovered that verified extensions retained their checkmark after modifications. When server requests were manipulated, malicious versions retained their trusted status. If a malicious actor modifies a trusted extension (and many of these extensions are open-source projects), this can lead to serious risks.

The researchers say that similar attack techniques worked on other platforms such as Cursor and JetBrains. The findings show that malicious actors can execute arbitrary code without developers noticing. This effectively opens Pandora’s box: what malicious actors can do on an affected system that is not completely locked down is limited only by their creativity.

Limited overview of risks

Only one in five organizations has secured its software supply chain. That figure covers the entire organization, not just the developer side. However, attacking an organization via its developers is a particularly attractive concept. After all, a compromise makes it possible to steal IP, use other people’s cloud credits, or steal other sensitive internal information.

This lack of visibility was already hurting organizations before OX Security exposed this vulnerability. Almost half of organizations with vital infrastructure have insufficient insight into cybersecurity vulnerabilities in their supply chain. This problem is exacerbated by the fact that developers often have privileged access to business systems.

“All it takes is one developer to download one of these extensions,” warns researcher Moshe Siman-Tov Bustan. An attacker does not need to perform complex lateral movement; reading confidential code is enough to cause damage.

Vendors see no priority

The responses from Microsoft, JetBrains, and Cursor were not overly enthusiastic, reports Dark Reading. Microsoft stated that the research did not meet the criteria for immediate action. Cursor acknowledged that it does not verify extension signatures at all. JetBrains pointed out that malicious extensions did not come from their official marketplace.

OX Security advises organizations to implement multi-factor authentication for extension signing. Furthermore, only market-signed extensions should be installed. Validating file hashes per extension provides additional security.
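One way to apply the per-extension hash check recommended above, as an added example that is not code from OX Security or any vendor. It assumes extensions are handed out internally as `.vsix` files and compared against a pinned SHA-256 list the organization maintains; the file names, the `audit_extensions` function and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large packages are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_extensions(ext_dir, pinned):
    """Compare every *.vsix in ext_dir with pinned {filename: sha256 hex}.

    Returns {filename: status}; status is ok, mismatch, unlisted or missing.
    """
    report = {}
    for pkg in sorted(Path(ext_dir).glob("*.vsix")):
        want = pinned.get(pkg.name)
        if want is None:
            report[pkg.name] = "unlisted"   # never reviewed: do not install
        elif hmac.compare_digest(sha256_file(pkg), want.lower()):
            report[pkg.name] = "ok"
        else:
            report[pkg.name] = "mismatch"   # same name and version, different bytes
    for name in pinned:
        report.setdefault(name, "missing")  # pinned but not present on disk
    return report

def demo():
    """Constructed sample: one reviewed package, one altered, one unknown."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        reviewed = b"constructed bytes of the reviewed package"
        (root / "publisher.linter-1.2.0.vsix").write_bytes(reviewed)
        (root / "publisher.theme-0.9.1.vsix").write_bytes(b"altered after review")
        (root / "other.helper-3.0.0.vsix").write_bytes(b"never reviewed")
        pinned = {
            "publisher.linter-1.2.0.vsix": hashlib.sha256(reviewed).hexdigest(),
            "publisher.theme-0.9.1.vsix": hashlib.sha256(b"reviewed theme").hexdigest(),
            "publisher.formatter-2.0.0.vsix": hashlib.sha256(b"x").hexdigest(),
        }
        return audit_extensions(root, pinned)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The `mismatch` case is the one that matters for the finding described in this article: a package that keeps its name, version and verified appearance but whose bytes differ from what was reviewed.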

Additional recommendations apply to extension builders. Code signing integrity and certificate verification prevent man-in-the-middle attacks. Given the growing geopolitical tensions, these types of precautions are more important than ever.