The online marketplace could easily host malicious VSCode extensions, Aqua Security says.

Researchers from Aqua Security have recently discovered that attackers can easily trick unknowing developers into downloading malicious files disguised as popular Visual Studio Code extensions. “In original vulnerability research, we’ve uncovered a new attack method which could act as an entry point for an attack on many organizations,” the team claims.

The Aqua Nautilus research team detailed their findings this week in a blog post. The researchers describe how easy it was for them to upload malicious code extensions to the VSCode Marketplace. Visual Studio Code (VSC) is a code editor published by Microsoft and used by over 70 percent of professional software developers worldwide.

The dangers of impersonation

VSCode extensions can pose a significant security risk, as all extensions run with the privileges of the user booting VSCode. “This means that extensions can install any program on your computer, including ransomware, wipers, and more”, the researchers warn.

Moreover, they say it’s a challenge to distinguish between malicious and benign extensions because anyone can create a user on the VSCode Marketplace — even with a temporary email. The result is that anyone can publish an extension which could be listed in the marketplace.

The danger arises when a malefactor creates an extension that resembles another popular extension. Threat actors can “lure unsuspecting developers into downloading an extension pretending to be something it is not”.

Proof of Concept (POC)

To prove their point, the Nautilus researchers created a fake account and uploaded a POC extension masquerading as Prettier, one of the top ten most installed extensions in the marketplace. “In just under 48 hours, we got more than a thousand installs by active developers from all around the world”, they claim.

While the concept extension was not malicious, the researchers point out that the threat of malicious VSCode extensions is significant. “Arguably, in the past, this hasn’t received the highest amount of attention, perhaps because we haven’t yet seen a campaign in which it has left a huge impact.”

Response from Microsoft

After publication of this story, Microsoft reached out to us with a response. We include that response below:

“This technique involves the use of social engineering tactics to convince a victim to download a malicious extension. To help keep customers safe and protected, we scan extensions for viruses and malware before they are uploaded to the Marketplace and we check that an extension has a Marketplace certificate and verifiable signature prior to being installed. To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads.”

Tip: Study finds 97 percent of container users are clueless about container security