Contents:
Threat actors targeting the Visual Studio Code extensions use a new attack vector. They upload rogue extensions impersonating their legitimate counterparts with the goal of triggering supply chain attacks on the machines of developers.
Curated via a marketplace made available by Microsoft, VSCode extensions allow developers to add debuggers, programming languages, and other tools to the VSCode source-code editor to improve their workflows. Security researchers claim that the technique could act as an entry point to attack many organizations.
Behind the Attacker’s Strategy
VSCode extensions run with the same privileges as of the user that has opened VSCode without any sandbox, implying that the extension can install any program on the machine, including wipers, ransomware, and more.
The marketplace allows publishers to use the same name and extension details multiple times, meaning that with this and some small variations to the URL, a threat actor can impersonate a popular extension.
The fact that there are no limitations on the other identifying qualities means that the method might be used to fool developers, even while it prevents the replication of the number of installs and stars.
In their research, cybersecurity specialists discovered that the verification badge could also be trivially bypassed and used, increasing the attackers’ chances of deceiving the developers installing the extensions.
Such an example is a proof-of-concept (PoC) extension masquerading as the Prettier code formatting utility, which was installed over 1,000 times within 48 hours by developers across the world. Luckily, the fake extension has since been taken down from the platform.
Users should pay close attention when installing extensions on their machines to make sure that the download source is legitimate, and carefully check previous reviews and number of downloads prior to proceeding with the installation.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
