Malicious VS Code Extension

Microsoft

June 13, 2024

Visual Studio Code (VS Code) is a popular source code editor developed by Microsoft. It contains many useful features, such as debugging support, code completion and refactoring, and built-in Git support. In addition to the included features, a marketplace of extensions allows users to customize their experience further. In late 2023, a few instances of malicious extensions were found in the marketplace.

Recently, researchers tested the security measures the VS Code marketplace uses to prevent threat actors from uploading malicious extensions. Their experiment found that they could upload a typo-squatted copy of the Dracula extension, which included code from the original extension. The copycat also incorporated additional code that collected system information, including the hostname, the device's domain name, the operating system, and the number of installed extensions, then forwarded the collected data to a remote server through an HTTPS POST request.

The discovery led researchers to look deeper into the extensions uploaded to the VS Code marketplace. They found 1,283 extensions with known malicious code that had been installed 229 million times, 8,161 extensions communicating with hardcoded IP addresses, 2,304 that claim another publisher's GitHub repository, and 1,452 running unknown executables.
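The following triage script is an added example, not code from the researchers or from Microsoft. It checks one unpacked extension folder for three of the signals described above: an ID that closely resembles a trusted one, a GitHub repository owner that differs from the publisher, and IP address literals in bundled JavaScript. The allowlist entry, the 0.85 similarity cutoff, and the sample extension built in `demo()` are assumptions constructed for illustration.

```python
import difflib, ipaddress, json, re, tempfile
from pathlib import Path

# Assumed allowlist of extension IDs (publisher.name) your organisation trusts.
TRUSTED_IDS = {"dracula-theme.theme-dracula"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ip_literals(text):
    """Valid IPv4 literals in text, ignoring loopback and 0.0.0.0."""
    out = set()
    for m in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:
            continue  # not a valid address, e.g. 999.1.1.1
        if not (ip.is_loopback or ip.is_unspecified):
            out.add(m)
    return sorted(out)

def audit_extension(ext_dir):
    """Triage one unpacked extension folder; returns a list of findings."""
    root = Path(ext_dir)
    manifest = json.loads((root / "package.json").read_text(encoding="utf-8"))
    publisher = str(manifest.get("publisher", "")).lower()
    ext_id = f"{publisher}.{manifest.get('name', '')}".lower()
    findings = []
    # Near-match of a trusted ID that is not the trusted ID itself.
    near = difflib.get_close_matches(ext_id, sorted(TRUSTED_IDS), n=1, cutoff=0.85)
    if near and near[0] != ext_id:
        findings.append(f"possible typosquat of {near[0]}")
    # Repository owner differs from publisher (heuristic; review manually).
    repo = manifest.get("repository", "")
    url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    owner = re.search(r"github\.com[/:]([^/]+)/", url)
    if owner and owner.group(1).lower() != publisher:
        findings.append(f"repository owner '{owner.group(1)}' != publisher")
    # IP address literals in bundled JavaScript.
    for js in sorted(root.rglob("*.js")):
        for ip in ip_literals(js.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"hardcoded IP {ip} in {js.name}")
    return findings

def demo():
    """Audit a constructed (fake) extension folder and return the findings."""
    manifest = {"publisher": "dracula-themes", "name": "theme-dracula",
                "repository": {"url": "https://github.com/example-org/theme.git"}}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "package.json").write_text(json.dumps(manifest))
        Path(tmp, "extension.js").write_text('post("https://203.0.113.7/c")')
        return audit_extension(tmp)
```

Each finding is a prompt for manual review, not a verdict: legitimate extensions often publish from a differently named GitHub organisation, and dotted version strings can match the IP pattern. Installed extensions normally live in one folder each under `~/.vscode/extensions`.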

Recommendations

  • Users are advised to analyze customer reviews and only download extensions from official sources.
  • Users who downloaded the affected extensions are urged to uninstall them promptly.
  • Credentials used to log in to malicious apps should immediately be changed.

For any further questions, contact us here at Cyber Command.