HomeWinBuzzer NewsSecurity Flaws in Microsoft VSCode Marketplace Impact over 100 Organizations

Security Flaws in Microsoft VSCode Marketplace Impact over 100 Organizations

Researchers have discovered 1,283 known-malicious extensions, many of them communicating with hardcoded IPs, launching unknown executables,, and copycat extensions.


Israeli experts have found concerning vulnerabilities in the Visual Studio Code (VSCode) Marketplace, revealing that over 100 organizations were affected by a trojanized extension. The researchers, Amit Assaraf, Itay Kruk, and Idan Dardikman, showed how dangerous could harvest sensitive system data undetected.

The VSCode Marketplace is an online platform provided by where users can discover, download, and install extensions to enhance the functionality of its popular source code editor, Code.

To demonstrate their findings, they crafted a misleading extension that impersonated the popular Dracula Official‘ theme, totalling over 7 million installations. They named their version ‘Darcula‘, creating a replica domain to boost its credibility. This malicious extension included a script to extract system details such as hostname, installed extensions count, domain name, and operating system, sending the data via HTTPS POST requests to a server.

Evading Detection Mechanisms

Standard endpoint detection and response (EDR) tools did not detect the activity of the ‘Darcula‘ extension. Due to VSCode's design, which allows reading of various files, execution of commands, and generation of child processes, these actions remained unflagged. Notably, the extension was installed by targets like a public company with a $483 billion market cap, key security firms, and a national judicial network. The team ensured non-destructiveness by just collecting identifying information and making disclosures in the documentation.

Using a tool named ‘ExtensionTotal,' the researchers scrutinized the VSCode Marketplace. They discovered 1,283 known-malicious extensions, 8,161 communicating with hardcoded IPs, 1,452 launching unknown executables, and 2,304 copycat extensions. One particularly harmful extension was capable of opening a reverse shell to a cybercriminal's server.

The team published their harmful extension within just 30 minutes. This extension not only changed the IDE's appearance but also leaked source code to a remote server. It soon gained popularity, trending on the VSCode Marketplace, which enjoys 4.5 million monthly views. Within a day, over 100 victims had installed it, including devices at multi-billion dollar companies, top security firms, and a country's justice court network.

Reporting and Prevention

The researchers notified Microsoft of all identified malicious extensions for removal, though many remain accessible. They are set to release ‘ExtensionTotal' as a free tool for developers to check for possible threats within their environments. Microsoft has not yet responded to inquiries about strengthening the security of the VSCode Marketplace.

After identifying numerous similar vulnerabilities, they committed to responsible disclosure, working with more than ten multi-billion dollar companies to reduce this security risk.

Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a MasterĀ“s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.

Recent News