logo

Malicious VSCode extensions with millions of installs discovered

VSCode

A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.

Visual Studio Code (VSCode) is a source code editor published by Microsoft and used by many professional software developers worldwide.

Microsoft also operates an extensions market for the IDE, called the Visual Studio Code Marketplace, which offers add-ons that extend the application's functionality and provide more customization options.

Previous reports have highlighted gaps in VSCode's security, allowing extension and publisher impersonation and extensions that steal developer authentication tokens. There have also been in-the-wild findings that were confirmed to be malicious.

Typosquatting the Dracula theme

For their recent experiment, researchers Amit Assaraf, Itay Kruk, and Idan Dardikman, created an extension that typosquats the 'Dracula Official' theme, a popular color scheme for various applications that has over 7 million installs on the VSCode Marketplace.

Darcula is used by a large number of developers due to its visually appealing dark mode with a high-contrast color palette, which is easy on the eyes and helps reduce eye strain during long coding sessions.

The fake extension used in the research was named 'Darcula,' and the researchers even registered a matching domain at 'darculatheme.com.' This domain was used to become a verified publisher on the VSCode Marketplace, adding credibility to the fake extension.

The Darcula extension on VSC Marketplace
The Darcula extension on the VSCode Marketplace
Source: Amit Assaraf | Medium

Their extension uses the actual code from the legitimate Darcula theme but also includes an added script that collects system information, including the hostname, number of installed extensions, device's domain name, and the operating system platform, and sends it to a remote server via an HTTPS POST request.

Risky code added to the extension
Risky code added to the Darcula extension
Source: Amit Assaraf | Medium

The researchers note that the malicious code does not get flagged by endpoint detection and response (EDR) tools, as VSCode is treated with leniency due to its nature as a development and testing system.

"Unfortunately, traditional endpoint security tools (EDRs) do not detect this activity (as we’ve demonstrated examples of RCE for select organizations during the responsible disclosure process), VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious extension." - Amit Assaraf

The extension quickly gained traction, getting mistakenly installed by multiple high-value targets, including a publicly listed company with a $483 billion market cap, major security companies, and a national justice court network.

The researchers have opted not to disclose the names of the impacted companies.

Since the experiment did not have malicious intent, the analysts only collected identifying information and included a disclosure in the extension's Read Me, license, and the code.

Location of victims after 24 hours
Location of victims 24 hours after Darcula's publication on VSC Marketplace
Source: Amit Assaraf | Medium

VSCode Marketplace status

After the successful experiment, the researchers decided to dive into the threat landscape of the VSCode Marketplace, using a custom tool they developed named 'ExtensionTotal' to find high-risk extensions, unpack them, and scrutinize suspicious code snippets.

Through this process, they have found the following:

  • 1,283 with known malicious code (229 million installs).
  • 8,161 communicating with hardcoded IP addresses.
  • 1,452 running unknown executables.
  • 2,304 that are using another publisher's Github repo, indicating they are a copycat.

Below is an example of code found in a malicious Visual Studio Code Marketplace extension that opens a reverse shell to the cybercriminal's server.

Reverse shell found in a code beautifying extension (CWL Beautifer)
Reverse shell found in a code beautifying extension (CWL Beautifer)
Source: Amit Assaraf | Medium

Microsoft's lack of stringent controls and code reviewing mechanisms on the VSCode Marketplace allows threat actors to perform rampant abuse of the platform, with it getting worse as the platform is increasingly used.

"As you can tell by the numbers, there are plethora of extensions that pose risks to organizations on the Visual Studio Code marketplace," warned the researchers.

"VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and deserves the security community’s attention."

All malicious extensions detected by the researchers were responsibly reported to Microsoft for removal. However, as of writing this, the vast majority remains available for download via the VSCode Marketplace.

The researchers plan to publish their 'ExtensionTotal' tool along with details about its operational capabilities next week, releasing it as a free tool to help the developers scan their environments for potential threats.

BleepingComputer has contacted Microsoft to ask if they plan to revisit the Visual Studio Marketplace's security and introduce additional measures that would make typosquatting and impersonation harder, but we have not received a response by publication time.


Free security scan for your website