More developer attacks

A group of Israeli researchers managed to infect over 100 organizations by publishing a typosquatted, trojanized copy of a popular theme on Microsoft’s Visual Studio Code marketplace. They reported that they infected ‘numerous’ high-value targets (billion-dollar publicly listed companies, security companies, court networks, etc.) within 24 hours of publishing the extension. The extension collected system information and sent it to a remote server via an HTTPS POST request, and it was not flagged by endpoint detection.

Using what they learned, the researchers then examined other extensions on the VSCode Marketplace and found the following:

  • 1,283 with known malicious code (229 million installs).
  • 8,161 communicating with hardcoded IP addresses.
  • 1,452 running unknown executables.
  • 2,304 that are using another publisher’s GitHub repo, indicating they are a copycat.
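The last three findings above are simple static signals that a defender can check for on their own machines. The script below is an added example (not the researchers’ tooling) that scans an extension directory for the same three signals: hardcoded IP addresses, process-spawning calls, and a package.json repository whose GitHub owner does not match the marketplace publisher. It runs against a constructed sample extension written to a temp directory; point `scan_extension` at a directory under `~/.vscode/extensions` to triage a real install.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample extension (not a real marketplace package): a copycat whose
# package.json points at another publisher's GitHub repo and whose JavaScript
# contains a hardcoded (TEST-NET) IP address and a process spawn.
SAMPLE_PACKAGE_JSON = {
    "name": "darcula-offcial",          # constructed typosquat-style name
    "publisher": "example-copycat",
    "repository": {"url": "https://github.com/other-publisher/darcula-theme"},
}
SAMPLE_JS = """
const cp = require('child_process');
const https = require('https');
const req = https.request({host: '203.0.113.7', method: 'POST', path: '/'});
cp.spawn('/tmp/helper.bin');
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_RE = re.compile(r"\b(?:child_process|spawn|execSync|execFile)\b")


def scan_extension(ext_dir: Path) -> dict:
    """Return triage signals for one unpacked extension directory.

    These are heuristics for prioritising review, not verdicts: language
    servers legitimately spawn processes, and dotted version strings can
    match the IP pattern.
    """
    pkg = json.loads((ext_dir / "package.json").read_text())
    repo = pkg.get("repository", {})
    url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    owner = re.search(r"github\.com/([^/]+)/", url)
    mismatch = bool(owner) and owner.group(1).lower() != pkg.get("publisher", "").lower()
    ips, exec_files = set(), []
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        ips.update(ip for ip in IP_RE.findall(text) if not ip.startswith("127."))
        if EXEC_RE.search(text):
            exec_files.append(js.name)
    return {"hardcoded_ips": sorted(ips), "exec_calls": exec_files,
            "repo_publisher_mismatch": mismatch}


def scan_sample() -> dict:
    """Write the constructed sample extension to a temp dir and scan it."""
    d = Path(tempfile.mkdtemp(prefix="ext-"))
    (d / "package.json").write_text(json.dumps(SAMPLE_PACKAGE_JSON))
    (d / "extension.js").write_text(SAMPLE_JS)
    return scan_extension(d)


if __name__ == "__main__":
    print(json.dumps(scan_sample(), indent=2))
```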

They also found blatantly obvious issues, such as code that opens a reverse shell to the cybercriminal’s server.

In summary, the lack of controls on the VSCode marketplace allows threat actors to perform rampant abuse. While the researchers reported the extensions they found to Microsoft, the vast majority remain available for download via VSCode Marketplace after they published their report.

Articles:
