{"id":13137,"date":"2025-01-07T14:41:36","date_gmt":"2025-01-07T21:41:36","guid":{"rendered":"https:\/\/mattfife.com\/?p=13137"},"modified":"2025-01-04T15:16:45","modified_gmt":"2025-01-04T22:16:45","slug":"more-developer-attacks","status":"publish","type":"post","link":"https:\/\/mattfife.com\/?p=13137","title":{"rendered":"More developer attacks"},"content":{"rendered":"\n<p>A group of Israeli researchers managed to compromise over 100 organizations by <a href=\"https:\/\/en.wikipedia.org\/wiki\/Typosquatting\" data-type=\"link\" data-id=\"https:\/\/en.wikipedia.org\/wiki\/Typosquatting\">typosquatting<\/a> a popular theme on Microsoft&#8217;s Visual Studio Code Marketplace: they published a look-alike copy of the theme that carried their own code. They reported that &#8216;numerous&#8217; high-value targets (billion-dollar publicly listed companies, security companies, court networks, etc.) installed it within 24 hours of publication. The extension collected system information and sent it to a remote server via an HTTPS POST request. 
It didn&#8217;t get flagged by endpoint detection.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"512\" height=\"768\" data-attachment-id=\"13138\" data-permalink=\"https:\/\/mattfife.com\/?attachment_id=13138\" data-orig-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?fit=512%2C768&amp;ssl=1\" data-orig-size=\"512,768\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"00039-2027904761\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?fit=200%2C300&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?fit=512%2C768&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?resize=512%2C768&#038;ssl=1\" alt=\"\" class=\"wp-image-13138\" srcset=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?w=512&amp;ssl=1 512w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?resize=200%2C300&amp;ssl=1 200w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/00039-2027904761.png?resize=180%2C270&amp;ssl=1 180w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" 
\/><\/figure>\n<\/div>\n\n\n<p>Using what they learned, the researchers then examined other extensions on the VSCode Marketplace and found the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>1,283<\/strong>\u00a0with known malicious code (229 million installs).<\/li>\n\n\n\n<li><strong>8,161<\/strong>\u00a0communicating with hardcoded IP addresses.<\/li>\n\n\n\n<li><strong>1,452<\/strong>\u00a0running unknown executables.<\/li>\n\n\n\n<li><strong>2,304<\/strong>\u00a0using another publisher&#8217;s GitHub repo, indicating a copycat.<\/li>\n<\/ul>\n\n\n\n<p>Some of the issues were blatant, like this code that opens a reverse shell to the cybercriminal&#8217;s server:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"477\" data-attachment-id=\"13139\" data-permalink=\"https:\/\/mattfife.com\/?attachment_id=13139\" data-orig-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?fit=1057%2C788&amp;ssl=1\" data-orig-size=\"1057,788\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"reverse-shell\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?fit=300%2C224&amp;ssl=1\" 
data-large-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?fit=640%2C477&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?resize=640%2C477&#038;ssl=1\" alt=\"\" class=\"wp-image-13139\" style=\"width:499px;height:auto\" srcset=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?resize=1024%2C763&amp;ssl=1 1024w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?resize=300%2C224&amp;ssl=1 300w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?resize=768%2C573&amp;ssl=1 768w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?resize=362%2C270&amp;ssl=1 362w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2025\/01\/reverse-shell.webp?w=1057&amp;ssl=1 1057w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p>In summary, the lack of controls on the VSCode Marketplace lets threat actors abuse it at scale. 
The researchers reported the extensions they found to Microsoft, but the vast majority remained available for download from the VSCode Marketplace after the report was published.<\/p>\n\n\n\n<p>Articles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-vscode-extensions-with-millions-of-installs-discovered\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-vscode-extensions-with-millions-of-installs-discovered\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A group of Israeli researchers managed to infect over 100 organizations by typosquatting an infected version of a popular theme on Microsoft&#8217;s Visual Studio Code marketplace. They reported they were able to infect &#8216;numerous&#8217; high-value targets (billion dollar publicly listed companies, security companies, court networks, etc) within 24 hours of publishing the extension. It was able to collect system information and send it to a remote server via an HTTPS POST request. It didn&#8217;t get flagged by endpoint detection. 
By&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/mattfife.com\/?p=13137\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[9],"tags":[],"class_list":["post-13137","post","type-post","status-publish","format-standard","hentry","category-cool"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4WECr-3pT","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/13137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13137"}],"version-history":[{"count":5,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/13137\/revisions"}],"predecessor-version":[{"id":13144,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/13137\/revisions\/13144"}],"wp:attachment":[{"href":"https:\/\/mattfife.com\/inde
x.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}