Israeli Researchers Expose Security Flaws in Visual Studio Code Marketplace

The researchers highlighted a significant lack of stringent controls and code review mechanisms.

A team of Israeli researchers investigated the security of the Visual Studio Code (VSCode) marketplace and managed to "infect" over 100 organizations by publishing a lookalike of a popular theme that carried data-collecting code, revealing significant weaknesses in how the marketplace vets extensions.


VSCode, a source code editor developed by Microsoft, is widely used by professional software developers globally. Microsoft also runs an extensions marketplace for VSCode, offering various add-ons to enhance functionality and customization.

Previous reports have identified security gaps in VSCode, such as the ability to impersonate extensions and publishers, and extensions that steal developer authentication tokens. Some extensions have been confirmed to be malicious.

In their experiment, researchers Amit Assaraf, Itay Kruk, and Idan Dardikman created an extension mimicking 'Dracula Official', a popular dark mode color theme with over 7 million installs on the VSCode Marketplace.

The fake extension, named 'Darcula,' used the legitimate Dracula theme’s code but added a script that collected system information such as hostname, installed extensions, device's domain name, and operating system platform, sending this data to a remote server. The researchers registered a matching domain, 'darculatheme.com,' to become a verified publisher, adding credibility to their fake extension.

The malicious code bypassed endpoint detection and response (EDR) tools because VSCode is generally trusted as a development and testing system. "Traditional endpoint security tools (EDRs) do not detect this activity... VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious extension," explained Amit Assaraf.

The extension was installed by multiple high-value targets, including a publicly listed company with a $483 billion market cap, major security firms, and a national justice court network. The researchers did not disclose the names of the affected companies and ensured their experiment did not cause harm, only collecting identifying information and including a disclosure in the extension's documentation.

Following their experiment, the researchers examined the broader threat landscape of the VSCode Marketplace using a custom tool named 'ExtensionTotal' to identify high-risk extensions. Their findings included:

- 1,283 extensions with known malicious code (229 million installs).
- 8,161 extensions communicating with hardcoded IP addresses.
- 1,452 extensions running unknown executables.
- 2,304 extensions using another publisher's GitHub repository, indicating they are copycats.

The researchers highlighted a significant lack of stringent controls and code review mechanisms on the VSCode Marketplace, allowing rampant abuse of the platform. "VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk," they warned.

All detected malicious extensions were reported to Microsoft for removal, but most remain available for download. The researchers plan to release 'ExtensionTotal' as a free tool to help developers scan their environments for potential threats.

BleepingComputer has reached out to Microsoft to inquire about potential security improvements to the VSCode Marketplace to combat typosquatting and impersonation, but no response has been received as of publication time.