74.48% of developers use Microsoft’s Visual Studio Code, according to one survey conducted by StackOverflow. And besides GitHub Copilot, there’s over 40,000 other extensions in the VSCode Marketplace.
Unfortunately, InfoWorld reports, “Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them.”
It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. [“In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization’s repositories.”] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft’s Visual Studio Code Marketplace.
Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.
Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.
“While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension,” the blog post notes. Yet it points out that a blue checkmark on a VSCode extension “merely means that whoever the publisher is has proven the ownership of a domain. That means any domain.“
And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. “To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads.”