Malicious VSCode Extensions With Millions of Installs Discovered (bleepingcomputer.com)
A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official' theme to include risky code. Further research into the VSCode Marketplace found thousands of suspect extensions with millions of installs. From a report: Visual Studio Code (VSCode) is a source code editor published by Microsoft and used by many professional software developers worldwide. Microsoft also operates an extensions market for the IDE, called the Visual Studio Code Marketplace, which offers add-ons that extend the application's functionality and provide more customization options. Previous reports have highlighted gaps in VSCode's security, allowing extension and publisher impersonation and extensions that steal developer authentication tokens. There have also been in-the-wild findings that were confirmed to be malicious.
What the hell is (Score:5, Insightful)
"Dracula Official theme" and why would you install that.
Re: (Score:2)
...in a productive organization environment (remember "over 100 organizations" infected) rather than some teenagers dabbling in mobile game app development.
Re: (Score:2)
I'm not clear if the Dracula addon is required for the other exploits the article talked about, or was just a specific example or illustration of bad addons.
TypoSquatting (Score:5, Informative)
> I'm not clear if the Dracula addon is required for the other exploits the article talked about, or was just a specific example or illustration of bad addons.
Technically it is neither.
They copied the code from Dracula (a very popular dark theme), added an "exploit" (non-malicious, but could have been) and published it as "Darcula" and watched how many people downloaded it.
The researchers also created a custom tool to check out the extensions available in VSCode Studio.
They included a copy of the code found in one extension that opens a reverse shell.
The problem seems to be that MS doesn't want to do anything about it.
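The comment above describes two things worth being able to check yourself: a lookalike name ("Darcula" for "Dracula") and a theme that ships executable code. Here is an added example of a small manifest audit in Python that does both; it is my code, not the researchers' tool and not anything from the article. The sample manifests, the trusted allowlist and the threshold of one edit are constructed for the example, and the "theme with an entry point" rule is a heuristic of my own, not a Marketplace policy.

```python
"""Heuristic audit of VS Code extension manifests (package.json).

Flags (1) names or publishers within one edit of a trusted extension,
counting adjacent transpositions so 'dracula' vs 'darcula' scores 1,
(2) themes that declare an executable 'main' entry point, and
(3) extensions that activate on every startup.
Added example; manifests and allowlist below are constructed.
"""

# Constructed allowlist of (publisher, name) pairs a team actually trusts.
TRUSTED = {
    ("dracula-theme", "theme-dracula"),
    ("ms-python", "python"),
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus
    adjacent transpositions (the classic typosquatting move)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def audit_manifest(m: dict, trusted=TRUSTED, max_dist: int = 1) -> list:
    """Return a list of human-readable findings for one manifest dict."""
    findings = []
    pub, name = m.get("publisher", ""), m.get("name", "")
    if (pub, name) not in trusted:
        for tpub, tname in sorted(trusted):
            if pub != tpub and osa_distance(pub, tpub) <= max_dist:
                findings.append(f"publisher '{pub}' is a lookalike of '{tpub}'")
            if name != tname and osa_distance(name, tname) <= max_dist:
                findings.append(f"name '{name}' is a lookalike of '{tname}'")
    # A colour theme only needs contributes.themes; a 'main' script means it runs code.
    if "themes" in m.get("contributes", {}) and m.get("main"):
        findings.append("theme declares an executable entry point: " + m["main"])
    if "*" in m.get("activationEvents", []):
        findings.append("activates on every startup (activationEvents '*')")
    return findings


def scan(manifests: list) -> dict:
    """Map 'publisher.name' to its findings, only for manifests that have any."""
    report = {}
    for m in manifests:
        found = audit_manifest(m)
        if found:
            report[f"{m.get('publisher')}.{m.get('name')}"] = found
    return report


# Constructed sample manifests: one benign, one lookalike theme that runs code,
# one publisher typosquat, one unrelated extension.
SAMPLE_MANIFESTS = [
    {"name": "python", "publisher": "ms-python", "main": "./out/main.js"},
    {"name": "theme-darcula", "publisher": "dracula-theme",
     "main": "./out/extension.js",
     "contributes": {"themes": [{"label": "Darcula"}]},
     "activationEvents": ["*"]},
    {"name": "python", "publisher": "ms-pyhton", "main": "./out/main.js"},
    {"name": "gitlens", "publisher": "eamodio", "main": "./dist/gitlens.js"},
]

if __name__ == "__main__":
    for ext, found in scan(SAMPLE_MANIFESTS).items():
        print(ext)
        for f in found:
            print("  -", f)
```

To run this against a real install, load each `package.json` under the user's extensions directory (`~/.vscode/extensions/<publisher>.<name>-<version>/` on a default install) into `scan()` and replace `TRUSTED` with the publisher/name pairs your organization has actually vetted; a distance of one catches transpositions and single-character swaps but not every impersonation, so treat a clean result as a filter, not a verdict.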
Re: (Score:2)
> They copied the code from Dracula (a very popular dark theme), added an "exploit" (non-malicious, but could have been) and published it as "Darcula" and watched how many people downloaded it.
As it's a dark-mode theme, "Darcula" is the cleverer name. A missed opportunity for the original.
Re: TypoSquatting (Score:4, Informative)
Re: (Score:2)
>> The problem seems to be that MS doesn't want to do anything about it.
I am surprised MS does as much as they do already. VSCode is free (and very useful).
Re: (Score:2)
Okay, I didn't notice the letter switch trick, Modnays.
> [Microsoft] doesn't want to do anything about it.
No, it was "Micorsoft" that didn't do anything about it, they got the name wrong :-)
Re:What the hell is (Score:4, Funny)
> "Dracula Official theme" and why would you install that.
People are nostalgic for Windows ME that would drain the life from your body.
Re: (Score:1)
VSCode Extnesion and VSCode Theem
Microsoft makes an insecure product (Score:2)
I'm shocked. Shocked to hear that Microsoft would do this.
Re: Don't call VSCode an IDE (Score:1)
I'm sorry but you're simply not right. Raw vscode for Python is simply unusable for a software professional, incomparable with products like Pycharm where everything you need is provided and works smoothly from the start, exactly as it should.
I'm shocked! (Score:5, Funny)
For the love of god, it's called Dracula Official Theme. How could it NOT suck!
So "coders" downloading malware... (Score:2)
No surprise that so much code is so insecure if this is the typical level of insight in these people.
Re: (Score:2)
> targeting people mostly working on Javascript-based mobile and web projects
That's just plain wrong. VSCode is used these days for almost anything revolving around programming, including writing code for microcontrollers, working with C, C++, Rust, Python and others, for developing data science tools and applications and so on and so forth. There is absolutely nothing about it that is even remotely targeted at just Javascript projects.