Malicious extensions on Microsoft's VSCode Marketplace downloaded nearly 50,000 times

Check Point recently discovered that cyber attackers have uploaded three malicious extensions to Microsoft's VSCode Marketplace that have been downloaded 46,600 times by Windows developers.

Check Point said the attackers used these malicious extensions to steal credentials and system information and to open remote shells on victims' machines.

The three malicious extensions discovered by Check Point are as follows:

Theme Darcula dark – Described as "an attempt to improve Dracula colors consistency on VS Code," this extension was used to steal basic information about the developer's system, including hostname, operating system, CPU platform, total memory, and CPU details. While the extension did not contain any other malicious activity, collecting such data is not typical behavior for a theme pack. This extension had by far the widest circulation, with over 45,000 downloads.

python-vscode – Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim's machine.

prettiest java – Based on the extension's name and description, it was likely created to mimic the popular 'prettier-java' code formatting tool. In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

In addition to these, Check Point found multiple suspicious extensions that could not be conclusively determined to be malicious but exhibited insecure behavior, such as fetching code from private repositories or downloading files.

Check Point reported the findings to Microsoft, and on May 14 the three malicious extensions were removed from the VSCode Marketplace. However, developers who still have the malicious extensions installed must remove them manually and run a full scan to detect any remnants of the infection.
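As an added check, not from the article or from Check Point, the script below scans the local VS Code extension folder for manifests whose name or display name matches one of the three reported extensions. It assumes the standard ~/.vscode/extensions layout with one package.json per extension folder, and matches on names only because the article does not give publisher ids.

```python
import json
import re
from pathlib import Path

# Display names of the three extensions named in the Check Point report.
# Publisher ids are not given in the article, so matching is by name only.
WATCHLIST = ("theme darcula dark", "python-vscode", "prettiest java")


def _norm(value):
    # Lower-case and collapse whitespace so minor spelling variants still match.
    return re.sub(r"\s+", " ", str(value or "")).strip().lower()


def find_listed_extensions(extensions_dir, watchlist=WATCHLIST):
    """Scan <extensions_dir>/*/package.json and return a list of
    (folder, publisher, name, displayName) tuples for every extension whose
    'name' or 'displayName' field is on the watchlist."""
    hits = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return hits
    for manifest in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        name = meta.get("name", "")
        display = meta.get("displayName", "")
        if _norm(name) in watchlist or _norm(display) in watchlist:
            hits.append((manifest.parent.name, meta.get("publisher", ""), name, display))
    return hits


def default_extensions_dir():
    # Per-user extension folder used by VS Code on Windows, macOS and Linux.
    return Path.home() / ".vscode" / "extensions"


if __name__ == "__main__":
    found = find_listed_extensions(default_extensions_dir())
    for folder, publisher, name, display in found:
        print(f"MATCH: {folder} (publisher={publisher!r}, name={name!r}, displayName={display!r})")
    if not found:
        print("No watch-listed extension names found.")
```

A name match is a reason to inspect and remove the extension, not proof on its own, since unrelated extensions can share a display name.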

Software Repository Security Risks

Visual Studio Code (VSC) is a source code editor published by Microsoft that is used by a large share of professional software developers worldwide. Microsoft also runs an extension marketplace for the editor, the VSCode Marketplace, which offers more than 50,000 extensions that add application functionality, along with add-ons that provide further customization options.

While software repositories that accept user uploads, such as NPM and PyPI, have proven to be a security risk time and again, there is little precedent for malware infiltrating the VSCode Marketplace. In January, AquaSec showed that it is fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases, but ultimately did not find any conclusively malicious programs.

The cases found by Check Point suggest that attackers are actively trying to infect Windows developers by uploading malicious programs, as they have done with software repositories such as NPM and PyPI.

Check Point recommends that users of the VSCode Marketplace, and of all other repositories that accept user uploads, install only trusted, widely downloaded extensions with good community ratings.