Bitcoin Forum
Author Topic: Malicious VSCode extensions with millions of installs discovered  (Read 76 times)
Amphenomenon (OP)
June 11, 2024, 09:07:11 PM
 #1

Since last year till now there have been malicious exploits on VSCode.

Another recent experiment by researchers has proven:

  • 1,283 with known malicious code (229 million installs).
  • 8,161 communicating with hardcoded IP addresses.
  • 1,452 running unknown executables.
  • 2,304 that are using another publisher's GitHub repo, indicating they are a copycat.
Among these:
Reverse shell found in a code beautifying extension (CWL Beautifier)


This was discovered after a group of researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official' theme to include risky code.

The fake extension used by the researchers was named 'Darcula,' and the researchers even registered a matching domain at 'darculatheme.com.' This domain was used to become a verified publisher on the VSCode Marketplace, adding credibility to the fake extension.

Their extension uses the same code as the actual Dracula theme but also includes an added script that collects system information, including the hostname, number of installed extensions, device's domain name, and the operating system platform, and sends it to a remote server via an HTTPS POST request.


Quote
The researchers note that the malicious code does not get flagged by endpoint detection and response (EDR) tools, as VSCode is treated with leniency due to its nature as a development and testing system.

The extension quickly gained traction, getting mistakenly installed by multiple high-value targets, including a publicly listed company with a $483 billion market cap, major security companies, and a national justice court network.

The researchers have opted not to disclose the names of the impacted companies.

Since the experiment did not have malicious intent, the analysts only collected identifying information and included a disclosure in the extension's Read Me, license, and the code.

There are many developers here who also use Visual Studio Code, and I'm also among this category. We need to be cautious of the extensions we download, especially if it's from the official source, also considering how long these sources have been around and what they're all about.

Source: https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/
SilverCryptoBullet
June 12, 2024, 12:55:27 AM
 #2

My attention is on Official. Official applications do not use Official in their application names.

We can see it on YouTube, TikTok and some channels, but companies will not use that word, official, in their brand names or in their application names.

What is the 164 number?

I guess it is the total download count of the Dracula Official application; it is very low and is another thing to be cautious about.
Amphenomenon (OP)
June 12, 2024, 09:07:59 AM
 #3

Quote
My attention is on Official. Official applications do not use Official in their application names.

We can see it on YouTube, TikTok and some channels, but companies will not use that word, official, in their brand names or in their application names.
But not everyone is actually aware of this, nor will many be able to notice that the spellings were actually different, especially when the person has eye defects or is not cautious about the extensions they install, and given that the malicious extension works as well as the actual one.

Quote
What is the 164 number?

I guess it is the total download count of the Dracula Official application; it is very low and is another thing to be cautious about.
This is not the official Dracula extension; it's spelt 'darcula', which is the malicious extension. The 164 is actually the total downloads, but not many may consider this since they may think it is the right one through a misreading of the spelling, and with time, since it works as well as the actual extension, they will give it positive ratings and more users will install it, unless someone actually checks the code and speaks out; otherwise others will be ignorant of it.
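The two warning signs raised in this thread, an extension ID that is one letter-swap away from a trusted one ('darcula' vs 'dracula') and activation code that reads host details and sends them to a remote server, can be checked on a developer's own machine. The script below is an added example written for this thread, not the researchers' code or anything from the Dracula project; the allow-list, the indicator patterns and the sample manifest are constructed.

```python
"""Audit VS Code extensions for the warning signs in this thread: an ID that is
a near-duplicate of a trusted extension, and code that gathers host details and
posts them out. Example code for this thread, not from any project."""
import json, re
from pathlib import Path

# Constructed allow-list; a deployment would load this from policy.
TRUSTED_IDS = {"dracula-theme.theme-dracula", "ms-python.python"}
# Host-fingerprinting calls and outbound request calls (constructed indicators).
FINGERPRINT = re.compile(r"os\.(hostname|platform)\(\)|extensions\.all")
OUTBOUND = re.compile(r"https?\.request\(|fetch\(|axios\.post\(")

def edit_distance(a: str, b: str) -> int:
    """OSA edit distance: an adjacent swap costs 1, so 'darcula' is 1 from 'dracula'."""
    la, lb = len(a), len(b)
    # Row 0 holds 0..lb and column 0 holds 0..la; interior cells are overwritten.
    d = [[i or j for j in range(lb + 1)] for i in range(la + 1)]
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]

def assess(manifest: dict, source: str) -> list:
    """Return warning signs for one extension given its package.json and main JS."""
    ext_id = f"{manifest['publisher']}.{manifest['name']}".lower()
    findings = []
    if ext_id not in TRUSTED_IDS:
        near = sorted(t for t in TRUSTED_IDS if edit_distance(ext_id, t) <= 2)
        if near:
            findings.append(f"lookalike of trusted extension {near[0]}")
    if FINGERPRINT.search(source) and OUTBOUND.search(source):
        findings.append("reads host details and makes outbound requests")
    return findings

def scan(root: Path) -> dict:
    """Assess every extension directory under root (e.g. ~/.vscode/extensions)."""
    report = {}
    for pkg in root.glob("*/package.json"):
        manifest = json.loads(pkg.read_text())
        main = pkg.parent / manifest.get("main", "extension.js")
        source = main.read_text(errors="ignore") if main.is_file() else ""
        report[pkg.parent.name] = assess(manifest, source)
    return report

# Constructed sample mirroring the thread's description of the trojanized theme.
SAMPLE_MANIFEST = {"publisher": "darcula-theme", "name": "theme-darcula"}
SAMPLE_SOURCE = "const info = {host: os.hostname(), os: os.platform()}; https.request({method: 'POST'}, cb);"
```

`scan(Path.home() / ".vscode" / "extensions")` runs the same checks over a real install; both checks are heuristics, so a hit is a prompt to read the extension's code, not a verdict.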
jrrsparkles
June 12, 2024, 04:29:47 PM
 #4

If I am not mistaken, there are millions of extensions available on the Chrome Web Store, and most of them collect user data, something we call spyware, whether it is from an official source or a copycat, so avoid using random extensions.

And the number of downloads is a good indicator to distinguish the bad and new ones, which should be treated with caution; I would say better avoid them completely.
