Extending the functionality of your favorite programs with extensions is great—if the extensions work properly and the extension store isn’t filled with unseen dangers.

That’s exactly what’s happened to Microsoft’s Visual Studio Code extensions store, where, due to a lack of attention, heaps of malicious extensions are waiting for you to click and install.


What Are Malicious VSC Extensions?

Malicious VSC extensions are exactly what they sound like. These extensions often impersonate other, more popular extensions or promise to add new functionality that pushes people to install them. Once installed and activated, they can do anything from messing up your VSC settings to stealing data from your computer.

VSC extensions in themselves aren’t the problem here. The ability to add extensions to further enhance the utility of VSC is what makes it one of the most popular code editors around. However, since installed extensions often get unfettered access to your VSC installation and, to some degree, your PC, it also makes them the perfect medium for attackers to slip a piece of malware onto your PC. In a world where scammers can even use your face to commit fraud, it’s best to stay cautious.


These malicious extensions can be anything from a simple data stealer that lifts Personally Identifiable Information (PII) from your computer to something that makes your machine part of a botnet used to carry out DDoS attacks or propagate malware further. Additionally, with supply chain attacks becoming increasingly popular, they also open the door to much more serious malware infections, especially considering many VSC installations are on work-related devices that programmers use when working for their respective organizations.

Security researchers Amit Assaraf, Itay Kruk, and Idan Dardikman’s deep dive into malicious extensions on the VSC marketplace revealed some interesting statistics:

While these numbers don’t necessarily indicate malicious activity on the part of every extension included, they raise enough suspicions to make anyone think twice before installing them.

A previous report by security researchers Ilay Goldman and Yakir Kadkoda for AquaSec found similar patterns, with malicious extensions hiding as duplicates of regular extensions. For example, in the image below, the details on the left belong to the real extension, while the details on the right are from a malicious extension attempting to mimic the original.

The image also perfectly illustrates why malware on the VSC marketplace is an issue. Almost anyone can upload an extension and point its information wherever they want, be that false or malicious.

How Do Malicious Extensions End Up on the VSC Marketplace?

There are several ways a malicious extension can end up on the VSC marketplace. However, the two most common methods are as follows.

Typosquatting

Typosquatting is a technique where an attacker uses misspellings of a popularly used program, or in this case, an extension, to spread a fake. For example, if you’re looking for an extension called “Programmer”, a typosquatter might create a malicious extension with the name “Programmerr” or “Programer” and trick you into downloading it thinking you’re getting the extension you wanted.

These are often either loaded with data stealers or other malware and can cause serious harm to your PC. It’s an honest mistake, one that every one of us can make every once in a while, but it can also cost you dearly.
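The lookalike names above (“Programmerr”, “Programer”) are exactly what a small allowlist check can catch. The following is an added example, not code from the article or from any of the tools it mentions: it parses extension ids in the `publisher.name@version` form that `code --list-extensions --show-versions` prints, and flags any id whose name is within a couple of edits of a trusted extension but comes from a different publisher (a distance of 0 catches the same-name duplicates the AquaSec report describes). The allowlist and the installed ids are constructed sample values.

```python
"""Flag installed VS Code extensions that look like typosquats of trusted ones.

Added example (not from the article). Trusted ids and installed ids below are
constructed sample values, not real marketplace extensions.
"""


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    a, b = a.lower(), b.lower()
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # transposition of two adjacent characters counts as one edit
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def parse_extension_id(ext_id: str) -> tuple[str, str]:
    """Split 'publisher.name' (optionally '@version') into (publisher, name)."""
    ext_id = ext_id.split("@", 1)[0]
    publisher, _, name = ext_id.partition(".")
    if not publisher or not name:
        raise ValueError(f"not a publisher.name id: {ext_id!r}")
    return publisher.lower(), name.lower()


def find_suspects(installed, trusted, max_distance=2):
    """Return [(installed_id, lookalike_trusted_id, distance)] for ids worth review."""
    trusted_map = {parse_extension_id(t): t for t in trusted}
    suspects = []
    for ext in installed:
        pub, name = parse_extension_id(ext)
        if (pub, name) in trusted_map:
            continue  # exact allowlisted id: fine
        for (tpub, tname), tid in trusted_map.items():
            d = edit_distance(name, tname)
            if d <= max_distance and pub != tpub:
                suspects.append((ext, tid, d))
                break
    return suspects


TRUSTED = ["goodpub.programmer", "goodpub.formatter"]  # constructed allowlist
INSTALLED = [  # constructed output of `code --list-extensions --show-versions`
    "goodpub.programmer@1.2.0",   # legitimate
    "evilpub.programmerr@0.0.1",  # extra letter, different publisher
    "evilpub.programer@0.0.1",    # missing letter
    "evilpub.programmer@0.0.1",   # same name, different publisher (duplicate)
    "otherpub.linter@3.1.0",      # unrelated name: not flagged
]

if __name__ == "__main__":
    for ext, lookalike, d in find_suspects(INSTALLED, TRUSTED):
        print(f"REVIEW {ext}: {d} edit(s) from trusted {lookalike}")
```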

Fake Extensions

As the name suggests, these extensions either promise fake functionality or impersonate other, more popular extensions to get you to install them. Once installed, they’re either blatantly non-functional or do provide some functionality while primarily focusing on taking control of your PC or stealing data.

This is a rather popular way of spreading malware, and scammers often use the names of big corporations with verified accounts to give their malware more legitimacy. Even the Google Bard app was distributed as malware using the same approach.

Why Doesn’t Microsoft Do Something About Malicious Extensions?

Microsoft has implemented several security measures on the VSC Extensions Marketplace to ensure malicious extensions stay under check. Every extension and its subsequent updates uploaded to the marketplace undergo a virus scan to ensure that the package is safe to use. The marketplace also has typosquatting countermeasures to prevent malicious extensions from impersonating official publishers like RedHat and Microsoft itself.

Additionally, if a malicious extension is reported and verified, or a vulnerability is found in an extension dependency, it’s either removed from the marketplace or added to a kill list to be automatically uninstalled by VSC.

However, despite these countermeasures, malicious extensions are still rampant in the marketplace. The primary reason behind this is that Microsoft’s traditional endpoint security tools (EDRs) do not detect all malicious activity.

The nature of VSC also plays an important part here. VSC was built to open all sorts of files, execute various commands, and create child processes. Hence, EDRs can’t always tell whether the scanned activity from VSC is legitimate developer activity or malicious code.

How to Stay Safe

Other than common sense and ensuring you’re downloading an extension published by a verified and official publisher, you can refer to the rating and reviews system on the VSC marketplace. Additionally, you can also use the ExtensionTotal tool to analyze extensions before installing and get a report of whether or not an extension is safe to install.

There are a lot of misleading and harmful extensions still available for download on the VSC marketplace. However, a little bit of background research before clicking the download button can save you a lot of hassle in the long run.