A group of Israeli researchers investigated the security of the Visual Studio Code (VSCode) Marketplace by publishing a look-alike extension that imitated the popular ‘Dracula Official’ theme, to test how easily an impostor extension could reach real users. This trojanized extension, named ‘Darcula,’ was installed by over 100 organizations, including a major publicly listed company, security firms, and a national justice court network. The extension collected system information and sent it to a remote server without being stopped by endpoint detection and response (EDR) tools, which tend to treat activity originating from VSCode as legitimate development work.
This experiment exposed significant security gaps in the VSCode Marketplace, where previous reports had already highlighted extension and publisher impersonation and the presence of extensions that steal developer authentication tokens. The researchers’ further investigation found thousands of extensions, with millions of installs in total, that posed a range of security risks, including extensions with known malicious code, hardcoded IP addresses, and unauthorized executables.
Using a custom tool named ‘ExtensionTotal,’ the researchers identified 1,283 extensions with malicious code, 8,161 communicating with hardcoded IPs, 1,452 running unknown executables, and 2,304 using another publisher’s GitHub repository. Although the researchers reported these findings to Microsoft, most of the malicious extensions remain available for download on the VSCode Marketplace, indicating inadequate security controls and review mechanisms on the platform.
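The indicator categories listed above (hardcoded IP addresses, bundled executables, and a repository that belongs to a different publisher than the one listed in the manifest) can be checked locally by walking the extension folders that VSCode installs on disk. The script below is an added example written for this summary; it is not ExtensionTotal or any code from the researchers. It reads each extension's `package.json`, greps source files for non-local IPv4 literals, lists files with executable suffixes, and compares the GitHub owner in the `repository` field with the `publisher` field. The suffix lists, the set of excluded local networks, and the sample extension it builds in a temporary directory (with the documentation-range address 203.0.113.10) are all constructed assumptions for the demonstration.

```python
"""Local scan of VSCode extension folders for the risk indicators described above (example code)."""
import ipaddress
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed indicator definitions; adjust to taste.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
GITHUB_OWNER_RE = re.compile(r"github\.com[/:]([A-Za-z0-9_.-]+)/", re.IGNORECASE)
EXEC_SUFFIXES = {".exe", ".dll", ".so", ".dylib", ".bin", ".sh", ".bat", ".cmd", ".ps1"}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}
# Addresses an extension may legitimately talk to locally; everything else is reported.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8")]


def remote_ips(text: str) -> set:
    """Return syntactically valid IPv4 literals that are not loopback/RFC1918/link-local."""
    found = set()
    for literal in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
        if not any(ip in net for net in LOCAL_NETS):
            found.add(literal)
    return found


def repo_owner(manifest: dict) -> Optional[str]:
    """GitHub account named in package.json's repository field, lower-cased, or None."""
    repo = manifest.get("repository")
    url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    match = GITHUB_OWNER_RE.search(url)
    return match.group(1).lower() if match else None


def scan_extension(ext_dir: Path) -> dict:
    """Collect the three indicators for one installed extension folder."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = str(manifest.get("publisher", "")).lower()
    findings = {"id": f"{publisher}.{manifest.get('name', '?')}",
                "hardcoded_ips": {}, "executables": [], "repo_mismatch": None}
    for path in ext_dir.rglob("*"):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(ext_dir).as_posix()
        if path.suffix.lower() in EXEC_SUFFIXES:
            findings["executables"].append(rel)
        elif path.suffix.lower() in SOURCE_SUFFIXES:
            ips = remote_ips(path.read_text(encoding="utf-8", errors="ignore"))
            if ips:
                findings["hardcoded_ips"][rel] = sorted(ips)
    owner = repo_owner(manifest)
    if owner and publisher and owner != publisher:
        findings["repo_mismatch"] = {"publisher": publisher, "repo_owner": owner}
    findings["executables"].sort()
    return findings


def scan_all(extensions_root: Path) -> list:
    """Scan every extension folder under e.g. ~/.vscode/extensions."""
    return [scan_extension(d) for d in sorted(extensions_root.iterdir())
            if (d / "package.json").is_file()]


def build_sample_extension(root: Path) -> Path:
    """Constructed look-alike extension showing all three indicators (not a real extension)."""
    ext = root / "someone-else.theme-lookalike-1.0.0"
    (ext / "out").mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": "theme-lookalike", "publisher": "someone-else",
        "repository": {"type": "git", "url": "https://github.com/original-author/theme.git"},
        "main": "./out/extension.js"}))
    (ext / "out" / "extension.js").write_text(
        "const os = require('os');\n"
        "const endpoint = 'http://203.0.113.10:8080/collect'; // constructed TEST-NET-3 address\n"
        "const local = 'http://127.0.0.1:3000'; // ignored: loopback\n"
        "const version = '1.2.3'; // ignored: not four octets\n")
    (ext / "out" / "helper.exe").write_bytes(b"MZ\x90\x00")  # constructed binary stub
    return ext


def demo() -> dict:
    """Build the sample in a temp directory and return its findings."""
    root = Path(tempfile.mkdtemp())
    return scan_all(root)[0] if build_sample_extension(root) else {}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `scan_all(Path.home() / ".vscode" / "extensions")` lists the same indicators for a real installation; a repository-owner mismatch or a bundled executable is not proof of malice (many legitimate extensions ship native helpers), so treat the output as a triage list rather than a verdict.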
The researchers plan to release their ‘ExtensionTotal’ tool so that developers can scan their own environments for risky extensions. The study underscores the urgent need for the security community to address the rampant abuse and high-risk nature of VSCode extensions, which pose direct threats to organizations relying on this widely used development platform.
Reference: