1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension

Amit Assaraf
6 min read · May 12, 2024


30 minutes. 30 minutes is how long it took us to develop, publish, and polish a Visual Studio Code (the most popular IDE on the planet, with over 15m monthly users) extension that changes your IDE’s colors while leaking all your source code to a remote server. We wrote the code, designed the assets, registered a domain, published the extension, generated fake reviews, got our first victim, reached trending status on the VSCode Marketplace (a page that gets 4.5 million views a month), and confirmed it to be installed inside multiple multi-billion-dollar market cap companies, all within 30 minutes of work.

We are at the pinnacle of secured applications and environments, yet 30 minutes is all it takes to bypass the most sophisticated security environments.

This is the untold story of developer extensions.

While exploring ideas in the cybersecurity domain, we stumbled upon a Medium article talking about a vulnerability found in a Visual Studio Code extension. The story discussed a known and widely used VSCode extension that was stealing information about the developer’s machine while pretending to be just another theme. After researching the matter we stumbled upon countless articles mentioning vulnerabilities found in VSCode extensions and other IDEs, but we couldn’t find a solution to this obvious problem, so we built one.

There is a good reason why no one has solved this problem until now: it stems from the fact that it’s too small a problem for large security companies to pay attention to, while also being too small an opportunity for startups to build their business on. Additionally, for Microsoft itself it’s not a high priority (I would even argue that it’s against their interest, as they want as many extensions on their marketplace as possible and adding friction to the upload process is not ideal).

So who will build a solution to this problem? Three guys who love security and love building products.

Hacking the VSCode Marketplace

Let’s back up a little. Before we began building, we decided to test how hard it would be to create a malicious VSCode extension that steals source code and sends it to a remote server. To begin we had to choose what to build, and we remembered stumbling upon an article that mentioned malicious code found in a copycat extension, which stole the assets and name of a popular VSCode extension called “Prettier — Code formatter”. Feeling inspired, we decided to take the popular Dracula theme named “Dracula Official” (with over 6,000,000 installs) and create our own copycat, “Darcula Official”.

30 minutes later, after downloading the source code, adding our code, and copying all the marketing resources we had this -

We even had a domain name, darculatheme.com, similar to the official draculatheme.com. Surprisingly, the only thing you need to do to become a verified publisher on the VSCode Marketplace is to verify your domain, so a few minutes later our credibility increased significantly -

Another interesting quirk we found is that adding any GitHub repo in the package.json is enough for Microsoft to list it as the official repo on the extension page, even without owning the repo. So we went ahead and put the official Dracula theme repo there to further increase credibility.
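Both tricks described above (a copycat name and a borrowed repository link) leave a trace in the extension’s own package.json, so a defender can check installed extensions for them locally. The following is an added example, not code from the article or from the ExtensionTotal tool; the trusted list, publisher ids, repository URLs and sample manifests are constructed placeholders.

```javascript
// Added example, not the article's code. Flags two weaknesses the article describes: a
// copycat display name within two edits of a trusted extension's name, and a "repository"
// claiming a trusted extension's GitHub repo under another publisher. All data is constructed.
const TRUSTED = [
  { displayName: "Dracula Official", publisher: "trusted-dracula-publisher",
    repo: "github.com/trusted-dracula-org/theme" },
];
function levenshtein(a, b) { // edit distance, single-row dynamic programming
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}
// Reduce the string or {url} forms of "repository" to lower-case "github.com/owner/repo".
function normalizeRepo(repository) {
  const url = typeof repository === "string" ? repository : (repository && repository.url) || "";
  const m = url.match(/github\.com[/:]([^/]+)\/([^/#?]+?)(?:\.git)?(?:[/#?].*)?$/i);
  return m ? `github.com/${m[1]}/${m[2]}`.toLowerCase() : null;
}
function assessManifest(pkg) { // human-readable findings for one manifest; [] means clean
  const findings = [];
  const name = (pkg.displayName || pkg.name || "").toLowerCase();
  const publisher = (pkg.publisher || "").toLowerCase();
  const repo = normalizeRepo(pkg.repository);
  for (const t of TRUSTED) {
    if (publisher === t.publisher) continue; // the trusted publisher's own extension
    const d = levenshtein(name, t.displayName.toLowerCase());
    if (d <= 2) findings.push(`name is ${d} edit(s) from "${t.displayName}" but publisher is "${pkg.publisher}"`);
    if (repo && repo === t.repo) findings.push(`claims repo ${t.repo}, owned by publisher "${t.publisher}"`);
  }
  return findings;
}
// Constructed manifests; on a workstation, read ~/.vscode/extensions/*/package.json instead.
const SAMPLE_MANIFESTS = [
  { name: "theme-dracula", displayName: "Dracula Official", publisher: "trusted-dracula-publisher",
    repository: { type: "git", url: "https://github.com/trusted-dracula-org/theme.git" } },
  { name: "theme-darcula", displayName: "Darcula Official", publisher: "copycat-publisher",
    repository: "https://github.com/trusted-dracula-org/theme" },
];
function scanManifests(manifests) {
  return manifests.map((p) => ({ id: `${p.publisher}.${p.name}`, findings: assessManifest(p) }))
    .filter((r) => r.findings.length > 0);
}
```

Only the copycat manifest is reported: its name is two edits from the trusted one under a different publisher, and its repository field points at the trusted publisher’s repo.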

Now that we were credible, we added the interesting part. Here is part of the code that we added to the theme extension -

Simply put, each time a victim opens a document in the editor, we read the code and send it to our Retool server, and additionally send a beacon to our server with information on the host machine, such as the hostname, domain, platform, number of extensions, etc.

Lo and behold, only a few minutes after we published the extension it was live on the VSCode Marketplace and we had our first victim.

Mr. DESKTOP-97KBB6H.

A single day later, we already had 100+ different victims without promoting the extension or doing anything special to get developers to install it (when searching “Darcula Theme”, we were on the first page and the only verified publisher!).

A few days later, something big happened. We noticed we had a victim which was identified as a Windows machine inside the domain and network of a publicly listed company with a $483 billion market cap, and later we confirmed we were inside tens of multi-billion-dollar companies, all of which are widely known, inside one of the biggest security companies in the world, and in a certain country’s justice court network (keeping the company names to ourselves for their sake), proving to us the immense danger of this attack vector.

And finally we woke up to see this, we were trending on the marketplace -

The homepage of the VSCode Marketplace, a page that gets 4.5 million views a month (!). Today the extension has thousands of installs all over the world.

Having experienced firsthand just how easy it is to create and publish malicious extensions, we know what to look for when assessing the risk of VSCode extensions.

So what now?

When we began our journey, we never imagined the path it would take us on. In hindsight, the risks and high-impact potential of this attack vector are clear, highlighting its immense value to threat actors.

Realizing the significance of our experiment, we decided to dive deeper into the current state of malicious extensions in the VSCode marketplace.

Our next blog post, 2/6 | Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace reveals our findings and is out now.

Edit: We’ve released our free community tool to help solve this problem; check out ExtensionTotal.

Note: After writing this article we began a process of responsible disclosure with over 10 multi-billion-dollar companies to help mitigate this security risk in their organizations.

Disclaimer: Actual source code was not leaked in order to not harm anyone. Additionally.

Edit: It was brought to our attention that similar research was done earlier last year regarding VSCode extensions and had similar findings (sad to see that a year later nothing has changed). In our research we’ve found perhaps worse findings (as per the numbers and the size of organizations we managed to reach, along with RCE demonstrations and the findings of more potentially malicious extensions). Additionally, we took it upon ourselves to build a solution for this issue, which we will be releasing soon, called “ExtensionTotal”.

All the cities we got malicious installs in within the first 24 hours
