How to protect yourself from malicious Microsoft VSCode extensions

Ehsan Tork
4 min read · May 20, 2023


Microsoft Visual Studio Code (VSCode) is one of the most popular and widely used source-code editors in the world. It offers a rich set of features and functionalities that make software development easier and faster. However, it also comes with a potential risk: malicious extensions.

Extensions are add-ons that extend the capabilities of VSCode and provide more customization options. There are over 50,000 extensions available on the VSCode Marketplace, which is operated by Microsoft. However, not all extensions are safe and trustworthy. Some of them may contain malicious code that can compromise your system, steal your credentials, or execute remote commands.

In this blog post, we will discuss how malicious VSCode extensions work, what some recent examples of them are, and how you can protect yourself from them.

How do malicious VSCode extensions work?

Malicious VSCode extensions work by exploiting the permissions and capabilities that VSCode grants to extensions. For example, VSCode allows extensions to:

  • Access and modify files and folders on your system
  • Run commands and scripts on your system
  • Access and modify your settings and preferences
  • Access and modify your environment variables
  • Access and modify your clipboard
  • Access and modify your web browser data
  • Access and send data over the network

These permissions and capabilities can be used for legitimate purposes, such as formatting code, debugging, testing, linting, etc. However, they can also be abused by malicious actors to perform malicious activities, such as:

  • Stealing your passwords, tokens, keys, or other sensitive information
  • Injecting malware or backdoors into your system
  • Opening remote shells or reverse connections to your system
  • Spying on your activities or keystrokes
  • Deleting or encrypting your files
  • Downloading or uploading files to or from your system
  • Modifying or corrupting your code or data

Malicious VSCode extensions can hide their malicious code in various ways, such as:

  • Obfuscating or encrypting their code
  • Using external libraries or resources that contain malicious code
  • Fetching malicious code from remote servers or repositories
  • Triggering malicious code only under certain conditions or after a delay

Malicious VSCode extensions can also disguise themselves as legitimate or useful extensions by using similar names, descriptions, icons, or ratings.

What are some recent examples of malicious VSCode extensions?

Recently, cybersecurity researchers from Check Point discovered three malicious VSCode extensions that were uploaded to the VSCode Marketplace by cybercriminals. These extensions were downloaded 46,600 times by unsuspecting developers before they were removed by Microsoft.

The three malicious extensions were:

These are not the only examples of malicious VSCode extensions. In fact, Check Point also found several other suspicious extensions that demonstrated unsafe behavior but could not be confirmed as malicious with certainty. Therefore, it is possible that there are more malicious VSCode extensions lurking in the VSCode Marketplace.

How can you protect yourself from malicious VSCode extensions?

The best way to protect yourself from malicious VSCode extensions is to be careful and vigilant when installing and using extensions. Here are some tips that can help you:

  • Only install extensions from trusted sources and developers. Check the ratings, reviews, downloads, and update history of the extensions before installing them.
  • Avoid installing extensions that have vague or empty descriptions, suspicious names or icons, low ratings or reviews, or unknown developers.
  • Review the permissions and capabilities that the extensions request before installing them. VSCode shows no permission prompt at install time, so this means reading the extension's description, its manifest (package.json) and, where it is available, its source. If what it does seems excessive or unnecessary for the extension’s functionality, do not install it.
  • Keep your VSCode and extensions updated to the latest versions. This can help you avoid known vulnerabilities or bugs that may be exploited by malicious actors.
  • Use reputable antivirus or anti-malware software on your system. This can help you detect and remove any malicious code that may be injected by malicious extensions.
  • Scan your system regularly for any signs of compromise or infection. If you notice any unusual behavior or activity on your system, such as high CPU usage, slow performance, unauthorized network connections, or unexpected files or folders, you may have been infected by a malicious extension.
  • Back up your important files and data regularly. This can help you recover them in case they are deleted or encrypted by a malicious extension.

Malicious VSCode extensions are a serious threat that can compromise your system and data. By following these tips, you can reduce the risk of falling victim to them and protect yourself from their harmful effects.
