A potential security weakness in the Visual Studio Code extensions marketplace could allow attackers to upload rogue extensions that masquerade as legitimate ones. Such extensions can be instrumental in launching supply chain attacks against the organizations that use them, because a single rogue extension gives attackers a way to reach many systems and potentially compromise them. Organizations must be aware of this attack vector and take steps to protect themselves against it.

Visual Studio Code (VS Code) is a popular source-code editor for developers. To enhance and customize their workflows, developers can install extensions from a marketplace provided by Microsoft. These extensions can add programming language support, debuggers, and other tools. However, a risk comes with using these extensions: they run with the same privileges as the user who opens VS Code. An extension can therefore install any program on the user’s computer, including malicious software such as ransomware or wipers. Developers need to be aware of this risk and should carefully vet any extension they choose to install.

What Aqua, a cybersecurity company, reported

Aqua, a cybersecurity company, recently researched the potential for threat actors to impersonate popular extensions on online marketplaces. The company found that a threat actor can use a slight variation of the name of a popular extension to trick users into installing malicious code; developers can be misled into believing that a malicious extension is trustworthy. Additionally, Aqua found that the verification badge assigned to extension authors is easy to obtain, since the check mark only confirms that the extension publisher owns a particular domain. These findings highlight the importance of being cautious when downloading and installing extensions, and the need for stronger verification processes to ensure the security and authenticity of extensions on online marketplaces.

What is the exact case?

A malicious individual or group could purchase a domain and use it to gain a verified check mark. With that check mark displayed next to their name, they could upload a trojanized extension with the same name as a legitimate one. Aqua Security recently conducted a proof-of-concept test: they created a fake extension posing as the Prettier code formatting utility, and it gained over 1,000 downloads within 48 hours before it was taken down. Software supply chain threats in the VS Code extensions marketplace have been a concern in the past as well.
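The two weaknesses described above (a near-miss name for a popular extension, and a check mark that proves only domain ownership) can both be caught on the defender's side by comparing what is installed against an allowlist keyed on publisher *and* name. The following audit script is an added example, not code from Aqua or from the article; the allowlist, the installed-extension sample and the distance threshold are constructed assumptions, and the input format `publisher.name` is the one printed by `code --list-extensions`.

```python
"""Flag installed VS Code extensions that are lookalikes of approved ones.

Input ids use the `publisher.name` form printed by `code --list-extensions`.
Both the allowlist and the sample input below are constructed for this example.
"""

# Constructed allowlist of approved extensions, as (publisher, name) pairs.
# Keying on the publisher too is what defeats "same name, different publisher".
APPROVED = {
    ("esbenp", "prettier-vscode"),
    ("ms-python", "python"),
}
MAX_DISTANCE = 2  # assumed: names this close to an approved name are suspects


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ext_id: str) -> tuple[str, str]:
    """Return (verdict, detail) for one `publisher.name` id; ids are case-insensitive."""
    publisher, _, name = ext_id.lower().partition(".")
    if (publisher, name) in APPROVED:
        return "approved", ""
    for ok_pub, ok_name in sorted(APPROVED):
        # Identical name under another publisher: a verified badge says nothing here.
        if name == ok_name:
            return "lookalike", f"same name as {ok_pub}.{ok_name}, different publisher"
        # Slight spelling variation of an approved name (typosquat).
        dist = edit_distance(name, ok_name)
        if dist <= MAX_DISTANCE:
            return "lookalike", f"name within edit distance {dist} of {ok_pub}.{ok_name}"
    return "unknown", ""


def audit(installed: list[str]) -> dict[str, tuple[str, str]]:
    """Classify every installed extension id."""
    return {ext: classify(ext) for ext in installed}


# Constructed sample of `code --list-extensions` output.
INSTALLED = ["esbenp.prettier-vscode", "prettier-team.prettier-vscode",
             "esbenp.pretier-vscode", "ms-python.python", "acme.internal-linter"]

if __name__ == "__main__":
    for ext, (verdict, detail) in audit(INSTALLED).items():
        print(f"{verdict:10} {ext}  {detail}")
```

"Unknown" entries are not necessarily malicious; they simply need the same vetting as any new dependency before being added to the allowlist.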

What Snyk revealed in its report

In May 2021, Snyk, a company specializing in security solutions for businesses, discovered that several popular Visual Studio Code (VS Code) extensions, add-ons that enhance the functionality of the code editor, had security vulnerabilities that cybercriminals could potentially exploit. These extensions had been downloaded millions of times, so many developers were potentially at risk of having their environments compromised. This highlights the ongoing efforts of attackers to find new ways to execute malicious code within the networks of organizations.