
VSCode Marketplace can be abused to host malicious extensions
2023-01-06 19:11

Researchers have found it surprisingly easy to upload malicious Visual Studio Code extensions to the VSCode Marketplace, and discovered signs of threat actors already exploiting this weakness.

According to a new report by AquaSec, it is fairly easy to upload malicious extensions to Microsoft's Visual Studio Code Marketplace, and the researchers have already found a few existing extensions that are very suspicious.

As an experiment in uploading a malicious extension to the VSCode Marketplace, the AquaSec team attempted to typosquat a popular code formatting extension named "Prettier," which has over 27 million downloads.

AquaSec didn't just prove it's possible to mimic popular extensions on VSCode Marketplace but also found suspicious examples already uploaded to the marketplace.

"Ultimately, the threat of malicious VSCode extensions is real. Arguably, in the past, this hasn't received the highest amount of attention perhaps because we haven't yet seen a campaign in which it has left a huge impact," concludes AquaSec's report.

To make matters worse, AquaSec says that Microsoft also offers Visual Studio and Azure DevOps extension marketplaces that appear vulnerable to malicious extensions as well.


News URL

https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/