Security News > 2023 > January > Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions

A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks.

VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows.

"All extensions run with the privileges of the user that has opened the VS Code without any sandbox," Goldman said, explaining the potential risks of using VS Code extensions.

In other words, a malicious actor could buy any domain, register it to get a verified check mark, and ultimately upload a trojanized extension with the same name as that of a legitimate one to the marketplace.

This is not the first time concerns have been raised about software supply chain threats in the VS Code extensions marketplace.

In May 2021, enterprise security firm Snyk uncovered a number of security flaws in popular VS Code extensions with millions of downloads that could have been abused by threat actors to compromise developer environments.

News URL

https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html