
Malicious VSCode extensions with millions of installs discovered
2024-06-09 14:22

Further research into the VSCode Marketplace found thousands of extensions with millions of installs.

Previous reports have highlighted gaps in VSCode's security, allowing extension and publisher impersonation and extensions that steal developer authentication tokens.

For their recent experiment, researchers Amit Assaraf, Itay Kruk, and Idan Dardikman created an extension that typosquats the 'Dracula Official' theme, a popular color scheme for various applications that has over 7 million installs on the VSCode Marketplace.

"Unfortunately, traditional endpoint security tools do not detect this activity, VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious extension." - Amit Assaraf.

Below is an example of code found in a malicious Visual Studio Code Marketplace extension that opens a reverse shell to the cybercriminal's server.

All malicious extensions detected by the researchers were responsibly reported to Microsoft for removal.


News URL

https://www.bleepingcomputer.com/news/security/malicious-visual-studio-code-extensions-with-millions-of-installs-discovered/