
Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions

Jan 09, 2023 | Ravie Lakshmanan | Supply Chain / CodeSec


A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks.

The technique “could act as an entry point for an attack on many organizations,” Aqua security researcher Ilay Goldman said in a report published last week.

VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows.

“All extensions run with the privileges of the user that has opened the VSCode without any sandbox,” Goldman said, explaining the potential risks of using VS Code extensions. “This means that the extension can install any program on your computer including ransomware, wipers, and more.”

To that end, Aqua found that not only is it possible for a threat actor to impersonate a popular extension with small variations to the URL, the marketplace also allows the adversary to use the same name and extension publisher details, including the project repository information.


While the method doesn’t allow the number of installs and the number of stars to be replicated, the fact that there are no restrictions on the other identifying characteristics means it could be used to deceive developers.

The research also found that the verification badge assigned to authors could be trivially bypassed, because the check mark only proves that the extension publisher controls a domain; it says nothing about whether that publisher is the party the extension's name and metadata imply.

In other words, a malicious actor could buy any domain, register it to get a verified check mark, and ultimately upload a trojanized extension with the same name as that of a legitimate one to the marketplace.
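The defensive counterpart to the impersonation described above is to treat the extension identifier (`publisher.name`, as printed by `code --list-extensions --show-versions`) as the thing to verify, not the display name, stars or badge. The following is an added example, not code from Aqua or The Hacker News: it compares installed identifiers against a constructed allowlist and flags an extension as a lookalike when it reuses a trusted extension's name under a different publisher (the case from the report) or when both publisher and name are near-matches after folding common character swaps. The allowlist, the sample listing and the 0.8 similarity threshold are assumptions chosen for illustration; `esbenp.prettier-vscode` is the real identifier of the Prettier extension.

```python
"""Flag installed VS Code extensions that look like lookalikes of trusted ones.

Added example (not from the report or the article). Input is the
`publisher.name@version` listing that `code --list-extensions --show-versions`
prints; a constructed sample is embedded so the script runs offline.
"""
from difflib import SequenceMatcher

# Constructed allowlist of approved extension identifiers (publisher.name).
# esbenp.prettier-vscode is the real Prettier extension; the others are
# well-known Microsoft / ESLint identifiers included for illustration.
TRUSTED = {
    "esbenp.prettier-vscode",
    "ms-python.python",
    "dbaeumer.vscode-eslint",
}

# Character swaps that keep a name visually close (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""), ("_", ""))


def normalize(token: str) -> str:
    """Lower-case a publisher or extension name and fold confusable characters."""
    t = token.lower()
    for src, dst in CONFUSABLES:
        t = t.replace(src, dst)
    return t


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def parse_listing(text: str) -> list[str]:
    """Turn `publisher.name@version` lines into bare identifiers."""
    ids = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ids.append(line.partition("@")[0])
    return ids


def classify(ext_id: str, trusted=TRUSTED, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one extension identifier."""
    if ext_id in trusted:
        return "trusted"
    pub, _, name = ext_id.partition(".")
    for t in trusted:
        tpub, _, tname = t.partition(".")
        # Same extension name, different publisher: exactly what the marketplace
        # allowed the PoC to do, so treat it as a lookalike outright.
        if normalize(name) == normalize(tname):
            return "lookalike"
        # Both parts near-identical (e.g. one swapped character in each).
        if similarity(pub, tpub) >= threshold and similarity(name, tname) >= threshold:
            return "lookalike"
    return "unknown"


# Constructed sample standing in for real `code --list-extensions` output.
SAMPLE_LISTING = """\
esbenp.prettier-vscode@9.10.4
esbenp-dev.prettier-vscode@9.10.4
ms-python.pyth0n@2022.20.2
golang.go@0.37.0
"""


def audit(listing: str) -> dict[str, str]:
    """Classify every identifier in a listing."""
    return {ext: classify(ext) for ext in parse_listing(listing)}


if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE_LISTING).items():
        print(f"{verdict:9} {ext}")
```

Run it against real output with `code --list-extensions --show-versions | python3 audit.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`. The point of the design is that 'unknown' is a review queue, not a pass: an allowlist keyed on the full identifier is what the badge, the install count and the display name cannot provide.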

A proof-of-concept (PoC) extension masquerading as the Prettier code formatting utility racked up over 1,000 installations within 48 hours by developers across the world, Aqua said. It has since been taken down.

This is not the first time concerns have been raised about software supply chain threats in the VS Code extensions marketplace.

In May 2021, enterprise security firm Snyk uncovered a number of security flaws in popular VS Code extensions with millions of downloads that could have been abused by threat actors to compromise developer environments.

“Attackers are constantly working to expand their arsenal of techniques allowing them to run malicious code inside the network of organizations,” Goldman said.
