Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions
09 January 2023 Ravie Lakshmanan Supply Chain / CodeSec
A new attack vector targeting the Visual Studio Code add-on market can be used to upload fraudulent add-ons that masquerade as their legitimate counterparts with the goal of increasing supply chain attacks.
The technique “could act as an entry point for an attack on multiple organizations,” Aqua security researcher Ilay Goldman said in a report published last week.
VS Code extensions, curated through a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source code editor to augment their workflows.
“All add-ons run with the privileges of the user who opened VS Code without any sandbox,” Goldman said, explaining the potential risks of using VS Code add-ons. “This means the add-on can install any program on your computer including ransomware, wipers and more.”
To this end, Aqua found that not only is it possible for a threat actor to impersonate a popular extension with slight variations in the URL, the market also allows an adversary to use the same extension publisher name and details, including the information of project repositories.
While the method does not allow the number of installs and the number of stars to be repeated, the fact that there are no restrictions on other identifying characteristics means that it can be used to deceive developers.
The research also found that the verification badge assigned to authors could be trivially bypassed since the checkmark only verifies that the extension publisher is the actual owner of a domain.
In other words, a malicious actor can buy any domain, register it to get a verified checkmark, and finally upload to the market a trojanized extension with the same name as a legitimate one.
A proof-of-concept (PoC) plugin disguised as the Prettier code formatter racked up over 1,000 installs within 48 hours from developers around the world, Aqua said. It has since been removed.
This is not the first time concerns have been raised about software supply chain threats in the VS Code extension market.
In May 2021, enterprise security firm Snyk discovered a number of security flaws in popular VS Code extensions with millions of downloads that could have been abused by threat actors to compromise developer environments.
“Attackers are constantly working to expand their arsenal of techniques allowing them to execute malicious code within organizations’ networks,” Goldman said.
Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
