Visual Studio Code Prone To Abuse By Malicious Extensions

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 09, 2023 02:01 am PST

With the intention of building supply chain attacks, malicious extensions could be uploaded using a new attack vector that targets the Visual Studio Code extensions marketplace. According to Ilay Goldman, a security researcher at Aqua, the method “may operate as an entrance point for an assault on multiple organizations,” in a paper released last week.

Developers can enhance their workflows by adding programming languages, debuggers, and tools to the VS Code source-code editor using VS Code extensions, which are curated through a Microsoft-provided marketplace.

When describing the possible dangers of employing VS code extensions, Goldman remarked, “All extensions execute with the privileges of the user that has opened the VSCode without any sandbox.” According to the statement, the extension can install any program on your computer, including malware, wipers, and more. A StackOverflow study revealed that 74.48% of developers use VSCode, making it by far the most popular IDE.

Several Extensions With Lots Of Downloads Discovered

To this end, Aqua discovered that in addition to the marketplace allowing the adversary to utilize the same name and extension publisher details, including the project repository information, a threat actor could spoof a well-known extension by making minor changes to the URL.

The fact that there are no limitations on the other identifying qualities means that the method might be used to fool developers even while it prevents the replication of the number of installs and stars.

The check mark just demonstrates that the extension publisher is the legitimate owner of a domain; therefore, the verification badge given to authors might be easily avoided, according to the research.

To put it another way, a bad actor may purchase any domain, register it to receive the verified checkmark, and then upload a “trojanized” extension with the same name as a genuine one to the marketplace.

Developers from all over the world installed a proof-of-concept (PoC) extension posing as the Prettier code formatting tool in less than 48 hours, according to Aqua. Since then, it has been removed. Threats to the software supply chain have previously been a source of concern in the VS Code extensions industry.

Previous Vulnerabilities In Visual Studio Code Extensions

A number of security holes in popular VS Code extensions with millions of downloads were discovered by the enterprise security company Snyk in May 2021. These flaws might have been used by threat actors to breach developer environments.

When a developer opens “a.tex file” in the editor, one of the susceptible extensions, LaTeX Workshop, which has about 1.2 million installs, establishes an HTTP server and a WebSocket server (on a random port), enabling them to preview a PDF file in the browser.

However, the extension was susceptible to command injection, which could be used by a malicious website that was able to connect to the extension’s local WebSocket server because the input from the WebSocket client to the open external VS Code API method was not sanitized (by checking all possible ports).

A path traversal flaw was discovered in the Open In Default Browser extension, which launches an HTTP server to preview pages in the browser. This bug might be used by a malicious actor to steal data from the system. Cross-site scripting (XSS) payloads might be created to aid in the process, while same-origin policy (SOP) defenses would hinder exploitation.

Additionally, Snyk found a Zip Slip vulnerability in the Rainbow Fart extension, which plays a sound when the user types specific keywords and has 60,000 installs. This vulnerability could be exploited to overwrite arbitrary files on the target computer and potentially lead to arbitrary code execution.

Some of the susceptible VS Code extensions might have avoided creating vulnerabilities if they had used pre-existing NPM packages to implement the needed functionality.

Marketplace In VSCode Now Open For Attacks

The researchers issue a warning, noting that even though security experts haven’t given Visual Studio Code extensions much attention, threat actors are constantly seeking new ways to break into corporate networks.

“In the end, malicious VSCode extensions do pose a concern. Possibly because we haven’t yet witnessed a campaign where it has had a significant influence, this hasn’t historically attracted the most attention “the report from AquaSec is over.

The ability to run malicious malware inside the network of businesses, however, is something that attackers are always seeking to improve. Even worse, according to AquaSec, Microsoft now provides Visual Studio and Azure DevOps extension marketplaces, both of which seem to be open to malicious extensions.

It wouldn’t be strange to see threat actors focus on Microsoft markets in the future, given how frequently they run malicious typosquatting campaigns on other package repositories, such as NPM and PyPi.

Because of this, VSCode extension users are encouraged to be watchful and thoroughly inspect their add-ons before setting them up on production machines.

How To Determine A Safe Visual Studio Extension

An in-built method to determine whether an extension is malicious-free does not exist. There are several extensions based on tested open-source software, though, if this is a concern of yours. To view portions of the extension’s source code, you can also download the extension and then extract the.VSIX file.

Keeping in mind that a hostile or compromised extension developer would be the primary attack vector (as all extensions are signed). The best options are open-source, tried-and-true software from trusted developers. Usually, secure development environments call for this.


Popular Visual Studio Code extensions have been found to contain serious security weaknesses that might allow attackers to infect local PCs as well as build and deploy systems via the developer’s IDE (IDE). The weak extensions might be used to remotely execute any code on a developer’s computer, opening the door for supply chain attacks. According to experts with the open-source software security company Snyk, unscrupulous attackers may use vulnerabilities in Visual Studio Code extensions to corrupt businesses and steal vital information from developers.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x