TechRadar
Sead Fadilpašić

Hackers are using malicious Microsoft VSCode extensions to steal passwords


Cybersecurity researchers from Check Point have discovered multiple malicious Visual Studio extensions sitting in Microsoft’s VSCode Marketplace.

These extensions, called “Theme Darcula dark”, “python-vscode”, and “prettiest java”, each pretended to be useful to Visual Studio Code developers but were, in fact, doing all kinds of nasties. Theme Darcula dark was stealing basic system information, python-vscode allowed for remote code execution on the infected endpoint, while prettiest java, impersonating the legitimate “pretty java” add-on, stole saved credentials and authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser. The malware would later exfiltrate them using a Discord webhook.

Combined, the three malicious extensions were downloaded 46,600 times, although, among the three, Theme Darcula dark absolutely dominated with more than 45,000 downloads.

Supply chain attacks

The researchers tipped Microsoft off on May 4 this year, and the company removed the extensions ten days later, on May 14. It’s important to mention that while removing the malware from the marketplace does protect developers from future downloads, those who downloaded it in the past will remain vulnerable until they remove the extensions from their systems and run an antivirus scan to eliminate any remnants.
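As an added check for that remediation step (example code written for this article, not a tool from Check Point or Microsoft), the script below inventories locally installed VS Code extensions and flags any whose manifest name matches one of the three reported names. The names come from the article; the publisher IDs are not given there, so matching is by name only, and the sample manifests and publisher values are constructed placeholders.

```python
import json
from pathlib import Path

# Display names of the three extensions Check Point reported (from the article).
# Publisher IDs are not given in the article, so matching is by name only,
# case-insensitively; that is an assumption of this example.
MALICIOUS_NAMES = {"theme darcula dark", "python-vscode", "prettiest java"}

def match_manifests(manifests):
    """manifests: iterable of (directory_name, package_json_dict).
    Returns one record per extension whose 'name' or 'displayName'
    matches a known-malicious name, sorted by directory name."""
    hits = []
    for dirname, meta in manifests:
        fields = {str(meta.get(k, "")).strip().lower() for k in ("name", "displayName")}
        matched = sorted(fields & MALICIOUS_NAMES)
        if matched:
            hits.append({"directory": dirname,
                         "publisher": str(meta.get("publisher", "<unknown>")),
                         "matched": matched[0]})
    return sorted(hits, key=lambda h: h["directory"])

def load_manifests(ext_dir):
    """Yield (directory_name, manifest) for every <ext_dir>/*/package.json,
    skipping unreadable or malformed manifests."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            yield manifest.parent.name, json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue

def scan_extensions(ext_dir=None):
    """Scan a VS Code extension directory; defaults to the usual per-user
    location ~/.vscode/extensions (adjust for other installations)."""
    if ext_dir is None:
        ext_dir = Path.home() / ".vscode" / "extensions"
    return match_manifests(load_manifests(ext_dir))

# Constructed sample manifests standing in for installed extensions. The
# legitimate "pretty java" lookalike is included to show it is NOT flagged.
SAMPLE_MANIFESTS = [
    ("example.prettier-1.0.0", {"name": "prettier", "displayName": "Prettier", "publisher": "example"}),
    ("placeholder.theme-darcula-dark-0.1.0", {"name": "theme-darcula-dark", "displayName": "Theme Darcula dark", "publisher": "placeholder-publisher"}),
    ("placeholder.pretty-java-2.0.0", {"name": "pretty-java", "displayName": "pretty java", "publisher": "placeholder-publisher"}),
    ("placeholder.prettiest-java-1.0.0", {"name": "prettiest-java", "displayName": "prettiest java", "publisher": "placeholder-publisher"}),
]

if __name__ == "__main__":
    for hit in scan_extensions():
        print(f"{hit['directory']}: matches '{hit['matched']}' (publisher {hit['publisher']}); remove it and run an antivirus scan")
```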

Visual Studio Code (VSC) is Microsoft’s source-code editor, used by a “significant percentage” of professional software developers worldwide. VSCode Marketplace is an extensions market run by the Redmond software giant, which allegedly hosts more than 50,000 add-ons that improve VSC’s functionality in various ways. 

While these three were conclusively malicious, Check Point’s researchers found more dubious add-ons which demonstrated some unsafe behavior, but couldn’t outright be classified as malicious. Some of that behavior included grabbing code from private repositories, or downloading files. 

Supply chain attacks are super popular among threat actors these days, and open-source repositories are an attractive target. Other repositories, such as PyPI, for example, are bombarded with malicious packages on a daily basis.

Via: BleepingComputer
