Hackers are using malicious Microsoft VSCode extensions to steal passwords


Cybersecurity researchers from Check Point have discovered multiple malicious Visual Studio extensions sitting in Microsoft’s VSCode Marketplace.

These extensions, called “Theme Darcula dark”, “python-vscode”, and “prettiest java”, each posed as a useful tool for Visual Studio Code developers but were, in fact, doing all kinds of nasties. Theme Darcula dark stole basic system information, python-vscode allowed remote code execution on the infected endpoint, and prettiest java (impersonating the legitimate “pretty java” add-on) stole saved credentials and authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser. The malware then exfiltrated the stolen data through a Discord webhook.

Combined, the three malicious extensions were downloaded 46,600 times, although Theme Darcula dark dominated by far, with more than 45,000 of those downloads.

Supply chain attacks

The researchers tipped Microsoft off on May 4 this year, and the company removed the extensions ten days later, on May 14. It’s important to mention that while removing the malware from the marketplace protects developers from future downloads, those who already installed it remain exposed until they remove the extensions from their systems and run an antivirus scan to eliminate any remnants.
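For a developer who wants to check whether any of the three named extensions are still installed, the following script is an added example (not tooling from Check Point, Microsoft, or the article). It assumes VS Code's default on-disk layout, where each installed extension sits under ~/.vscode/extensions/<folder>/ with a package.json carrying "name" and "displayName" fields; the extension names are those reported above, and the Discord webhook check is a generic indicator based on the exfiltration route the article describes, not a signature from the report. The sample extension directory it builds for an offline run is constructed, not real extension data.

```python
"""
Audit locally installed VS Code extensions for the three names reported in
the article, and flag any extension whose JavaScript embeds a Discord
webhook URL (the exfiltration channel described for prettiest java).
Added example; assumes the default ~/.vscode/extensions layout.
"""
import json
import os
import re
import tempfile

# Display/package names as reported in the article, compared case-insensitively.
REPORTED_NAMES = {"theme darcula dark", "python-vscode", "prettiest java"}

# Generic indicator: a Discord webhook endpoint hard-coded into extension code.
# Legitimate extensions rarely need one; treat a hit as worth manual review.
WEBHOOK_RE = re.compile(
    r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)


def has_webhook_url(ext_dir):
    """Return the first .js file under ext_dir containing a webhook URL, else None."""
    for dirpath, _, files in os.walk(ext_dir):
        for fn in files:
            if not fn.endswith(".js"):
                continue
            with open(os.path.join(dirpath, fn), encoding="utf-8", errors="ignore") as fh:
                if WEBHOOK_RE.search(fh.read()):
                    return fn
    return None


def audit_extensions(ext_root):
    """Return a list of (folder, reason) findings for suspicious extensions."""
    findings = []
    if not os.path.isdir(ext_root):
        return findings
    for folder in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, folder)
        manifest = os.path.join(ext_dir, "package.json")
        if not os.path.isfile(manifest):
            continue
        try:
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, json.JSONDecodeError):
            findings.append((folder, "unreadable package.json"))
            continue
        names = {
            str(meta.get("name", "")).lower(),
            str(meta.get("displayName", "")).lower(),
        }
        if names & REPORTED_NAMES:
            findings.append((folder, "name matches an extension reported as malicious"))
            continue
        hit = has_webhook_url(ext_dir)
        if hit:
            findings.append((folder, f"Discord webhook URL embedded in {hit}"))
    return findings


def build_sample_extensions_dir():
    """Constructed sample layout so the audit can be exercised offline."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")

    def write(folder, meta, js=None):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
        if js is not None:
            with open(os.path.join(d, "extension.js"), "w", encoding="utf-8") as fh:
                fh.write(js)

    # One of the three names from the article (should be flagged by name).
    write("pub.theme-darcula-dark-1.0.0",
          {"name": "theme-darcula-dark", "displayName": "Theme Darcula dark"})
    # The legitimate look-alike target; must NOT be flagged.
    write("pub.pretty-java-2.1.0",
          {"name": "pretty-java", "displayName": "Pretty Java"},
          "exports.activate = () => {};")
    # Constructed: benign name, but a webhook URL baked into its code.
    write("pub.helper-0.0.1",
          {"name": "helper", "displayName": "Helper"},
          'const hook = "https://discord.com/api/webhooks/123456/abcDEF_ghi";')
    return root


if __name__ == "__main__":
    real_root = os.path.expanduser(os.path.join("~", ".vscode", "extensions"))
    for folder, reason in audit_extensions(real_root) or [("-", "no findings")]:
        print(f"{folder}: {reason}")
```

A name match should be uninstalled from VS Code (or the folder removed) before running the antivirus scan the article recommends; a webhook hit on an otherwise unknown extension is a prompt to read its source, not proof of malice.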

Visual Studio Code (VSC) is Microsoft’s source-code editor, used by a “significant percentage” of professional software developers worldwide. VSCode Marketplace is an extensions market run by the Redmond software giant, which allegedly hosts more than 50,000 add-ons that improve VSC’s functionality in various ways. 

While these three were conclusively malicious, Check Point’s researchers found more dubious add-ons which demonstrated some unsafe behavior, but couldn’t outright be classified as malicious. Some of that behavior included grabbing code from private repositories, or downloading files. 

Supply chain attacks are super popular among threat actors these days, and open-source repositories are an attractive target. Other repositories, such as PyPI, for example, are bombarded with malicious packages on a daily basis.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.