A Stealthy Menace in the VSCode Extensions Marketplace: CheckPoint Exposes Malicious Add-ons
Visual Studio Code (VSCode), Microsoft's popular open-source code editor, has been hailed for its versatility and customizable coding environment. Its ability to support a vast array of extensions is a testament to the active community engagement VSCode promotes.
Currently, the VSCode Extensions Marketplace boasts around 50,000 extensions. Microsoft ensures the safety of this thriving ecosystem by employing automated scanning technology to weed out potentially harmful add-ons. This approach has kept the number of discovered malicious extensions remarkably low, up until now.
A team of researchers from security firm CheckPoint has recently cast doubt on this safety record, unearthing a number of extensions with sinister intentions. Their investigation has identified three prominent offenders:
The first malicious extension, named "prettiest java", had seen 278 installations. Masquerading as a Java extension, it aimed to pass itself off as a well-known project called "Prettier-Java". Once installed, the extension scoured the local system for sensitive information like API keys, which it then dispatched back to its developers.
With an alarming 45,213 installations, the second rogue extension, "Theme Darcula dark", claimed to enhance the consistency of Dracula colors on VSCode for a better visual coding experience. Much like its predecessor, this extension was also found to steal information and send it to its creators.
The third detected malicious extension, "python-vscode", offered no description but seemed to be a Python extension for VSCode. It had been installed 1,384 times and had a devious purpose: to inject certain content into the work of unsuspecting developers.
Apart from these three outright malicious extensions, CheckPoint's investigators found several more that contained questionable code but had yet to display any malicious activities. The names of these potential threats remain undisclosed as the researchers continue to monitor them.
CheckPoint submitted these findings to the VSCode team on May 4. Microsoft validated the list of rogue extensions on May 8, and by May 14, all were removed from the marketplace. This incident underscores the critical need for ongoing vigilance in the open-source community, to ensure the safe and productive use of platforms like VSCode.
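The names above differ from the projects they imitate by only a letter or two ("prettiest java" for Prettier-Java, "Darcula" for Dracula), which is something a workstation audit can check for. The script below is an added example, not CheckPoint's or Microsoft's tooling: it reads each installed extension's `package.json` and flags the three reported names as well as other near-miss spellings of the two imitated names. The `~/.vscode/extensions` location and the 0.85 similarity threshold are assumptions.

```python
import json
import re
from difflib import SequenceMatcher
from pathlib import Path

# Display names the article reports as malicious.
REPORTED = ["prettiest java", "Theme Darcula dark", "python-vscode"]
# Names the article says were imitated.
IMITATED = ["Prettier-Java", "Dracula"]

def norm(s):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def classify(name, threshold=0.85):
    """Return a finding for one extension name, or None if nothing matches."""
    whole = norm(name)
    if whole in {norm(r) for r in REPORTED}:
        return "reported-malicious name"
    # Compare the whole name and each word, so a swap inside one word is caught.
    parts = {whole} | {norm(w) for w in re.split(r"[^A-Za-z0-9]+", name) if w}
    for target in IMITATED:
        t = norm(target)
        if t in parts:
            continue  # exact spelling is not a near miss; verify the publisher instead
        if any(SequenceMatcher(None, p, t).ratio() >= threshold for p in parts):
            return f"lookalike of {target}"
    return None

def audit(ext_root):
    """Scan <ext_root>/*/package.json and return [(folder, name, finding)]."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        for key in ("displayName", "name"):
            value = meta.get(key)
            finding = classify(value) if isinstance(value, str) else None
            if finding:
                findings.append((manifest.parent.name, value, finding))
                break
    return findings

if __name__ == "__main__":
    # Assumed default per-user extension folder for VS Code desktop.
    for row in audit(Path.home() / ".vscode" / "extensions"):
        print(*row, sep="\t")
```

A hit is a prompt to check the extension's publisher and source by hand; an extension that copies a legitimate name exactly is not caught by this check.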