A new attack vector targeting the Visual Studio Code extensions marketplace could be used to upload rogue extensions masquerading as their official equivalents in order to launch supply chain attacks. According to a report published last week by Aqua security researcher Ilay Goldman, the technique "may operate as an entry point for an attack on many organisations."
VS Code extensions, which are curated through a Microsoft marketplace, enable developers to add programming languages, debuggers, and tools to the VS Code source-code editor to enhance their workflows.
"All extensions run with the privileges of the user who has opened the VS Code without any sandbox," Goldman explained when asked about the risks of utilising VS Code extensions. "This means that the extension has the capability to install any programme on your computer, including ransomware, wipers, and other malware."
To that end, Aqua discovered that a threat actor can not only imitate a popular extension by slightly changing its URL, but that the marketplace also lets the adversary reuse the same extension name and publisher details, including the project repository information.
While the marketplace does not let an attacker replicate a genuine extension's install count and star rating, the absence of restrictions on the other identifying attributes means the technique could be used to deceive developers. The study also found that the verification badge issued to publishers can be easily circumvented, because the check mark only indicates that the extension publisher owns a particular domain.
In other words, a bad actor may purchase any domain, register it to obtain a verified check mark, and then upload to the marketplace a trojanized extension with the same name as a valid one. Aqua claims that a proof-of-concept (PoC) extension posing as the Prettier code formatting utility had over 1,000 installations in 48 hours from developers all around the world. It has since been removed.
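Because display name, publisher display name and repository URL can all be copied, the only identity the marketplace guarantees to be unique is the `publisher.name` id. The following defender-side check, added here as an example and not code from the report or from Aqua, audits installed extensions against an approved allowlist and flags any whose display name matches an approved extension but whose id differs. The allowlist, the sample manifests and the `esbenp-official` publisher id are constructed for the example; the default extensions directory is an assumption.

```python
import json
from pathlib import Path

# Constructed allowlist: lower-cased display name -> the "publisher.name"
# id your organisation approved (esbenp.prettier-vscode is the well-known id
# of the real Prettier extension; the check itself does not depend on that).
TRUSTED = {"prettier - code formatter": "esbenp.prettier-vscode"}


def extension_id(manifest):
    """VS Code identifies an extension by publisher.name, not by display name."""
    return f"{manifest['publisher']}.{manifest['name']}".lower()


def find_impostors(manifests, trusted=TRUSTED):
    """Return ids whose display name matches an approved extension but whose
    publisher.name id differs: the look-alike pattern described above."""
    impostors = []
    for m in manifests:
        expected = trusted.get(m.get("displayName", "").strip().lower())
        if expected and extension_id(m) != expected:
            impostors.append(extension_id(m))
    return impostors


def load_installed(ext_dir=Path.home() / ".vscode" / "extensions"):
    """Read package.json from each installed extension directory (assumed
    default location; adjust for VSCodium or remote installs)."""
    manifests = []
    for pkg in Path(ext_dir).glob("*/package.json"):
        with open(pkg, encoding="utf-8") as f:
            manifests.append(json.load(f))
    return manifests


# Constructed sample manifests: the genuine extension and a look-alike that
# copies the display name and repository but sits under another publisher id.
SAMPLE = [
    {"name": "prettier-vscode", "publisher": "esbenp",
     "displayName": "Prettier - Code formatter",
     "repository": {"url": "https://github.com/prettier/prettier-vscode"}},
    {"name": "prettier-vscode", "publisher": "esbenp-official",  # constructed
     "displayName": "Prettier - Code formatter",
     "repository": {"url": "https://github.com/prettier/prettier-vscode"}},
]

if __name__ == "__main__":
    for ext in find_impostors(SAMPLE):
        print("possible impostor:", ext)
```

Run `find_impostors(load_installed())` on a developer workstation to audit what is actually installed rather than the constructed sample.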
This is not the first time that worries regarding software supply chain issues have been highlighted in the VS Code extensions marketplace. Snyk, an enterprise security firm, discovered a number of security holes in popular VS Code extensions with millions of downloads in May 2021 that may have been used by threat actors to breach developer environments.
"Attackers are continuously attempting to improve their arsenal of approaches that allow them to launch harmful code within businesses' networks," Goldman explained.