Israeli researchers discovered security flaws in Visual Studio Code(VSCode) Marketplace

Israeli researchers recently uncovered significant security flaws in the Visual Studio Code (VSCode) Marketplace

Identifying thousands of extensions with millions of installs, including malicious ones. Researchers Amit Assaraf, Itay Kruk, and Idan Dardikman specifically targeted the popular ‘Dracula Official theme by creating a trojanized version named ‘Darcula.’ This extension included a script that collected system information, which was then sent to a remote server. The experiment exposed over 100 organizations, including a major company with a $483 billion market cap. Professional software developers widely use VSCode, a source code editor published by Microsoft. Its extensions marketplace enhances the application’s functionality but has notable security gaps. Previous reports have highlighted issues such as extension and publisher impersonation and malicious extensions stealing authentication tokens. The researchers’ malicious extension gained credibility by registering a matching domain, ‘darculatheme.com,’ and becoming a verified publisher on the VSCode Marketplace.
Despite containing legitimate code from the actual ‘Dracula’ theme, it also included a script that collected sensitive system information. Endpoint Detection and Response (EDR) tools failed to flag this activity, as VSCode’s nature as a development tool allows it to execute numerous commands and processes, making it difficult to distinguish between legitimate and malicious activities. The fake ‘Darcula’ extension was mistakenly installed by several high-value targets, including major security firms and a national justice court network. Although the researchers disclosed their findings responsibly and included identifying information in the extension’s documentation, the incident underscores the vulnerabilities within the VSCode Marketplace. Microsoft’s controls and code review mechanisms are insufficient, allowing widespread platform abuse. The researchers warned of the significant risks of malicious extensions and called for greater attention from the security community. They plan to release a tool named ‘ExtensionTotal’ to help developers scan for potential threats in their environments. Despite reporting the malicious extensions to Microsoft, many remain available for download. BleepingComputer has contacted Microsoft for comment but has yet to receive a response.