Can developers trust extensions downloaded for Microsoft’s popular Visual Studio Code editor? Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them.
Some extensions may already have taken advantage of this, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. It can be difficult to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Goldman wrote. A user’s code could also be accessed.
VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft’s Visual Studio Code Marketplace. Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs from around the world in less than 48 hours. The spoof extension has been removed.
Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link. Microsoft released a statement on the precautions it takes with the Marketplace:
“To help keep customers safe and protected, we scan extensions for viruses and malware before they are uploaded to the Marketplace and we check that an extension has a Marketplace certificate and verifiable signature prior to being installed. To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads.”
Social engineering techniques have been used to persuade victims to download a malicious extension, Microsoft said. Visual Studio Code also has a Workspace Trust feature to help users decide whether code in a project or folder can be executed by the editor or by extensions without a user’s explicit approval. Folders can be left in Restricted mode to prevent execution if code is not trusted.
Nevertheless, Goldman warned that the threat of malicious Visual Studio Code extensions is real. VS Code extensions can also be downloaded from NPM, which faces security threats as well, Goldman noted.