{"id":2672,"date":"2025-04-08T00:27:29","date_gmt":"2025-04-08T00:27:29","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2672"},"modified":"2025-04-08T00:27:29","modified_gmt":"2025-04-08T00:27:29","slug":"warning-to-developers-stay-away-from-these-10-vscode-extensions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2672","title":{"rendered":"Warning to developers: Stay away from these 10 VSCode extensions"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Developers using Microsoft\u2019s Visual Studio Code (VSCode) editor are being warned to delete, or at least stay away from, 10 newly published extensions which will trigger the installation of a cryptominer.<\/p>\n<p>\u00a0The warning\u00a0<a href=\"https:\/\/blog.extensiontotal.com\/mining-in-plain-sight-the-vs-code-extension-cryptojacking-campaign-19ca12904b59\" target=\"_blank\" rel=\"noopener\">comes from researchers at ExtensionTotal<\/a>, who said possibly as many as 1 million of these malicious extensions, which pretend to be popular development tools, may have been installed since April 4, when they were published on Microsoft\u2019s Visual Studio Code Marketplace.\u00a0However, the researchers also suspect the threat actors may have inflated the download numbers.<\/p>\n<p>Regardless, once installed, the extensions download and execute a PowerShell loader that establishes persistence, disables security services and deploys the XMRig cryptominer from a remote command and control (C2) server.<\/p>\n<p>It\u2019s the latest in a long line of attempts to trick application and web developers into downloading malware by planting phony tools on sites like <a 
href=\"https:\/\/www.infoworld.com\/article\/3847178\/thousands-of-open-source-projects-at-risk-from-hack-of-github-actions-tool.html\">GitHub<\/a>, <a href=\"https:\/\/www.infoworld.com\/article\/3600378\/package-confusion-attack-against-npm-used-to-trick-developers-into-downloading-malware.html\">npm<\/a>, and others.<\/p>\n<p>The head of a Canadian incident response firm said the ExtensionTotal report describes a \u201cclassic\u201d third party supply chain attack that puts a backdoor into an application.<\/p>\n<p>\u201cIt\u2019s not a sophisticated attack,\u201d Robert Beggs, CEO of DigitalDefence, said in an interview.<\/p>\n<p>But, he added, there should be multiple layers of defense on a developer\u2019s computer that should prevent compromise: Microsoft Defender, for example, should issue a popup warning that the Windows Registry is about to be changed, or that security defenses are being disabled.<\/p>\n<p>The problem, he said, is that \u201cdevelopers are famous for disabling security controls\u201d and ignoring such warnings. That\u2019s because their focus is making sure the application they\u2019re working on functions as expected.<\/p>\n<p>That\u2019s why CISOs and CIOs should ensure that app developers work on a separate network from the production network, he said.<\/p>\n<p>A Microsoft spokesperson said,\u00a0<em>\u201c<\/em>We have removed the extensions, and the publisher was blocked from the VS Marketplace. There\u2019s no action needed from users.\u201d<\/p>\n<p>In an analysis of each malicious tool, ExtensionTotal noted that one tip-off should be that the publisher didn\u2019t verify its listed domain ownership. \u201cPublisher verification is a good practice to ensure the publisher is who they say they are,\u201d said the researchers. 
\u201cYet, VSCode publisher verification process is not rigorous enough.\u201d<\/p>\n<p>The 10 malicious extensions and their publishers are:<\/p>\n<p>Prettier \u2013 Code for VSCode (by prettier);<\/p>\n<p>Discord Rich Presence for VS Code (by Mark H);<\/p>\n<p>Rojo \u2013 Roblox Studio Sync (by evaera);<\/p>\n<p>Solidity Compiler (by VSCode Developer);<\/p>\n<p>Claude AI (by Mark H);<\/p>\n<p>Golong Compiler (by Mark H);<\/p>\n<p>ChatGPT Agent for VSCode (by Mark H);<\/p>\n<p>HTML Obfuscator (by Mark H);<\/p>\n<p>Python Obfuscator for VSCode (by Mark H);<\/p>\n<p>Rust Compiler for VSCode (by Mark H).<\/p>\n<p>Although the extensions are published under different author names, they share identical code and communicate with the same C2 server to download and execute the same payload, says the report.<\/p>\n<p>What makes initial detection of these malicious extensions difficult for the user is that, after the so-called utility is downloaded, it attempts to install the legitimate extension. That way the user still gets the tool they expected.<\/p>\n<p>The PowerShell script tries to run the malicious payload with administrator permissions, says the report. If it doesn\u2019t have the appropriate permissions, the script tries to create another System32 directory and copy the\u00a0ComputerDefaults.exe\u00a0file to it. Then, the script creates its own malicious DLL named\u00a0MLANG.dll\u00a0and tries to execute it using the ComputerDefaults executable.<\/p>\n<p>The PowerShell script contains the DLLs and the Trojan executable as basic base64 encoded strings, says the report. 
It decodes the Trojan and writes it, as\u00a0Launcher.exe, to the directory it created and excluded from monitoring by Windows Defender.<\/p>\n<p>The\u00a0Launcher.exe\u00a0communicates with another C2 server, myaunet[.]su, downloading and executing the XMRig tool, used for mining Monero.<\/p>\n<p>Asked how many malicious extensions get into the VSC Marketplace, ExtensionTotal CTO Idan Dardikman said his firm detects some every month. \u201cThe combination of minimal security controls and high exposure makes it an attractive target for threat actors,\u201d he said.<\/p>\n<p>End users should stick to reputable code publishers, minimize installed extensions and use tools that can analyze extensions before installing them, he said.<\/p>\n<p><em>Updated with statements from Microsoft and Idan Dardikman.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Developers using Microsoft\u2019s Visual Studio Code (VSCode) editor are being warned to delete, or at least stay away from, 10 newly published extensions which will trigger the installation of a cryptominer. 
\u00a0The warning\u00a0comes from researchers at ExtensionTotal, who said possibly as many as 1 million of these malicious extensions, which pretend to be popular development [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2658,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2672"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2672"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2672\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2658"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}