Have you ever felt like you were getting a great deal on a VSCode extension and clicked on it without giving it much thought? I know someone who has. This is what makes the news from BleepingComputer so alarming: some extensions offered for download from the official VSCode Marketplace contained a virus disguised as a regular image file.
What actually happened?
As revealed by security researchers, there are 19 VSCode extensions that are not safe. Each of these extensions contains a file called banner.png that appears to be a normal picture file; however, it is not an image file. This "fake" PNG file contains malware that is executed when the user installs the extension. Each time the VSCode software starts, the malware runs again.
How does this malware operate?
The hackers took advantage of an exploit in a popular software package used by many VSCode extensions. The malicious code runs automatically in the background without the user's knowledge. The malware was capable of the following actions:
- Execute malicious applications on the computer
- Gather data related to the operating system and hardware used
- Allow for additional attacks to be made on the computer system
The malicious extensions were disguised as "innocent" because their names did not indicate they contained any malicious content. The extensions were:
- Malkolm Theme
- PandaExpress Theme
- Prada 555 Theme
- Priskinski Theme
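The core trick described above is a file named like an image whose bytes are not an image at all. As an added example (not code from the BleepingComputer report or from any of the extensions named here), this Python script walks an extensions directory and flags every *.png whose first bytes are not the PNG signature; the directory layout and the sample files in demo() are constructed for illustration, and the ~/.vscode/extensions path is an assumption about where VS Code keeps installed extensions.

```python
import tempfile
from pathlib import Path

# Eight-byte PNG signature; every real PNG starts with exactly these bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Prefixes that mark a "picture" as executable or script content instead.
SUSPICIOUS_PREFIXES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP archive",
    b"#!": "script with shebang",
}


def classify_png(head: bytes) -> str:
    """Return 'ok' for a genuine PNG header, otherwise a label for what it is."""
    if head.startswith(PNG_MAGIC):
        return "ok"
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if head.startswith(prefix):
            return label
    return "not a PNG (unknown content)"


def scan_extensions(root: Path) -> list[tuple[str, str]]:
    """Report every *.png under root whose first bytes are not a PNG signature."""
    findings = []
    for path in sorted(root.rglob("*.png")):
        with open(path, "rb") as fh:
            head = fh.read(16)
        verdict = classify_png(head)
        if verdict != "ok":
            findings.append((path.relative_to(root).as_posix(), verdict))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed extensions tree (not real extension data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "publisher.clean-theme-1.0.0"   # constructed name
        bad = root / "publisher.evil-theme-1.0.0"     # constructed name
        good.mkdir()
        bad.mkdir()
        (good / "banner.png").write_bytes(PNG_MAGIC + b"\x00" * 8)       # real PNG header
        (bad / "banner.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 12)   # PE bytes as "image"
        return scan_extensions(root)


if __name__ == "__main__":
    # Constructed demo; pass Path.home() / ".vscode" / "extensions" for a live check.
    for rel, verdict in demo():
        print(f"{rel}: {verdict}")
```

A clean header only proves the file starts like a PNG, so treat a hit as a reason to run a full malware scan rather than as the whole check.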
What has been done?
Once it became known that these extensions were malicious, all 19 of them were removed from the Visual Studio Code Marketplace by Microsoft. As a result, no new users can download them any longer. You should also do the following:
If you had any of the above-mentioned extensions installed, it is important to perform a malware scan on your computer. This incident shows why it is important to exercise caution even with trusted platforms regarding the applications they support or promote on their sites. Before downloading any extension, review the developer information along with the reviews left by other users before deciding to install it.