Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Programming Microsoft

Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say (infoworld.com) 28

74.48% of developers use Microsoft's Visual Studio Code, according to one survey conducted by StackOverflow. And besides GitHub Copilot, there's over 40,000 other extensions in the VSCode Marketplace.

Unfortunately, InfoWorld reports, "Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them." It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. ["In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization's repositories."] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft's Visual Studio Code Marketplace.

Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.

Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.

"While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension," the blog post notes. Yet it points out that a blue checkmark on a VSCode extension "merely means that whoever the publisher is has proven the ownership of a domain. That means any domain."

And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. "To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads."
This discussion has been archived. No new comments can be posted.

Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say

Comments Filter:
  • BS (Score:5, Informative)

    by sfcat ( 872532 ) on Sunday January 22, 2023 @07:37PM (#63231148)

    74.48% of developers use Microsoft's Visual Studio Code

    No, no they don't. Not even close. What that survey means is that 74.48% of questions on stack overflow come from people who develop using Visual Studio Code. It says far more about the type of developers who use a IDE written in JS embedded in a web browser than it does about what development environments developers use. I don't use Visual Studio Code but I also don't ask questions on SO. I bet most developers are as well.

    • by gweihir ( 88907 )

      Yep. Still a large number of coders that basically suck.

      • Most places can't afford nor do they strictly need the best.

        • by gweihir ( 88907 )

          I am not talking about "the best", but what about people with solid skills? Maybe then we would not have this disaster we currently have all over mainstream software.

          • most new hires are the equivalent of duct tape patching broken processes. too many businesses fall into the trap of in for a penny, in for a pound. a lot of the software we depend on is crap and should be done over again from scratch. except given that they don't know why it didn't work the first two times they wrote it, the results are going to be terrible on additional rewrites without also replacing all the staff.

  • 74%? (Score:4, Informative)

    by TechyImmigrant ( 175943 ) on Sunday January 22, 2023 @07:40PM (#63231152) Homepage Journal

    >74.48% of developers use Microsoft's Visual Studio Code

    Where the hell did that statistic come from?
    I work with a lot of developers and VSCode is not something I see. Emacs, Vi and Notepad++ seem to be the most common.

    Did they conduct the study at Microsoft or something?

    • What if it's 74% of people in a VScode help forum? That would make it an rather low number.

    • I'd love to know the answer to your question, too. Among professional Python devs pycharm is king. VSCode can't compare, even with a tonne of plugins installed it doesn't get anywhere near what you get out-of-the-box with pycharm.

    • I use KWrite

      I am probably the only one.

    • by art123 ( 309756 )

      The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.

      • Re:74%? (Score:4, Informative)

        by sfcat ( 872532 ) on Sunday January 22, 2023 @08:33PM (#63231254)

        The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.

        Ever heard of Sampling bias [wikipedia.org] cause that is what that is. What it isn't is a realistic reflection of developers or the software industry. SO surveys have little to nothing to do with the state of actual software development and never have. Anyone who ever actually made business decisions based upon SO surveys is likely unemployed or doing something that doesn't involve software.

    • by edwdig ( 47888 )

      At this point It's probably been decades since I've seen anyone use Emacs. I'll see the occasional vi for shell script type work, or when tweaking something on a remote server, but not for anything more complex than that. Notepad++ is nice for editing text documents or datafiles, but I've never seen someone write code in it. It seems to be more of a beginner's tool before graduating to a proper code editor.

      VSCode seems to be the editor of choice for people who do strictly web development, or people who work

  • by zenlessyank ( 748553 ) on Sunday January 22, 2023 @09:02PM (#63231304)

    My malicious extension?

  • 74% of developers use VSCode? That doesn't sound right among my friends it seems they 100% use vim. I use an editor called joe along with vim. I have never known anyone who uses VSCode. Maybe it's different in other areas or something but that 74% number sure sounds high.
    • by tlhIngan ( 30335 )

      74% of developers use VSCode? That doesn't sound right among my friends it seems they 100% use vim. I use an editor called joe along with vim. I have never known anyone who uses VSCode. Maybe it's different in other areas or something but that 74% number sure sounds high.

      I used to use vim exclusively - combine that with tools like Samba and such that I can access all my Linux development environment on Windows.

      But hey, I tried VSCode, and it's pretty pleasant. First, there's a vim plugin that basically give

      • by rlwinm ( 6158720 )
        Actually I don't hate Microsoft products. My dislike of VSCode isn't specific to any aspect of it. It's IDEs I don't like. I mostly do embedded work and when I have to deal with some chip that has an IDE rather than a few command-line tools it's always painful. Usually chip companies like to take Eclipse and then add their "special sauce" making it worse. They tend to be really clunky and unproductive. TI, NXP, Lattice, Altera, etc. all do this.. But thankfully there are often command line tools underneath.
  • the target audience for VSC is mostly same crowd that hands off dependency management entierly to NPM which has a track record of also occasionally pulling in things some bad actor (or just disgruntled dev) cooked :p
  • by Opportunist ( 166417 ) on Monday January 23, 2023 @04:13AM (#63231882)

    Allow me to shed some light on this "wtf, 74% use that POS?"

    VSCode is the host for PlatformIO, a tool that replaced the Arduino IDE for embedded development for most "developers". I use that term loosely here, i.e. in the way TFS and TFA use it, because what it really means is that people want to do something with their Arduino or nodeMCUs, have zero clue how to do it but know what they want as the end result. Fortunately, usually someone already did just that. There's almost invariably a project that does what you want to do on Github. People find that Github project and more often than not these days, it's on PlatformIO. Which means they install VSCode without knowing the first thing about it, then PlatformIO, then pull that project in and when (not if) it doesn't compile, they post the error message on StackOverflow and ask for a step by step instruction how to fix it.

    That's not exactly what I'd call a "developer", though. Pulling in code, not understanding the first thing about it and hitting "build and upload to microcontroller" isn't exactly what I'd call a skillset that warrants that label.

    Although it does explain the kind of "developer" that applies for our jobs if that's the new definition. I think we need a new word for people who actually know how to develop a program.

  • Whenever you roll out any type of anything, literally anything, from the ground up in the initial planning stages, ask yourself "What is the worst of the worst actors in the IT space going to do." You have to put yourselves in their shoes and "attack" it before they do, NOT after you roll it out. I don't care if there's an online game or a giant tech services portal or anything in between. If you aren't asking how someone's going to exploit it to do something bad and it gets to release without asking that,
  • not surprised here because when you release an extension, first, if you do vsce login it yells at you that it cannot be a "human readable" id. so then you do vsce login and its like "ok cool". to top it off, if you ever screw up a release, there is no way to delete it, you have to ask support for help on github. they flat out told everyone in the comments begging for a delete that when that happens, they send someone into the datacenter with an sql query in their hand. the entire system seems barely a qua
    • and with slashdot's attempt to html cleanse that, the two commands were vcse login -email- followed by vsce login -human-readable-username-

Our policy is, when in doubt, do the right thing. -- Roy L. Ash, ex-president, Litton Industries

Working...