Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say (infoworld.com)
74.48% of developers use Microsoft's Visual Studio Code, according to one survey conducted by Stack Overflow. And besides GitHub Copilot, there are over 40,000 other extensions in the VSCode Marketplace.
Unfortunately, InfoWorld reports, "Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them." It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. ["In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization's repositories."] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft's Visual Studio Code Marketplace.
Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.
Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.
"While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension," the blog post notes. Yet it points out that a blue checkmark on a VSCode extension "merely means that whoever the publisher is has proven the ownership of a domain. That means any domain."
And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. "To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads."
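Since the Marketplace's blue checkmark only proves domain ownership, one endpoint-side control against the impersonation described above is to audit installed extensions against an allowlist of trusted `publisher.name` identifiers and flag lookalikes. The Python script below is an added example, not code from Aqua Nautilus, Microsoft or the article; the allowlist and the `code --list-extensions --show-versions` output it parses are constructed for illustration, and the identifiers in the allowlist are assumed to be the Marketplace IDs of the genuine extensions.

```python
from difflib import SequenceMatcher

# Constructed allowlist of trusted extension identifiers (publisher.name).
# An organisation would maintain this list itself; the IDs here are assumed
# to be those of the genuine Marketplace extensions.
TRUSTED = (
    "esbenp.prettier-vscode",        # the genuine Prettier formatter
    "ms-python.python",
    "ms-vscode-remote.remote-ssh",
)

# Constructed sample of `code --list-extensions --show-versions` output.
# The third and fourth lines mimic impersonation attempts, not real extensions.
SAMPLE_OUTPUT = """\
esbenp.prettier-vscode@10.1.0
ms-python.python@2023.22.1
prettier-dev.prettier-vscode@1.0.0
esbemp.prettier-vscodee@1.0.0
someone.unrelated-tool@0.1.0
"""


def parse_extensions(text):
    """Extract publisher.name identifiers, with or without an @version suffix."""
    ids = []
    for line in text.splitlines():
        ident = line.strip().split("@", 1)[0]
        if "." in ident:          # skip blank or malformed lines
            ids.append(ident)
    return ids


def classify(ident, trusted=TRUSTED, threshold=0.85):
    """Return 'trusted', 'unknown', or a lookalike verdict naming the mimicked ID."""
    if ident in trusted:
        return "trusted"
    publisher, _, name = ident.partition(".")
    for t in trusted:
        t_pub, _, t_name = t.partition(".")
        # Same extension name under a different publisher: classic impersonation.
        if name == t_name and publisher != t_pub:
            return f"lookalike-name of {t}"
        # Whole identifier differs by a few characters (typosquat-style).
        if SequenceMatcher(None, ident, t).ratio() >= threshold:
            return f"lookalike-id of {t}"
    return "unknown"


def audit(text, trusted=TRUSTED):
    """Map every installed identifier to its verdict."""
    return {ident: classify(ident, trusted) for ident in parse_extensions(text)}
```

Run against real output with `code --list-extensions --show-versions | python3 audit.py` by reading `sys.stdin` instead of `SAMPLE_OUTPUT`; anything not reported as `trusted` deserves a manual look at its publisher page before it is kept.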
Always be safe (Score:0)
Do like me and don't run anything on your computer
Re:Always be safe (Score:2)
Do like me and don't run anything on your computer
A computer is an electronic device. With a sufficiently targeted electromagnetic field, one can provide power (ask your smartphone), turn the computer on (ask an EMP bomb) and flip bits in memory (ask the Sun) and thus run any program without your knowledge.
Re:Always be safe (Score:2)
Pretty sure the EMP bomb fries most of the semiconductors and nothing runs after that.
Re:Always be safe (Score:-1)
Re:Always be safe (Score:0)
... (ask an EMP bomb)...
Yes, a nuclear device might penetrate the faraday cage, but I suspect there will be more pressing issues under the circumstances.
BS (Score:5, Informative)
74.48% of developers use Microsoft's Visual Studio Code
No, no they don't. Not even close. What that survey means is that 74.48% of questions on Stack Overflow come from people who develop using Visual Studio Code. It says far more about the type of developers who use an IDE written in JS embedded in a web browser than it does about what development environments developers use. I don't use Visual Studio Code but I also don't ask questions on SO. I bet most developers are as well.
Re:BS (Score:1)
Yep. Still a large number of coders that basically suck.
Re: BS (Score:2)
Most places can't afford nor do they strictly need the best.
Re: BS (Score:1)
I am not talking about "the best", but what about people with solid skills? Maybe then we would not have this disaster we currently have all over mainstream software.
Re: BS (Score:2)
most new hires are the equivalent of duct tape patching broken processes. too many businesses fall into the trap of in for a penny, in for a pound. a lot of the software we depend on is crap and should be done over again from scratch. except given that they don't know why it didn't work the first two times they wrote it, the results are going to be terrible on additional rewrites without also replacing all the staff.
Re: BS (Score:2)
Pretty much so. "Save a penny lose a million" type hiring.
74%? (Score:4, Informative)
>74.48% of developers use Microsoft's Visual Studio Code
Where the hell did that statistic come from?
I work with a lot of developers and VSCode is not something I see. Emacs, Vi and Notepad++ seem to be the most common.
Did they conduct the study at Microsoft or something?
Re: 74%? (Score:2)
What if it's 74% of people in a VSCode help forum? That would make it a rather low number.
Re:74%? (Score:2)
I'd love to know the answer to your question, too. Among professional Python devs pycharm is king. VSCode can't compare, even with a tonne of plugins installed it doesn't get anywhere near what you get out-of-the-box with pycharm.
Re:74%? (Score:2)
I use KWrite
I am probably the only one.
Re:74%? (Score:2)
The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.
Re:74%? (Score:4, Informative)
The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.
Ever heard of Sampling bias [wikipedia.org] cause that is what that is. What it isn't is a realistic reflection of developers or the software industry. SO surveys have little to nothing to do with the state of actual software development and never have. Anyone who ever actually made business decisions based upon SO surveys is likely unemployed or doing something that doesn't involve software.
Re:74%? (Score:2)
At this point it's probably been decades since I've seen anyone use Emacs. I'll see the occasional vi for shell script type work, or when tweaking something on a remote server, but not for anything more complex than that. Notepad++ is nice for editing text documents or data files, but I've never seen someone write code in it. It seems to be more of a beginner's tool before graduating to a proper code editor.
VSCode seems to be the editor of choice for people who do strictly web development, or people who work on a Mac.
The full Visual Studio seems to be the tool of choice for C++ and .NET developers. The people that do a mix of web and non-web development tend to stick to Visual Studio for everything.
Re:74%? (Score:0)
Would You Like To See (Score:3)
My malicious extension?
That sounds a bit off. (Score:2)
Re:That sounds a bit off. (Score:2)
I used to use vim exclusively - combine that with tools like Samba and such that I can access all my Linux development environment on Windows.
But hey, I tried VSCode, and it's pretty pleasant. First, there's a vim plugin that basically gives it all the functionality of vim in the editor. Then the SSH plugin means I can access any host I can reach via SSH as if it were local. I can open remote files and everything.
I get the hate - it is a Microsoft product, after all (though open-source MIT), but it is a nice environment to work in especially if you want to work remote and local. The other thing is well, you need extensions because they add a lot - it's like Firefox - plain is very unusable, but with a few extensions it's really nice. I had SSH, Vim, Git and several others. The Git one is especially nice because it actually tracks the repo so as you modify things it keeps a count and indicates what you changed.
Re:That sounds a bit off. (Score:2)
If I were to use an IDE I probably would use VSCode. I tried it but I just find myself much more productive being on the command line with an editor that I can start up on a whim quickly. One interesting data point is I tend to use editors in smaller "session" - I'll start one up, open a few files, make some changes, write some code, etc. And then tear it down. I often have multiple editors going in multiple terminal windows.
A friend of mine (also an IDE hater) does something different. He has lots of shell windows but keeps one vim open for everything. I would have thought his way of working is more "IDE like" but the reality is he doesn't like IDEs either - and most complex software systems do need their own build mechanics, etc. and IDEs often get in the way of that.
Also I don't use (or like) Git - it doesn't work well when multiple people have to edit binary files in a repo. Subversion seems to handle my workload far better. For the binary blobs that I have to use special tools for SVN can be told to go to traditional file locking rather than edit-merge-commit. But I don't see the need for VC integration if you are good with your VC tool on the command line.
just remember (Score:1)
For wildly varying definitions of "developer" (Score:4, Interesting)
Allow me to shed some light on this "wtf, 74% use that POS?"
VSCode is the host for PlatformIO, a tool that replaced the Arduino IDE for embedded development for most "developers". I use that term loosely here, i.e. in the way TFS and TFA use it, because what it really means is that people want to do something with their Arduino or nodeMCUs, have zero clue how to do it but know what they want as the end result. Fortunately, usually someone already did just that. There's almost invariably a project that does what you want to do on GitHub. People find that GitHub project and more often than not these days, it's on PlatformIO. Which means they install VSCode without knowing the first thing about it, then PlatformIO, then pull that project in and when (not if) it doesn't compile, they post the error message on Stack Overflow and ask for step-by-step instructions on how to fix it.
That's not exactly what I'd call a "developer", though. Pulling in code, not understanding the first thing about it and hitting "build and upload to microcontroller" isn't exactly what I'd call a skillset that warrants that label.
Although it does explain the kind of "developer" that applies for our jobs if that's the new definition. I think we need a new word for people who actually know how to develop a program.
I can help (Score:1)
not surprised (Score:2)
Re:not surprised (Score:2)