Extensions are Easily Impersonated in Microsoft's VSCode Marketplace, Researchers Say (infoworld.com)
74.48% of developers use Microsoft's Visual Studio Code, according to one survey conducted by Stack Overflow. And besides GitHub Copilot, there are over 40,000 other extensions in the VSCode Marketplace.
Unfortunately, InfoWorld reports, "Researchers at Aqua Nautilus say they have found that attackers could easily impersonate popular extensions and trick unknowing developers into downloading them." It can be challenging to distinguish between malicious and benign extensions, and the lack of sandbox capabilities means that extensions could install ransomware, wipers, and other malicious code, Aqua security researcher Ilay Goldman wrote in a January 6 blog post. ["In fact, it can access and even alter all the code that you have locally and even use your SSH key to change the code in all your organization's repositories."] VS Code extensions, which provide capabilities ranging from Python language support to JSON file editing, can be downloaded from Microsoft's Visual Studio Code Marketplace.
Aqua Nautilus uploaded an extension masquerading as the Prettier code formatter and saw more than 1,000 installs in less than 48 hours, from around the world. The spoof extension has been removed.
Goldman noted that the Visual Studio Code Marketplace runs a virus scan for each new extension and subsequent updates, and removes malicious extensions when it finds them. Users can report suspicious-looking extensions via a Report Abuse link.
"While the media is full of stories about malicious packages that have been uploaded to popular package managers such as NPM and PyPI, there is very little information about malicious VSCode extension," the blog post notes. Yet it points out that a blue checkmark on a VSCode extension "merely means that whoever the publisher is has proven the ownership of a domain. That means any domain."
And even Microsoft acknowledged to InfoWorld that social engineering techniques have been used to persuade victims to download malicious extensions — though they point out that Microsoft confirms that each extension has a Marketplace certificate and verifiable signature before being installed. "To help make informed decisions, we recommend consumers review information, such as domain verification, ratings and feedback to prevent unwanted downloads."
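As an added defensive check (not code from Aqua, Microsoft or the article), the audit below walks a VS Code extensions directory and flags any installed extension whose title matches a well-known extension but whose `publisher` field is not the expected one, which is the pattern the Prettier spoof relied on. The allowlist and the two sample manifests are constructed for this example; `esbenp` is the real Prettier publisher id, while the lookalike publisher `espenb` is invented.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist (display title -> publisher id as it appears in package.json).
# esbenp.prettier-vscode is the real Prettier extension id; add your org's own entries.
EXPECTED_PUBLISHERS = {"Prettier - Code formatter": "esbenp"}

def normalize(title):
    """Fold case and replace punctuation with spaces so lookalike titles collide."""
    return " ".join("".join(c if c.isalnum() else " " for c in title.lower()).split())

def load_manifests(ext_root):
    """Yield (folder, parsed package.json) for every installed extension.
    VS Code keeps extensions as <root>/<publisher>.<name>-<version>/package.json."""
    for pkg in sorted(Path(ext_root).glob("*/package.json")):
        try:
            yield pkg.parent.name, json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip, it cannot be audited here

def audit_extensions(ext_root, expected=EXPECTED_PUBLISHERS):
    """Flag extensions whose title matches a well-known extension but whose
    publisher field differs from the allowlisted one (impersonation candidates)."""
    wanted = {normalize(k): v for k, v in expected.items()}
    findings = []
    for folder, manifest in load_manifests(ext_root):
        title = normalize(manifest.get("displayName", ""))
        publisher = manifest.get("publisher", "")
        if title in wanted and publisher != wanted[title]:
            findings.append({"folder": folder, "publisher": publisher,
                             "expected": wanted[title]})
    return findings

def build_demo_tree():
    """Constructed sample tree: one genuine-looking entry and one invented lookalike."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "esbenp.prettier-vscode-9.0.0": {"publisher": "esbenp", "name": "prettier-vscode",
                                         "displayName": "Prettier - Code formatter"},
        "espenb.prettier-vscode-9.0.0": {"publisher": "espenb", "name": "prettier-vscode",
                                         "displayName": "Prettier – Code Formatter"},
    }
    for folder, manifest in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Against a real install, call `audit_extensions(Path.home() / ".vscode" / "extensions")` with an allowlist of the extensions your team actually approves; a hit is a reason to compare the listing's publisher and domain verification before trusting it, not proof of malice.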
Re: (Score:2)
Do like me and don't run anything on your computer
A computer is an electronic device. With a sufficiently targeted electromagnetic field, one can provide power (ask your smartphone), turn the computer on (ask an EMP bomb) and flip bits in memory (ask the Sun) and thus run any program without your knowledge.
Re: (Score:2)
Pretty sure the EMP bomb fries most of the semiconductors and nothing runs after that.
BS (Score:5, Informative)
74.48% of developers use Microsoft's Visual Studio Code
No, no they don't. Not even close. What that survey means is that 74.48% of questions on Stack Overflow come from people who develop using Visual Studio Code. It says far more about the type of developers who use an IDE written in JS embedded in a web browser than it does about what development environments developers use. I don't use Visual Studio Code but I also don't ask questions on SO. I bet most developers are as well.
Re: (Score:1)
Yep. Still a large number of coders that basically suck.
Re: BS (Score:2)
Most places can't afford nor do they strictly need the best.
Re: (Score:1)
I am not talking about "the best", but what about people with solid skills? Maybe then we would not have this disaster we currently have all over mainstream software.
Re: (Score:2)
most new hires are the equivalent of duct tape patching broken processes. too many businesses fall into the trap of in for a penny, in for a pound. a lot of the software we depend on is crap and should be done over again from scratch. except given that they don't know why it didn't work the first two times they wrote it, the results are going to be terrible on additional rewrites without also replacing all the staff.
Re: (Score:2)
Pretty much so. "Save a penny lose a million" type hiring.
74%? (Score:4, Informative)
>74.48% of developers use Microsoft's Visual Studio Code
Where the hell did that statistic come from?
I work with a lot of developers and VSCode is not something I see. Emacs, Vi and Notepad++ seem to be the most common.
Did they conduct the study at Microsoft or something?
Re: 74%? (Score:2)
What if it's 74% of people in a VSCode help forum? That would make it a rather low number.
Re: (Score:2)
I'd love to know the answer to your question, too. Among professional Python devs pycharm is king. VSCode can't compare, even with a tonne of plugins installed it doesn't get anywhere near what you get out-of-the-box with pycharm.
Re: (Score:2)
I use KWrite
I am probably the only one.
Re: (Score:2)
The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.
Re:74%? (Score:4, Informative)
The usage statistic comes from a Stack Overflow survey, hence the link to the stack overflow IDE survey.
Ever heard of sampling bias [wikipedia.org]? Because that is what that is. What it isn't is a realistic reflection of developers or the software industry. SO surveys have little to nothing to do with the state of actual software development and never have. Anyone who ever actually made business decisions based upon SO surveys is likely unemployed or doing something that doesn't involve software.
Re: (Score:2)
At this point it's probably been decades since I've seen anyone use Emacs. I'll see the occasional vi for shell script type work, or when tweaking something on a remote server, but not for anything more complex than that. Notepad++ is nice for editing text documents or data files, but I've never seen someone write code in it. It seems to be more of a beginner's tool before graduating to a proper code editor.
VSCode seems to be the editor of choice for people who do strictly web development, or people who work
Would You Like To See (Score:3)
My malicious extension?
That sounds a bit off. (Score:2)
Re: (Score:2)
I used to use vim exclusively - combine that with tools like Samba and such that I can access all my Linux development environment on Windows.
But hey, I tried VSCode, and it's pretty pleasant. First, there's a vim plugin that basically give
Re: (Score:2)
just remember (Score:1)
For wildly varying definitions of "developer" (Score:4, Interesting)
Allow me to shed some light on this "wtf, 74% use that POS?"
VSCode is the host for PlatformIO, a tool that replaced the Arduino IDE for embedded development for most "developers". I use that term loosely here, i.e. in the way TFS and TFA use it, because what it really means is that people want to do something with their Arduino or NodeMCUs, have zero clue how to do it but know what they want as the end result. Fortunately, usually someone already did just that. There's almost invariably a project that does what you want to do on GitHub. People find that GitHub project and more often than not these days, it's on PlatformIO. Which means they install VSCode without knowing the first thing about it, then PlatformIO, then pull that project in and when (not if) it doesn't compile, they post the error message on Stack Overflow and ask for step-by-step instructions on how to fix it.
That's not exactly what I'd call a "developer", though. Pulling in code, not understanding the first thing about it and hitting "build and upload to microcontroller" isn't exactly what I'd call a skillset that warrants that label.
Although it does explain the kind of "developer" that applies for our jobs if that's the new definition. I think we need a new word for people who actually know how to develop a program.
I can help (Score:1)
not surprised (Score:2)
Re: (Score:2)