Somebody sent this blog my way today, so I had a dig into it for a few hours. https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7

Yes, Amit is right. Visual Studio Marketplace is a clusterfuck.

✅ anybody can verify themselves using just a domain name
✅ anybody can set any display name
✅ extensions allow RCE, no sandboxing or limits at all
✅ full access to developer + build
✅ anybody can link any GitHub repo, even if it has nothing to do with the extension
✅ I’ve already found malware: backdoors, beacons, etc.

1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension

30 minutes. 30 minutes is how long it took us to develop, publish, and polish a Visual Studio Code (The most popular IDE on the planet with over 15m monthly users) extension that changes your IDE’s…

There's a follow on blog post which is also relevant: https://medium.com/@amitassaraf/2-6-exposing-malicious-extensions-shocking-statistics-from-the-vs-code-marketplace-cf88b7a7f38f

I'm still digging through the extensions myself and there's a lot to unpack; there are essentially supply chain attacks in there where people have replaced open source projects and nobody has even noticed.

2/6 | Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace

In the previous blog post “1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension”, we told the story of how within 30 minutes of work we created a Visual…

A reminder that Visual Studio Code’s marketplace is still an absolute security clusterfuck that Microsoft have engineered.

There are active supply chain attacks in there nobody has reported on. (That, yes, will get a cartoon porg blog one day.)

Expect many more of these. VSCode is an absolute security trash fire; MS Security needs to have a word with MS.

- It installs as non-admin
- There are no security controls *at all* around marketplace access
- addons update automatically and are required
- No vetting
- Blue tick verification just needs any domain name
- Source code link on addons doesn’t need to match the addons
- Allows RCE by design
- The marketplace is absolutely riddled with malware

https://www.bleepingcomputer.com/news/security/vscode-extensions-with-9-million-installs-pulled-over-security-risks/

VSCode extensions with 9 million installs pulled over security risks

Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and 'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.

@GossiTheDog I'm both horrified and amused at how bad this is
@GossiTheDog And the remote extension works by sshing into the target machine (e.g. your production machine), grabbing a binary of VS Code from a Microsoft server, extracting it in the home directory (neatly bypassing any auditing of installed binaries and leaving the executables writeable by the user) and then installing copies of your extensions on the target machine, where they then have the ability to run other executables and make network connections from the target machine.

@GossiTheDog

This whole thing has been on my mind if I want to download a VS Code extension. I'm at a point where if there's a specific need that I think an extension would improve, I ask other devs for recommendations, and use something from someone I trust. This reinforces my fears.

@GossiTheDog oof.

I hope the Obsidian plugin ecosystem is safer than this.

@kboyd @GossiTheDog I can't imagine why it would be.

I filed a bug once against a popular extension, only to discover (a) it had been abandoned by the author, (b) even though the author had gone to work *for* Obsidian, and (c) the shipped code was a compiled JS that had unclear relationship to the TS in the repo.

As well, Obsidian itself is not open source, so unlike VS Code/Codium it's not clear what Electron or other features may be exposed for RCE and other trickery 🙃

@GossiTheDog

It is the Internet Explorer of the modern day. Not just for the reasons mentioned, but also because if someone wants something, they ‘just search and download’ anything.

@GossiTheDog while I'm certain that vscode... is... special... this problem exists in all "modern" editors and IDEs. seriously, who's checking the plugins that one could plug into Notepad++? also... vundle had its moment, so did plug...
@GossiTheDog I can't wait until Theia IDE can run python fully
@GossiTheDog What a surprise ...... especially since I've learned they also own the NPM repos
@GossiTheDog from the admin side, there's sweet FA you can do to set an allow / block list either

@GossiTheDog I know some corporate workplaces where the easiest way, if not the only way, to download some binary is to get the matching VSCode plugin.

But maybe this is exactly what you're referring to ?

@GossiTheDog https://github.com/microsoft/DevSkim/issues/648 We need a new song… “you have to sign it, sign it…” 😁
binaries are not digitally signed · Issue #648 · microsoft/DevSkim

Describe the bug: exe and dll files in .vscode\extensions\ms-cst-e.vscode-devskim-1.0.33\devskimBinaries are not digitally signed. Unsigned code is not allowed to run on our machines.

@GossiTheDog Please lead us to the knowledge, much interested
@GossiTheDog Last night I was looking at 'code' on my Linux box, thinking I never use it. Thanks for the nudge!