Somebody sent this blog my way today, so I had a dig into it for a few hours. https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7

Yes, Amit is right. Visual Studio Marketplace is a clusterfuck.

✅ anybody can verify themselves using just a domain name
✅ anybody can set any display name
✅ extensions allow RCE, no sandboxing or limits at all
✅ full access to developer + build
✅ anybody can link any GitHub repo, even if it has nothing to do with the extension
✅ I’ve already found malware - backdoors, beacons, etc.

There's a follow on blog post which is also relevant: https://medium.com/@amitassaraf/2-6-exposing-malicious-extensions-shocking-statistics-from-the-vs-code-marketplace-cf88b7a7f38f

I'm still digging through the extensions myself and there's a lot to unpack: there are essentially supply chain attacks in there, where people have replaced open source projects and nobody has even noticed.

A reminder that Visual Studio Code’s marketplace is still an absolute security clusterfuck that Microsoft have engineered.

There are active supply chain attacks in there nobody has reported on. (That, yes, will get a cartoon porg blog one day.)

@GossiTheDog Please lead us to the knowledge, much interested