tuckner

@tuckner@infosec.exchange
90 Followers
160 Following
92 Posts
Finding bad software extensions https://secureannex.com
Workhttps://secureannex.com
Bloghttps://johntuckner.me/pages/about
LocationKC
tuckner2d ago

Now available is the Secure Annex MCP server!

Many folks who review extensions just eyeball the marketplace listing and hope for the best. Now it is as easy as asking what threats an extension presents to your organization.

The tool has access to all context from the marketplace, enrichment data, and even files in the extension.

Setup details at https://app.secureannex.com/settings/updates

https://youtu.be/f2nT9FwwbgM

tuckner4d ago
Alesandro Ortiz 🇵🇷🏳️‍🌈4d ago

Great research by @tuckner about Mellowtel, a company that sells bandwidth of extension users: https://secureannex.com/blog/mellow-drama/

It allows a surprising amount of functionality, including many which can be abused by bad actors. Mellowtel is also associated with other entities, such as Olostep and some self-developed extensions.

Mellow Drama: Turning Browsers Into Request Brokers

How the Mellowtel library transforms browser extensions into a distributed web scraping network, making nearly one million devices an unwitting bot army.

Secure Annex
tuckner4d ago

Two more malicious extensions in Open VSX. Signs point to them being published without malware and then an update pushed shortly after.

nomicfdn.hardhat-solidity
juan-blanco.solidity

Show threadtuckner4d ago

Both execute on install and run a 'Modal' function with 'hexColors' values. Decoding the payload shows they retrieve and execute scripts for Mac and Windows from -

p92nd[.]pages[.]dev

which does not resolve anymore

Show threadtuckner5d ago

Miss earlier reporting? Catch up.

https://secureannex.com/blog/these-vibes-are-off/

Malware in Open VSX: These Vibes Are Off

AI code editors use Open VSX for extensions, but at what cost?

Secure Annex
Show threadtuckner5d ago
At this time I would be very prudent on the extensions you install in Cursor/Windsurf/other VS Code forks. Check Secure Annex for an analysis of what your extension is actually doing.
tuckner5d ago
Why the Cursor proxy? Microsoft began enforcing their license on VS Code forks by closing off access to VS Marketplace. Overnight, users of Cursor began to see and install extensions from Open VSX. There are fewer extensions allowing for squatting on popular extensions that haven't migrated yet.
tuckner5d ago

How are these extensions so easily installed in a code editor like Cursor? A couple ways.

  • Install counts boost ranking on the left side bar
  • Verification not easily shown on the install page (this extension is verified)
  • A marketplace listing links to a Cursor proxy which chooses Open VSX
    • Show threadtuckner5d ago
    Looking at the code, the ENTIRE extension is malicious code. It runs a remote powershell script which installs ScreenConnect RMM giving access to your system the moment the extension is installed.
    Show threadtuckner5d ago
    The extension was published on August 10th and had 382,285 installs. I believe this install count is able to be manipulated by attackers (ex: hitting the download link 300k+ times). Many of these extension owners/namespaces are not verified, something you need to look out for!