One of the most popular code editors in the world today is Visual Studio Code (VS Code). Every day, millions of developers depend on it for project management, testing, debugging, and code writing. The Marketplace, where developers can find thousands of free extensions that make coding simpler and more efficient, is a major factor in its popularity.
The catch is this: what if the Marketplace, which millions of people trust, also turns into a simple entry point for hackers? That is precisely what cybersecurity researchers recently found: a vulnerability in the VS Code Marketplace that allows malicious actors to upload malicious versions and reuse the names of deleted extensions.
Given that many developers add familiar-looking tools without giving it much thought, this finding has sparked serious concerns about how developers install and trust extensions.
How the Flaw Was Found
Researchers from the supply chain security firm ReversingLabs (RL) discovered the problem. In June of this year, they discovered a suspicious extension called ahbanC.shiba. It appeared to be a random upload at first, but they quickly discovered that it behaved exactly like two older extensions, ahban.shiba and ahban.cychelloworld, which had both previously been reported and taken down from the Marketplace.
That brought up a crucial query: how could a new extension appear under a slightly altered but recognizable name if extensions are required to have unique names?
What the Malevolent Extensions Did
The ahbanC.shiba extension was simple. It actually functioned similarly to a basic downloader. After installation, shiba.aowoo was the only command added. This command retrieved a PowerShell script from a distant server when it was executed.
The script then performed a ransomware-like action on a small scale. It requested payment in Shiba Inu cryptocurrency and encrypted files within the testShiba folder. It’s interesting that no wallet address was given, indicating that this campaign was more of an experiment or ongoing development than a full-fledged assault.
The fact that attackers were able to restore it after the older ones were deleted, rather than the extension itself, was what truly shocked the researchers.
Why It’s Risky to Reuse Extension Names
RL investigated Microsoft’s handling of Marketplace extensions in greater detail to learn how this flaw operates. They discovered that publishers had two options:
Unpublish: The name remains reserved but an unpublished extension is removed from the Marketplace. All of its statistics are still linked to the original version, and it is not reusable by anybody else.
Remove: In contrast, a removed extension is erased entirely. Anyone can reclaim its name at any time.
The risk is in this second choice. The name of a malicious extension is not locked when it is deleted. In order to fool users who recognize the name but are unaware of the new publisher account, attackers can easily reclaim the name and upload a malicious version.
By uploading innocuous test extensions with names from previously removed packages, ReversingLabs even put this theory to the test. Even names associated with previous malware campaigns could be reused, as demonstrated by their experiment.
Not Just a Problem with VS Code
This problem is not specific to the Microsoft platform. Other open-source ecosystems have previously shown this pattern. For instance, early in 2023, researchers discovered that package name reuse was also permitted by the Python Package Index (PyPI). Years after the original termcolor package was taken down, a malicious version of it resurfaced.
Since then, PyPI has taken action to prevent names linked to malicious packages from being reused. Regretfully, comparable protections are still absent from the VS Code Marketplace. The risk is still present until Microsoft imposes limitations.
Why Developers Care About This
This flaw is more than just a technical detail to regular developers. It draws attention to a larger issue: blindly believing names. Many of us install extensions by looking up well-known names without verifying the publisher’s identity or reading reviews. That’s precisely what attackers use.
Consider this: would you not be tempted to reinstall a popular extension you had previously used if it abruptly disappeared and then reappeared a few weeks later with the same or a very similar name? The majority of users would, which is why this vulnerability is so risky.
How to Keep Developers Safe
Developers should exercise extra caution when working with VS Code extensions until Microsoft resolves the underlying problem. Here are some doable actions:
Verify the publisher’s account; don’t rely just on the name. Check to see if the extension’s publisher matches the original creator.
Examine reviews and the most recent changes. Untrustworthy extensions frequently exhibit abrupt functional changes or little feedback.
If at all possible, check the source code. You can check the repositories of many open-source extensions on GitHub.
Employ security monitoring tools: These tools can assist in the early detection of malicious activity by tracking and analyzing dependencies across various repositories.
Reinstalling deleted extensions should be avoided. If a tool you used frequently vanishes, be wary of any lookalikes that reappear under the same name.
The More Comprehensive View
ReversingLabs’ discovery serves as a reminder that one of the largest attack surfaces in the modern world is still the software supply chain. Attackers have been searching for vulnerabilities in open-source ecosystems since npm, PyPI, and now VS Code Marketplace.
The next step for Microsoft is obvious: extension names associated with packages that have been removed shouldn’t be made publicly available. Many issues could be avoided by imposing restrictions or at the very least, marking names that are used repeatedly.
The lesson is equally obvious for developers. Extensions are convenient, but there are risks involved. It’s simple to concentrate solely on productivity, but neglecting security can have detrimental effects. A tiny malicious script concealed within an apparently innocuous tool could wind up costing far more than a few minutes of effort.
Concluding remarks
For developers all over the world, the VS Code Marketplace has changed everything. However, as it has grown, attackers have also turned it into a target. Both Microsoft and the developer community should take note of the vulnerability surrounding reusable extension names.
It is the responsibility of developers to double-check what they install until more robust safeguards are in place. A well-known name does not always imply safety; occasionally, the true threat is concealed by something you believe to be familiar.
I’m Srini – a tech junkie who loves exploring the latest in gadgets, apps, and science. I enjoy sharing my thoughts on tech news and discoveries in a simple, friendly way. For me, technology is not just about updates, it’s about how it connects to our daily lives. Through this blog, I want to make tech fun and easy to understand for everyone.
Leave a Reply