UHG
Search
Close this search box.

Just How Easy is it to Publish Malicious Extension on VSCode?

There are 1,283 malicious extensions on VSCode with a combined total of 229 million installs.

Share

How easy it is to publish malicious extension on VSCode

Recently, a group of Israeli researchers were able to create and publish a malicious VSCode extension in 30 minutes. Surprisingly, the extension was trending, and had 100+ downloads within the first 24 hours, shockingly exposing the vulnerability of the platform. 

Built with Flaws 

The experiment showcased that over 1,280 extensions had malicious dependencies packaged in them with a combined total of 229 million installations. Also, there were 87 extensions that attempted to read the /etc/passwd file on the host system.

Amit Assaraf, the co-founder of real estate investing app Landa, and one of the Israeli researchers who experimented to expose the flaw, said, “Unlike Google Chrome extensions, VSCode extensions are practically apps/executables running on your machine with zero limitations on what they can do on the host.

“This means extensions pose a threat to spawn child processes, system calls or even import any NodeJS package they’d like.”

In the experiment conducted by Assaraf and his team members Itay Kruk, and Idan Dardikman, it was found that 2,304 extensions used another publisher’s GitHub repo as their official listed repository. This means you have no way to tell if the code of your extension and the linked GitHub repository are the same. 

A major flaw in the popular open-source code editor VSCode is that extensions are not sandboxed. Though there’s a provision for sandboxing code, it is not applicable for extensions. 

Since extensions are not sandboxed, they can access anything inside the IDE and execute anything on the host machine without the developer receiving any feedback.

Apart from sandboxing, VSCode also lacks permission management. You will find multiple feature requests to add permission manager in VSCode, similar to what we have in our smartphones to know that is being accessed by extensions. 

This way, a theme extension that is built to change colours of IDE, may execute code and read or write files without any visibility or explicit authorisation from the user.

Auto Update of Extension

VSCode extensions automatically update to the latest version behind the scenes. This means any developer can initially create an extension without any malicious intent and later update the extension where he can introduce the malicious code. 

The same happened with xz utility, which was safe for years and later found to have a backdoor.

$5 to Verify VSCode Extension

Extension verification allows extension authors to verify the ownership of a domain to establish their authenticity and credibility, with the verified domain displayed alongside their name.

Isidor Nikolic, a senior product manager at Microsoft, VS Code, mentions that extension authors can become verified by checking the ownership of an eligible domain associated with your brand or identity.

Interestingly, to verify your extension, all you have to do is get a domain for your extension (which usually costs around $5) and soon you’ll receive a badge from VSCode suggesting that your extension is verified.

How easy it is to verify malicious extension on VSCode Market place

A GitHub user critiqued the process, calling the process for verification badge as totally useless and misleading. “The verified blue check mark merely means that whoever the publisher is has proven the ownership of a domain. And that means any domain. In reality, a publisher could buy any domain and register it to get that verified check mark,” he said.

Sure, there are manual steps involved in the verification process but these are not rock solid. You can use a different name while applying for verification and as soon as you get verified, it can be changed to look exactly like the original name of the extension.

“Security is not a high priority for Microsoft as they want as many extensions on their marketplace as possible,” the Israeli researcher also mentioned further.

Solutions to Navigate

Vignesh Rajan, a lead engineer at GenAI startup MachineHack, suggested, “You may use VSCode but with as few extensions as possible to minimise the risk. If necessary, a developer should do a thorough research on which extension is official and can be trusted before installation.”

By nature, VSCode heavily relies on extensions to enhance its functionality. It is a bare-bone IDE where developers can install extensions of their choice to get the job done. 

You may also switch to closed-source IDE such as IntelliJ. A user while praising IntelliJ for Java development mentioned that “VS Code is not only unsuitable (still) for larger enterprise-level projects, it is also less reliable, responsive and stable than IntelliJ.”

On November 18, 2015, the source code of VS Code was released under the MIT License and made available on GitHub. The idea was to create a lightweight platform powered by extension and it was an instant success.

📣 Want to advertise in AIM? Book here

Picture of Sagar Sharma

Sagar Sharma

A software engineer who loves to experiment with new-gen AI. He also happens to love testing hardware and sometimes they crash. While reviving his crashed system, you can find him reading literature, manga, or watering plants.
Related Posts
19th - 23rd Aug 2024
Generative AI Crash Course for Non-Techies
Upcoming Large format Conference
Sep 25-27, 2024 | 📍 Bangalore, India
Download the easiest way to
stay informed

Subscribe to The Belamy: Our Weekly Newsletter

Biggest AI stories, delivered to your inbox every week.

Flagship Events

Rising 2024 | DE&I in Tech Summit
April 4 and 5, 2024 | 📍 Hilton Convention Center, Manyata Tech Park, Bangalore
Data Engineering Summit 2024
May 30 and 31, 2024 | 📍 Bangalore, India
MachineCon USA 2024
26 July 2024 | 583 Park Avenue, New York
MachineCon GCC Summit 2024
June 28 2024 | 📍Bangalore, India
Cypher USA 2024
Nov 21-22 2024 | 📍Santa Clara Convention Center, California, USA
Cypher India 2024
September 25-27, 2024 | 📍Bangalore, India
discord-icon
AI Forum for India
Our Discord Community for AI Ecosystem, In collaboration with NVIDIA.