"Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions"
A new attack vector aimed at the Visual Studio (VS) Code extensions marketplace could be used to upload malicious extensions masquerading as their official equivalents in order to launch supply chain attacks. Ilay Goldman, a security researcher at Aqua, stated that the technique might serve as an entrance point for an attack on numerous companies. Microsoft's marketplace for VS Code extensions enables developers to add programming languages, debuggers, and tools to the VS Code source-code editor to modify their workflows. Without a sandbox, all extensions operate with the privileges of the person who opened VS Code, which means they can install any program on a user's computer, including ransomware, wipers, and more. Aqua discovered that not only is it easy for a threat actor to impersonate a popular extension by modifying the URL, but the marketplace also permits the adversary to use the same name and extension publisher details, including the project repository information. Although the method prohibits replicating the number of installs and the number of stars, it can be used to trick developers because there are no constraints on the other identifying qualities. This article continues to discuss the abuse of the VS Code extensions marketplace to target developers with rogue extensions.