Malicious Supply Chain Attacking Moving From npm Community To VSCode Marketplace

Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability of the platform to supply chain attacks similar to those previously seen in the npm community.

Malicious actors are increasingly exploiting npm packages to distribute malicious code, mirroring tactics previously used in VSCode extensions that involve the npm package etherscancontracthandler, which highlights this evolving threat, underscoring the need for vigilance in both ecosystems.

VSCode extensions, built with Node.js and npm packages, can introduce vulnerabilities due to their potential to include compromised npm dependencies.

- Advertisement -

While extensions are often seen as safe, their reliance on external packages makes them a potential attack vector. 

Malicious npm packages, potentially installed in VSCode, can compromise local development environments, highlighting the risk of supply chain attacks and the need for rigorous package security checks.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

A campaign involving 18 malicious VSCode extensions with downloader functionality emerged in October 2024. 

A sophisticated cryptocurrency-themed phishing campaign evolved into a targeted attack against Zoom users as malicious browser extensions were developed, disguised as legitimate tools, to deceive victims into installing malware, which employed deceptive tactics like inflated download counts and fabricated reviews to increase credibility.

The malicious extensions, disguised as Solidity Language support for Visual Studio Code, employed JavaScript Obfuscator to conceal a simple script, which downloaded a second-stage payload from various domains, including some seemingly legitimate ones like Microsoft and CaptchaCDN, to deceive users.

A malicious npm package, etherscancontracthandler, was published by a threat actor targeting the crypto community, which is similar to malicious VSCode extensions, and downloaded a secondary payload from specific domains using a consistent string identifier.

VSCode extensions and npm packages were found to contain obfuscated malicious code with similar structures. Upon detection, the malicious npm package was reported and promptly removed, limiting its impact to approximately 350 downloads.

IDEs and their extensions pose significant security risks due to their potential for malicious exploitation.

Regular security assessments of IDEs and their dependencies are crucial to prevent unauthorized access and compromise of the development environment and supply chain.

Reversing Labs highlights the vulnerability of software supply chains, specifically npm and VSCode ecosystems. Malicious actors can easily compromise packages, introducing backdoors and data theft risks. 

It is important for organizations and developers to carefully evaluate the dependencies of third parties and implement robust security solutions in order to mitigate this risk.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free