Thursday, December 19, 2024

Malicious Supply Chain Attacking Moving From npm Community To VSCode Marketplace


Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability of the platform to supply chain attacks similar to those previously seen in the npm community.

Malicious actors are increasingly using npm packages to distribute malicious code, mirroring tactics previously seen in VSCode extensions. The npm package etherscancontracthandler illustrates this evolving threat and underscores the need for vigilance in both ecosystems.

VSCode extensions, built with Node.js and npm packages, can introduce vulnerabilities due to their potential to include compromised npm dependencies.


While extensions are often seen as safe, their reliance on external packages makes them a potential attack vector. 

Malicious npm packages, potentially installed in VSCode, can compromise local development environments, highlighting the risk of supply chain attacks and the need for rigorous package security checks.


A campaign involving 18 malicious VSCode extensions with downloader functionality emerged in October 2024. 

VoiceMod.VoiceMod’s inflated number of installs and fabricated reviews

A sophisticated cryptocurrency-themed phishing campaign evolved into a targeted attack against Zoom users. Malicious browser extensions, disguised as legitimate tools, were developed to deceive victims into installing malware, and the campaign relied on deceptive tactics such as inflated download counts and fabricated reviews to increase its credibility.

The malicious extensions, disguised as Solidity Language support for Visual Studio Code, employed JavaScript Obfuscator to conceal a simple script, which downloaded a second-stage payload from various domains, including some seemingly legitimate ones like Microsoft and CaptchaCDN, to deceive users.

A malicious npm package, etherscancontracthandler, was published by a threat actor targeting the crypto community. Like the malicious VSCode extensions, it downloaded a secondary payload from specific domains and used a consistent string identifier.

Malicious code from VSCode extensions Ethereum.SoliditySupport

VSCode extensions and npm packages were found to contain obfuscated malicious code with similar structures. Upon detection, the malicious npm package was reported and promptly removed, limiting its impact to approximately 350 downloads.

IDEs and their extensions pose significant security risks due to their potential for malicious exploitation.

Regular security assessments of IDEs and their dependencies are crucial to prevent unauthorized access and compromise of the development environment and supply chain.
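One way to put such an assessment into practice is a small audit script that walks the installed VSCode extensions, lists each extension's declared npm dependencies, and flags bundled JavaScript that shows traits of obfuscated downloader code. This is an added example, not code from the article or from ReversingLabs; the extension directory layout, the indicator patterns and the sample extension are constructed assumptions, and a hit is a reason to inspect, not proof of malice.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed heuristics (assumptions, not signatures from the report): traits that
# obfuscated downloader scripts commonly show. A hit means "look closer", nothing more.
INDICATORS = {
    "hex_escaped_strings": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "obfuscator_identifiers": re.compile(r"\b_0x[0-9a-f]{4,}\b"),  # javascript-obfuscator style names
    "dynamic_code": re.compile(r"\b(eval|new Function)\s*\("),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "remote_fetch": re.compile(r"\b(https?\.get|fetch|axios\.get)\s*\("),
}

def scan_js(source: str) -> list:
    """Return the names of indicators present in one JavaScript source string."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(source)]
    if any(len(line) > 5000 for line in source.splitlines()):
        hits.append("very_long_line")  # typical of minified or obfuscated bundles
    return hits

def audit_extension(ext_dir: Path) -> dict:
    """Summarise one extension directory: declared npm deps and per-file indicator hits."""
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    findings = {}
    for js in sorted(ext_dir.rglob("*.js")):
        hits = scan_js(js.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            findings[js.relative_to(ext_dir).as_posix()] = hits
    return {"name": manifest.get("name"), "publisher": manifest.get("publisher"),
            "dependencies": sorted(manifest.get("dependencies", {})), "findings": findings}

def audit_installed(root: Path = Path.home() / ".vscode" / "extensions") -> list:
    """Audit every extension under the assumed default VSCode extension directory."""
    return [audit_extension(d) for d in sorted(root.iterdir()) if (d / "package.json").is_file()]

def demo() -> dict:
    """Constructed sample: an extension whose bundled script looks like an obfuscated downloader."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "example.solidity-helper-0.0.1"
        (ext / "out").mkdir(parents=True)
        (ext / "package.json").write_text(json.dumps({"name": "solidity-helper",
            "publisher": "example", "dependencies": {"axios": "^1.0.0"}}))
        (ext / "out" / "extension.js").write_text(
            "var _0x4f2a=['\\x68\\x74\\x74\\x70\\x73'];"
            "eval(_0x4f2a[0]);require('child_process');")
        return audit_extension(ext)

if __name__ == "__main__":
    for result in audit_installed():
        print(result)
```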

ReversingLabs highlights the vulnerability of software supply chains, specifically the npm and VSCode ecosystems. Malicious actors can easily compromise packages, introducing backdoors and data theft risks.

It is important for organizations and developers to carefully evaluate the dependencies of third parties and implement robust security solutions in order to mitigate this risk.
