• VSCode extensions pulled over security risks, but millions of users have already installed

    From TechnologyDaily@1337:1/100 to All on Thu Feb 27 15:00:08 2025
    VSCode extensions pulled over security risks, but millions of users have already installed

    Date:
    Thu, 27 Feb 2025 14:42:00 +0000

    Description:
    Malicious code seems to have been introduced into two VSCode extensions somewhere along the way.

    FULL STORY ======================================================================

    - Security researchers found malicious code hiding in two VSCode extensions
    - Microsoft quickly pulled them and notified users
    - The developer criticized Microsoft's move, saying they were never consulted

    Microsoft has pulled two popular VSCode extensions from its marketplace after finding malicious code hiding inside. However, the original developers don't seem to be the culprits, and have slammed Microsoft for its harsh reaction which, they claim, caused more harm than good.

    Two security researchers, Amit Assaraf and Itay Kruk, used a specialized scanner to analyze extensions in the Visual Studio Marketplace, and found obfuscated malicious code in Material Theme - Free and Material Theme Icons - Free, two extensions built by one Mattia Astorino (AKA equinusocio).

    BleepingComputer analyzed parts of the code and said that the "release-notes.js" files in the theme contained heavily obfuscated JavaScript, which is a red flag in software that is supposedly open source. They managed to partially deobfuscate the code, which showed numerous references to usernames and passwords, but could not determine the context in which they were being used.

    Microsoft's move

    Assaraf added that the malicious code was most likely added in an update, suggesting either that the developer's account was compromised, or that the malware was added in a supply chain attack.
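    A heuristic scan of the kind the "red flag" above refers to, as an added example that is not the researchers' scanner, BleepingComputer's analysis or Microsoft's tooling. It scores every .js file under an extensions directory (for example ~/.vscode/extensions) on indicators typical of obfuscator output, and decodes hex-escaped string literals, which is roughly the partial deobfuscation that surfaced the username and password references described above. The thresholds, the scoring weights and the two sample files are assumptions constructed for the demo, not the real Material Theme code.

```python
"""Heuristic obfuscation scan of VS Code extension JavaScript.

Added example for this article, not the researchers', BleepingComputer's or
Microsoft's tooling. Scores every .js file under an extension directory on
cheap indicators that obfuscator output tends to exhibit, and decodes
hex-escaped string literals so a reviewer can see what they hide. Thresholds,
weights and the two sample files are assumptions constructed for the demo.
"""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
HEX_STRING = re.compile(r"['\"]((?:\\x[0-9a-fA-F]{2})+)['\"]")
HEX_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")          # _0x4f2a-style names
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function)\s*\(")
CHARCODE = re.compile(r"String\s*(?:\.|\[\s*['\"])fromCharCode|\.charCodeAt\b")
SUSPICIOUS = 4  # assumed score threshold


def shannon_entropy(text: str) -> float:
    """Bits per character; reported only, because hex-escaped strings lower it."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def reveal_hex_strings(source: str) -> list[str]:
    """Decode string literals written entirely as \\xNN escapes."""
    return ["".join(chr(int(h, 16)) for h in HEX_ESCAPE.findall(lit))
            for lit in HEX_STRING.findall(source)]


def score_js(source: str) -> dict:
    """Count indicators in one JS source and combine them into a score."""
    longest = max((len(line) for line in source.splitlines()), default=0)
    ind = {
        "hex_escapes": len(HEX_ESCAPE.findall(source)),
        "hex_identifiers": len(set(HEX_IDENT.findall(source))),
        "dynamic_eval": len(DYNAMIC_EVAL.findall(source)),
        "charcode_ops": len(CHARCODE.findall(source)),
        "longest_line": longest,
        "entropy": round(shannon_entropy(source), 2),
        "decoded_strings": reveal_hex_strings(source),
    }
    score = 0
    score += 2 if ind["hex_escapes"] >= 10 else 0
    score += 2 if ind["hex_identifiers"] >= 5 else 0
    score += 2 if ind["dynamic_eval"] else 0
    score += 1 if ind["charcode_ops"] else 0
    score += 1 if longest > 1000 else 0        # single-line packed bundles
    ind["score"] = score
    ind["suspicious"] = score >= SUSPICIOUS
    return ind


def scan_extensions(root: Path) -> list[dict]:
    """Scan every .js file below root (e.g. ~/.vscode/extensions), worst first."""
    results = []
    for js in root.rglob("*.js"):
        r = score_js(js.read_text(encoding="utf-8", errors="replace"))
        r["path"] = str(js.relative_to(root))
        results.append(r)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed samples: a plain extension entry point, and a release-notes file
# packed in the style of a common JS obfuscator (not the real extension code).
CLEAN_JS = """const vscode = require('vscode');
function activate(context) {
  const cmd = vscode.commands.registerCommand('theme.showReleaseNotes', () => {
    vscode.window.showInformationMessage('See CHANGELOG.md');
  });
  context.subscriptions.push(cmd);
}
module.exports = { activate };
"""
OBFUSCATED_JS = r"""var _0x4f2a=['\x75\x73\x65\x72\x6e\x61\x6d\x65','\x70\x61\x73\x73\x77\x6f\x72\x64','\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'];(function(_0x1b3c,_0x5d9e){var _0x2c7f=function(_0x3a1d){while(--_0x3a1d){_0x1b3c['push'](_0x1b3c['shift']());}};_0x2c7f(++_0x5d9e);}(_0x4f2a,0x1a3));var _0x33e1=function(_0x1b3c){return _0x4f2a[_0x1b3c];};var _0x6b2d=String['fromCharCode'](0x68,0x74,0x74,0x70);this[_0x33e1(0x0)]=new Function('return this')();
"""


def demo() -> list[dict]:
    """Write the samples into a throwaway extensions dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good.theme-1.0.0").mkdir()
        (root / "good.theme-1.0.0" / "extension.js").write_text(CLEAN_JS)
        (root / "some.theme-2.0.0").mkdir()
        (root / "some.theme-2.0.0" / "release-notes.js").write_text(OBFUSCATED_JS)
        return scan_extensions(root)


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} score={r['score']} {r['path']} strings={r['decoded_strings']}")
```

    Point scan_extensions() at a real extensions directory to use it for more than the demo. Treat a hit as a prompt to read the file, not a verdict: an extension can ship an intentionally obfuscated bundle, as the developer says of index.js further down, and the scanner cannot tell that apart from code that only appeared in a later update. The version history, and the dependency that pulled the file in, is the next thing to check.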

    Since the two extensions have roughly nine million downloads combined, Microsoft's reaction was swift: "Microsoft removed both extensions from the VS Code marketplace and banned the developer," a Microsoft employee said on Y Combinator's Hacker News.

    "A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code."

    "We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled them from all VS Code instances that have this extension running. For clarity - the removal had nothing to do with copyright/licenses, only about potential malicious intent."

    Astorino acknowledged the findings, but also criticized Microsoft for not reaching out to him first:

    "Nothing harmful was ever shipped within Material Theme," he said in a post on Microsoft's VSMarketplace repository. "We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found."

    "That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it's their fault)"

    "They broke everything without ever reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that's just how Microsoft operates. We also ship an obfuscated index.js file that contains all the theme commands and logic. It's obfuscated because the extension is now closed-source; however, if you delete it, the extension will still function with plain JSON files."

    In an even quicker counter-move, Astorino completely rewrote the extension without any dependencies, and named it Fanny Themes, but Microsoft allegedly removed that one too.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/vscode-extensions-pulled-over-security-risks-but-millions-of-users-have-already-installed


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)