Threats actors target Microsofts VSCode Marketplace with malicious extensions (May 30, 2023)

Ref# AL2023_42 | Date: May 30th 2023


Researchers at Check Point discovered several malicious extensions residing on the VSCode marketplace capable of stealing personal information and installing remote shells.  


Visual Studio Code (VSCode) is a lightweight, efficient, and powerful source code editor developed by Microsoft. It features a customizable coding environment that supports a wide range of programming languages, frameworks, and tools while also supporting debugging, syntax highlighting, intelligent code completion, and code refactoring. It has gained much popularity in recent years and one contributing factor towards this is the VSCode extension marketplace. The marketplace allows developers to discover and install extensions to enhance their VSCode environment and experience. These extensions can add new features, support new programming languages, integrate with external tools and services, and more. The marketplace now contains over 50,000 extensions.  

The marketplace allows for official Microsoft extensions and third-party extensions created by the community. This poses a security risk as threat actors can upload malicious extensions to carry out harmful actions once installed to VSCode. Microsoft stated that they had implemented several security measures to counteract this such as automatic extension scanning in attempts to detect and remove any malicious extensions and the user reviews and ratings sections for users to identify and report any malicious extensions. However, almost no malicious extensions were detected through these security measures. 

The Check Point research team analyzed and detected three malicious extensions and several extensions with suspicious code patterns but are not necessarily malicious. The first malicious extension discovered was called prettiest java, which is supposed to mimic the popular Prettier-Java code formatter project on GitHub. Analysis of the code revealed that it steals stored data, credentials from Discord and Discord Canary and from the browsers Google Chrome, Opera, Brave, and Yandex. Stolen data is retrieved and sent to the attacker through a Discord webhook. This extension saw 278 downloads. 

The next malicious extension discovered was called Darcula dark. This is a theme extension that claims to improve the color scheme in VSCode and was seen as quite popular with over 45,000 downloads. Analysis of the code shows that it steals basic information on the compromised device, including the devices hostname, operating system, memory, and CPU information. The stolen information is sent via a POST request to a remote device. 

The last malicious extension discovered was called Python-vscode. There was no description for this extension, however it still managed to gain over 1,300 downloads. Researchers believed it might have tricked users into thinking the extension is a Python development VSCode enabler, hence the considerable amounts of downloads. Looking at the code, researchers found an obfuscated snippet of code that was revealed to be a common C# shell injector code.  

The researchers also found some cases of extensions that use suspicious code patterns such as fetching code from private repositories or downloading resources from general IP addresses. Both methods can be used theoretically to infect installers or sneak in malicious packages silently; however, no evidence of those malicious activities was found.  


Check Point disclosed the malicious extensions to VSCode and the extensions were removed from the marketplace as of May 14th, 2023. However, if these extensions were already installed, it is recommended to remove them immediately and have your device scanned with a reputable anti-virus solution. When installing extensions from the marketplace, we recommend that extensions are installed only from trusted publishers and extensions source code is inspected for anything suspicious before installing it. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Threat actors target Microsoft”s VSCode Marketplace with malicious extensions.pdf