
VS Code Vulnerability Allows Malicious Actors to Hijack Deleted Extension Names

Updated: 3 days ago

Cybersecurity researchers have uncovered a significant vulnerability within the Visual Studio Code Marketplace that permits malicious actors to re-register extensions that have been previously removed, using their original names. This loophole could enable attackers to impersonate legitimate extensions and distribute malware, posing a serious threat to the software supply chain.


Key Takeaways

  • A flaw in the VS Code Marketplace allows deleted extensions to be re-registered under their original names.

  • This vulnerability was demonstrated by researchers who found a malicious extension mimicking previously removed ones.

  • The issue mirrors a similar vulnerability previously identified in the Python Package Index (PyPI).

The Discovery of the Vulnerability

ReversingLabs, a software supply chain security firm, identified a malicious extension named "ahbanC.shiba." This extension exhibited behavior similar to two other extensions, "ahban.shiba" and "ahban.cychelloworld," which had been flagged and removed earlier in March. The critical discovery was that the new malicious extension shared a name with a previously removed one, despite VS Code Marketplace documentation stating that extension names must be unique.

How the Attack Works

Security researcher Lucija Valentić found that the loophole becomes exploitable once an extension is removed from the repository. Unlike an extension that its author has merely unpublished, a removed extension's name can be re-registered. This means that if a popular and legitimate extension is removed, its name becomes available for malicious actors to claim.

The malicious extensions identified were designed to act as downloaders for PowerShell payloads. These payloads would encrypt files on a victim's Windows desktop, specifically within a folder named "testShiba," and then demand a ransom in Shiba Inu tokens, instructing victims to deposit the assets to an unspecified wallet. This indicates ongoing development efforts by the threat actor to exploit this vulnerability.
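The name-reuse pattern described above can be checked for on a workstation by auditing the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension. The script below is an added example, not code from the article or from ReversingLabs: the allowlist, the sample listing and its version numbers are constructed, and the removed identifiers are the two the article names.

```python
import re

# Matches one line of `code --list-extensions --show-versions`: publisher.name@version
LINE_RE = re.compile(r"^(?P<publisher>[^.@\s]+)\.(?P<name>[^@\s]+)@(?P<version>\S+)$")

# Constructed sample listing (version numbers are made up for this example).
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
ahbanC.shiba@0.0.2
ahban.cychelloworld@0.0.1
someone.unknown-tool@1.0.0
"""

# Constructed allowlist of approved publisher.name identifiers.
ALLOWED = {"ms-python.python"}
# Identifiers the article reports were removed from the Marketplace.
REMOVED = {"ahban.shiba", "ahban.cychelloworld"}

def parse_listing(text):
    """Parse listing lines into (publisher, name, version) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            # Lower-case identifiers so casing differences cannot slip past (an assumption of this check)
            entries.append((m["publisher"].lower(), m["name"].lower(), m["version"]))
    return entries

def audit(text, allowed=ALLOWED, removed=REMOVED):
    """Return sorted (identifier, reason) findings for the installed extensions."""
    allowed = {a.lower() for a in allowed}
    removed = {r.lower() for r in removed}
    # Map the name part of each removed identifier to the publisher(s) that held it.
    removed_names = {}
    for ident in removed:
        pub, name = ident.split(".", 1)
        removed_names.setdefault(name, set()).add(pub)
    findings = []
    for pub, name, _version in parse_listing(text):
        ident = f"{pub}.{name}"
        if ident in removed:
            findings.append((ident, "identifier was removed from the Marketplace"))
        elif name in removed_names and pub not in removed_names[name]:
            # The article's pattern: a removed extension's name reappears under another publisher.
            prior = ", ".join(f"{p}.{name}" for p in sorted(removed_names[name]))
            findings.append((ident, f"name '{name}' belongs to removed extension {prior}"))
        elif ident not in allowed:
            findings.append((ident, "not on the allowlist"))
    return sorted(findings)
```

Running `audit(SAMPLE_LISTING)` flags the exact removed identifier, the lookalike that reuses a removed name under a new publisher, and anything outside the allowlist, while the approved extension passes silently.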

Broader Implications and Similarities

This vulnerability in the VS Code Marketplace is not unique. ReversingLabs previously demonstrated a similar issue with the Python Package Index (PyPI) in early 2023. On PyPI, deleting a package typically makes its project name available to others, provided the distribution file names differ. However, PyPI has an exception for malicious packages, preventing their names from being reused. The VS Code Marketplace appears to lack such a safeguard.

This discovery aligns with broader trends in software supply chain attacks, where threat actors aim to poison open-source registries with malicious libraries, including ransomware. Leaked chat logs from the Black Basta group have shown interest in such tactics. The ability to reuse names of removed extensions could be leveraged for sophisticated multi-layer campaigns designed to evade traditional security measures and steal sensitive data.

Recent Malicious Activity

In related incidents, eight malicious npm packages were discovered delivering a Google Chrome browser information stealer targeting Windows systems. These packages, published by users named "ruer" and "npjun," were capable of stealing passwords, credit card details, cryptocurrency wallet data, and user cookies, transmitting them to a specified URL or a Discord webhook. These packages employed up to 70 layers of obfuscated code to unpack a Python payload for data theft and exfiltration.

Experts emphasize the growing importance of adopting secure development practices and proactively monitoring software ecosystems for supply chain threats. Visibility across the entire software supply chain, coupled with rigorous automated scanning, is crucial for mitigating these risks. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.


Sources

  • Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names, The Hacker News.
