Visual Studio Code Extension with 9 Million Installs Attacks Developers with Malicious Code
Information:
VS Code (Visual Studio Code) is a source-code editor, often simply called a programming tool. It is a small but highly efficient editor, suitable for developers at all levels, from beginners to professionals. It supports Windows, macOS and Linux, as well as many languages such as JavaScript, TypeScript, Python, C++ and others. It is easy to use and has many extensions and tools that make working with it easier.
Incident :
Microsoft has removed two widely-used Visual Studio Code (VS Code) extensions, “Material Theme Free” and “Material Theme Icons Free,” from its marketplace after cybersecurity researchers discovered malicious code embedded within them.
These extensions, developed by Mattia Astorino (also known as equinusocio), had amassed nearly 9 million installations combined, with Astorino’s total extension downloads exceeding 13 million.
The investigation revealed that the malicious code was likely introduced through a compromised dependency or during a recent update.
This suggests a possible supply chain attack or unauthorized access to the developer’s account.
The analysis revealed heavily obfuscated JavaScript code in the extensions, which included references to usernames and passwords, although the exact purpose of this code remains unclear.
Threat actors often exploit open-source platforms like VS Code Marketplace to distribute harmful code under the guise of legitimate extensions.
In this case, developers who installed these compromised extensions may have unknowingly exposed sensitive information or systems to potential breaches.
Solution :
To mitigate risks, developers are advised to uninstall all extensions published by equinusocio, including:
This incident highlights the importance of scrutinizing third-party dependencies, maintaining robust supply chain security practices, and avoiding extensions with suspicious or obfuscated code.
The important thing is security: we must stay vigilant and keep monitoring as usual.
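As a practical check for the advice above (an added example, not code from the original bulletin or from VS Code): a small Python script that audits a VS Code extensions.json file, or the output of `code --list-extensions --show-versions`, and flags every installed extension whose publisher is equinusocio. The extension IDs in the sample data are constructed; the file location ~/.vscode/extensions/extensions.json is an assumption about where VS Code keeps its extension registry on Linux/macOS.

```python
import json
from pathlib import Path

# Publisher named in the advisory above; every extension they published should be removed.
BLOCKED_PUBLISHERS = {"equinusocio"}


def parse_extensions_json(text):
    """Parse the ~/.vscode/extensions/extensions.json format: a JSON array whose entries
    carry identifier.id = "publisher.name". Malformed input yields an empty list and
    malformed entries are skipped, so one odd record cannot hide the rest."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError:
        return []
    records = []
    for entry in (entries if isinstance(entries, list) else []):
        ident = entry.get("identifier") if isinstance(entry, dict) else None
        ext_id = ident.get("id") if isinstance(ident, dict) else None
        if isinstance(ext_id, str) and "." in ext_id:
            records.append({"id": ext_id.lower(), "version": str(entry.get("version", ""))})
    return records


def parse_list_output(text):
    """Parse `code --list-extensions --show-versions` output: one "publisher.name@version" per line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if "." in line:
            ext_id, _, version = line.partition("@")
            records.append({"id": ext_id.lower(), "version": version})
    return records


def flag_blocked(records, blocked=BLOCKED_PUBLISHERS):
    """Return sorted IDs whose publisher (the part before the first dot) is blocklisted."""
    blocked = {b.lower() for b in blocked}
    return sorted({r["id"] for r in records if r["id"].split(".", 1)[0] in blocked})


def audit_extensions_json(path):
    """Audit a real registry file, e.g. Path.home() / ".vscode/extensions/extensions.json"."""
    return flag_blocked(parse_extensions_json(Path(path).read_text(encoding="utf-8")))


# Constructed sample, not a real capture: the extension names are hypothetical, only the publisher is real.
SAMPLE_JSON = json.dumps([
    {"identifier": {"id": "Equinusocio.example-theme"}, "version": "1.2.3"},
    {"identifier": {"id": "equinusocio.example-icons"}, "version": "4.5.6"},
    {"identifier": {"id": "ms-python.python"}, "version": "2024.22.0"},
    {"unexpected": True},
])
SAMPLE_LIST = "ms-python.python@2024.22.0\nEquinusocio.example-theme@1.2.3\n"

if __name__ == "__main__":
    print("flagged:", flag_blocked(parse_extensions_json(SAMPLE_JSON)))
```

Any ID the script flags should be uninstalled with `code --uninstall-extension <id>` and the machine checked for leaked credentials, since the obfuscated code referenced usernames and passwords.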
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)
References :
Weekly Interesting CVE

| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-21532 | 21/1/2025 | 25/2/2025 | Oracle | Local Privilege Escalation | 7.8 | Vulnerability in the Oracle Analytics Desktop product of Oracle Analytics (component: Install). Supported versions that are affected are prior to 8.1.0. Easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Oracle Analytics Desktop executes to compromise Oracle Analytics Desktop. Successful attacks of this vulnerability can result in takeover of Oracle Analytics Desktop. | Upgrade to version 8.1.0. | https://vuldb.com/?id.292854 |
| 2 | CVE-2025-25746 | 12/2/2025 | 24/2/2025 | D-Link | Stack-based overflow | 9.8 | D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetWanSettings module. | Upgrade the firmware to the latest version. | |
| 3 | CVE-2025-24989 | 19/2/2025 | 24/2/2025 | Microsoft | Access control | 8.2 | An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network, potentially bypassing the user registration control. | This vulnerability has already been mitigated. | https://vuldb.com/?id.296331 |
| 4 | CVE-2025-1756 | 27/2/2025 | 27/2/2025 | MongoDB | Privilege escalation | 7.5 | mongosh may be susceptible to local privilege escalation under certain conditions, potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules. | Upgrade to version 2.3.0. | https://jira.mongodb.org/browse/MONGOSH-2028 |
| 5 | CVE-2025-0975 | 28/2/2025 | 28/2/2025 | IBM | Code execution | 8.8 | IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters. | 9.1 LTS: upgrade to 9.1.0.27. | |
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | 'Silver Fox' APT Skirts Windows Blocklist in BYOVD Attack | 26/02/2025 | Privilege Escalation & Defense Evasion, BYOVD, Payload: Gh0stRAT Malware | A Chinese cybercriminal group known as "Silver Fox" has exploited a vulnerability in the Truesight.sys driver, which is associated with Adlice's RogueKiller anti-malware utility. Although Microsoft has a block list for vulnerable drivers, due to a bug in the TBS hash specification, version 2.0.2 of this driver was not blocked. As a result, the Silver Fox group was able to use this driver in a Bring Your Own Vulnerable Driver (BYOVD) attack that disables security software and installs the Gh0stRAT malware on the victim's device. | |

Ref: https://www.darkreading.com/cyber-risk/silver-fox-byovd-attack-windows-blocklist
18 March 2025