Researchers Discover Vulnerability in VS Code That Enables Attackers to Reissue Deleted Extensions Using Identical Names

Cybersecurity researchers have uncovered a significant loophole in the Visual Studio Code Marketplace that enables threat actors to reuse names of previously removed extensions. Software supply chain security firm ReversingLabs made this discovery after identifying a malicious extension named “ahbanC.shiba,” which operates similarly to two other flagged extensions, “ahban.shiba” and “ahban.cychelloworld.” All three extensions function as downloaders, retrieving a PowerShell payload that encrypts files in a folder called “testShiba” on the victim’s Windows desktop, demanding a Shiba Inu token as ransom. The researchers noted that the new extension’s name was nearly identical to one of the previously identified extensions, prompting further investigation into how such name reuse was possible despite Visual Studio Code’s documentation stipulating that each extension must have a unique ID.

Lucija Valentić, a security researcher, found that the loophole allows the reuse of extension names once they are removed from the repository, although this does not apply if an author unpublishes an extension. This issue is not isolated to Visual Studio Code; a similar situation exists within the Python Package Index (PyPI), where deleted package names can be reclaimed by other users, provided the distribution file names differ. However, PyPI has implemented restrictions to prevent the reuse of names associated with malicious packages, a safeguard that Visual Studio Code currently lacks. The ongoing development of these malicious extensions highlights the need for organisations and developers to adopt secure development practices and actively monitor open-source ecosystems to mitigate the risks posed by such threats. 
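Because a removed extension's name can be reissued, and because the malicious extension reported above differed from an earlier one by a single character ("ahbanC.shiba" versus "ahban.shiba"), an organisation's check on installed extensions should go beyond "is this ID on our list". The following Python script is an added example, not code from the article, ReversingLabs or Microsoft: it parses the text that `code --list-extensions --show-versions` prints (one `publisher.name@version` per line), flags the three extension IDs the article names as malicious, and reports any other installed ID that is a near-miss of a trusted or a known-bad name. The sample listing, the allowlist and the 0.85 similarity threshold are constructed for the example.

```python
"""Audit installed VS Code extensions against an allowlist and known-bad IDs.

Added example, not ReversingLabs' or Microsoft's code. It reads the text that
`code --list-extensions --show-versions` prints (one publisher.name@version per
line); the sample listing, the allowlist and the similarity threshold are
constructed/assumed for this example.
"""
import re
from difflib import SequenceMatcher

# Extension IDs the article names as malicious downloaders.
KNOWN_MALICIOUS = {"ahban.shiba", "ahban.cychelloworld", "ahbanC.shiba"}

# Assumed organisational allowlist of reviewed extension IDs.
ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
ahbanC.shiba@0.0.2
ms-python.pyhton@1.0.0
"""

EXT_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")


def parse_listing(text):
    """Turn 'publisher.name@version' lines into a list of (id, version)."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXT_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line in listing: {line!r}")
        found.append((m.group("id"), m.group("version")))
    return found


def closest_id(ext_id, reference_ids, threshold=0.85):
    """Return (reference_id, ratio) for the most similar reference ID at or
    above threshold, comparing case-folded strings; None if nothing is close."""
    target = ext_id.casefold()
    best, best_ratio = None, 0.0
    for ref in sorted(reference_ids):
        ratio = SequenceMatcher(None, target, ref.casefold()).ratio()
        if ratio > best_ratio:
            best, best_ratio = ref, ratio
    return (best, best_ratio) if best_ratio >= threshold else None


def classify(ext_id, allowlist=ALLOWLIST, known_bad=KNOWN_MALICIOUS):
    """Label one installed extension ID.

    Exact IDs are checked first; anything else is compared against both lists
    so that a near-miss of a trusted name, or a lookalike of a removed
    malicious name, is surfaced instead of passing silently as 'unreviewed'.
    """
    if ext_id in known_bad:
        return "known-malicious"
    if ext_id in allowlist:
        return "allowed"
    near = closest_id(ext_id, allowlist | known_bad)
    if near:
        return f"lookalike:{near[0]}"
    return "unreviewed"


def audit(listing_text):
    """Map every installed extension ID to its classification."""
    return {ext_id: classify(ext_id) for ext_id, _version in parse_listing(listing_text)}


if __name__ == "__main__":
    for ext_id, verdict in audit(SAMPLE_LISTING).items():
        print(f"{verdict:32} {ext_id}")
```

Run it against real output by piping `code --list-extensions --show-versions` into `audit()`; anything labelled `known-malicious` or `lookalike:` deserves a look before the next sync, and `unreviewed` IDs are candidates for the allowlist once reviewed. The exact-match check comes first so that an allowlisted name is never reported as a lookalike of itself, and the comparison is case-folded so a single changed letter case does not slip past.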

Categories: Cybersecurity Vulnerabilities, Software Supply Chain Security, Malicious Software Development 

Tags: Visual Studio Code, Marketplace, Malicious Extension, PowerShell Payload, Ransomware, Software Supply Chain, Threat Actors, Open-Source Registries, Security Practices, Extension Reuse 
