

Ethical Hacking News

Malicious Code Hidden Within Popular VSCode Extensions: A Supply-Chain Threat



A recent discovery has revealed that malicious code was hidden within popular Visual Studio Code (VSCode) extensions, posing a significant threat to the developer community. The incident highlights the need for developers to be vigilant and take steps to protect themselves against supply-chain attacks.

  • 19 VSCode extensions contained malicious code hidden within their dependency folders.
  • The malicious code sat in the bundled 'node_modules' folder of each extension, so VSCode did not fetch those dependencies from the npm registry at install time.
  • A variation of a popular npm package ('path-is-absolute') was used to execute automatically when starting the VSCode IDE.
  • All affected extensions have been removed from the VSCode Marketplace.
  • Users who installed the extensions are advised to scan their system for signs of compromise.



Malicious code has been found hidden within popular Visual Studio Code (VSCode) extensions, posing a significant threat to the developer community. The malicious activity was uncovered by ReversingLabs, a company specializing in file and software supply-chain security.

According to ReversingLabs, 19 VSCode extensions, all published with version number 1.0.0, contained malicious code hidden within their dependency folders. The malicious activity was discovered recently, and it is believed that the operator used a malicious file posing as a PNG image.

The malicious code was found in the 'node_modules' folder of each extension; because the dependencies were bundled, VSCode did not fetch them from the npm registry when installing the extension. Inside the bundled folder, an additional class was added to the 'index.js' file that executed automatically when starting the VSCode IDE.

The malicious code was discovered to be a variation of a massively popular npm package called 'path-is-absolute,' which has been downloaded over 9 billion times since 2021. However, the weaponized version existed only in the 19 extensions used in the campaign.

ReversingLabs reported the malicious activity to Microsoft, and BleepingComputer confirmed that all of the affected extensions have been removed from the VSCode Marketplace. However, users who installed the extensions are advised to scan their system for signs of compromise.

The discovery highlights the need for developers to inspect packages before installation, especially when the source is not a reputable publisher. It also emphasizes the importance of carefully combing through the dependencies bundled with VSCode extensions, which ship their own 'node_modules' folder rather than pulling packages from a trusted registry as npm does.

In light of this incident, it is essential for developers to be vigilant and take steps to protect themselves against supply-chain attacks. This can be achieved by regularly updating software, installing packages only through reputable package managers and registries, and keeping all dependencies up-to-date.

Furthermore, the incident serves as a reminder of the importance of having robust security measures in place within software development communities. It highlights the need for effective threat detection and response mechanisms that identify and mitigate security threats before they can be exploited.

In conclusion, the discovery of malicious code hidden within popular VSCode extensions is a significant concern that underscores the importance of supply-chain security in the developer community. As developers, it is crucial that we take proactive steps to protect ourselves against such threats and ensure that our software development workflows are secure and reliable.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-Code-Hidden-Within-Popular-VSCode-Extensions-A-Supply-Chain-Threat-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace-extensions-hid-trojan-in-fake-png-file/


  • Published: Thu Dec 11 15:06:20 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
