
Critical Vulnerability Revealed: VS Code Marketplace Allows Repurposing Of Deleted Extensions!
2025-08-28
Author: Daniel
A Troubling Discovery in VS Code Marketplace
Cybersecurity experts have unearthed a disturbing vulnerability in the Visual Studio Code Marketplace, revealing that malicious individuals can revive names of previously deleted extensions, potentially jeopardizing user security.
A Closer Look at the Malicious Extensions
ReversingLabs, a prominent software supply chain security firm, flagged a harmful extension named 'ahbanC.shiba.' This extension mirrors two others—'ahban.shiba' and 'ahban.cychelloworld'—that were identified as threats back in March. All three serve a sinister purpose: they act as downloaders for a PowerShell payload that encrypts files located in a folder named 'testShiba' on unsuspecting victims’ Windows desktops, demanding a ransom in the form of Shiba Inu tokens.
The Name Game: A Crucial Loophole
What’s particularly alarming is how closely the new extension's name resembles the previously flagged ones. The Visual Studio Code guidelines stipulate that each extension name must be unique within the Marketplace—a restriction that appears to stop applying once an extension is removed. ReversingLabs found that 'ahban.shiba' and 'ahbanC.shiba' differ by only a single character in the publisher segment, which was enough for the latter to slip through.
A Pattern of Concern Across Platforms
This isn’t just a problem for Visual Studio Code. Similar vulnerabilities were noticed in Python's Package Index (PyPI), where deleting a package effectively opens its name for anyone else to claim, provided they tweak the distribution file names. Notably, PyPI does impose restrictions on names linked to malicious packages, a safeguard that Visual Studio Code currently lacks.
A Growing Threat to Software Supply Chains
As indicated by leaked communications from the notorious Black Basta group, threat actors are actively working to corrupt open-source repositories with ransomware that can deceive naive users into installing them. Valentić emphasizes the risk: 'This loophole enables anyone to reclaim the name of any removed extension, including those that were popular and trusted.'
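As an added illustration (not code from ReversingLabs or this article) of the defensive check the loophole suggests: pin the full publisher.name ID of each approved extension, then audit what is installed, flagging a pinned name that now resolves to a different publisher and publishers one character away from a pinned one, the 'ahban' versus 'ahbanC' pattern described above. All extension IDs in the sample are constructed.

```python
"""Audit installed VS Code extension IDs against a pinned allowlist."""

def split_extension_id(ext_id: str) -> tuple[str, str]:
    """Split 'publisher.name' into lowercase (publisher, name)."""
    publisher, _, name = ext_id.partition(".")
    return publisher.lower(), name.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character publisher lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_extensions(installed, pinned, max_distance=1):
    """Return (extension_id, reason) pairs for installed IDs that reuse a pinned
    extension's name under another publisher, or whose publisher is within
    max_distance edits of a pinned publisher."""
    pinned_names = {}  # name -> set of publishers we pinned for that name
    for ext_id in pinned:
        pub, name = split_extension_id(ext_id)
        pinned_names.setdefault(name, set()).add(pub)
    pinned_publishers = {split_extension_id(e)[0] for e in pinned}
    findings = []
    for ext_id in installed:
        pub, name = split_extension_id(ext_id)
        if pub in pinned_publishers:
            continue  # publisher itself is pinned; nothing to flag
        if name in pinned_names:
            findings.append((ext_id, "pinned extension name under a different publisher"))
            continue
        for known in sorted(pinned_publishers):
            if edit_distance(pub, known) <= max_distance:
                findings.append((ext_id, f"publisher resembles pinned publisher '{known}'"))
                break
    return findings

# Constructed sample, mirroring the 'ahban' vs 'ahbanC' pattern from the report.
PINNED = ["trusted-pub.widget-tool"]
INSTALLED = [
    "trusted-pub.widget-tool",   # exact pinned ID, not flagged
    "trusted-pubC.widget-tool",  # same name, lookalike publisher
    "other.widget-tool",         # same name, unrelated publisher
    "trusted-pubC.helper",       # lookalike publisher, new name
    "unrelated.thing",           # nothing to flag
]
```

Run `audit_extensions(INSTALLED, PINNED)` to get the three flagged IDs with their reasons; the exact pinned ID and the unrelated one are not reported.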
Alert: New Malicious npm Packages
In tandem with this revelation, eight new malicious npm packages have surfaced, delivering an information stealer targeting Google Chrome on Windows systems. These packages, registered by users ruer and npjun, utilize convoluted layers of obfuscated code to unleash a Python payload designed for data theft.
Strengthening Security Must Be a Priority
JFrog security researcher Guy Korolevski underscores the seriousness of the situation: 'Open-source software repositories are becoming primary attack vectors, with threats ranging from typosquatting to more sophisticated disguise tactics.' As the threat landscape evolves, it becomes imperative for organizations and developers to fortify their development practices and maintain vigilant oversight of their software supply chains.