Malicious Microsoft VSCode extensions steal passwords, open remote shells

*Content borrowed from

Cybercriminals are starting to target Microsoft’s VSCode Marketplace, uploading three malicious Visual Studio extensions that Windows developers downloaded 46,600 times.

According to Check Point, whose analysts discovered the malicious extensions and reported them to Microsoft, the malware enabled the threat actors to steal credentials, system information, and establish a remote shell on the victim’s machine.

The extensions were discovered and reported on May 4, 2023, and they were subsequently removed from the VSCode marketplace on May 14, 2023.

However, any software developers still using the malicious extensions must manually remove them from their systems and run a complete scan to detect any remnants of the infection.

Malicious cases on the VSCode Marketplace

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by a significant percentage of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application’s functionality and provide more customization options.

The malicious extensions discovered by Check Point researchers are the following:

‘Theme Darcula dark’ – Described as “an attempt to improve Dracula colors consistency on VS Code,” this extension was used to steal basic information about the developer’s system, including hostname, operating system, CPU platform, total memory, and information about the CPU.

While the extension did not contain other malicious activity, it is not typical behavior associated with a theme pack.

This extension had the most circulation by far, downloaded over 45,000 times.

Darcula extension on the VSCode Marketplace
Darcula extension on the VSCode Marketplace (Check Point)

‘python-vscode’ – This extension was downloaded 1,384 times despite its empty description and uploader name of ‘testUseracc1111,’ showcasing that having a good name is enough to garner some interest. 

Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim’s machine.

Obfuscated C# code injector
Obfuscated C# code injector (Check Point)

‘prettiest java’ – Based on the extension’s name and description, it was likely created to mimic the popular ‘prettier-java‘ code formatting tool.

In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

The extension has had 278 installations.

Searching for local secrets
Searching for local secrets (Check Point)

Check Point also found multiple suspicious extensions, which could not be characterized as malicious with certainty, but demonstrated unsafe behavior, such as fetching code from private repositories or downloading files.

Software repositories come with risk

Software repositories allowing user contributions, such as NPM and PyPi, have proven time and time again to be risky to use as they have become a popular target for threat actors.

While VSCode Marketplace is just starting to be targeted, AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.

The cases discovered by Check Point demonstrate that threat actors are now actively attempting to infect Windows developers with malicious submissions, precisely like they do in other software repositories such as the NPM and PyPI.

Users of the VSCode Marketplace, and all user-supported repositories, are advised to only install extensions from trusted publishers with many downloads and community ratings, read user reviews, and always inspect the extension’s source code before installing it.

Related Articles:

The new info-stealing malware operations to watch out for

Facebook disrupts new NodeStealer information-stealing malware

New Atomic macOS info-stealing malware targets 50 crypto wallets

EvilExtractor malware activity spikes in Europe and the U.S.

Typhon info-stealing malware devs upgrade evasion capabilities