A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.
They made themselves the extensions.
If you are talking about the other reverse shell, it hit a local IP address.
True, it’s a private (not local) IP. It could easily have connected to a remote system, as their proof-of-concept did.
This code execs
cmd.exe
and pipes output to and from a hardcoded IP. That’s pretty weird. What’s running on that IP? How does the extension know something is there?It looks like VS Code has no review — human or automated — or enforced entitlement system that would have stopped this or at least had someone verify it was legit.
Thing is, tons of code extensions have an RCE in one form or another, but they always hit a localhost, or configurable IP. How do there automated analysis did any difference ?
Tons of extensions summon the cmd to summon the language devtools, their automated analysis flagged tons of package and they infer millions of infeections from that.
Since I read this I can’t stop picturing you as Peter Lorre lmao.
Damn now I noticed i did tons of mistake/types there ^^'.