VSCode Marketplace could be used to host malware extensions

Researchers discovered that it was easy to download malicious Visual Studio Code extensions via the VSCode Marketplace. They also found signs that threat actors were already taking advantage of this vulnerability.

Visual Studio Code (VSC), a Microsoft-published source-code editor, is used by professional software developers around the world.

Microsoft has an extension market called the VSCode Marketplace for its IDE. This marketplace offers extensions that enhance the functionality of the application and more customization options.

These extensions are downloaded millions upon millions, and malicious actors might quickly be able to fool the platform.

The extensions can run on infected computers with a user’s privileges. They are able to use the developer’s SSH key for access to connected GitHub repositories.

A new report from shows that it is quite easy to upload malicious extension to Microsoft’s Visual Studio Code Marketplace. They have also found some extensions very suspect.

Distribution of malicious extensions

AquaSec’s experiment to upload a malicious extension on the VSCode marketplace saw them “typosquat,” a well-known code formatting extension called ” .” It has been downloaded more than 27 million times.

They discovered that the original extension could be reused’s description and logo, and they were able to give the extension the exact same name.

The real extension (left) and fake extension (right)


Publishers are permitted to use the property ‘displayName’. This means that the name of an add-on on the market page does not have to be unique.

AquaSec discovered that the section displaying GitHub stats in project details is automatically updated from GitHub. The publisher has the ability to edit stats at will, and can modify them as needed. This creates the impression of an active project that has a history of significant development.

The fake extension was not able to have the same amount of downloads or rank in search engines, however, the researchers were able replicate the authentic extension’s GitHub name, last commit times and open issues.

Our fake extension will be downloaded by a growing number of users over time. The extension will grow in credibility as these numbers increase,” AquaSec researchers explained.

Additionally, the dark internet allows you to buy various services. An extremely determined attacker might manipulate the numbers and purchase services that would increase the stars or downloads.

The analysts found that the verification badge displayed on the platform is meaningless as every publisher who has purchased any domain receives the blue tick when they prove their ownership. It doesn’t have to relate to the software project.

AquaSec’s proof-of-concept extension (PoC), was installed by more than 1,500 developers in less than 48 hours.

Map of developers who downloaded the fake extension


Existing suspicious VSCode extensions

AquaSec proved it is possible to duplicate popular extensions from VSCode Marketplace. It also discovered suspicious examples that were already posted to the marketplace.

These extensions were named “API Generator Plugin” and “code-tester” respectively. They sent HTTP requests every 30 seconds to an external URL and executed the response with the “eval() function.

Part of the ‘code-tester’ code


The information was exchanged over HTTP. It wasn’t encrypted so the traffic of the developers could be hacked.

The domain was hosted on an IP address that has a long history of distributing malicious files according to VirusTotal, ranging from VBS and PowerShell scripts and Windows, Linux, and Android malware.

AquaSec submitted both extensions to Microsoft. However, they are still available on the market at the time this article was written.

The VSCode Marketplace is open to abuse

Researchers warn that although Visual Studio Code Extensions have been subject to little security research, threats actors continue to seek new ways of breaching corporate networks.

The threat of malicious extensions to VSCodes is real. AquaSec concludes that this threat of malicious VSCode extensions has not received enough attention in the past because it isn’t known if any campaigns have had a significant impact.

However, hackers are always looking to improve their techniques to allow them to execute malicious code within the organizations.

AquaSec claims that Microsoft offers extensions marketplaces for Azure DevOps and Visual Studio that are vulnerable to malicious extension.

Threat actors are known to perform campaigns on package repositories such as NPM or PyPi. It is not surprising that they will soon turn their attention on Microsoft marketplaces.

This is why code developers who use VSCode extensions should be vigilant about their add-ons before installing them onto production machines.