Researchers warn, “The numbers show that there are numerous extensions in the Visual Studio Code marketplace that pose risks to organizations.”
“VSCode extensions are an abused and exposed attack vector, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and warrants the attention of the security community.”
All malicious extensions detected by the researchers have been responsibly reported to Microsoft for removal. However, as of the time of writing, the vast majority of these extensions are still available for download from the VSCode Marketplace.
The researchers plan to release their “ExtensionTotal” tool next week, along with detailed information on its operational capabilities, as a free tool to help developers scan their environments for potential threats.
BleepingComputer has contacted Microsoft to ask if they plan to reassess the security of the Visual Studio Marketplace. However, we have not received a response as of the time of publication.