- Researchers found that removed extension names on the Visual Studio Code Marketplace can be reused by anyone, opening a new attack vector.
- Malicious extensions have been discovered, including some that demand cryptocurrency for file decryption.
- The loophole allows threat actors to reuse names previously linked to removed or malicious extensions, posing supply chain risks.
- Similar vulnerabilities exist in other repositories, such as PyPI, but with additional safeguards not present in Visual Studio Code.
- Eight dangerous npm packages have been identified, capable of stealing browser data and transmitting it to external servers.
Researchers at ReversingLabs have identified a security loophole within the Visual Studio Code (VS Code) Marketplace that lets anyone reuse the names of previously removed extensions. This means attackers can upload malicious extensions with the same name as those that were previously deleted.
According to ReversingLabs, the discovery happened when they spotted a harmful extension named “ahbanC.shiba.” This extension behaves like older ones, such as ahban.shiba and ahban.cychelloworld, which were flagged in March. These extensions download a PowerShell script that targets files in a Windows “testShiba” folder and requests payment in Shiba Inu tokens sent to an unspecified wallet, effectively functioning as ransomware.
Researchers found that while each extension on the VS Code Marketplace needs a unique combination of publisher and extension names, the platform allows reuse of an extension name once it has been deleted from the repository. Researcher Lucija Valentić explained, “The discovery of this loophole exposes a new threat: that the name of any removed extension can be reused, and by anyone. That means that if some legitimate and very popular extension is removed, its name is up for grabs.”
The same issue has appeared in other open-source repositories like Python’s PyPI, where removed package names can be registered by a new user. However, PyPI has a rule that prevents reusing names associated with previously known malicious packages. The Visual Studio Code documentation describes no such safeguard, increasing the risk of supply chain attacks.
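Because the Marketplace keys extensions on the `publisher.name` pair and lets a deleted name be re-registered, a defender can at least audit what is installed locally against a curated list of removed or flagged IDs and catch a flagged name reappearing under a different publisher. The script below is an added example, not code from ReversingLabs or the article; it assumes the input is the text printed by `code --list-extensions --show-versions` (one `publisher.name@version` per line) and uses a constructed sample listing.

```python
"""Audit installed VS Code extensions against flagged extension IDs.

Assumptions (not from the article): the flagged list is maintained by the
defender, and the input is `code --list-extensions --show-versions` output.
"""
from dataclasses import dataclass

# Extension IDs named in the article; a real list would be larger and curated.
FLAGGED_IDS = {"ahban.shiba", "ahban.cychelloworld", "ahbanC.shiba"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.2.1
ahbanC.shiba@0.0.3
someone.cychelloworld@1.0.0
esbenp.prettier-vscode@10.1.0
"""


@dataclass(frozen=True)
class Finding:
    extension_id: str
    version: str
    reason: str


def parse_listing(text):
    """Yield (id, version) pairs; IDs are lowercased because VS Code compares
    extension identifiers case-insensitively."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        yield ext_id.lower(), version or "unknown"


def audit(listing_text, flagged_ids=FLAGGED_IDS):
    flagged = {f.lower() for f in flagged_ids}
    # Bare extension names once attached to a flagged ID: a different publisher
    # shipping the same name is exactly how a removed name gets reused.
    flagged_names = {f.split(".", 1)[1] for f in flagged if "." in f}
    findings = []
    for ext_id, version in parse_listing(listing_text):
        publisher, _, name = ext_id.partition(".")
        if ext_id in flagged:
            findings.append(Finding(ext_id, version, "exact match with a flagged extension ID"))
        elif name in flagged_names:
            findings.append(Finding(ext_id, version,
                                    f"name '{name}' was tied to a flagged extension, now under publisher '{publisher}'"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f.extension_id}@{f.version}: {f.reason}")
```

A name-based hit is a prompt to check the publisher's history on the Marketplace, not proof of malice on its own.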
Attacks involving popular development tools are rising. Recent leaks from Black Basta, a ransomware group, show discussions about using open-source package confusion for ransomware attacks. In addition, JFrog researchers have discovered eight malicious npm packages that can exfiltrate sensitive data like passwords and cryptocurrency information from Chrome browsers to remote servers. These packages include toolkdvv, react-sxt, react-typex, react-typexs, react-sdk-solana, react-native-control, revshare-sdk-api, and revshare-sdk-apii.
These npm packages use deeply layered, obfuscated code to hide Python malware that can steal user information. JFrog researcher Guy Korolevski said, “The impact of sophisticated multi-layer campaigns designed to evade traditional security and steal sensitive data highlights the importance of having visibility across the entire software supply chain with rigorous automated scanning and a single source of truth for all software components.”