this post was submitted on 01 Mar 2025
21 points (100.0% liked)

VS Code

[–] [email protected] 2 points 3 hours ago

There must be dozens of malicious extensions. I'm honestly surprised we haven't seen it more. Chrome extensions get sold to shady people all the time; I would have thought VSCode extensions are even higher value targets.

[–] [email protected] 3 points 6 hours ago

What are the malicious behaviours? The article is very vague.

[–] [email protected] 20 points 10 hours ago (4 children)

'Material Theme – Free' and 'Material Theme Icons – Free'

[–] [email protected] 7 points 9 hours ago (1 children)

"We just had an outdated sanity.io dependency used since 2016 to show release notes from sanity headless CMS, that was the only issue they found."

"That dependency has been there since 2016 and passed every check since then, now it looks compromised but NO ONE from Microsoft reached us to remove it. They just pulled down everything causing issues to millions of users, and causing a loop in vscode (yep, it's their fault)"

If the dependency has been compromised then extensions that use that dependency and ship compromised code are also compromised. It's a transitive property if it ships bad code.

With that in mind Microsoft yoinking the extension from the marketplace and user devices seems reasonable. But what was the "loop" they mention?
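
The transitive point above is mechanical enough to check: if a flagged package sits anywhere in an extension's dependency tree, every chain from the extension root down to it is a chain that ships that code. The script below is an added example, not code from the thread, from Microsoft, or from the Material Theme project. It assumes a lockfile in the npm v2/v3 shape (a `packages` map keyed by `node_modules/...` paths), collapses entries by package name (so nested copies of the same name are merged, which is an assumption that is fine for name-level flagging but loses version detail), and uses a constructed lockfile with hypothetical package names; nothing here is the real extension's dependency tree.

```javascript
// Added example (not from the thread or the extension). Walks an npm-style
// lockfile and reports every dependency chain from the extension root to a
// flagged package name, i.e. the "transitive" exposure discussed above.

// Constructed, hypothetical lockfile in npm lockfileVersion 3 shape.
// Package names are made up for illustration.
const SAMPLE_LOCK = {
  name: "example-theme-extension",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-theme-extension",
      dependencies: { "cms-release-notes-client": "^0.1.0", "color-util": "^2.0.0" },
    },
    "node_modules/cms-release-notes-client": {
      version: "0.1.4",
      dependencies: { "release-notes-fetch": "^1.0.0" },
    },
    "node_modules/release-notes-fetch": { version: "1.0.2" },
    "node_modules/color-util": { version: "2.3.0" },
  },
};

// Build a flat name -> { dependencies } graph from the lockfile's packages map.
// Assumption: entries are merged by package name (nested node_modules copies
// of the same name share one node), which is enough for name-level flagging.
function graphFromLockfile(lock) {
  const graph = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const marker = "node_modules/";
    const name = path === ""
      ? (entry.name || lock.name)
      : path.slice(path.lastIndexOf(marker) + marker.length); // keeps "@scope/name"
    if (!graph[name]) graph[name] = { dependencies: {} };
    Object.assign(graph[name].dependencies, entry.dependencies || {});
  }
  return graph;
}

// Depth-first search from `root`; returns every acyclic path that ends at
// `flagged`. Each path is the chain of packages that carries the flagged code.
function findPathsTo(graph, root, flagged) {
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return; // cycle guard for circular dependencies
    const path = [...trail, name];
    if (name === flagged) {
      paths.push(path);
      return;
    }
    const deps = (graph[name] && graph[name].dependencies) || {};
    for (const child of Object.keys(deps)) walk(child, path);
  };
  walk(root, []);
  return paths;
}

// True when the root ships the flagged package through at least one chain.
function isTransitivelyAffected(graph, root, flagged) {
  return findPathsTo(graph, root, flagged).length > 0;
}

// Usage: print each chain so a reviewer can see which direct dependency
// pulled the flagged package in.
const graph = graphFromLockfile(SAMPLE_LOCK);
for (const chain of findPathsTo(graph, SAMPLE_LOCK.name, "release-notes-fetch")) {
  console.log(chain.join(" -> "));
}
```

Pointing this at a real extension means loading its `package-lock.json` with `JSON.parse` in place of `SAMPLE_LOCK`; the root name in the lockfile's `""` entry is the extension itself, and any chain the script prints is a chain through which the flagged package ends up in the published `.vsix`.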

[–] [email protected] 7 points 6 hours ago (1 children)

But what was the “loop” they mention?

The linked issue comment has the info about it

Letting you know that VSCode is unable to uninstall the extension. It prompts me to uninstall, but when I confirm the window refreshes and the extension is still there, triggering the same "is problematic" prompt. This is an infinite loop. Same behavior when trying to uninstall the usual way from the extensions panel.

[–] [email protected] 3 points 6 hours ago

Well that's not ideal.

[–] [email protected] 2 points 9 hours ago* (last edited 9 hours ago)

Breaking: software with "free" in the name turns out to be malicious

[–] [email protected] 2 points 9 hours ago

Thank you :)

[–] [email protected] 1 points 6 hours ago

lol, release-notes.js - obfuscated; at first I thought it was the release notes data or content, but maybe it's the logic for displaying it?

Outdated sanity-io dependency somehow led to compromise? I still don't get how. It wouldn't suddenly integrate something else. Does it source data from elsewhere during build, and that was compromised too? Does it call into the web for no reason in the first place?

Either way, it's an issue of their integration. Claiming "it's not an issue in our extension" while shipping compromised code is just wrong.

Obfuscating their index.js theme logic because it's closed source may seem fine if they're trustworthy, but with this violation and breach, that trust is gone.