Researchers demonstrate a thousand installs of fake VS Code extension in 48 hours

Researchers at Aqua Security have shown how easy it is to distribute an extension to Visual Studio Code (VS Code) that masquerades as a popular add-on but in fact comes from an untrusted source.

VS Code is the most popular development tool globally thanks in part to the huge range of extensions available, and developers rely on extensions to customize the editor to their requirements. These extensions most often come from the VS Code Marketplace, which is integrated into the editor. Developers can find and install extensions, via the Marketplace, from within VS Code itself. Typically they might type a search word such as “Rust” or “Svelte”, which returns a list of matching extensions showing the number of times they have been downloaded and the user rating.

There are several features which help to protect developers from malicious extensions. First, Microsoft gives its assurance that a “virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won’t be published in the Marketplace for public usage.”

In addition, there is some effort to prevent name squatting, where a publisher name is deliberately similar to a well-known one. Developers can also observe whether an extension has a blue tick, meaning that the publisher has verified ownership of a web domain.

All of these are helpful features, yet the Aqua researchers claim that “it’s a challenge even for security-aware developers to distinguish between malicious and benign extensions.” They note several points to back up the claim:

  • Anyone can register as an extension publisher even using a new throwaway email address
  • The extension name and publisher name for an extension do not have to be unique but can copy the name of an existing one. In the example given, the researchers published an extension called Pretier which displayed as Prettier, the same name as a popular code formatting add-on.
  • The blue tick for a publisher only proves ownership of a domain. “A publisher could buy any domain and register it to get that verified check mark,” say the researchers.
  • The number of downloads and reviews is useful but these things can be scripted and faked in order to achieve respectable-looking figures.

The Aqua team failed to show that a malicious extension could get past Microsoft’s virus checkers, but did succeed in getting a fake version of Prettier installed over 1,000 times in 48 hours. The success of the fake was thanks to its use of a common misspelling. If a developer carelessly searched for Pretier, the fake extension was the only search result.
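One defensive check the points above suggest, as an added example that is not from the article or from Aqua's research: audit the manifests of installed extensions against an allowlist keyed by Marketplace ID (publisher.name), since only the ID is unique, and flag both display-name collisions and near-miss names such as "pretier". The allowlist entry and the sample manifests are constructed for illustration.

```python
# Added example (not from the article or Aqua): audit installed VS Code
# extension manifests against an allowlist of expected extension IDs.
# A manifest (package.json) carries "publisher", "name" and "displayName";
# the Marketplace ID is "<publisher>.<name>". Only the ID is unique, so a
# display name must never be trusted on its own.

# Assumed allowlist, maintained by you: Marketplace ID -> expected display name.
TRUSTED = {
    "esbenp.prettier-vscode": "Prettier - Code formatter",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names such as 'pretier'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extension_id(manifest: dict) -> str:
    return f"{manifest['publisher']}.{manifest['name']}".lower()

def audit(manifests, trusted=TRUSTED, max_dist=2):
    """Return {extension_id: verdict} for each installed manifest."""
    trusted_names = {v.lower(): k for k, v in trusted.items()}
    findings = {}
    for m in manifests:
        ext_id = extension_id(m)
        shown = m.get("displayName", m["name"]).lower()
        if ext_id in trusted:
            findings[ext_id] = "ok"
        elif shown in trusted_names:  # same display name, different ID
            findings[ext_id] = f"display name collides with {trusted_names[shown]}"
        else:  # name within a couple of edits of a trusted name is suspicious
            near = [t for t in trusted
                    if levenshtein(t.split(".", 1)[1], m["name"].lower()) <= max_dist]
            findings[ext_id] = f"lookalike of {near[0]}" if near else "not in allowlist"
    return findings

# Constructed sample manifests; the second mimics the fake described in the article.
SAMPLE = [
    {"publisher": "esbenp", "name": "prettier-vscode", "displayName": "Prettier - Code formatter"},
    {"publisher": "newpublisher", "name": "pretier", "displayName": "Prettier - Code formatter"},
    {"publisher": "someone", "name": "prettier-vscod", "displayName": "Formatter"},
    {"publisher": "rust-lang", "name": "rust-analyzer", "displayName": "rust-analyzer"},
]

if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE).items():
        print(f"{ext}: {verdict}")
```

On a real machine the manifests come from the package.json files under the extensions directory; the allowlist should be pinned per team rather than trusting whatever the Marketplace search returns first.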

VS Code extensions run with the same privileges as the user, so there is plenty of potential for damage if a malicious extension were installed.

The heart of the problem is that, as with the big package repositories like NPM or PyPI, having a human check every submission is too costly, so checks have to be automated; in principle a bad extension might be downloaded thousands of times before someone complained and it was taken down. Microsoft does have a “kill list” so that, once an extension is known to be malicious, uninstallation is automatic.

Package repositories are frequently in the public eye because of the risks of bad dependencies, but developer add-ons much less so, perhaps because the installation process is more visible and a vigilant coder is more likely to spot a problem. The potential for harm is real, though, and this report shows weaknesses in the protections currently in place.