- Security researchers found malicious code hidden in two VSCode extensions
- Microsoft quickly removed them and notified users
- The developer criticized Microsoft’s move, saying that they were never consulted
Microsoft has removed two popular VSCode extensions from its marketplace after malicious code was found hidden inside. However, the original developers do not seem to be guilty, and have criticized Microsoft for its harsh reaction that, they claim, caused more harm than good.
Two security researchers, Amit Assaraf and Itay Kruk, used a specialized scanner to analyze extensions in the Visual Studio marketplace and found obfuscated malicious code in “material theme – free” and “icons of materials: free”, two extensions built by Astorino Mattia (AKA Equinusocio).
BleepingComputer analyzed parts of the code and said that in the “Release-Notes.JS” files in question there was “heavily obfuscated JavaScript, which is always a red flag in open source software”. Apparently, they managed to partially deobfuscate the code, which “showed numerous references to usernames and passwords”, but could not determine the context in which they were mentioned.
Microsoft’s move
Assaraf added that the malicious code was probably added in an update, suggesting that either the developer’s account was compromised or the malware was added through a supply chain attack.
Since the two extensions have approximately nine million downloads combined, Microsoft’s reaction was rapid: “Microsoft removed both extensions from the VS Code marketplace and banned the developer,” said a Microsoft employee on Y Combinator’s Hacker News.
“A community member conducted a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this. Our security researchers at Microsoft confirmed this claim and found additional suspicious code.”
“We banned the publisher from the VS Marketplace, removed all their extensions and uninstalled them from all VS Code instances that have this extension running. For clarity: the removal had nothing to do with copyright/licenses, only with the potential malicious intent.”
Astorino recognized the findings, but also criticized Microsoft for not communicating with him first:
“Nothing harmful was sent within Material Theme,” Astorino said in a post on Microsoft’s vsmarketplace repository. “We just had an obsolete sanity dependency.
“That dependency has been there since 2016 and passed every check since then, now it seems compromised, but nobody from Microsoft contacted us to remove it. They simply tore everything down, causing problems for millions of users and causing a loop in VSCode (yes, it is their fault).”
“They broke everything without reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that this is how Microsoft operates. We also send an obfuscated index file that contains all the theme commands and logic. It is obfuscated because the extension is now closed source; however, if you remove it, the extension still functions with JSON.”
In an even faster countermove, Astorino completely rewrote the extension without dependencies, and called it “Strip themes”, but Microsoft supposedly removed that too.
Via BleepingComputer