- Security researchers found malicious code hiding in two VS Code extensions
- Microsoft quickly pulled them and notified users
- The developer criticized Microsoft's decision, saying he had never been consulted
Microsoft has pulled two popular VS Code extensions from its marketplace after finding malware hiding inside. However, the original developer does not appear to be the culprit, and he criticized Microsoft for a heavy-handed reaction which, in his view, caused more harm than good.
Two security researchers – Amit Assaraf and Itay Kruk – used a specialized scanner to analyze extensions on the Visual Studio Marketplace and found obfuscated malicious code in "Material Theme – Free" and "Material Theme Icons", two extensions built by Mattia Astorino (aka Equinusocio).
BleepingComputer analyzed parts of the code and said that the "release-to-" files in the theme contained "heavily obfuscated JavaScript, which is always a red flag in open-source software". The researchers apparently managed to partially deobfuscate the code, which "showed many references to usernames and passwords", but could not determine the context in which they were used.
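The article describes two detection signals: heavily obfuscated JavaScript inside an extension's files, and references to usernames and passwords that only appear once the obfuscation is partially undone. The following is an added example, not the researchers' scanner and not code from the Material Theme project, showing a small Python heuristic that scores JavaScript sources on common obfuscation markers (hex-escaped string tables, `_0x`-style identifiers, `eval`/`Function`/`atob` calls) and decodes hex escapes to surface sensitive keywords. Both sample sources are constructed for the example; the thresholds in `obfuscation_score` are assumptions and would need tuning against a real corpus.

```python
import math
import re
from collections import Counter

# Constructed sample: an ordinary, readable extension entry point.
CLEAN_JS = """\
const vscode = require('vscode');
function activate(context) {
  const cmd = vscode.commands.registerCommand('theme.reload', () => {
    vscode.window.showInformationMessage('Theme reloaded');
  });
  context.subscriptions.push(cmd);
}
module.exports = { activate };
"""

# Constructed sample: the typical shape of obfuscator output, with a
# hex-escaped string table, rotated _0x identifiers and eval(atob(...)).
OBFUSCATED_JS = r"""
var _0x3a7f=['\x75\x73\x65\x72\x6e\x61\x6d\x65','\x70\x61\x73\x73\x77\x6f\x72\x64','\x2f\x61\x70\x69\x2f\x73\x79\x6e\x63'];
(function(_0x1b2c,_0x4d5e){var _0x6f70=function(_0x8a9b){while(--_0x8a9b){_0x1b2c['push'](_0x1b2c['shift']());}};_0x6f70(++_0x4d5e);}(_0x3a7f,0x1f3));
var _0xc0de=function(_0x1,_0x2){return _0x3a7f[_0x1-0x0];};
eval(atob('Y29uc29sZS5sb2coMSk='));
"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
HEX_IDENT = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")
DYNAMIC_EXEC = re.compile(r"\b(?:eval|Function|atob)\s*\(")
SENSITIVE_WORDS = ("username", "password", "token", "secret")


def shannon_entropy(text):
    """Bits per character; reported as context, not used for scoring."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_hex_escapes(text):
    """Replace \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def obfuscation_indicators(source):
    """Collect the raw signals for one JavaScript source."""
    decoded = decode_hex_escapes(source).lower()
    return {
        "hex_escapes": len(HEX_ESCAPE.findall(source)),
        "hex_identifiers": len(set(HEX_IDENT.findall(source))),
        "dynamic_exec": len(DYNAMIC_EXEC.findall(source)),
        "entropy": round(shannon_entropy(source), 2),
        # keywords only visible after decoding the string table
        "sensitive_words": sorted(w for w in SENSITIVE_WORDS if w in decoded),
    }


def obfuscation_score(ind):
    """Assumed weights: each marker adds to a 0..7 score."""
    score = 0
    if ind["hex_escapes"] >= 10:
        score += 2
    if ind["hex_identifiers"] >= 3:
        score += 2
    if ind["dynamic_exec"] >= 1:
        score += 2
    if ind["sensitive_words"]:
        score += 1
    return score


def scan_extension(files, threshold=4):
    """files maps a path inside the extension to its JS source.
    Returns the files whose score reaches the threshold."""
    findings = []
    for path, source in files.items():
        ind = obfuscation_indicators(source)
        score = obfuscation_score(ind)
        if score >= threshold:
            findings.append({"path": path, "score": score, **ind})
    return findings


if __name__ == "__main__":
    sample = {"extension.js": CLEAN_JS, "release-notes.js": OBFUSCATED_JS}
    for finding in scan_extension(sample):
        print(finding)
```

Running the block flags only the constructed obfuscated file, and the `sensitive_words` field shows why a partial decode matters: the strings "username" and "password" do not appear anywhere in the raw source and only surface after the hex escapes are resolved. A real review would still need to read the decoded code to establish what those strings are used for, which is exactly the gap the article notes.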
Microsoft's move
Assaraf added that the malicious code was probably introduced in an update, which suggests that the developer's account was compromised and the malware was injected in a supply chain attack.
Since the two extensions have around nine million downloads combined, Microsoft's reaction was swift: "Microsoft has removed the two extensions from the VS Code Marketplace and banned the developer," a Microsoft employee said on Y Combinator's Hacker News.
"A member of the community carried out a deep security analysis of the extension, found several red flags indicating malicious intent, and reported this to us. Our Microsoft security researchers confirmed these claims and found additional suspicious code."
"We have banned the publisher from the VS Marketplace, deleted all their extensions, and uninstalled them from all VS Code instances that had this extension running. For clarity – the removal had nothing to do with copyright/licenses, only with the potentially malicious intent."
Astorino acknowledged the findings, but also criticized Microsoft for not contacting him first:
"Nothing harmful has ever been shipped in Material Theme," he said in a post on Microsoft's VSMarketplace repository. "We just had an outdated sanity.io dependency.
"This dependency has been there since 2016 and has passed every check since then; now it appears to be compromised, but nobody at Microsoft reached out to us to remove it. They simply took everything down, causing problems for millions of users and causing a VS Code loop (yes, that's their fault)."
"They broke everything without ever contacting us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that's just how Microsoft is."
In an even faster counter-move, Astorino completely rewrote the extension without any dependencies and called it "Fanny themes", but Microsoft reportedly removed that one as well.
Via BleepingComputer