- Security researchers found malicious code hidden in two VS Code extensions
- Microsoft pulled them quickly and notified users
- The developer criticized Microsoft’s move and said he was never contacted
Microsoft has pulled two popular VS Code extensions from its marketplace after finding malicious code hidden inside. However, the original developer does not appear to be the culprit, and has slammed Microsoft for a heavy-handed reaction that, he claims, caused more harm than good.
Two security researchers, Amit Assaraf and Itay Kruk, used a specialized scanner to analyze extensions on the Visual Studio Marketplace and found obfuscated malicious code in “Material Theme – Free” and “Material Theme Icons – Free”, two extensions built by Mattia Astorino (aka Equinusocio).
BleepingComputer analyzed parts of the code and said that a “release-notes.js” file in the theme contained “heavily obfuscated JavaScript, which is always a red flag in open source software.” The publication managed to partially deobfuscate the code, which “showed several references to usernames and passwords”, but could not determine the context in which they were used.
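The “heavily obfuscated JavaScript is a red flag” observation above is exactly what a marketplace scanner like the one the researchers used looks for. As an added example that is not part of the original report, nor of any tool or extension it mentions, the Python below scores JavaScript source against a handful of common obfuscation markers (hex/unicode escape density, `_0x…` identifiers typical of javascript-obfuscator output, `eval`/`new Function`, `String.fromCharCode`, very long literals and lines) and can walk a local extensions directory. The two embedded snippets are constructed for illustration; neither is taken from the Material Theme code.

```python
import os
import re

# Heuristic markers commonly seen in obfuscated JavaScript (e.g. javascript-obfuscator output).
PATTERNS = {
    "hex_escape": re.compile(r"\\x[0-9a-fA-F]{2}"),
    "unicode_escape": re.compile(r"\\u[0-9a-fA-F]{4}"),
    "obfuscator_ident": re.compile(r"\b_0x[0-9a-fA-F]{4,}\b"),
    "dynamic_eval": re.compile(r"\b(?:eval|Function)\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode"),
    "long_literal": re.compile(r"""["'][A-Za-z0-9+/=]{64,}["']"""),
}

# Constructed sample: what a harmless extension entry point typically looks like.
BENIGN_JS = """const vscode = require('vscode');
function activate(context) {
  const disposable = vscode.commands.registerCommand('exampleTheme.showReleaseNotes', () => {
    vscode.window.showInformationMessage('Release notes opened');
  });
  context.subscriptions.push(disposable);
}
module.exports = { activate };
"""

# Constructed sample in the style of javascript-obfuscator output (not real malware).
OBFUSCATED_JS = r"""var _0x4f2a=['\x75\x73\x65\x72\x6e\x61\x6d\x65','\x70\x61\x73\x73\x77\x6f\x72\x64','\x68\x74\x74\x70\x73\x3a\x2f\x2f'];
var _0x1b3c=function(_0x2d4e,_0x5f6a){_0x2d4e=_0x2d4e-0x0;var _0x7b8c=_0x4f2a[_0x2d4e];return _0x7b8c;};
eval(String.fromCharCode(0x76,0x61,0x72,0x20,0x75,0x3d,0x31));"""


def obfuscation_indicators(src: str) -> dict:
    """Count each marker in a JavaScript source string and derive a few ratios."""
    ind = {name: len(rx.findall(src)) for name, rx in PATTERNS.items()}
    ind["longest_line"] = max((len(line) for line in src.splitlines()), default=0)
    # Escape sequences per character of source: real code almost never has many.
    ind["escape_density"] = (ind["hex_escape"] + ind["unicode_escape"]) / max(len(src), 1)
    return ind


def obfuscation_score(src: str) -> int:
    """Weighted sum of markers; 0 means nothing of note, higher means more obfuscation signs."""
    ind = obfuscation_indicators(src)
    score = 0
    if ind["escape_density"] > 0.02:  # more than one escape sequence per 50 characters
        score += 2
    if ind["obfuscator_ident"]:       # _0x1a2b-style renamed identifiers
        score += 2
    if ind["dynamic_eval"]:           # eval( / Function( turning strings into code
        score += 1
    if ind["fromcharcode"]:           # strings assembled from character codes
        score += 1
    if ind["long_literal"]:           # long base64-looking blobs
        score += 1
    if ind["longest_line"] > 500:     # single-line bundles hide structure
        score += 1
    return score


def is_suspicious(src: str, threshold: int = 3) -> bool:
    """Triage verdict: worth a human look, not proof of malice."""
    return obfuscation_score(src) >= threshold


def scan_extension_dir(root: str, threshold: int = 3) -> list:
    """Walk an extensions directory (e.g. ~/.vscode/extensions) and return (path, score) for suspicious .js files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            score = obfuscation_score(src)
            if score >= threshold:
                hits.append((path, score))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        print(f"{label}: score={obfuscation_score(sample)} suspicious={is_suspicious(sample)}")
    # Example run over a real install; the path is an assumption about a typical Linux/macOS setup.
    for path, score in scan_extension_dir(os.path.expanduser("~/.vscode/extensions")):
        print(f"{score:2d}  {path}")
```

Treat a high score as a reason to read the file, not as a verdict: legitimately minified bundles in `node_modules` trip the long-line and escape-density checks, and a theme extension that ships only JSON and a tiny entry point has no business scoring above zero at all, which is the asymmetry that makes this cheap check useful.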
Microsoft’s response
Assaraf added that the malicious code was likely introduced in an update, suggesting that either the developer’s account was compromised or the malware was added through a supply chain attack.
With the two extensions having roughly nine million downloads combined, Microsoft’s reaction was swift: “Microsoft removed both extensions from the VS Code Marketplace and banned the developer,” a Microsoft employee said on Y Combinator’s Hacker News.
“A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent, and reported this to us. Our security researchers at Microsoft confirmed this claim and found additional suspicious code.”
“We banned the publisher from the VS Marketplace and removed all their extensions, and uninstalled them from all VS Code instances that had this extension running. For clarity – the removal had nothing to do with copyright/licenses, only with potential malicious intent.”
Astorino acknowledged the findings, but also criticized Microsoft for not reaching out to him first:
“Nothing harmful was ever shipped within Material Theme,” he said in a post on Microsoft’s VS Marketplace archive. “We just had an outdated dependency.
“This dependency has been there since 2016 and passed every check since then. Now it looks compromised, but no one from Microsoft managed to remove it. They just pulled down everything, causing problems to millions of users and a loop in VSCode (yep, it’s their fault).”
“They broke everything without ever reaching out to us for clarification. Removing the old dependency was a quick 30-second fix, but it seems that this is just how Microsoft works. We also ship an obfuscated index.”
In an even faster counter-move, Astorino completely rewrote the extension without any dependencies and renamed it “Fanny Themes”, but Microsoft has reportedly removed that as well.
Via BleepingComputer