The steady flow of news about malicious attacks on open source repositories like npm, PyPi, RubyGems and NuGet can be deceptive. Open source dependencies are only part of the software supply chain. The tools and plugins used to develop, build and distribute software are also targeted by malicious attackers.
A compromised IDE extension can be a gateway for stealing developer credentials, infiltrating CI/CD environments, tampering with software, and ultimately attacking customers. A real-world example of attack technique is the compromise of ETHcode, a legitimate Visual Studio Code (VS Code) extension, which was first flagged by Spectra Assure’s predictive threat hunting models and subsequently verified by RL researchers.
IDE extensions are not usually perceived as a potential source of compromise since they are not added to the code base. However, Microsoft’s VS Code Extension Marketplace is a tempting target for attackers. A 2024 survey indicated that 73% of respondents regularly use VS Code as their IDE, more than twice as many as its nearest alternative. Most developers add languages, debuggers, and tools to streamline day-to-day tasks with extensions downloaded directly from VS Code Marketplace. Automated updates also can also make it easier for compromised extensions to fly in under the radar.
Microsoft has safety measures for extensions published on VS Code Marketplace, and is quick to remove any detected malicious extensions. However, software supply chain security is a shared responsibility that crosses vendor, marketplace, and enterprise lines. IDEs and their extensions, plug-ins, and updates are third-party software — and developers deserve to have insight before trusting those tools.
[ See related research: Malicious pull request infects VS Code extension ]
Spectra Assure Assesses Extensions on VS Code Marketplace
Spectra Assure Community empowers VS Code users to verify an extension’s level of risk before trusting it to run with privileged system access. Over 100K risk assessments are available for the VS Code community. The simple search interface enables any developer to make more secure choices for their IDE.
Each risk assessment summarizes threats detected within the VS Code plugin, such as malware, tampering, and vulnerabilities actively being exploited by malware. It also includes a list of direct dependencies declared by the software package’s manifest, which is exportable in CycloneDX, and provides links to Spectra Assure’s assessment of each open source dependency. Users can also examine the list of software behaviors exhibited by each extension to avoid anomalous or unnecessary capabilities.
Figure 1: Spectra Assure Community empowers developers to review software supply chain risks before selecting VS Code extensions
Verify Safety of IDE Extension Updates
Newer doesn’t always mean safer when it comes to software and its dependencies. A software package or tool plugin can “play nice” for months with innocuous updates to gain developers’ trust before the malicious versions are published. Add in a large-scale attack similar to SolarWinds or 3CX and millions of developer systems can be compromised by extension updates. Security researchers have proved this possibility already. Only daily threat hunting activities can flag malicious or suspicious software changes and a dedicated research team can validate the threat.
Spectra Assure Community continually assesses new extensions and software versions as they are published to the marketplace. The version history for each extension is also maintained to help developers to make informed decisions about version upgrades.
Figure 2: Spectra Assure Community tracks VS Code Extension versions for making informed version upgrade decisions
With the Spectra Assure Community, VSCode Marketplace users have more insight for finding safe extensions to customize their IDEs. See RL's guided tour (view time: 60 seconds) to learn how the Spectra Assure Community helps you make the best choices for keeping your credentials, projects and end-users safe from malicious attacks.
