In today’s digital age, the world of software development has become an essential component of our technology-driven society. Platforms like Microsoft’s (VSCode) play a significant role in the daily tasks of many developers. However, this ubiquitous use also makes such platforms a prime target for cybercriminals. The recent discovery of on the VSCode Marketplace underscores the importance of cybersecurity awareness and action. We’ll explore the details of this alarming issue, and its implications for VSCode users, and provide actionable advice for safeguarding your systems. Visual Studio Code malicious extensions Threats in the VSCode Marketplace As an integral part of Microsoft’s VSCode Integrated Development Environment (IDE), the VSCode Marketplace has carved out a crucial space in the software development ecosystem. It serves as a hub for over 50,000 add-ons, providing a wealth of resources to enhance functionality and customization for developers globally. Unfortunately, this popularity has not gone unnoticed by cybercriminals. Recently, three malicious extensions were found on the marketplace, downloaded a staggering 46,600 times before their removal. This event signifies a concerning trend of cyber threats infiltrating the VSCode user community. The Malicious Extensions The extensions identified as harmful were ‘Theme Darcula dark’, ‘python-vscode’, and ‘prettiest java’. Each of these posed unique threats to unsuspecting users: : Disguised as a harmless theme pack, this extension was programmed to pilfer basic information about the developer’s system. This includes hostname, operating system, CPU platform, total memory, and CPU information. Though lacking in other observable malicious activities, such conduct is highly unusual for a theme pack, raising significant red flags. Theme Darcula dark : With an empty description and an unassuming uploader name, this extension managed to secure 1,384 downloads. Beneath its simple facade, it concealed a C# shell injector capable of executing code or commands on the victim’s machine – a grave security risk. python-vscode : Mimicking the popular ‘prettier-java’ code formatting tool, this extension operated stealthily to steal saved credentials or authentication tokens from various applications. The list of targets included Discord, Google Chrome, Opera, Brave Browser, and Yandex Browser, with stolen data being transmitted to the attackers. prettiest java The Risks of User-Supported Repositories User-contributed software repositories, such as and , have a long history of being targeted by threat actors. The VSCode Marketplace, though a relatively new target, is on a similar trajectory. The ease with which malicious extensions can be uploaded coupled with the recent discoveries, suggest a concerted effort by cybercriminals to infiltrate the Windows developer community. NPM PyPi Precautionary Measures for Safe Coding The current landscape necessitates users of the VSCode Marketplace, and all user-supported repositories, to adopt several precautionary measures: Prioritize installing extensions from trusted publishers with a high number of downloads and favorable community ratings. Make it a habit to read user reviews thoroughly. Always inspect the source code of an extension before proceeding with its installation. Conclusion The evolution of software development brings with it an ever-changing landscape of cyber threats. Staying informed about these risks and adopting proactive safety measures are our best defenses. Understanding the nature of these malicious extensions and adhering to secure installation practices will go a long way in ensuring a safe. Originally published on Programming Geeks Club.