
Malicious VSCode Marketplace extensions hid trojan in fake PNG file


A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders.

The malicious activity was uncovered recently, and security researchers found that the operator used a malicious file posing as a .PNG image.

The VSCode Marketplace is Microsoft’s official extensions portal for the widely used VSCode integrated development environment (IDE), allowing developers to extend its functionality or add visual customizations.

Due to its popularity and potential for high-impact supply-chain attacks, the platform is constantly targeted by threat actors with evolving campaigns.

ReversingLabs, a company specializing in file and software supply-chain security, found that the malicious extensions come pre-packaged with a ‘node_modules’ folder to prevent VSCode from fetching dependencies from the npm registry when installing them.

Inside the bundled folder, the attacker added a modified dependency, ‘path-is-absolute’ or ‘@actions/io,’ with an additional class in the ‘index.js’ file that executes automatically when starting the VSCode IDE.

Malicious code added to the index.js file

Source: ReversingLabs

It should be noted that ‘path-is-absolute’ is a massively popular npm package with 9 billion downloads since 2021, and the weaponized version existed only in the 19 extensions used in the campaign.

The code introduced by the new class in the ‘index.js’ file decodes an obfuscated JavaScript dropper inside a file named ‘lock’. Another file present in the dependencies folder is an archive posing as a .PNG (‘banner.png’) file that hosts two malicious binaries: a living-off-the-land binary (LoLBin) called ‘cmstp.exe’ and a Rust-based trojan.
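The two artefacts described above (an archive carrying a .png name, and a ‘lock’ file sitting inside a bundled ‘node_modules’ tree) can both be spotted by content rather than by file name. The following is an added detection example written for this article, not code from ReversingLabs or from the extensions involved; it assumes the directory layout the article describes and builds its own constructed sample tree, so it runs offline.

```python
import tempfile
from pathlib import Path

# A real PNG starts with this 8-byte signature; anything else named .png is suspect.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Common archive signatures (the article says the file was an archive but not which kind).
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}

def classify(path: Path) -> str:
    """Return 'png', an archive name, or 'unknown' based on magic bytes, not extension."""
    head = path.read_bytes()[:8]
    if head.startswith(PNG_MAGIC):
        return "png"
    for magic, name in ARCHIVE_MAGICS.items():
        if head.startswith(magic):
            return name
    return "unknown"

def scan_extensions(root) -> list:
    """Walk an extensions directory and flag (1) .png files that are not PNGs
    and (2) files named 'lock' inside a bundled node_modules tree."""
    root = Path(root)
    findings = []
    for png in root.rglob("*.png"):
        if png.is_file() and (kind := classify(png)) != "png":
            findings.append(("fake-png", png.relative_to(root).as_posix(), kind))
    for nm in root.rglob("node_modules"):
        for lock in (nm.rglob("lock") if nm.is_dir() else []):
            if lock.is_file():
                findings.append(("lock-in-node_modules", lock.relative_to(root).as_posix(), ""))
    return findings

def build_sample() -> Path:
    """Constructed sample tree (placeholder bytes, not real malware): one extension
    mimicking the described layout and one benign extension with a real PNG header."""
    root = Path(tempfile.mkdtemp())
    bad = root / "bad-ext" / "node_modules" / "path-is-absolute"
    bad.mkdir(parents=True)
    (bad / "index.js").write_text("module.exports = function () {};\n")
    (bad / "lock").write_bytes(b"obfuscated-dropper-placeholder")
    (bad / "banner.png").write_bytes(b"PK\x03\x04" + b"\x00" * 26)  # zip header, .png name
    good = root / "good-ext" / "media"
    good.mkdir(parents=True)
    (good / "icon.png").write_bytes(PNG_MAGIC + b"\x00\x00\x00\x0dIHDR")
    return root
```

Point `scan_extensions` at the local VSCode extensions directory (for example `~/.vscode/extensions`) to run it against real installs; a non-empty result is a lead to investigate, not proof of compromise on its own.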
