    Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions

    By Admincrypt | January 9, 2023

    Jan 09, 2023 | Ravie Lakshmanan | Supply Chain / CodeSec

    Malicious Visual Studio Extensions

    A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks.

    The technique “could act as an entry point for an attack on many organizations,” Aqua security researcher Ilay Goldman said in a report published last week.

    VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows.

    “All extensions run with the privileges of the user that has opened the VS Code without any sandbox,” Goldman said, explaining the potential risks of using VS Code extensions. “This means that the extension can install any program on your computer including ransomwares, wipers, and more.”

    To that end, Aqua found that not only is it possible for a threat actor to impersonate a popular extension with small variations to the URL, the marketplace also allows the adversary to use the same name and extension publisher details, including the project repository information.

    While the method doesn’t allow the number of installs and the number of stars to be replicated, the fact that there are no restrictions on the other identifying characteristics means it could be used to deceive developers.

    The research also discovered that the verification badge assigned to authors could be trivially bypassed as the check mark only proves that the extension publisher is the actual owner of a domain.

    In other words, a malicious actor could buy any domain, register it to get a verified check mark, and ultimately upload a trojanized extension with the same name as that of a legitimate one to the marketplace.

    A proof-of-concept (PoC) extension masquerading as the Prettier code formatting utility racked up over 1,000 installations within 48 hours by developers across the world, Aqua said. It has since been taken down.
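
    Because the display name, repository details and verified badge can all be replicated, a defender's check has to compare the extension identifier (`publisher.name`) itself. The following is an added example, not code from Aqua's report: it audits the output of `code --list-extensions --show-versions` against an allowlist and flags near-miss identifiers. The allowlist contents, the 0.85 threshold and the sample listing (including the look-alike ID and all version numbers) are constructed assumptions.

```python
from difflib import SequenceMatcher

# Assumption: identifiers (publisher.name) your organisation has reviewed and pinned.
ALLOWLIST = ("esbenp.prettier-vscode", "ms-python.python")

# Constructed sample in the format printed by `code --list-extensions --show-versions`.
SAMPLE_INSTALLED = """\
esbenp.prettier-vscode@9.10.3
esbemp.prettier-vscode@1.0.0
dbaeumer.vscode-eslint@2.2.6
"""


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means the two identifiers are identical."""
    return SequenceMatcher(None, a, b).ratio()


def audit(listing, allowlist=ALLOWLIST, threshold=0.85):
    """Classify each installed identifier as approved, lookalike or unreviewed.

    Only the identifier is compared: display name and badge are ignored
    because an impersonating listing can copy them.
    """
    findings = {}
    for line in listing.splitlines():
        # Identifiers are treated case-insensitively; drop the @version suffix.
        ext_id = line.strip().lower().split("@", 1)[0]
        if not ext_id:
            continue
        if ext_id in allowlist:
            findings[ext_id] = ("approved", None)
            continue
        nearest = max(allowlist, key=lambda ok: similarity(ext_id, ok))
        if similarity(ext_id, nearest) >= threshold:
            # Not pinned, yet almost identical to a pinned ID: likely impersonation.
            findings[ext_id] = ("lookalike", nearest)
        else:
            findings[ext_id] = ("unreviewed", None)
    return findings


if __name__ == "__main__":
    for ext_id, (status, near) in audit(SAMPLE_INSTALLED).items():
        print(f"{ext_id:32} {status:11} {near or ''}")
```

    A `lookalike` result warrants removal and investigation of the workstation; an `unreviewed` result only means the extension has not yet been vetted.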

    This is not the first time concerns have been raised about software supply chain threats in the VS Code extensions marketplace.

    In May 2021, enterprise security firm Snyk uncovered a number of security flaws in popular VS Code extensions with millions of downloads that could have been abused by threat actors to compromise developer environments.

    “Attackers are constantly working to expand their arsenal of techniques allowing them to run malicious code inside the network of organizations,” Goldman said.
