Thousands Visual Studio extensions with 229M total installs found malicious

The fake 'Darcula' extension took VSCode Marketplace by storm

Reading time icon 2 min. read

Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Key notes

  • Researchers exposed security flaws in the VSCode Marketplace with a fake extension.
  • The ‘Darcula’ extension collected sensitive data and gained quick traction.
  • In the end, they found 1,283 malicious extensions with a total of 229 million installs.
Visual Code

Microsoft, once again, is in hot water over security concerns. After reports that the Redmond company’s “Recall” feature has a lot of safety loopholes, a group of researchers has apparently tested Visual Code (VSCode) Marketplace’s security system. Microsoft says it’s yet to patch the issue.

TL;DR, researchers from Israel conducted the experiment by creating a malicious extension that mimics another widely used extension with millions of downloads. The test itself barely lasted more than half an hour, and just like that, Microsoft’s popular IDE app with over 15 million monthly users was breached.

The fake extension, called ‘Darcula,’ takes on the popular ‘Dracula Official’ theme. To make it look more legit and have a verified published badge on the marketplace, the researchers even bought a domain – a website that had already been taken down by the time of this publishing.

‘Darcula’ and ‘Dracula’ look nearly identical, but the difference is that the former added a script that collects information about your hostname, domain, platform, number of extensions, and more. The fake extension then generated a lot of downloads. It became a “Trending” extension in the marketplace, with downloads including from a company with a $483 billion market cap, according to researchers.

“By installing an extension, this in turn means giving the extension publisher full access to the host environment,” the finding reads.

The researchers then found some shocking statistics. They identified 1,283 extensions with known malicious dependencies totaling 229 million installs, 87 attempting to access sensitive system files, 8,161 communicating with hardcoded IP addresses, 1,452 running unknown executables, 267 containing hardcoded secrets, and the list goes on.

“VSCode extensions are an abused and exposed attack vertical, with zero visibility, high impact, and high risk. This issue poses a direct threat to organizations and deserves the security community’s attention,” the researchers say.