A malicious campaign on the official VSCode Marketplace has been distributing 19 extensions that hide malware inside their bundled dependency folders. Active since February, the extensions ship a pre-packaged node_modules folder instead of declaring dependencies to be fetched from the public npm registry; because the modified package never passes through the registry, it is never seen by the scanning and name-monitoring that watch npm publishes. Inside that folder, an altered copy of the popular path-is-absolute package carries additional code that runs automatically as soon as the VSCode IDE starts and loads the extension.
The added code decodes an obfuscated JavaScript dropper, which then retrieves a file named banner.png that is disguised as a PNG image. The fake image carries two embedded binaries: a copy of cmstp.exe, a legitimate Windows system tool that the dropper abuses as a living-off-the-land executable, and a Rust-based trojan whose full capabilities are still under analysis. All of the extensions were presented as themes, with names such as "Malkolm Theme" and "PandaExpress Theme," and all were published at version 1.0.0.
ReversingLabs discovered the campaign and reported it to Microsoft, which removed every identified extension from the Marketplace. Removal does not clean machines that already installed them, so anyone who installed one of these themes should check their system for signs of compromise. The incident shows how supply-chain attacks on developers keep growing more sophisticated, and it underscores the need to inspect an extension's dependencies, especially when they are shipped pre-packaged rather than resolved from the registry, since a vendored copy of a package can differ from the version published under that name on npm.
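The two checks a practitioner would want after reading the above are an audit of the local extensions directory for vendored copies of path-is-absolute that carry code the real package never needs, and a look inside a file claiming to be a PNG to see whether it actually carries PE images. The script below is an added example, not tooling from ReversingLabs or Microsoft. It assumes the standard VS Code layout of one folder per extension under an extensions directory, uses a constructed indicator list as a heuristic rather than any published detection logic, and builds its own sample extension tree and fake banner.png, so none of the campaign's real extension IDs, hashes or payload bytes appear here.

```python
"""Triage helpers for the bundled-dependency technique described above.

Added example, not tooling from ReversingLabs or Microsoft. It assumes a
standard VS Code layout (<extensions_dir>/<publisher>.<name>-<version>/) and
uses a constructed indicator list plus a constructed sample tree; no real
extension IDs, hashes or payload bytes from the campaign are reproduced.
"""
import re
import struct
import tempfile
from pathlib import Path

# Indicators a tiny path-prefix helper has no legitimate reason to contain.
# Constructed heuristic for this example, not ReversingLabs' detection logic.
INDICATORS = [
    ("eval", r"\beval\s*\("),
    ("new-function", r"\bnew\s+Function\s*\("),
    ("child_process", r"\bchild_process\b"),
    ("spawn-exec", r"\b(spawn|exec|execSync|execFile)\s*\("),
    ("base64-decode", r"Buffer\.from\s*\([^)]*['\"]base64['\"]"),
    ("atob", r"\batob\s*\("),
    ("io-require", r"require\s*\(\s*['\"](https?|net|fs)['\"]\s*\)"),
    ("write-file", r"\bwriteFileSync\s*\("),
]
PKG = "path-is-absolute"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def indicators_in(source: str) -> list[str]:
    """Names of INDICATORS whose pattern occurs in a JavaScript source string."""
    return [name for name, pat in INDICATORS if re.search(pat, source)]


def audit_extensions(extensions_dir: str, pkg: str = PKG) -> dict[str, dict]:
    """Report every installed extension that ships its own node_modules.

    Result: {ext_folder: {"has_main": bool, "suspicious": {rel_js_path: [indicator, ...]}}}.
    A bundled node_modules is itself notable (the campaign used it to avoid npm);
    a non-empty "suspicious" map means the vendored copy of `pkg` contains code
    the real package would never need. "has_main" flags a manifest that declares
    a JavaScript entry point, which a pure theme does not require.
    """
    report = {}
    for ext in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        bundled = ext / "node_modules"
        if not bundled.is_dir():
            continue
        manifest = ext / "package.json"
        has_main = manifest.is_file() and '"main"' in manifest.read_text(errors="replace")
        pkg_dir = bundled / pkg
        js_files = sorted(pkg_dir.rglob("*.js")) if pkg_dir.is_dir() else []
        suspicious = {}
        for js in js_files:
            hits = indicators_in(js.read_text(errors="replace"))
            if hits:
                suspicious[js.relative_to(ext).as_posix()] = hits
        report[ext.name] = {"has_main": has_main, "suspicious": suspicious}
    return report


def carve_pe_offsets(blob: bytes) -> list[int]:
    """Offsets of embedded PE images: an 'MZ' whose e_lfanew (u32 at +0x3C) lands on 'PE\\0\\0'."""
    offsets, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x1000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return offsets


def inspect_image(path: str) -> dict:
    """Does the file start with a PNG signature, and does it carry PE images inside?"""
    blob = Path(path).read_bytes()
    return {"png_signature": blob.startswith(PNG_MAGIC), "pe_offsets": carve_pe_offsets(blob)}


# ---- constructed sample data (stand-ins, not the campaign's real files) ----
CLEAN_JS = "'use strict';\nmodule.exports = function (p) { return p.charAt(0) === '/'; };\n"
TROJANED_JS = CLEAN_JS + (
    "// appended stager shaped like the page describes: decode, then run, a dropper\n"
    "const _d = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString();\n"
    "new Function(_d)();\n"
)


def fake_pe_stub(tag: bytes) -> bytes:
    """Headers only (MZ, e_lfanew=0x80, PE\\0\\0) followed by a tag; not an executable."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40 + b"PE\0\0" + tag


def build_sample_tree() -> tuple[str, str]:
    """Temp extensions dir (clean, vendored-clean, vendored-trojaned) plus a fake banner.png."""
    root = Path(tempfile.mkdtemp())
    ext_dir = root / "extensions"
    (ext_dir / "example.clean-theme-1.0.0").mkdir(parents=True)
    for name, js in (("example.vendored-theme-1.0.0", CLEAN_JS), ("example.suspect-theme-1.0.0", TROJANED_JS)):
        pkg_dir = ext_dir / name / "node_modules" / PKG
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "index.js").write_text(js)
        (ext_dir / name / "package.json").write_text('{"name": "%s", "main": "./extension.js"}' % name)
    banner = root / "banner.png"
    banner.write_bytes(PNG_MAGIC + b"\0" * 32 + fake_pe_stub(b"TOOL") + b"\0" * 16 + fake_pe_stub(b"TROJAN"))
    return str(ext_dir), str(banner)


if __name__ == "__main__":
    ext_dir, banner = build_sample_tree()
    for ext, info in audit_extensions(ext_dir).items():
        print(ext, info)
    print(inspect_image(banner))
```

On a real machine, point audit_extensions at the user's extensions directory (for example ~/.vscode/extensions) and inspect_image at any suspicious image the extension or dropper left behind. The indicator list is deliberately narrow so that a clean copy of path-is-absolute produces no hits; a match is a reason to diff the vendored file against the npm-published version, not a verdict on its own. The PE carver follows the e_lfanew link so that stray "MZ" byte pairs in genuine image data are not reported.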
