Visual Studio Marketplace is the latest supply chain attack vector

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


Aqua Security researchers have found that hackers are using Visual Studio Marketplace to conduct supply chain attacks.

In a new report, the researchers uncovered that attackers could impersonate popular VS Code extensions to trick developers into downloading malicious versions.

VS Code is the most popular IDE, with around 74.48 percent of developers using it. The vast array of extensions available for VS Code is partly what drives its popularity.

Here are some of the most popular VS Code extensions:

“It’s a challenge even for security-aware developers to distinguish between malicious and benign extensions,” explains Ilay Goldman, Security Researcher at Aqua Security.

“When you take into consideration that anyone can create a user even with a temporary email, the truth is that anyone can publish an extension which could be listed in the Marketplace.”

Aqua Security uploaded a proof-of-concept which masquerades as a legitimate extension:

The masquerading app also takes advantage of “typosquatting” (making a simple typo) in the URL.

“When typing ‘pretier’, which developers might very well inadvertently do, our masquerading extension is the only result,” adds Goldman.

The researchers also highlight concerns about the verification procedure. A blue checkmark is displayed not for authors’ that are verified as being who they say they are, as you’d expect, but simply that the publisher has proven ownership of any domain.

Malicious packages are regularly uploaded to package managers such as NPM. Aqua Security notes the possibility of legitimate extension developers having their work compromised by using a malicious package as a dependency.

Aqua Security’s findings show that it’s more important than ever to triple-check the extensions you install and the packages you’re using.

(Photo by Mohammad Rahmani on Unsplash)

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *