{
	"id": "8aab45ca-51d7-4c38-ad3b-58940121ba9a",
	"created_at": "2026-04-06T00:11:35.177195Z",
	"updated_at": "2026-04-10T03:24:29.211157Z",
	"deleted_at": null,
	"sha1_hash": "20d984534e9003dc71b5b7dcf8a8afdbe13c9e8f",
	"title": "Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 604791,
	"plain_text": "Hackers Can Abuse Visual Studio Marketplace to Target\r\nDevelopers with Malicious Extensions\r\nBy The Hacker News\r\nPublished: 2023-01-09 · Archived: 2026-04-05 21:38:27 UTC\r\nA new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue\r\nextensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks.\r\nThe technique \"could act as an entry point for an attack on many organizations,\" Aqua security researcher Ilay\r\nGoldman said in a report published last week.\r\nVS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add\r\nprogramming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows. \r\n\"All extensions run with the privileges of the user that has opened the VS Code without any sandbox,\" Goldman\r\nsaid, explaining the potential risks of using VS Code extensions. \"This means that the extension can install any\r\nprogram on your computer including ransomwares, wipers, and more.\"\r\nTo that end, Aqua found that not only is it possible for a threat actor to impersonate a popular extension with small\r\nvariations to the URL, the marketplace also allows the adversary to use the same name and extension publisher\r\nhttps://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html\r\nPage 1 of 4\n\ndetails, including the project repository information.\r\nWhile the method doesn't allow the number of installs and the number of stars to be replicated, the fact that there\r\nare no restrictions on the other identifying characteristics means it could be used to deceive developers.\r\nThe research also discovered that the verification badge assigned to authors could be trivially bypassed as the\r\ncheck mark only proves that the extension publisher is the actual owner of a domain.\r\nhttps://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html\r\nPage 2 of 4\n\nIn other words, a malicious actor could buy any domain, register it to get a verified check mark, and ultimately\r\nupload a trojanized extension with the same name as that of a legitimate one to the marketplace.\r\nA proof-of-concept (PoC) extension masquerading as the Prettier code formatting utility racked up over 1,000\r\ninstallations within 48 hours by developers across the world, Aqua said. It has since been taken down.\r\nThis is not the first time concerns have been raised about software supply chain threats in the VS Code extensions\r\nmarketplace.\r\nIn May 2021, enterprise security firm Snyk uncovered a number of security flaws in popular VS Code extensions\r\nwith millions of downloads that could have been abused by threat actors to compromise developer environments.\r\n\"Attackers are constantly working to expand their arsenal of techniques allowing them to run malicious code\r\ninside the network of organizations,\" Goldman said.\r\nUpdate\r\nA Microsoft spokesperson has shared the following statement with The Hacker News, noting that it provides tools\r\nfor users to flag malicious extensions identified in the Marketplace. It also confirmed that the PoC add-on has\r\nbeen removed.\r\nThis technique involves the use of social engineering tactics to convince a victim to download a malicious\r\nextension. To help keep customers safe and protected, we scan extensions for viruses and malware before they are\r\nuploaded to the Marketplace and we check that an extension has a Marketplace certificate and verifiable\r\nhttps://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html\r\nPage 3 of 4\n\nsignature prior to being installed. To help make informed decisions, we recommend consumers review\r\ninformation, such as domain verification, ratings and feedback to prevent unwanted downloads.\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html\r\nhttps://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thehackernews.com/2023/01/hackers-distributing-malicious-visual.html"
	],
	"report_names": [
		"hackers-distributing-malicious-visual.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20d984534e9003dc71b5b7dcf8a8afdbe13c9e8f.pdf",
		"text": "https://archive.orkl.eu/20d984534e9003dc71b5b7dcf8a8afdbe13c9e8f.txt",
		"img": "https://archive.orkl.eu/20d984534e9003dc71b5b7dcf8a8afdbe13c9e8f.jpg"
	}
}