they steal your passwords and control your PC

Hackers can hide malicious code where we least expect it. This time, the programmers and developers who use Microsoft's popular editor, Visual Studio Code, have become the new targets of these cybercriminals. So, if you use this software, be very careful with this new malware distribution campaign, which could cost you dearly.

The security firm Check Point has discovered a number of extensions containing malicious code in VSCode's own Marketplace. They focus on stealing the passwords saved on users' PCs and on opening remote terminals so that attackers can control the victims' computers remotely.

These extensions were available in the program's extension store for more than 10 days (specifically from May 4 to May 14), and in that time they accumulated nearly 50,000 downloads in total. Even though they have already been removed, users who downloaded them are still at risk. And it cannot be ruled out that more malicious extensions have been uploaded to this Marketplace.


The extensions with malware that were published in the store, endangering users' security, are:

  • Dark Darcula Theme. An extension that promised to improve the consistency of the "Dracula" color scheme, widely used by programmers. It stole basic information about the PC (CPU, platform, memory, system…) and sent it to a remote server.
  • python-vscode. An extension meant to improve the editor's compatibility with Python, but which actually hides obfuscated code that allows attackers to execute code and commands on victims' machines.
  • best java. A Java code formatting extension that actually steals all the passwords saved in Google Chrome, Edge, Firefox, and other web browsers, as well as in some programs (like Discord) installed on the computer.


In addition to these extensions, which may be the most dangerous, Check Point has also detected other extensions that, although their code is not as dangerous, do contain suspicious code that Microsoft should not allow in its Marketplace.

What should I do?

First of all, if you haven't installed any of these extensions, don't worry. Microsoft has already removed the three extensions we mentioned, and you can no longer get infected by them. If you have installed any of them, the measures to take depend on which extension it is. To begin with, you will have to remove the extension from your editor, scan the whole system with an antivirus and try to determine the scope of the attack. And if the extension you installed was the third one, and your passwords have been stolen, there is no other option than to change them all.
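To check whether one of the three extensions is still installed, the following added example (not code from Check Point or Microsoft) reads each extension's `package.json` and compares its `name` and `displayName` with the names listed above. It assumes the default per-user folder `~/.vscode/extensions` and that the names in this article match those manifest fields; the exact Marketplace identifiers are not given here, and the sample folders in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

# Names exactly as listed in the article; matching on them is an assumption,
# since the article does not give the Marketplace publisher.name identifiers.
REPORTED_NAMES = ("Dark Darcula Theme", "python-vscode", "best java")

def _norm(value):
    """Lower-case and drop separators so 'Best-Java' matches 'best java'."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())

def find_reported_extensions(ext_dir):
    """Return sorted (folder, publisher, matched_name) for matching extensions."""
    wanted = {_norm(n): n for n in REPORTED_NAMES}
    hits = []
    root = Path(ext_dir)
    for manifest in (root.glob("*/package.json") if root.is_dir() else ()):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if not isinstance(meta, dict):
            continue
        for field in ("name", "displayName"):
            match = wanted.get(_norm(meta.get(field, "")))
            if match:
                hits.append((manifest.parent.name, str(meta.get("publisher", "?")), match))
                break
    return sorted(hits)

def demo():
    """Run the check over a constructed extensions folder (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed manifests; publisher "example" is a placeholder
            "example.python-vscode-0.0.1": {"name": "python-vscode", "publisher": "example"},
            "example.fmt-1.0.0": {"name": "fmt", "displayName": "Best Java", "publisher": "example"},
            "example.harmless-2.3.0": {"name": "harmless", "displayName": "Harmless", "publisher": "example"},
        }
        for folder, meta in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return find_reported_extensions(tmp)

if __name__ == "__main__":
    # Default per-user extensions folder of VS Code; pass another path if yours differs.
    for folder, publisher, name in find_reported_extensions(Path.home() / ".vscode" / "extensions"):
        print(f"remove {folder} (publisher {publisher}): matches '{name}'")
```

A match only tells you the extension is present; removing it, scanning the system and changing passwords still follow as described above.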

And, to avoid falling victim to this type of attack again, it is best to always avoid new or strange extensions and those uploaded by users without a track record. Always look for popular extensions used by thousands of users, and check their comments to make sure you don't run into these kinds of problems.
