Experts have cautioned that threat actors might use the VSCode Marketplace, a repository for Visual Studio Code (VSC) extensions, to spread malicious code to the millions of users it has.

AquaSec conducted tests on the platform and found that it could be easily abused to spread malware.

The researchers also say that they aren’t the first to discover the vulnerabilities, and that some malicious actors have been using them for some time.

Falsifying crucial information

A team from AquaSec wrote a blog post detailing their attempt to publish a typosquatted, malicious version of a popular extension with 27 million instals.

The platform’s ‘displayName’ function made it clear that the malware’s name didn’t even have to be typosquatted; developers may give their extensions whatever name they choose, and it doesn’t have to be a unique string. So they gave it the same name as the real one.

Then they saw that they could just copy the official project’s branding and description.

Not only that, but the information may be updated after it has been fetched from GitHub. This enables them to portray the virus as a genuine product with a lengthy development history by spoofing the project data. The download count and the position in search results were the only aspects of the page that were unspoofable.

“Over time, though, a growing number of unsuspecting people will instal our phoney extension. The expansion will acquire legitimacy as these numbers rise “As AquaSec put it. “Moreover, because it is possible to acquire numerous services on the dark web, a really determined attacker might theoretically manipulate these figures by purchasing services that would increase the amount of downloads and stars,” the authors write.

AquaSec examined the verification badge on VSCode Marketplace and found that it was useless since any publication with a bought domain receives one regardless of whether or not the domain is related to the software project.

On addition to the researchers’ proof-of-concept, they discovered real malicious code in the market. The “API Generator Plugin” and the “code tester” are examples of these.